Application Delivery Management

Web application firewall StyleBook

NetScaler Web App Firewall is a web application firewall (WAF) that protects web applications and sites from both known and unknown attacks, including all application-layer and zero-day threats.

NetScaler ADM now provides a default StyleBook with which you can more conveniently add standard and advanced application firewall configurations to existing virtual servers on NetScaler instances.

Deploy standard application firewall configurations

Perform the following steps to deploy the standard application firewall and IP reputation policy on existing LB virtual servers in your NetScaler instances.

  1. In NetScaler® ADM, navigate to Applications > Configurations > StyleBooks and do the following:

    1. Search for the StyleBook named waf-basic.

      WAF basic StyleBooks

    2. Click Create Configuration.

      ADM opens a user interface page with all the parameters defined in the StyleBook.

  2. Specify the values for the following parameters:

    • Application Name - Name of the application.

    • Load Balancing Virtual Server Name - Name of the load-balancing virtual server present on an ADC instance.

    • WAF Settings - Enable this option to apply WAF configuration to an ADC instance.

      • AppFw Policy Rule - Select True to apply the application firewall settings to all virtual server traffic.

        Alternatively, specify the NetScaler policy rule to select a subset of requests to which you want to apply the application firewall settings. For more information, see Web App Firewall Policies.

      • Type - The WAF basic configuration supports only the HTML type.

      App firewall policy rule

    • AppFw Profile Settings - Enable this option to add an application firewall profile to a virtual server.

      The following image displays the protections and parameters that are part of the StyleBook:

      App firewall profile settings

      • Enable WAF Signatures - This option attaches the existing Application Firewall Signature on NetScaler to the profile created by the StyleBook.

        Enable WAF signatures

      • Enable the required protections for an application.

        By default, the StyleBook applies the log and stats WAF actions to an enabled protection. Specify the other actions as required.

        For example:

        In SQL Injection Settings, you can enable and configure SQL injection settings.

        SQL injection settings

        Similarly, you can enable and configure the required protections.

  3. Optionally, enable the IP Reputation check to evaluate the client source IP address.

    1. Select Block Malicious IPs.

    2. In Block Malicious IPs by Category, select categories to preemptively reject requests that belong to the selected categories.

      If you select REPUTATION, the application blocks traffic from IPs with a bad reputation.

    Block Malicious IPs

  4. In Target Instances, select the ADC instances where you want to deploy this application firewall setting.

  5. Click Create.

    Target instances

    Tip

    Citrix recommends that you select Dry Run to check the configuration objects that must be created on the target instance before you execute the actual configuration on the instance.

Note

The StartURL protection is not part of the standard WAF deployment. The ADC default for StartURLAction (block log stats) might block URLs.

Therefore, configure StartURLAction and StartURL separately on the ADC without using the StyleBook.
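
The following check is an added example, not Citrix code and not part of the StyleBook. It reads saved-configuration text and reports, per application firewall profile, which protections only log, which block, and whether StartURLAction still includes block. It assumes actions appear as `-<name>Action` options on `add appfw profile` and `set appfw profile` lines, and that a profile with no StartURLAction option uses the default stated in the note above; the profile names and sample lines are constructed.

```python
import shlex

# Default stated on this page for StartURLAction when a profile does not set it.
STARTURL_DEFAULT = ["block", "log", "stats"]

# Constructed sample of saved-config lines (profile and server names are hypothetical).
SAMPLE_CONF = """\
add appfw profile shop_waf_prof -SQLInjectionAction log stats -crossSiteScriptingAction block log stats -type HTML
add appfw profile api_waf_prof -startURLAction none -SQLInjectionAction log stats -type HTML
set appfw profile api_waf_prof -SQLInjectionAction block log stats
add lb vserver shop_vs HTTP 192.0.2.10 80
"""

def parse_profiles(conf_text):
    """Return {profile: {option_lowercased: [values]}} from add/set appfw profile lines."""
    profiles = {}
    for line in conf_text.splitlines():
        tokens = shlex.split(line)
        if len(tokens) < 4 or tokens[0] not in ("add", "set") or tokens[1:3] != ["appfw", "profile"]:
            continue
        opts = profiles.setdefault(tokens[3], {})
        current = None
        for tok in tokens[4:]:
            if tok.startswith("-"):
                current = tok[1:].lower()
                opts[current] = []  # a later "set" replaces the value from an earlier "add"
            elif current is not None:
                opts[current].append(tok.lower())
    return profiles

def audit(conf_text):
    """Per profile: explicitly set protections that only log, those that block, StartURL status."""
    report = {}
    for name, opts in parse_profiles(conf_text).items():
        actions = {k: v for k, v in opts.items() if k.endswith("action")}
        start = actions.pop("starturlaction", STARTURL_DEFAULT)
        report[name] = {
            "log_only": sorted(k for k, v in actions.items() if "log" in v and "block" not in v),
            "blocking": sorted(k for k, v in actions.items() if "block" in v),
            "starturl_blocks": "block" in start,
        }
    return report

if __name__ == "__main__":
    for profile, findings in audit(SAMPLE_CONF).items():
        print(profile, findings)
```

A profile listed under `log_only` records violations without rejecting the request, so review it before relying on that protection to stop traffic.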

Deploy advanced application firewall configurations

Perform the following steps to deploy the advanced application firewall and IP reputation policy on existing LB virtual servers in your NetScaler instances.

  1. In NetScaler ADM, navigate to Applications > Configurations > StyleBooks and do the following:

    1. Search for the StyleBook named waf-adv.

      WAF Advance StyleBooks

    2. Click Create Configuration.

      ADM opens a user interface page with all the parameters defined in the StyleBook.

  2. Specify the values for the following parameters:

    • Application Name - Name of the application.

    • Load Balancing Virtual Server Name - Name of the load-balancing virtual server present on an ADC instance.

    • WAF Settings - Enable this option to apply WAF configuration to an ADC instance.

      • AppFw Policy Rule - Select True to apply the application firewall settings to all virtual server traffic.

        Alternatively, specify the NetScaler policy rule to select a subset of requests to which you want to apply the application firewall settings. For more information, see Web App Firewall Policies.

      • Type of profile - You can select multiple profile types. The advanced WAF StyleBook supports HTML, XML, or JSON profile types.

      App firewall policy rule

    • AppFw Profile Settings - Enable this option to add an application firewall profile to a virtual server.

      The following image displays the protections and parameters that are part of the StyleBook:

      App firewall profile settings

      • Enable WAF Signatures - This option attaches the existing Application Firewall Signature on NetScaler to the profile created by the StyleBook.

        Enable WAF signatures

      • WAF Advanced Protection - Enable this option to use advanced WAF protections.

        WAF Advanced protection

      • Enable the required protections for an application.

        By default, the StyleBook applies the log and stats WAF actions to an enabled protection. Specify the other actions as required.

        For example:

        In SQL Injection Settings, you can enable and configure SQL injection settings.

        SQL injection settings

        Similarly, you can enable and configure the required protections.

  3. Optionally, enable the IP Reputation check to evaluate the client source IP address.

    1. Select Block Malicious IPs.

    2. In Block Malicious IPs by Category, select categories to preemptively reject requests that belong to the selected categories.

      If you select REPUTATION, the application blocks traffic from IPs with a bad reputation.

    Block Malicious IPs

  4. In Target Instances, select the ADC instances where you want to deploy this application firewall setting.

  5. Click Create.

    Target instances

    Tip

    Citrix recommends that you select Dry Run to check the configuration objects that must be created on the target instance before you execute the actual configuration on the instance.

View objects created by WAF configuration pack

When you deploy the configuration successfully, the StyleBook creates the following configuration objects on ADC:

  • Application firewall policy labels
  • Application firewall policies
  • Application firewall profiles

Also, it binds application firewall policies with the specified load-balancing virtual server.

To view the objects created:

  1. Navigate to Applications > StyleBook > Configurations.

  2. Select the configuration pack created by WAF StyleBook.

  3. Click View Objects Created.

    WAF objects created
