Create WAF and BOT profiles using StyleBooks
When you attach a policy to an API resource in API Gateway, you define the traffic selection criteria used to authenticate an API request, and you can also apply API security policies to that API traffic. For more information, see API Security.
You can configure WAF and BOT policies on an API resource. Before you configure a policy, ensure that its profile exists in NetScaler Console. Use the following default StyleBooks to create a profile:
- API WAF Detection StyleBook
- API BOT Detection StyleBook
Create a WAF profile using StyleBooks
Perform the following to create a WAF profile:
- In NetScaler Console, navigate to Applications > Configurations > StyleBooks. Search for the StyleBook by typing the name api-waf-profile. Click Create Configuration. The StyleBook opens as a user interface page on which you can enter the values for all the parameters defined in this StyleBook.
- Specify values for the following parameters:
  - API WAF profile name - A name to identify the WAF profile.
  - Application Type - The application types the profile inspects. The WAF profile supports the JSON and XML application types.
- Optionally, enable Security Settings to specify HTTP, JSON, or XML protection checks. You can also specify an Error URL for the NetScaler Web App Firewall. For more information, see Creating Web App Firewall profile.
- Select the target NetScaler instance or instance group on which you want to deploy this configuration.
- Click Create.
To configure a WAF policy, see Add policies to an API deployment.
Create a BOT profile using the StyleBook
Perform the following to create a BOT profile:
- In NetScaler Console, navigate to Applications > Configurations > StyleBooks. Search for the StyleBook by typing the name api-bot-profile. Click Create Configuration. The StyleBook opens as a user interface page on which you can enter the values for all the parameters defined in this StyleBook.
- In BOT Profile Name, specify a name to identify the BOT profile.
- Optionally, enable the following options based on your requirements:
  - Enable IP reputation check - Uses the IP reputation list to identify client IP addresses that are known to send unwanted requests, so that requests from IP addresses with a bad reputation can be rejected preemptively.
  - Enable BOT Signatures - Specify the bot signature name. Requests that match the specified signature are blocked.
  - Allow List - Specify an IPv4 address or a subnet in CIDR notation. Requests from the specified address or subnet bypass the BOT profile.
  - Deny List - Specify an IPv4 address or a subnet in CIDR notation. Requests from the specified address or subnet are blocked by the BOT profile.
- Select the target NetScaler instance or instance group on which you want to deploy this configuration.
- Click Create.
To configure a BOT policy, see Add policies to an API deployment.
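The Allow List and Deny List fields above take IPv4 addresses or CIDR subnets, and nothing in the form stops you from entering a client in both lists. The following Python helper is an added example (not NetScaler Console code and not part of either StyleBook) that a practitioner can run before filling in the form: it rejects entries the form cannot accept (IPv6, prefixes with host bits set, malformed addresses) and reports allow/deny entries whose address ranges overlap, so the conflict is resolved before the profile is deployed rather than discovered in production traffic. The sample lists are constructed for illustration.

```python
"""Pre-check for BOT profile Allow List / Deny List entries.

Added example: validates the IPv4/CIDR entries destined for the api-bot-profile
StyleBook form and flags allow/deny overlaps. It does not talk to NetScaler
Console; the sample input at the bottom is constructed, not captured.
"""
from __future__ import annotations

from ipaddress import IPv4Network, ip_network


def parse_ipv4_entry(entry: str) -> IPv4Network:
    """Parse 'a.b.c.d' or 'a.b.c.d/len' into an IPv4Network.

    A bare address becomes a /32. IPv6 entries and prefixes with host bits set
    (for example 10.1.2.3/24) are rejected, matching what the form accepts.
    """
    net = ip_network(entry.strip(), strict=True)  # ValueError on bad input or host bits
    if net.version != 4:
        raise ValueError(f"{entry!r}: only IPv4 addresses or subnets are accepted")
    return net


def check_lists(allow: list[str], deny: list[str]) -> dict:
    """Validate both lists and return normalised entries, errors and conflicts.

    A conflict is an allow entry and a deny entry whose ranges overlap: the same
    client would be both bypassed and blocked, which must be resolved manually.
    """
    errors: list[str] = []
    allow_nets: list[IPv4Network] = []
    deny_nets: list[IPv4Network] = []
    for label, entries, out in (("allow", allow, allow_nets), ("deny", deny, deny_nets)):
        for entry in entries:
            try:
                out.append(parse_ipv4_entry(entry))
            except ValueError as exc:
                errors.append(f"{label} list: {exc}")

    conflicts = [(str(a), str(d)) for a in allow_nets for d in deny_nets if a.overlaps(d)]

    return {
        "allow": sorted(str(n) for n in allow_nets),
        "deny": sorted(str(n) for n in deny_nets),
        "errors": errors,
        "conflicts": conflicts,
    }


def demo() -> dict:
    """Run the check over constructed sample lists (assumed values, not real data)."""
    allow = ["10.0.0.0/8", "192.0.2.10"]          # corporate range plus one monitoring host
    deny = ["10.20.0.0/16", "198.51.100.0/24",    # a guest VLAN inside the allowed /8 (conflict)
            "10.1.2.3/24", "2001:db8::1"]         # host bits set; IPv6 (both rejected)
    return check_lists(allow, deny)


if __name__ == "__main__":
    report = demo()
    for key in ("allow", "deny", "errors", "conflicts"):
        print(f"{key}: {report[key]}")
    if report["errors"] or report["conflicts"]:
        raise SystemExit("fix the lists before creating the BOT profile")
```

Only entries that pass the check should be typed into the StyleBook form; an overlap between the lists is reported as a conflict rather than silently resolved, because the order of precedence between the two lists is not something this check can decide for you.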