Web App Firewall support for cluster configurations

Note:

Citrix Web App Firewall support for striped and partially striped cluster configurations was introduced in Citrix ADC release 11.0.

A cluster is a group of Citrix ADC appliances that are configured and managed as a single system. Each appliance in the cluster is called a node. Cluster configurations are classified by the number of nodes on which a virtual server is active: striped (active on all nodes of the cluster), partially striped (active on a subset of nodes, defined by a node group), or spotted (active on a single node). The Web App Firewall is fully supported in all three configurations.

The two main advantages of striped and partially striped virtual server support in cluster configurations are the following:

  1. Session failover support—Striped and partially striped virtual server configurations support session failover. The advanced Web App Firewall security features, such as Start URL Closure and the Form Field Consistency check, create and consult a session while processing a transaction. In a conventional high availability configuration, or in a spotted cluster configuration, when the node that is processing the Web App Firewall traffic fails, all of that session information is lost and the user has to reestablish the session. In a striped virtual server configuration, user sessions are replicated to multiple nodes. If a node goes down, a node that holds a replica becomes the owner of the session, and session information is maintained without any visible impact to the user.
  2. Scalability—Any node in the cluster can process the traffic. Multiple nodes of the cluster can process the incoming requests served by the striped virtual server, which improves the Web App Firewall's ability to handle many simultaneous requests and therefore its overall throughput.

Security checks and signature protections can be deployed without any additional cluster-specific Web App Firewall configuration. Configure the Web App Firewall as usual on the configuration coordinator (CCO) node; the configuration is propagated to all the nodes in the cluster.
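As an added example (not part of the original page), the following Citrix ADC CLI commands, entered on the cluster IP address so that the CCO propagates them, show how the three virtual server types are declared and how one Web App Firewall policy is bound to each. A virtual server with no node group binding is striped; binding it to a node group that contains a subset of nodes makes it partially striped; a node group with a single node makes it spotted. Virtual server names, IP addresses, node IDs and node group names are placeholders; the commands themselves are the standard lb vserver, appfw profile/policy and cluster nodegroup commands.

```nscli
# Run on the cluster IP address (CCO); the configuration propagates to every node.
# All names, addresses and node IDs below are placeholders.

# One Web App Firewall profile and policy, reused for all three virtual servers.
# Start URL Closure and Form Field Consistency are the session-based checks
# whose state benefits from session failover.
add appfw profile prof_app -defaults advanced -startURLClosure ON -startURLAction block log stats -fieldConsistencyAction block log stats
add appfw policy pol_app true prof_app

# 1. Striped: no node group binding, so the virtual server is active on all nodes.
add lb vserver v_app_striped HTTP 10.0.0.10 80
bind lb vserver v_app_striped -policyName pol_app -priority 100

# 2. Partially striped: the virtual server is bound to a node group holding a subset of nodes.
add cluster nodegroup ng_waf
bind cluster nodegroup ng_waf -node 0
bind cluster nodegroup ng_waf -node 1
add lb vserver v_app_partial HTTP 10.0.0.11 80
bind cluster nodegroup ng_waf -vServer v_app_partial
bind lb vserver v_app_partial -policyName pol_app -priority 100

# 3. Spotted: a node group with exactly one node, so no session failover.
add cluster nodegroup ng_one
bind cluster nodegroup ng_one -node 2
add lb vserver v_app_spotted HTTP 10.0.0.12 80
bind cluster nodegroup ng_one -vServer v_app_spotted
bind lb vserver v_app_spotted -policyName pol_app -priority 100

# Verify node membership and the policy binding, then read the counters,
# which the cluster aggregates across all nodes.
show cluster node
show lb vserver v_app_striped
stat appfw
```

The choice between the three forms is made entirely by the node group binding; the Web App Firewall profile and policy are identical in each case, which is the point of the paragraph above.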

Note:

Session information is replicated to multiple nodes, but not to all the nodes in the striped configuration, so failover support tolerates only a limited number of simultaneous failures. If several nodes fail at the same time, or a node fails before a session it owns has been replicated to another node, the Web App Firewall can lose that session.

Highlights

  • Web App Firewall offers scalability, high throughput, and session failover support in cluster deployments.
  • All Web App Firewall security checks and signature protections are supported in all cluster configurations.
  • Character maps are not yet supported in a cluster. For the Field Format security check, the learning engine recommends field types in its learned rules instead.
  • Stats and learned rules are aggregated from all the nodes in a cluster.
  • A distributed hash table (DHT) caches session state and replicates it across multiple nodes. When a request reaches the virtual server, the Citrix ADC appliance creates the Web App Firewall session in the DHT, and it retrieves the session information from the DHT when later requests for that session arrive.
  • Clustering is licensed with the Advanced and Premium licenses. This feature is not available with the Standard license.
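To make the failover limits in the note above and the DHT behaviour in the highlights concrete, here is a small model added to this page. It is not Citrix code, and it does not claim to match the ADC's real replica count or placement, which this page does not state; both are parameters. Node IDs, session IDs and the replica count are constructed inputs. The model shows three things: a fully replicated session survives the loss of its owner and is handed to a node holding a copy, the same session is lost when more nodes fail at once than there are copies, and a session whose replication has not yet completed dies with its owner.

```python
"""Toy model of session replication in a cluster DHT.

Illustrative model added to the page, not the Citrix ADC implementation:
the real replica count and placement are not documented here, so both are
parameters (assumption). Node and session identifiers are constructed.
"""
import hashlib
from typing import Dict, List, Optional, Set


def ring_index(session_id: str, ring_size: int) -> int:
    """Map a session ID deterministically onto a position in [0, ring_size)."""
    digest = hashlib.sha256(session_id.encode()).digest()
    return int.from_bytes(digest[:8], "big") % ring_size


class ClusterSessionDHT:
    """Each session has an owner node plus (replicas - 1) copies on other live
    nodes; copies are never placed on every node of the cluster."""

    def __init__(self, node_ids: List[int], replicas: int) -> None:
        if replicas < 1:
            raise ValueError("replicas must be at least 1")
        self.nodes = sorted(node_ids)
        self.alive: Set[int] = set(self.nodes)
        self.replicas = replicas
        # session id -> nodes holding a copy, owner first
        self.holders: Dict[str, List[int]] = {}

    def live_nodes(self) -> List[int]:
        return [n for n in self.nodes if n in self.alive]

    def preferred_holders(self, session_id: str) -> List[int]:
        """Owner is the live node at the session's ring position, followed by
        the next live nodes in ring order up to the replica count."""
        live = self.live_nodes()
        if not live:
            raise RuntimeError("no live nodes in the cluster")
        start = ring_index(session_id, len(live))
        count = min(self.replicas, len(live))
        return [live[(start + i) % len(live)] for i in range(count)]

    def _top_up(self, holders: List[int]) -> List[int]:
        """Restore the copy count by adding live nodes after the owner in ring order."""
        live = self.live_nodes()
        result = list(holders)
        idx = live.index(result[0])
        for i in range(1, len(live)):
            if len(result) >= self.replicas:
                break
            candidate = live[(idx + i) % len(live)]
            if candidate not in result:
                result.append(candidate)
        return result

    def create_session(self, session_id: str, replication_done: bool = True) -> int:
        """Create a session on its owner. Replication is asynchronous, so
        replication_done=False models the window in which only the owner
        holds the session. Returns the owner node ID."""
        holders = self.preferred_holders(session_id)
        self.holders[session_id] = holders if replication_done else holders[:1]
        return holders[0]

    def complete_replication(self, session_id: str) -> None:
        """Finish the pending replication of a session to the other holders."""
        self.holders[session_id] = self._top_up(self.holders[session_id])

    def fail_nodes(self, failed: Set[int]) -> List[str]:
        """Take a set of nodes down simultaneously. Sessions with no surviving
        copy are lost; for the others the first surviving holder becomes the
        owner and the copy count is restored on the remaining live nodes."""
        self.alive -= set(failed)
        lost: List[str] = []
        for sid, holders in list(self.holders.items()):
            surviving = [n for n in holders if n in self.alive]
            if not surviving:
                lost.append(sid)
                del self.holders[sid]
            else:
                self.holders[sid] = self._top_up(surviving)
        return sorted(lost)

    def owner_of(self, session_id: str) -> Optional[int]:
        holders = self.holders.get(session_id)
        return holders[0] if holders else None

    def tolerated_simultaneous_failures(self) -> int:
        """A fully replicated session survives any (replicas - 1) simultaneous failures."""
        return self.replicas - 1


if __name__ == "__main__":
    dht = ClusterSessionDHT([0, 1, 2, 3], replicas=2)
    owner = dht.create_session("sess-A")
    replica = dht.holders["sess-A"][1]
    print("owner", owner, "replica", replica, "lost:", dht.fail_nodes({owner}))
    print("new owner after failover:", dht.owner_of("sess-A"))
```

The model makes the note's caveat quantitative: with r copies per session, any r - 1 simultaneous node failures are survivable, an r-node failure loses the session, and the replication window is a separate exposure that no replica count removes.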