Web App Firewall Policies
A firewall policy is a rule associated with a profile. The rule is an expression or group of expressions that define the types of request/response pairs that the Web App Firewall is to filter by applying the profile. Firewall policy expressions are written in the Citrix ADC expressions language, an object-oriented programming language with special features to support specific Citrix ADC functions. The profile is the set of actions that the Web App Firewall is to use to filter request/response pairs that match the rule.
The Web App Firewall processes only HTTP connections, and therefore uses a subset of the overall Citrix ADC expressions language. The information here is limited to topics and examples that are likely to be useful when configuring the Web App Firewall. Following are links to additional information and procedures for firewall policies:
- For procedures that explain how to create and configure a policy, see Creating and Configuring Web App Firewall Policies.
- For a procedure that explains in detail how to create a policy rule (expression), see To create or configure an Web App Firewall rule (expression).
- For a procedure that explains how to use the Add Expression dialog box to create a policy rule, see To add a firewall rule (expression) by using the Add Expression dialog box.
- For a procedure that explains how to view the current bindings for a policy, see Viewing a Firewall Policy’s Bindings.
- For procedures that explain how to bind an Web App Firewall policy, see Binding Web App Firewall Policies.
- For detailed information about the Citrix ADC expressions language, see Policies and Expressions.
Web App Firewall evaluates the policies based on the configured priority and goto expressions. At the end of the policy evaluation, the last policy that evaluates to true is used and the security configuration of the corresponding profile is invoked for processing the request.
For example, Consider a scenario where there are 2 policies.
- Policy_1 is a generic policy with Expression=ns_true and has a corresponding profile_1 which is a basic profile. The priority is set to 100.
- Policy_2 is more specific with Expression=HTTP.REQ.URL.CONTAINS(“XYZ”) and has a corresponding profile_2 which is an advance profile. The GoTo Expression is set to NEXT and the priority is set to 95 which is a higher priority compared to Policy_1.
In this scenario, if the target string “XYZ” is detected in the URL of the processed request, Policy_2 match is triggered as it has a higher priority even though Policy_1 is also a match. However, as per the GoTo expression configuration of Policy_2, the policy evaluation continues and the next policy Policy_1 is also processed. At the end of the policy evaluation, Policy_1 evaluates as true and the basic security checks configured in Profile_1 are invoked.
If the Policy_2 is modified and the GoTo Expression is changed from NEXT to END, the processed request that has the target string “XYZ”, triggers the Policy_2 match due to priority consideration and as per the GoTo expression configuration, the policy evaluation ends at this point. Policy_2 evaluates as true and the advanced security checks configured in Profile_2 are invoked.
Policy evaluation is completed in one pass. Once the policy evaluation is completed for the request and the corresponding profile actions are invoked, the request does not go through another round of policy evaluation.