Web Application Firewall profile settings
Following are the profile settings that you must configure on the appliance.
At the command prompt, type:
add appfw profile <name> [-invalidPercentHandling <invalidPercentHandling>] [-checkRequestHeaders ( ON | OFF )] [-URLDecodeRequestCookies ( ON | OFF )] [-optimizePartialReqs ( ON | OFF )] [-errorURL <expression>]
Example (square brackets in the syntax above mark optional parameters and are not typed):
add appfw profile profile1 -invalidPercentHandling secure_mode -checkRequestHeaders ON -URLDecodeRequestCookies OFF -optimizePartialReqs OFF
invalidPercentHandling. Configure how percent-encoded names and values that contain an invalid percent sequence are handled.
Available settings function as follows:
asp_mode - Strips the invalid percent sequence and parses the remaining content. Example:
curl -v "http://<vip>/forms/login.html?field=sel%zzect" -> The invalid percent-encoded sequence (%zz) is stripped off, the rest of the content is inspected, and the SQL injection check takes its configured action on the result.
secure_mode - Detects the invalid percent-encoded value and ignores it. Example:
curl -v "http://<vip>/forms/login.html?field=sel%zzect" -> The invalid percent-encoded sequence (%zz) is detected, the counters are incremented, and the content is passed to the server as is.
apache_mode - This mode works similarly to secure_mode.
Possible values: apache_mode, asp_mode, secure_mode
Default value: secure_mode
optimizePartialReqs. When no Safe Object check is configured, the setting makes no difference: whether it is ON or OFF, a Citrix ADC appliance sends the partial request to the back-end server and the partial response is sent back to the client. OptimizePartialReqs matters only when the Safe Object check is configured: when OFF, the appliance requests the full response from the server; when ON, it requests only the partial response.
Available settings are as follows:
ON - Partial requests by the client result in partial requests to the back-end server.
OFF - Partial requests by the client are changed to full requests to the back-end server.
Possible values: ON, OFF
Default value: ON
URLDecodeRequestCookies. URL Decode request cookies before subjecting them to SQL and cross-site scripting checks.
Possible values: ON, OFF. Default value: OFF.
Signature Post Body Limit (Bytes). Limits the request payload (in bytes) inspected for signatures with the location specified as ‘HTTP_POST_BODY’.
Default value: 8096. Minimum value: 0. Maximum value: 4294967295.
Post Body Limit (Bytes). Limits the request payload (in bytes) inspected by Web Application Firewall.
Default value: 20000000. Minimum value: 0. Maximum value: 10 GB.
postBodyLimitAction. When you set the maximum allowed size of the HTTP body (post body limit), the appliance applies the configured error settings to requests that exceed it. To apply those settings you must configure one or more post body limit actions. The actions also apply to requests whose Transfer-Encoding header is chunked.
set appfw profile <profile_name> -PostBodyLimitAction block log stats
Where:
Block - Blocks connections that violate the security check, that is, whose HTTP body exceeds the configured maximum size (post body limit). This option must always be enabled.
Log - Log violations of this security check.
Stats - Generate statistics for this security check.
The log format for the post body limit action now follows the standard audit logging format, for example:
ns.log.4.gz:Jun 25 220.127.116.11. <local0.info> 10.101.10.100 06/25/2020:10:10:28 GMT 0-PPE-0 : default APPFW APPFW_POSTBODYLIMIT 1506 0 : <Netscaler IP> 4234-PPE0 - testprof ><URL> Request post body length(<Post Body Length>) exceeds post body limit.
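The following is an added example, not Citrix code, of how a post body limit and its block/log/stats actions can be enforced on a raw HTTP request. It covers the chunked transfer-encoding case mentioned above by summing the declared chunk sizes and stopping as soon as the limit is passed, so the body does not have to be buffered in full before a decision is made. The sample requests, hostnames and the log message text are constructed for the example (the message is modelled on the APPFW_POSTBODYLIMIT line above, not taken from the appliance).

```python
# Added example (not Citrix code): enforcing a post body limit on a raw HTTP
# request, including the chunked transfer-encoding case, and mapping the
# configured actions (block, log, stats) onto the outcome.
from typing import Dict, Iterable, Tuple

# Constructed sample requests (hostnames and bodies are made up for the example).
CHUNKED_REQUEST = (
    b"POST /forms/login.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"4\r\nuser\r\n"
    b"6\r\n=alice\r\n"
    b"0\r\n\r\n"
)
CONTENT_LENGTH_REQUEST = (
    b"POST /forms/login.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Content-Length: 12\r\n"
    b"\r\n"
    b"user=alice%0A"
)


def parse_headers(raw: bytes) -> Tuple[Dict[bytes, bytes], bytes]:
    """Split a request into a lower-cased header map and the body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request head")
    headers: Dict[bytes, bytes] = {}
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def measured_body_size(raw: bytes, limit: int) -> Tuple[int, bool]:
    """Return (body bytes seen, limit exceeded).

    For chunked bodies the declared chunk sizes are summed and counting stops
    as soon as the limit is passed; otherwise Content-Length is used."""
    headers, body = parse_headers(raw)
    if b"chunked" not in headers.get(b"transfer-encoding", b"").lower():
        size = int(headers.get(b"content-length", b"0"))
        return size, size > limit
    total = 0
    pos = 0
    while True:
        line_end = body.find(b"\r\n", pos)
        if line_end < 0:
            raise ValueError("malformed chunked body")
        chunk_size = int(body[pos:line_end].split(b";")[0], 16)  # ignore chunk extensions
        if chunk_size == 0:
            return total, False  # last chunk reached without passing the limit
        total += chunk_size
        if total > limit:
            return total, True
        pos = line_end + 2 + chunk_size + 2  # skip size line, data and trailing CRLF


def check_post_body_limit(raw: bytes, limit: int,
                          actions: Iterable[str] = ("block", "log", "stats")) -> dict:
    """Apply postBodyLimitAction semantics: block, log and/or count a violation."""
    actions = set(actions)
    size, exceeded = measured_body_size(raw, limit)
    result = {"body_bytes": size, "exceeded": exceeded,
              "blocked": False, "log": None, "stat_increment": 0}
    if exceeded:
        result["blocked"] = "block" in actions
        if "log" in actions:
            # Constructed message text, modelled on the APPFW_POSTBODYLIMIT audit log.
            result["log"] = (f"APPFW_POSTBODYLIMIT Request post body length({size}) "
                             f"exceeds post body limit({limit}).")
        if "stats" in actions:
            result["stat_increment"] = 1
    return result


if __name__ == "__main__":
    print(check_post_body_limit(CHUNKED_REQUEST, limit=8))
    print(check_post_body_limit(CHUNKED_REQUEST, limit=20))
    print(check_post_body_limit(CONTENT_LENGTH_REQUEST, limit=8, actions=("log",)))
```

With the chunked sample and a limit of 8 bytes the second chunk pushes the total to 10, so the request is blocked, logged and counted; with only the log action configured the violation is recorded but the request is not blocked.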
inspectQueryContentTypes. Inspect request queries and web forms for injected SQL and cross-site scripts for the following content types.
set appfw profile p1 -inspectQueryContentTypes HTML XML JSON OTHER
Possible values: HTML, XML, JSON, OTHER
By default, this parameter is set as “InspectQueryContentTypes: HTML JSON OTHER” for both basic and advanced appfw profiles.
Example for inspect query content type as XML:
> set appfw profile p1 -type XML
Warning: HTML, JSON checks except "InspectQueryContentTypes" Action will not be applicable when profile type is not HTML or JSON respectively.
Example for inspect query content type as HTML:
> set appfw profile p1 -type HTML
Warning: XML, JSON checks except "InspectQueryContentTypes" Action will not be applicable when profile type is not XML or JSON respectively
Done
Example for inspect query content type as JSON:
> set appfw profile p1 -type JSON
Warning: HTML, XML checks except "InspectQueryContentTypes" Action will not be applicable when profile type is not HTML or XML respectively
Done
errorURL expression. The URL that the Citrix Web App Firewall uses as an error URL. Maximum Length: 2047.
For blocking violations in a requested URL, if the error URL is similar to the signature URL, the appliance resets the connection.
logEveryPolicyHit - Log every profile match, regardless of security checks results. Possible values: ON, OFF. Default value: OFF.
stripXmlComments - Strip XML comments before forwarding a web page sent by a protected web site in response to a user request. Possible values: none, all, exclude_script_tag. Default value: none
postBodyLimitSignature - Maximum allowed HTTP post body size, in bytes, for signature inspection at location HTTP_POST_BODY in the signatures. Note that changes to this value can affect the CPU and latency profile. Default value: 2048. Minimum value: 0. Maximum value: 4294967295.
fileUploadMaxNum - Maximum allowed number of file uploads per form-submission request. The maximum setting (65535) allows an unlimited number of uploads. Default value: 65535. Minimum value: 0. Maximum value: 65535.
canonicalizeHTMLResponse - Perform HTML entity encoding for any special characters in responses sent by your protected web sites. Possible values: ON, OFF. Default value: ON.
percentDecodeRecursively - Configure whether the application firewall should use percentage recursive decoding. Possible values: ON, OFF. Default value: ON.
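The following is an added example, not Citrix code, that models two of the settings on this page together: the invalidPercentHandling modes (asp_mode, secure_mode, apache_mode, with the sel%zzect case from the examples above) and percentDecodeRecursively. The appliance's own decoder is not published; the model follows the documented behaviour only: asp_mode strips an invalid sequence such as %zz and parses the rest, secure_mode and apache_mode keep it literally and count it, and recursive decoding repeats the pass until nothing changes (so %2527 becomes %27 and then the quote character). The keyword test at the end is a stand-in for the SQL injection check, not its real logic.

```python
# Added example (not Citrix code): a model of the invalidPercentHandling modes
# and of percentDecodeRecursively applied to a query string. Assumptions:
# valid %XX sequences are always decoded; an invalid sequence is '%' not
# followed by two hex digits; keyword matching stands in for the SQL check.
import re
from typing import Tuple

HEX_PAIR = re.compile(r"[0-9A-Fa-f]{2}")


def decode_once(value: str, mode: str) -> Tuple[str, int]:
    """One decoding pass. Returns (decoded text, number of invalid sequences)."""
    out = []
    invalid = 0
    i = 0
    while i < len(value):
        ch = value[i]
        if ch != "%":
            out.append(ch)
            i += 1
            continue
        pair = value[i + 1:i + 3]
        if HEX_PAIR.fullmatch(pair):
            out.append(chr(int(pair, 16)))  # valid %XX: decode it
            i += 3
            continue
        invalid += 1  # '%' not followed by two hex digits
        if mode == "asp_mode":
            i += 3  # strip the '%' and the two characters after it, keep parsing
        elif mode in ("secure_mode", "apache_mode"):
            out.append(ch)  # keep the '%' literally; what follows is copied as usual
            i += 1
        else:
            raise ValueError(f"unknown invalidPercentHandling mode: {mode!r}")
    return "".join(out), invalid


def decode(value: str, mode: str = "secure_mode", recursive: bool = True,
           max_rounds: int = 8) -> Tuple[str, int]:
    """Decode in the given mode. With recursive=True (percentDecodeRecursively ON)
    the pass is repeated until nothing changes, so %2527 -> %27 -> ' ."""
    total_invalid = 0
    for _ in range(max_rounds):
        decoded, invalid = decode_once(value, mode)
        total_invalid += invalid  # accumulated per decoding round
        if not recursive or decoded == value or "%" not in decoded:
            return decoded, total_invalid
        value = decoded
    return value, total_invalid  # gave up after max_rounds nested layers


def inspect_query(query: str, mode: str, recursive: bool = True) -> dict:
    """What the injection check would see after decoding (keyword test is a stand-in)."""
    decoded, invalid = decode(query, mode, recursive)
    return {"decoded": decoded, "invalid_percent": invalid,
            "sql_keyword_seen": "select" in decoded.lower()}


if __name__ == "__main__":
    for mode in ("asp_mode", "secure_mode", "apache_mode"):
        print(mode, inspect_query("field=sel%zzect", mode))
    print("recursive on :", decode("%2527", "secure_mode", recursive=True))
    print("recursive off:", decode("%2527", "secure_mode", recursive=False))
```

Running it shows the difference the page describes: in asp_mode the stripped value reads "select" and the check can act on it, while in secure_mode and apache_mode the invalid sequence is counted and the value is passed on unchanged.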
multipleHeaderAction - One or more multiple header actions. Available settings function as follows:
- Block. Block connections that have multiple headers.
- Log. Log connections that have multiple headers.
- KeepLast. Keep only last header when multiple headers are present.
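The following is an added example, not Citrix code, of the three multipleHeaderAction settings applied to a request's header list: detecting names that occur more than once, blocking or logging such a request, and the KeepLast rewrite that retains only the final occurrence of a repeated header. The header names and values are constructed for the example.

```python
# Added example (not Citrix code): applying multipleHeaderAction (Block, Log,
# KeepLast) to a request's headers. Sample headers are constructed.
from typing import Dict, Iterable, List, Tuple

Header = Tuple[str, str]

# Constructed request headers in which one name is repeated.
SAMPLE_HEADERS: List[Header] = [
    ("Host", "www.example.com"),
    ("Content-Length", "11"),
    ("Cookie", "session=abc"),
    ("Content-Length", "23"),
]


def duplicate_header_names(headers: Iterable[Header]) -> List[str]:
    """Lower-cased names that appear more than once, in first-seen order."""
    counts: Dict[str, int] = {}
    for name, _ in headers:
        key = name.lower()
        counts[key] = counts.get(key, 0) + 1
    return [name for name, n in counts.items() if n > 1]


def keep_last(headers: List[Header]) -> List[Header]:
    """Keep only the last occurrence of each header name, at the position
    where that last occurrence appeared."""
    last_index: Dict[str, int] = {}
    for i, (name, _) in enumerate(headers):
        last_index[name.lower()] = i
    return [h for i, h in enumerate(headers) if last_index[h[0].lower()] == i]


def apply_multiple_header_action(headers: List[Header],
                                 actions: Iterable[str]) -> dict:
    """Return the decision for the configured actions (case-insensitive names)."""
    actions = {a.lower() for a in actions}
    dupes = duplicate_header_names(headers)
    result = {"duplicates": dupes, "blocked": False, "log": [],
              "headers": list(headers)}
    if not dupes:
        return result  # nothing to do for a request without repeated headers
    if "block" in actions:
        result["blocked"] = True
    if "log" in actions:
        result["log"] = [f"multiple header: {name}" for name in dupes]
    if "keeplast" in actions:
        result["headers"] = keep_last(headers)
    return result


if __name__ == "__main__":
    print(apply_multiple_header_action(SAMPLE_HEADERS, ["Block", "Log"]))
    print(apply_multiple_header_action(SAMPLE_HEADERS, ["KeepLast"]))
```

With Block and Log configured the sample request is rejected and one log entry names the repeated header; with KeepLast alone it is forwarded with the single remaining Content-Length header.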
inspectContentTypes - One or more InspectContentType lists.
Possible values: none, application/x-www-form-urlencoded, multipart/form-data, text/x-gwt-rpc
semicolonFieldSeparator - Allow ';' as a form field separator in URL queries and POST form bodies. Possible values: ON, OFF. Default value: OFF.