Citrix ADC

Web Application Firewall profile settings

September 9, 2021

Contributed by:

S S

Following are the profile settings that you must configure on the appliance.

At the command prompt, type:

add appfw profile <name> [-invalidPercentHandling <invalidPercentHandling>] [-checkRequestHeaders ( ON | OFF )] [-URLDecodeRequestCookies ( ON | OFF )] [-optimizePartialReqs ( ON | OFF )] [-errorURL <expression>]

Example:

add appfw profile profile1 [-invalidPercentHandling secure_mode] [-checkRequestHeaders ON] [-URLDecodeRequestCookies OFF] [-optimizePartialReqs OFF]

Where,

invalidPercentHandling. Configure the method for handling percent-encoded names and values.

Available settings function as follows:

asp_mode - Strips and Parses Invalid Percent for Parsing. Example:- curl –v “http://<vip>/forms/login.html?field=sel%zzect -> Invalid percent encoded char(%zz) is stripped of and the rest of the content is inspected and action taken for the SQLInjection check. secure_mode - We detect the Invalid Percent coded value and ignore it. Example:- curl –v “http://<vip>/forms/login.html?field=sel%zzect -> Invalid percent encoded char(%zz) is detected, counters are incremented and content is passed as is to the server. apache_mode - This mode works similar to secure mode. Possible values: apache_mode, asp_mode, secure_mode Default value: secure_mode

optimizePartialReqs. When OFF/ON (without safe object), a Citrix ADC appliance sends the partial request to the back-end server. This partial response sent back to the client. OptimizePartialReqs makes sense when the Safe object is configured. The appliance sends requests for full response from the server when OFF, requests only partial response when ON.

Available settings are as follows:

ON - Partial requests by the client result in partial requests to the back-end server. OFF - Partial requests by the client are changed to full requests to the back-end server Possible values: ON, OFF Default value: ON

URLDecodeRequestCookies. URL Decode request cookies before subjecting them to SQL and cross-site scripting checks.

Possible values: ON, OFF Default value: OFF

Signature Post Body Limit (Bytes). Limits the request payload (in bytes) inspected for signatures with the location specified as ‘HTTP_POST_BODY’.

Default value: 8096 Minimum value: 0 Maximum Value: 4294967295

Post Body Limit (Bytes). Limits the request payload (in bytes) inspected by Web Application Firewall.

Default value: 20000000 Minimum value: 0 Maximum Value: 10 GB

postBodyLimitAction. PostBodyLimit honors error settings when you specify the maximum size of HTTP body to be allowed. To honor error settings you must configure one or more Post Body Limit actions. The configuration is also applicable for requests where the transfer encoding header is chunked.

set appfw profile <profile_name> -PostBodyLimitAction block log stats

Where, Block - This action blocks connection that violates the security check and it is based on the maximum size of the configured HTTP body (post body limit). The option must always be enabled.

Log - Log violations of this security check.

Stats - Generate statistics for this security check.

Note:

The log format for post body limit action is now changed to follow the standard audit logging format, for example: ns.log.4.gz:Jun 25 1.1.1.1. <local0.info> 10.101.10.100 06/25/2020:10:10:28 GMT 0-PPE-0 : default APPFW APPFW_POSTBODYLIMIT 1506 0 : <Netscaler IP> 4234-PPE0 - testprof ><URL> Request post body length(<Post Body Length>) exceeds post body limit.

inspectQueryContentTypes Inspect request query and web forms for injected SQL and cross-site scripts for the following content types.

set appfw profile p1 -inspectQueryContentTypes HTML XML JSON OTHER

Possible values: HTML, XML, JSON, OTHER

By default, this parameter is set as “InspectQueryContentTypes: HTML JSON OTHER” for both basic and advanced appfw profiles.

Example for inspect query content type as XML:

> set appfw profile p1 -type XML
Warning: HTML, JSON checks except “InspectQueryContentTypes” Action will not be applicable when profile type is not HTML or JSON respectively.
<!--NeedCopy-->

Example for inspect query content type as HTML:

> set appfw profile p1 -type HTML
Warning: XML, JSON checks except “InspectQueryContentTypes” Action will not be applicable when profile type is not XML or JSON respectively
Done
<!--NeedCopy-->

Example for inspect query content type as JSON:

> set appfw profile p1 -type JSON
Warning: HTML, XML checks except “InspectQueryContentTypes” Action will not be applicable when profile type is not HTML or XML respectively
Done
<!--NeedCopy-->

errorURL expression. The URL that the Citrix Web App Firewall uses as an error URL. Maximum Length: 2047.

Note:

For blocking violations in a requested URL, if the error URL is similar to the signature URL the appliance resets the connection.

logEveryPolicyHit - Log every profile match, regardless of security checks results. Possible values: ON, OFF. Default value: OFF.

stripXmlComments - Strip XML comments before forwarding a web page sent by a protected web site in response to a user request. Possible values: none, all, exclude_script_tag. Default value: none

postBodyLimitSignature - Maximum allowed HTTP post body size for signature inspection for location HTTP_POST_BODY in the signatures, in bytes. Note that the changes in value could impact CPU and latency profile. Default value: 2048. Minimum value: 0 Maximum Value: 4294967295

fileUploadMaxNum - Maximum allowed number of file uploads per form-submission request. The maximum setting (65535) allows an unlimited number of uploads. Default value: 65535 Minimum value: 0 Maximum value: 65535

canonicalizeHTMLResponse - Perform HTML entity encoding for any special characters in responses sent by your protected web sites. Possible values: ON, OFF Default value: ON

percentDecodeRecursively - Configure whether the application firewall should use percentage recursive decoding. Possible values: ON, OFF Default value: ON

multipleHeaderAction - One or more multiple header actions. Available settings function as follows:

Block. Block connections that have multiple headers.
Log. Log connections that have multiple headers.
KeepLast. Keep only last header when multiple headers are present.

inspectContentTypes – One or more InspectContentType lists.

application/x-www-form-urlencoded
multipart/form-data
text/x-gwt-rpc

Possible values: none, application/x-www-form-urlencoded, multipart/form-data, text/x-gwt-rpc

semicolonFieldSeparator - Allow ‘;’ as a form field separator in URL queries and POST form bodies. Possible values: ON, OFF Default value: OFF

The official version of this content is in English. Some of the Citrix documentation content is machine translated for your convenience only. Citrix has no control over machine-translated content, which may contain errors, inaccuracies or unsuitable language. No warranty of any kind, either expressed or implied, is made as to the accuracy, reliability, suitability, or correctness of any translations made from the English original into any other language, or that your Citrix product or service conforms to any machine translated content, and any warranty provided under the applicable end user license agreement or terms of service, or any other agreement with Citrix, that the product or service conforms with any documentation shall not apply to the extent that such documentation has been machine translated. Citrix will not be held responsible for any damage or issues that may arise from using machine-translated content.

Web Application Firewall profile settings

September 9, 2021

Contributed by:

S S

September 9, 2021

Contributed by:

S S

Web Application Firewall profile settings

In this article