This content has been machine translated dynamically.
Dieser Inhalt ist eine maschinelle Übersetzung, die dynamisch erstellt wurde. (Haftungsausschluss)
Cet article a été traduit automatiquement de manière dynamique. (Clause de non responsabilité)
Este artículo lo ha traducido una máquina de forma dinámica. (Aviso legal)
이 콘텐츠는 동적으로 기계 번역되었습니다. 책임 부인
Este texto foi traduzido automaticamente. (Aviso legal)
Questo contenuto è stato tradotto dinamicamente con traduzione automatica.(Esclusione di responsabilità))
This article has been machine translated.
Dieser Artikel wurde maschinell übersetzt. (Haftungsausschluss)
Ce article a été traduit automatiquement. (Clause de non responsabilité)
Este artículo ha sido traducido automáticamente. (Aviso legal)
이 기사는 기계 번역되었습니다.책임 부인
Este artigo foi traduzido automaticamente.(Aviso legal)
Questo articolo è stato tradotto automaticamente.(Esclusione di responsabilità))
Web App Firewall Policies
A firewall policy is a rule associated with a profile. The rule is an expression or group of expressions that define the types of request/response pairs that the Web App Firewall is to filter by applying the profile. Firewall policy expressions are written in the Citrix ADC expressions language, an object-oriented programming language with special features to support specific Citrix ADC functions. The profile is the set of actions that the Web App Firewall is to use to filter request/response pairs that match the rule.
The Web App Firewall processes only HTTP connections, and therefore uses a subset of the overall Citrix ADC expressions language. The information here is limited to topics and examples that are likely to be useful when configuring the Web App Firewall. Following are links to additional information and procedures for firewall policies:
- For procedures that explain how to create and configure a policy, see Creating and Configuring Web App Firewall Policies.
- For a procedure that explains in detail how to create a policy rule (expression), see To create or configure an Web App Firewall rule (expression).
- For a procedure that explains how to use the Add Expression dialog box to create a policy rule, see To add a firewall rule (expression) by using the Add Expression dialog box.
- For a procedure that explains how to view the current bindings for a policy, see Viewing a Firewall Policy’s Bindings.
- For procedures that explain how to bind an Web App Firewall policy, see Binding Web App Firewall Policies.
- For detailed information about the Citrix ADC expressions language, see Policies and Expressions.
Web App Firewall evaluates the policies based on the configured priority and goto expressions. At the end of the policy evaluation, the last policy that evaluates to true is used and the security configuration of the corresponding profile is invoked for processing the request.
For example, Consider a scenario where there are 2 policies.
- Policy_1 is a generic policy with Expression=ns_true and has a corresponding profile_1 which is a basic profile. The priority is set to 100.
- Policy_2 is more specific with Expression=HTTP.REQ.URL.CONTAINS(“XYZ”) and has a corresponding profile_2 which is an advance profile. The GoTo Expression is set to NEXT and the priority is set to 95 which is a higher priority compared to Policy_1.
In this scenario, if the target string “XYZ” is detected in the URL of the processed request, Policy_2 match is triggered as it has a higher priority even though Policy_1 is also a match. However, as per the GoTo expression configuration of Policy_2, the policy evaluation continues and the next policy Policy_1 is also processed. At the end of the policy evaluation, Policy_1 evaluates as true and the basic security checks configured in Profile_1 are invoked.
If the Policy_2 is modified and the GoTo Expression is changed from NEXT to END, the processed request that has the target string “XYZ”, triggers the Policy_2 match due to priority consideration and as per the GoTo expression configuration, the policy evaluation ends at this point. Policy_2 evaluates as true and the advanced security checks configured in Profile_2 are invoked.
Policy evaluation is completed in one pass. Once the policy evaluation is completed for the request and the corresponding profile actions are invoked, the request does not go through another round of policy evaluation.
In this article
This Preview product documentation is Citrix Confidential.
You agree to hold this documentation confidential pursuant to the terms of your Citrix Beta/Tech Preview Agreement.
The development, release and timing of any features or functionality described in the Preview documentation remains at our sole discretion and are subject to change without notice or consultation.
The documentation is for informational purposes only and is not a commitment, promise or legal obligation to deliver any material, code or functionality and should not be relied upon in making Citrix product purchase decisions.
If you do not agree, select Do Not Agree to exit.