Binding Web App Firewall policies
After you have configured your Web App Firewall policies, you bind them to Global or a bind point to put them into effect. After binding, any request or response that matches an Web App Firewall policy is transformed by the profile associated with that policy.
When you bind a policy, you assign a priority to it. The priority determines the order in which the policies you define are evaluated. You can set the priority to any positive integer. In the Citrix ADC OS, policy priorities work in reverse order - the higher the number, the lower the priority.
Because the Web App Firewall feature implements only the first policy that a request matches, not any additional policies that it might also match, policy priority is important for achieving the results that you intend. If you give your first policy a low priority (such as 1000), you configure the Web App Firewall to perform it only if other policies with a higher priority do not match a request. If you give your first policy a high priority (such as 1), you configure the Web App Firewall to perform it first, and skip any other policies that might also match. You can leave yourself plenty of room to add other policies in any order, without having to reassign priorities, by setting priorities with intervals of 50 or 100 between each policy when you bind your policies.
For more information about binding policies on the Citrix ADC appliance, see “Policies and Expressions.”
To bind an Web App Firewall policy by using the command line interface
At the command prompt, type the following commands:
bind appfw global <policyName>bind appfw profile <profile_name> -crossSiteScripting data
Example
The following example binds the policy named pl-blog and assigns it a priority of 10.
bind appfw global pl-blog 10
save ns config
Configure log expressions
The log expression support for binding Web App Firewall is added to log HTTP header information when a violations occurs.
Log expression is binded at the Application profile, and binding contains the expression that needs to be evaluated and sent to logging frameworks when violation occurs.
The Web App Firewall violation log record with http header information is recorded. You can specify a custom log expression and it helps in analysis and diagnosis when violations are generated for the current flow (request/response).
Example configuration
bind appfw profile <profile> -logexpression <string> <expression>
add policy expression headers "\" HEADERS(100):\"+HTTP.REQ.FULL_HEADER"
add policy expression body_100 "\"BODY:\"+HTTP.REQ.BODY(100)"
bind appfw profile test -logExpression log_body body_100
bind appfw profile test -logExpression log_headers headers
bind appfw profile test -logExpression "\"URL:\"+HTTP.REQ.URL+\" IP:\"+CLIENT.IP.SRC"
Example logs
Dec 8 16:55:33 <local0.info> 10.87.222.145 CEF:0|Citrix|NetScaler|NS12.1|APPFW|APPFW_LOGEXPRESSION|6|src=10.217.222.128 spt=26409 method=POST request=http://10.217.222.44/test/credit.html msg= HEADERS(100):POST /test/credit.html HTTP/1.1^M User-Agent: curl/7.24.0 (amd64-portbld-freebsd8.4) libcurl/7.24.0 OpenSSL/0.9.8y zlib/1.2.3^M Host: 10.217.222.44^M Accept: /^M Content-Length: 33^M Content-Type: application/x-www-form-urlencoded^M ^M cn1=58 cn2=174 cs1=test cs2=PPE1 cs4=ALERT cs5=2017 act=not blocked
Dec 8 16:55:33 <local0.info> 10.87.222.145 CEF:0|Citrix|NetScaler|NS12.1|APPFW|APPFW_LOGEXPRESSION|6|src=10.217.222.128 spt=26409 method=POST request=http://10.217.222.44/test/credit.html msg=BODY:ata\=asdadasdasdasdddddddddddddddd cn1=59 cn2=174 cs1=test cs2=PPE1 cs4=ALERT cs5=2017 act=not blocked
Dec 8 16:55:33 <local0.info> 10.87.222.145 CEF:0|Citrix|NetScaler|NS12.1|APPFW|APPFW_LOGEXPRESSION|6|src=10.217.222.128 spt=26409 method=POST request=http://10.217.222.44/test/credit.html msg=URL:/test/credit.html IP:10.217.222.128 cn1=60 cn2=174 cs1=test cs2=PPE1 cs4=ALERT cs5=2017 act=not blocked
Other violation logs
Dec 8 16:55:33 <local0.info> 10.87.222.145 CEF:0|Citrix|NetScaler|NS12.1|APPFW|APPFW_STARTURL|6|src=10.217.222.128 spt=26409 method=POST request=http://10.217.222.44/test/credit.html msg=Disallow Illegal URL. cn1=61 cn2=174 cs1=test cs2=PPE1 cs4=ALERT cs5=2017 act=not blocked
Dec 8 16:55:33 <local0.info> 10.87.222.145 CEF:0|Citrix|NetScaler|NS12.1|APPFW|APPFW_SAFECOMMERCE|6|src=10.217.222.128 spt=26409 method=POST request=http://10.217.222.44/test/credit.html msg=Maximum number of potential credit card numbers seen cn1=62 cn2=174 cs1=test cs2=PPE1 cs4=ALERT cs5=2017 act=not blocked
Note
Only auditlog support is available. Support for logstream and visibility in security insight would be added in future release versions.
If auditlogs are generated, then only 1024 bytes of data can be generated per log message.
If log streaming is used, then the limits are based on maximum supported size of log stream/ipfix protocol size limitations. Maximum support size for log stream is larger than 1024 bytes.
To bind an Web App Firewall policy by using the GUI
- Do one of the following:
- Navigate to Security > Web App Firewall, and in the details pane, click Web App Firewall policy manager.
- Navigate to Security > Web App Firewall > Policies > Firewall Policies, and in the details pane, click Policy Manager.
- In the Web App Firewall Policy Manager dialog, choose the bind point to which you want to bind the policy from the drop-down list. The choices are:
- Override Global. Policies that are bound to this bind point process all traffic from all interfaces on the Citrix ADC appliance, and are applied before any other policies.
- LB Virtual Server. Policies that are bound to a load balancing virtual server are applied only to traffic that is processed by that load balancing virtual server, and are applied before any Default Global policies. After selecting LB Virtual Server, you must also select the specific load balancing virtual server to which you want to bind this policy.
- CS Virtual Server. Policies that are bound to a content switching virtual server are applied only to traffic that is processed by that content switching virtual server, and are applied before any Default Global policies. After selecting CS Virtual Server, you must also select the specific content switching virtual server to which you want to bind this policy.
- Default Global. Policies that are bound to this bind point process all traffic from all interfaces on the Citrix ADC appliance.
- Policy Label. Policies that are bound to a policy label process traffic that the policy label routes to them. The policy label controls the order in which policies are applied to this traffic.
- None. Do not bind the policy to any bind point.
- Click Continue. A list of existing Web App Firewall policies appears.
- Select the policy you want to bind by clicking it.
- Make any additional adjustments to the binding.
- To modify the policy priority, click the field to enable it, and then type a new priority. You can also select Regenerate Priorities to renumber the priorities evenly.
- To modify the policy expression, double click that field to open the Configure Web App Firewall Policy dialog box, where you can edit the policy expression.
- To set the Goto Expression, double click field in the Goto Expression column heading to display the drop-down list, where you can choose an expression.
- To set the Invoke option, double click field in the Invoke column heading to display the drop-down list, where you can choose an expression
- Repeat steps 3 through 6 to add any additional Web App Firewall policies you want to globally bind.
- Click OK. A message appears in the status bar, stating that the policy has been successfully bound.