Creating and configuring Web App Firewall policies
A firewall policy consists of two elements: a rule, and an associated profile. The rule selects the HTTP traffic that matches the criteria that you set, and sends that traffic to the Web App Firewall for filtering. The profile contains the filtering criteria that the Web App Firewall uses.
The policy rule consists of one or more expressions in the Citrix ADC expressions language. The Citrix ADC expressions syntax is a powerful, object-oriented programming language that enables you to precisely designate the traffic that you want to process with a specific profile. For users who are not completely familiar with the Citrix ADC expressions language syntax, or who prefer to configure their Citrix ADC appliance by using a web-based interface, the GUI provides two tools: the Prefix menu and the Add Expression dialog box. Both help you to write expressions that select exactly the traffic that you want to process. Experienced users who are thoroughly familiar with the syntax may prefer to use the Citrix ADC command line to configure their Citrix ADC appliances.
Note: In addition to the default expressions syntax, for backward compatibility the Citrix ADC operating system supports the Citrix ADC classic expressions syntax on Citrix ADC Classic and nCore appliances and virtual appliances. Classic expressions are not supported on Citrix ADC Cluster appliances and virtual appliances. Current Citrix ADC users who want to migrate existing configurations to the Citrix ADC Cluster must migrate any policies that contain classic expressions to the default expressions syntax.
For detailed information about the Citrix ADC expressions languages, see Policies and Expressions.
You can create a firewall policy by using the GUI or the Citrix ADC command line.
To create and configure a policy by using the command line interface
At the command prompt, type the following commands:
add appfw policy <name><rule> <profileName>save ns config
Example
The following example adds a policy named pl-blog, with a rule that intercepts all traffic to or from the host blog.example.com, and associates that policy with the profile pr-blog. This is an appropriate policy to protect a blog hosted on a specific hostname.
add appfw policy pl-blog "HTTP.REQ.HOSTNAME.DOMAIN.EQ("blog.example.com")" pr-blog
To create and configure a policy by using the GUI
-
Navigate to Security > Web App Firewall > Policies.
-
In the details pane, do one of the following:
- To create a new firewall policy, click Add. The Create Web App Firewall Policy is displayed.
- To edit an existing firewall policy, select the policy, and then click Edit.
The Create Web App Firewall Policy or Configure Web App Firewall Policy is displayed.
-
If you are creating a new firewall policy, in the Create Web App Firewall Policy dialog box, Policy Name text box, type a name for your new policy.
The name can begin with a letter, number, or the underscore symbol, and can consist of from one to 128 letters, numbers, and the hyphen (-), period (.) pound (#), space ( ), at (@), equals (=), colon (:), and underscore (_) symbols.
If you are configuring an existing firewall policy, this field is read-only. You cannot modify it.
-
Select the profile that you want to associate with this policy from the Profile drop-down list. You can create a new profile to associate with your policy by clicking New, and you can modify an existing profile by clicking Modify.
-
In the Expression text area, create a rule for your policy.
- You can type a rule directly into the text area.
- You can click Prefix to select the first term for your rule, and follow the prompts. See
[To Create an Web App Firewall Rule (Expression)](/en-us/netscaler/ns-gen-Citrix ADC11-wrapper-con/ns-gen-appsec-wrapper-10-con/appfw-wrapper-con-10/appfw-policies-con/appfw-policies-firewall-tsk/appfw-policies-firewall-configuring-tsk.html)for a complete description of this process. - You can click Add to open the Add Expression dialog box, and use it to construct the rule. See
[The Add Expression Dialog Box](/en-us/netscaler/ns-gen-Citrix ADC11-wrapper-con/ns-gen-appsec-wrapper-10-con/appfw-wrapper-con-10/appfw-policies-con/appfw-policies-firewall-tsk/appfw-policies-firewall-configuring-tsk.htmlfor a complete description of this process.
-
Click Create or OK, and then click Close.
To create or configure an Web App Firewall rule (expression)
The policy rule, also called the expression, defines the web traffic that the Web App Firewall filters by using the profile associated with the policy. Like other Citrix ADC policy rules (or expressions), Web App Firewall rules use Citrix ADC expressions syntax. This syntax is powerful, flexible, and extensible. It is too complex to describe completely in this set of instructions. You can use the following procedure to create a simple firewall policy rule, or you can read it as an overview of the policy creation process.
-
If you have not already done so, navigate to the appropriate location in the Web App Firewall wizard or the Citrix ADC GUI to create your policy rule:
- If you are configuring a policy in the Web App Firewall wizard, in the navigation pane, click Web App Firewall, then in the details pane click Web App Firewall Wizard, and then navigate to the Specify Rule screen.
- If you are configuring a policy manually, in the navigation pane, expand Web App Firewall, then Policies, and then Firewall. In the details pane, to create a new policy, click Add. To modify an existing policy, select the policy, and then click Open.
-
On the Specify Rule screen, the Create Web App Firewall Profile dialog box, or the Configure Web App Firewall Profile dialog box, click Prefix, and then choose the prefix for your expression from the drop-down list. Your choices are:
- HTTP. The HTTP protocol. Choose this if you want to examine some aspect of the request that pertains to the HTTP protocol.
- SYS. The protected Web site(s). Choose this if you want to examine some aspect of the request that pertains to the recipient of the request.
- CLIENT. The computer that sent the request. Choose this if you want to examine some aspect of the sender of the request.
- SERVER. The computer to which the request was sent. Choose this if you want to examine some aspect of the recipient of the request.
After you choose a prefix, the Web App Firewall displays a two-part prompt window that displays the possible next choices at the top, and a brief explanation of what the selected choice means at the bottom.
-
Choose your next term.
If you chose HTTP as your prefix, your only choice is REQ, which specifies the Request/Response pair. (The Web App Firewall operates on the request and response as a unit instead of on each separately.) If you chose another prefix, your choices are more varied. For help on a specific choice, click that choice once to display information about it in the lower prompt window.
When you have decided which term you want, double-click it to insert it into the Expression window.
-
Type a period after the term you just chose. You are then prompted to choose your next term, as described in the previous step. When a term requires that you type a value, fill in the appropriate value. For example, if you choose HTTP.REQ.HEADER(“”), type the header name between the quotation marks.
-
Continue choosing terms from the prompts and filling in any values that are needed, until your expression is finished.
Following are some examples of expressions for specific purposes.
-
Specific web host. To match traffic from a particular web host:
HTTP.REQ.HEADER("Host").EQ("shopping.example.com")For shopping.example.com, substitute the name of the web host that you want to match.
-
Specific web folder or directory. To match traffic from a particular folder or directory on a Web host:
HTTP.REQ.URL.STARTSWITH("https//www.example.com/folder")For www.example.com, substitute the name of the web host. For folder, substitute the folder or path to the content that you want to match. For example, if your shopping cart is in a folder called /solutions/orders, you substitute that string for folder.
-
Specific type of content: GIF images. To match GIF format images:
HTTP.REQ.URL.ENDSWITH(".gif")To match other format images, substitute another string in place of .gif.
-
Specific type of content: scripts. To match all CGI scripts located in the CGI-BIN directory:
HTTP.REQ.URL.STARTSWITH("https//www.example.com/CGI-BIN")To match all JavaScripts with .js extensions:
HTTP.REQ.URL.ENDSWITH(".js")For more information about creating policy expressions, see “Policies and Expressions.”
Note: If you use the command line to configure a policy, remember to escape any double quotation marks within Citrix ADC expressions. For example, the following expression is correct if entered in the GUI:
HTTP.REQ.HEADER("Host").EQ("shopping.example.com")If entered at the command line, however, you must type this instead:
HTTP.REQ.HEADER("Host").EQ("shopping.example.com") -
To add a firewall rule (expression) by using the Add Expression dialog box
The Add Expression dialog box (also referred to as the Expression Editor) helps users who are not familiar with the Citrix ADC expressions language to construct a policy that matches the traffic that they want to filter.
- If you have not already done so, navigate to the appropriate location in the Web App Firewall wizard or the Citrix ADC GUI:
- If you are configuring a policy in the Web App Firewall wizard, in the navigation pane, click Web App Firewall, then in the details pane click Web App Firewall Wizard, and then navigate to the Specify Rule screen.
- If you are configuring a policy manually, in the navigation pane, expand Web App Firewall, then Policies, and then Firewall. In the details pane, to create a new policy, click Add. To modify an existing policy, select the policy, and then click Open.
- On the Specify Rule screen, in the Create Web App Firewall Profile dialog box, or in the Configure Web App Firewall Profile dialog box, click Add.
- In the Add Expression dialog box, in the Construct Expression area, in the first list box, choose one of the following prefixes:
- HTTP. The HTTP protocol. Choose this if you want to examine some aspect of the request that pertains to the HTTP protocol. The default choice.
- SYS. The protected Web site(s). Choose this if you want to examine some aspect of the request that pertains to the recipient of the request.
- CLIENT. The computer that sent the request. Choose this if you want to examine some aspect of the sender of the request.
- SERVER. The computer to which the request was sent. Choose this if you want to examine some aspect of the recipient of the request.
- In the second list box, choose your next term. The available terms differ depending on the choice you made in the previous step, because the dialog box automatically adjusts the list to contain only those terms that are valid for the context. For example, if you selected HTTP in the previous list box, the only choice is REQ, for requests. Because the Web App Firewall treats requests and associated responses as a single unit and filters both, you do not need to specific responses separately. After you choose your second term, a third list box appears to the right of the second. The Help window displays a description of the second term, and the Preview Expression window displays your expression.
- In the third list box, choose the next term. A new list box appears to the right, and the Help window changes to display a description of the new term. The Preview Expression window updates to display the expression as you have specified it to that point.
- Continue choosing terms, and when prompted filling in arguments, until your expression is complete. If you make a mistake or want to change your expression after you have already selected a term, you can simply choose another term. The expression is modified, and any arguments or additional terms that you added after the term that you modified are cleared.
- When you have finished constructing your expression, click OK to close the Add Expression dialog box. Your expression is inserted into the Expression text area.