Citrix ADC

Configuring Web App Firewall profiles

To configure a user-defined Web App Firewall profile, first configure the security checks, which are called deep protections or advanced protections in the Web App Firewall wizard. Certain checks require configuration if you are to use them at all. Others have default configurations that are safe but limited in scope; your websites might need or benefit from a different configuration that takes advantage of more features of certain security checks.

After you have configured the security checks, you can also configure some other settings that control the behavior, not of a single security check, but the Web App Firewall feature. The default configuration is sufficient to protect most websites, but you must review them to make sure that they are right for your protected websites.

Note:

The profile name length and all import object name length can be set up to 127 characters.

For more information about the Web App Firewall security checks, see Advanced Protections.

To configure an Web App Firewall profile by using the command line

At the command prompt, type the following commands:

  • set appfw profile <name> <arg1> [<arg2> ...]

    where:

    • <arg1> = a parameter and any associated options.
    • <arg2> = a second parameter and any associated options.
    • … = additional parameters and options.

    For descriptions of the parameters to use when configuring specific security checks, see Advanced Protections.

  • save ns config

Example

The following example shows how to enable blocking for the HTML SQL Injection and HTML Cross-Site Scripting checks in a profile named pr-basic. This command enables blocking for those actions while making no other changes to the profile.

set appfw profile pr-basic -crossSiteScriptingAction block -SQLInjectionAction block
<!--NeedCopy-->

Bind relaxation rule to a Web App Firewall profile

When Web App Firewall detects a violation, the user has the ability to bypass the action applied through relaxation rules. Relaxation rule is an exception applied to the detected security violation. For example, the Start URL relaxation rules protect against forceful browsing. Known web server vulnerabilities that are exploited by hackers can be detected and blocked by enabling a set of default Deny URL rules. Commonly launched attacks, such as Buffer Overflow, SQL, or Cross-site scripting can also be easily detected.

To bind security exemption or relaxation rules by using the CLI

At the command prompt, type:

bind appfw profile <name> ((-startURL <expression> [-resourceId  <string>]) | -denyURL <expression> | (-fieldConsistency <string>   <formActionURL> [-isRegex ( REGEX | NOTREGEX )]) | (-cookieConsistency <string> [-isRegex ( REGEX | NOTREGEX )]) | (-SQLInjection <string> <formActionURL> [-isRegex ( REGEX | NOTREGEX )] [-location <location>] [-valueType <valueType> <valueExpression>....
<!--NeedCopy-->

To bind security exemption or relaxation rules by using the GUI

  1. Navigate to Security > Citrix Web App Firewall > Profiles.
  2. In the details pane, select a profile and click Edit.
  3. In the Citrix Web App Firewall Profile page, click Relaxation Rules from the Advanced Setting section.
  4. In the Relaxation Rules section, click StartURL and click Edit.
  5. In the Start URL Relaxation Rules page, click Add.
  6. In the Start URL Relaxation Rule page, set the following parameters:

    1. Enabled. Select the checkbox to enable the relaxation rule
    2. Start URL. Enter the regular expression value
    3. Comments. Provide a short description about the relaxation rule.
  7. Click Create and Close.

Bind relaxation rule

To configure an Web App Firewall profile by using the GUI

  1. Navigate to Security > Citrix Web App Firewall > Profiles.
  2. In the details pane, select the profile that you want to configure, and then click Edit.
  3. In the Configure Web App Firewall Profile dialog box, on the Security Checks tab, configure the security checks.

    • To enable or disable an action for a check, in the list, select or clear the check box for that action.

    • To configure parameters for the security checks in the list, select the checkbox and click Active Settings.

    • To review log entries for the selected security check, select the checkbox and click Logs. You can use this information to determine the security checks that match attacks, so that you can block the traffic for the security checks. You can also use the information to determine the checks that match legitimate traffic, so that you can configure an appropriate exemption to allow those legitimate connections. For more information about the logs, see Logs, Statistics, and Reports.

    • To completely disable a check, in the list, clear all of the check boxes to the right of that check.

  4. On the Settings tab, configure the profile settings.
    • To associate the profile with the set of signatures that you previously created and configured, under Common Settings, choose that set of signatures in the Signatures drop-down list.

      Note:

      You may must use the scroll bar on the right of the dialog box to scroll down to display the Common Settings section.

    • To configure an HTML or XML Error Object, select the object from the appropriate drop-down list.

      Note:

      You must first upload the error object that you want to use in the Imports pane. For more information about importing error objects, see Imports.

    • To configure the default XML Content Type, type the content type string directly into the Default Request and Default Response text boxes, or click Manage Allowed Content Types to manage the list of allowed content types. »More….
  5. If you want to use the learning feature, click Learning, and configure the learning settings for the profile, as described in Configuring and Using the Learning Feature.
  6. Click OK to save your changes and return to the Profiles pane.
Configuring Web App Firewall profiles