Web App Firewall

Statistics and reports

The information maintained in the logs and statistics, and displayed in the reports, provides important guidance for configuring and maintaining the Web App Firewall.

The Web App Firewall statistics

When you enable the statistics action for Web App Firewall signatures or security checks, the Web App Firewall maintains information about connections that match that signature or security check. You can view the accumulated statistics information on the Monitoring tab by selecting one of the following choices in the Select Group list box:

  • Web App Firewall. A summary of all statistics information gathered by your Web App Firewall appliance for all profiles.
  • Web App Firewall (per profile). The same information, but displayed per-profile rather than summarized.

You can use this information to monitor how your Web App Firewall is operating and determine whether there is any abnormal activity or abnormal amounts of hits on a signature or security check. If you see such a pattern of abnormal activity, you can check the logs for that signature or security check to diagnose and take corrective action.

Relaxation hit statistical counter

Based on the relaxation that is applied on the violated traffic, you can also display statistical details such as number of times a violation is occurring on the appliance, number of relaxation rules applied at the time of violation, and its last applied timestamp. By performing this, the centralized learning engine can automatically deletes unused or redundant relaxation bindings. For more information, see WAF Learn Engine topic.

The relaxation hit statistical counter is available only for the following security checks.

• Starturl • Denyurl • Cross-site scripting • SQL Injection

To display statistics for relaxation rule hit counters by using the CLI

At the command prompt, type:

stat appfw profile p1

Example:

stat appfw profile p1 –fullvalues

Starturl Rules Statistics

Rule hits Rate last hit time
87a4…51177 0 0 Thu … 1970
5b83…dc12a 0 0 Thu … 1970
12345 0 0 Thu … 1970

To display statistics for relaxation rule hit counters by using the GUI

Complete the following steps to view the relaxation rule hit counter statistics:

  1. Navigate to Security > Citrix Web App Firewall > Profiles.
  2. In the details pane, select a Web App Firewall profile and click Statistics.
  3. The Citrix Web App Firewall Statistics page displays the statistics details.
  4. You can select Tabular View or switch to Graphical View to display the data in a tabular or graphical format.

The Web App Firewall Reports

The Web App Firewall reports provide information about your Web App Firewall configuration and how it is handling traffic for your protected websites.

The PCI DSS report

The Payment Card Industry (PCI) Data Security Standard (DSS), version 1.2, consists of 12 security criteria that most credit card companies require businesses who accept online payments via credit and debit cards to meet. These criteria are designed to prevent identity theft, hacking, and other types of fraud. If an internet service provider does not meet the PCI DSS criteria, that ISP or merchant might lose authorization to accept credit card payments through the website.

ISPs and online merchants prove that they are in compliance with PCI DSS by having an audit conducted by a PCI DSS Qualified Security Assessor (QSA) Company. The PCI DSS report is designed to assist them both before and during the audit. Before the audit, it shows which Web App Firewall settings are relevant to PCI DSS, how they must be configured, and (most important) whether your current Web App Firewall configuration meets the standard. During the audit, the report can be used to demonstrate compliance with relevant PCI DSS criteria.

The PCI DSS report consists of a list of those criteria that are relevant to your Web App Firewall configuration. Under each criterion, it lists your current configuration options, indicates whether your current configuration complies with the PCI DSS criterion, and explains how to configure the Web App Firewall so that your protected websites are in compliance with the criterion.

The PCI DSS report is located under System > Reports. To generate the report as an Adobe PDF file, click Generate PCI DSS Report. Depending on your browser settings, the report is displayed in the pop-up window or you are prompted to save it to your hard disk.

Note:

To view this and other reports, you must have the Adobe Reader program installed on your computer.

The PCI DSS report consists of the following sections:

  • Description. A description of the PCI DSS Compliance Summary report.

  • Firewall License and Feature Status. Tells you whether the Web App Firewall is licensed and enabled on your Citrix ADC appliance.

  • Executive Summary. A table that lists the PCI DSS criteria and tells you which of those criteria are relevant to the Web App Firewall.

  • Detailed PCI DSS Criteria Information. For each PCI DSS criterion that is relevant to your Web App Firewall configuration, the PCI DSS report provides a section that contains information about whether your configuration is in compliance and, if it is not, how to bring it into compliance.

  • Configuration. Data for individual profiles, which you access either by clicking Web App Firewall Configuration at the top of the report, or directly from the Reports pane. The Web App Firewall Configuration report is the same as the PCI DSS report, with the PCI DSS-specific summary omitted.

The Web App Firewall configuration report

The Web App Firewall Configuration report is located under System > Reports. To display it, click Generate Web App Firewall Configuration Report. Depending on your browser settings, the report is displayed in the pop-up window or you are prompted to save it to your hard disk.

The Web App Firewall Configuration report starts with a Summary page, which consists of the following sections:

  • Web App Firewall Policies. A table that lists your current Web App Firewall policies, showing the policy name, the content of the policy, the action (or profile) it is associated with, and global binding information.
  • Web App Firewall Profiles. A table that lists your current Web App Firewall profiles and indicates which policy each profile is associated with. If a profile is not associated with a policy, the table displays INACTIVE in that location.

To download all report pages for all policies, at the top of the Profiles Summary page click Download All Profiles. You display the report page for each individual profile by selecting that profile in the table at the bottom of the screen. The Profile page for an individual profile shows whether each check action is enabled or disabled for each check, and the other configuration settings for the check.

To download a PDF file containing the PCI DSS report page for the current profile, click Download Current Profile at the top of the page. To return to the Profiles Summary page, click Web App Firewall Profiles. To go back to the main page, click Home. You can refresh the PCI DSS report at any time by clicking Refresh in the upper right corner of the browser.

Statistics and reports