Application Delivery Management

Web application firewall StyleBook

Citrix Web App Firewall is a web application firewall (WAF) that protects web applications and sites from both known and unknown attacks, including all application-layer and zero-day threats.

Citrix ADM now provides a default StyleBook that makes it easier to create an application firewall configuration on Citrix ADC instances.

Deploying application firewall configurations

The following procedure deploys a load balancing configuration together with the application firewall and IP reputation policy on Citrix ADC instances in your business network.

To create an LB configuration with application firewall settings:

  1. In Citrix ADM, navigate to Applications > Configurations > StyleBooks. The StyleBooks page displays all the StyleBooks available for your use in Citrix ADM. Scroll down and find the HTTP/SSL Load Balancing StyleBook with application firewall policy and IP reputation policy. You can also search for the StyleBook by typing its name, lb-appfw. Click Create Configuration.

    The StyleBook opens as a user interface page on which you can enter the values for all the parameters defined in this StyleBook.

  2. Enter values for the following parameters:

    • Load Balanced Application Name. Name of the load balanced configuration with application firewall to deploy in your network.

    • Load balanced App Virtual IP address. Virtual IP address at which the Citrix ADC instance receives client requests.

    • Load Balanced App Virtual Port. TCP port that users use to access the load balanced application.

    • Load Balanced App Protocol. Select the front-end protocol from the list.

    • Application Server Protocol. Select the protocol of the application server.

    Create load balancing configuration with app firewall settings

  3. As an option, you can enable and configure the Advanced Load Balancer Settings.

    Specify advanced load balancer settings

  4. Optionally, you can also set up an authentication server for authenticating traffic for the load balancing virtual server.

    Optional, advanced load balancer virtual server

  5. Click “+” in the server IPs and Ports section to add application servers and the ports on which they can be accessed.

    Specify IPs and ports details

  6. You can also create FQDN names for application servers.

    Create FQDN names for application servers

  7. You can also specify the details of the SSL certificate.

    Specify SSL certificate details to an application server

  8. You can also create monitors in the target Citrix ADC instance.

    Create monitors in the target instance

  9. To configure an application firewall on the virtual server, enable WAF Settings.

    To apply the application firewall settings to all traffic on that VIP, ensure that the application firewall policy rule is true. Otherwise, specify a Citrix ADC policy rule that selects the subset of requests to which the application firewall settings apply. Next, select the type of profile to apply: HTML or XML.

    Enable WAF settings

  10. Optionally, you can configure detailed application firewall profile settings by selecting the application firewall Profile Settings check box.

  11. Optionally, if you want to configure application firewall signatures, enter the name of the signature object that is created on the Citrix ADC instance where the virtual server is to be deployed.

    Note

    You cannot create a signature object by using this StyleBook.

  12. Next, you can also configure other application firewall profile settings, such as StartURL settings, DenyURL settings, and others.

    Enable AppFw profile settings

    For more information on application firewall and configuration settings, see Application Firewall.

  13. In the Target Instances section, select the Citrix ADC instance on which to deploy the load balancing virtual server with the application firewall.

    Note

    You can also click the refresh icon to add recently discovered Citrix ADC instances in Citrix ADM to the available list of instances in this window.

  14. You can also enable the IP Reputation check to identify IP addresses that are sending unwanted requests. You can use the IP reputation list to preemptively reject requests that come from IP addresses with a bad reputation.

  15. Click Create to create the configuration on the selected Citrix ADC instances.

    Tip

    Citrix recommends that you select Dry Run to check the configuration objects that must be created on the target instance before you run the actual configuration on the instance.

    When the configuration is successfully created, the StyleBook creates the required load balancing virtual server, application server, services, service groups, application firewall labels, and application firewall policies, and binds them to the load balancing virtual server.

    The following figure shows the objects created in each server:

    Object created on ADC instances by WAF

  16. To see the ConfigPack created on Citrix ADM, navigate to Applications > Configurations.

    WAF configuration pack
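
The policy rule chosen in step 9 decides how much of the traffic on a VIP the application firewall inspects. The following added example (not part of the Citrix documentation, and not the StyleBook's own output) reads configuration lines in Citrix ADC running-config syntax and reports, for each load balancing virtual server, whether a bound application firewall policy covers all requests, only a subset, or none. The sample configuration and every object name in it are constructed, and the check assumes policies are bound directly to the virtual server; it does not follow policy labels or global bindings.

```python
import shlex

# Constructed sample in Citrix ADC running-config syntax; all object names are made up.
SAMPLE_CONFIG = r'''
add lb vserver shop-lb HTTP 203.0.113.10 80
add lb vserver api-lb SSL 203.0.113.11 443
add lb vserver legacy-lb HTTP 203.0.113.12 80
add appfw profile shop-prof -defaults advanced -type HTML
add appfw profile api-prof -defaults advanced -type XML
add appfw policy shop-pol true shop-prof
add appfw policy api-pol "HTTP.REQ.URL.STARTSWITH(\"/v1/\")" api-prof
add responder policy rep-pol CLIENT.IP.SRC.IPREP_IS_MALICIOUS DROP
bind lb vserver shop-lb -policyName shop-pol -priority 100 -gotoPriorityExpression END -type REQUEST
bind lb vserver api-lb -policyName api-pol -priority 100 -gotoPriorityExpression END -type REQUEST
bind lb vserver legacy-lb -policyName rep-pol -priority 100 -gotoPriorityExpression END -type REQUEST
'''


def waf_coverage(config_text):
    """Return {lb vserver: 'all' | 'subset' | 'none'} for appfw policy coverage."""
    rules = {}     # appfw policy name -> rule expression
    coverage = {}  # lb vserver name -> coverage level
    bindings = []  # (vserver, policy name), resolved after all lines are read
    for line in config_text.splitlines():
        tok = shlex.split(line)  # honours the quoting used for rule expressions
        if tok[:3] == ["add", "lb", "vserver"] and len(tok) > 3:
            coverage[tok[3]] = "none"
        elif tok[:3] == ["add", "appfw", "policy"] and len(tok) > 4:
            rules[tok[3]] = tok[4]
        elif tok[:3] == ["bind", "lb", "vserver"] and "-policyName" in tok[4:-1]:
            bindings.append((tok[3], tok[tok.index("-policyName") + 1]))
    for vserver, policy in bindings:
        rule = rules.get(policy)  # None for responder and other non-WAF policies
        if rule is None or vserver not in coverage:
            continue
        if rule.strip().lower() == "true":
            coverage[vserver] = "all"      # every request on the VIP is inspected
        elif coverage[vserver] == "none":
            coverage[vserver] = "subset"   # only requests matching the rule are inspected
    return coverage


if __name__ == "__main__":
    for name, level in sorted(waf_coverage(SAMPLE_CONFIG).items()):
        print(f"{name}: WAF coverage = {level}")
```

A result of subset or none on an internet-facing VIP is worth reviewing before the configuration is deployed, for example against the object list that Dry Run produces.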
