Configure security service domains for WAF service

Domains are a way to segment network traffic for different applications. You can use traffic domains to create multiple isolated environments within a Citrix ADC appliance network. An application belonging to a specific traffic domain communicates with entities and processes traffic within that domain. The traffic belonging to one traffic domain cannot cross the boundary of another traffic domain.

Use the following steps to add security service domains by using specific application firewall functionality.

  1. On the Citrix Web App Security Service Domains page, click Action to select Application Firewall features.

Citrix Web App Firewall security domain page

The stand-alone objects to be created to construct a domain, application and profile are:

  • SSL Cert Key: Created with SSL certificate and key in addition to the pass phrase. This object is required to create a domain.
  • Profile: This object is required to create a domain. An application is equivalent to a policy that is bound to a domain. Each domain contains a list of applications, each with an assigned priority. In addition, an application includes a flag for turning on the IP Reputation feature.
  • HTML Error Page and Signatures: These objects are optional when creating a profile.

These objects can be reused and shared between domains and applications and are available under the Action menu.

Citrix Web App Firewall action menu

  1. Click Add. The Add Web App Security Service Domain page is displayed. Type the Name, Description, and Domain. Upload the SSL Certificate and SSL key files, for example, waf.cert and waf.key. Enter an SSL Pass Phrase and then click Create. The domain is added to the list of domains. If you want to add multiple domains, click Add, and specify the same SSL CertKey.

SSL pass phrase

Upload SSL certificate

  1. To upload an SSL certificate and key, you can click the “+” sign in the SSL Cert Keys Name field. The Add SSL Cert Keys page is displayed.

Note:

The Web Application Firewall service currently supports certificates in PEM format, and the SSL passphrase is not mandatory.
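A pre-upload check for the note above, as an added example that is not part of the Citrix documentation: it confirms that the certificate and key files are PEM and reports whether the key is encrypted and therefore needs the pass phrase. The function names and sample data are hypothetical; the check covers PEM framing only and does not prove that the key matches the certificate.

```python
import base64
import re

# One PEM block: BEGIN line, optional RFC 1421 headers, base64 body, END line.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)

def inspect_pem(data):
    """Return (label, encrypted) for every PEM block found in data."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return []  # binary input, most likely DER rather than PEM
    found = []
    for label, body in PEM_BLOCK.findall(text):
        # PKCS#8 marks encryption in the label, legacy OpenSSL keys in a header.
        encrypted = label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body
        found.append((label, encrypted))
    return found

def preflight(cert, key, passphrase=None):
    """List findings to fix before upload; an empty list means ready."""
    findings = []
    cert_blocks = inspect_pem(cert)
    keys = [b for b in inspect_pem(key) if b[0].endswith("PRIVATE KEY")]
    if not any(label == "CERTIFICATE" for label, _ in cert_blocks):
        findings.append("certificate file has no PEM CERTIFICATE block")
    if any(label.endswith("PRIVATE KEY") for label, _ in cert_blocks):
        findings.append("certificate file also contains a private key")
    if not keys:
        findings.append("key file has no PEM PRIVATE KEY block")
    elif keys[0][1] and not passphrase:
        findings.append("key is encrypted: a pass phrase is needed")
    return findings

def sample_pem(label, headers=""):
    """Constructed sample: PEM framing around dummy bytes, not a real key or cert."""
    body = base64.encodebytes(b"constructed sample, not key material").decode()
    return f"-----BEGIN {label}-----\n{headers}{body}-----END {label}-----\n".encode()

CERT = sample_pem("CERTIFICATE")
PLAIN_KEY = sample_pem("PRIVATE KEY")
PKCS8_ENC_KEY = sample_pem("ENCRYPTED PRIVATE KEY")
LEGACY_ENC_KEY = sample_pem("RSA PRIVATE KEY", "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\n")

if __name__ == "__main__":
    for name, key, phrase in [("plain", PLAIN_KEY, None), ("pkcs8", PKCS8_ENC_KEY, None),
                              ("legacy", LEGACY_ENC_KEY, "example")]:
        print(name, preflight(CERT, key, phrase) or "ready")
```

For real files, pass the bytes read from waf.cert and waf.key to `preflight`.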

Add the SSL keys

  1. After a certificate is uploaded, select the SSL Cert Key.

SSL key added

  1. Create a Domain. Type Name, Domain name, and description for the domain. Click Create.

Add Web App Firewall service domain

A confirmation page is displayed.

Domain name confirmation

Domain name creation confirmation status

  1. Select the newly created domain and click Edit to edit it. If you hover over the row of a domain, a circle icon with three dots appears in the left-most column, where you can directly select an action.

Edit domain name

Edit domain name details

Note:

You must allow traffic to the back-end server only from the NetScaler IP address and block traffic from all other IP addresses.
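One way to verify that this restriction holds, as an added example that is not part of the Citrix documentation: audit the back-end server's access log for requests whose source is not the NetScaler IP address, since each one reached the application without passing through the WAF. The function name, log format, and addresses are assumptions; the sample log is constructed.

```python
import ipaddress
import re
from collections import Counter

# Assumption: the back-end server logs in Common/Combined Log Format, where the
# first field is the TCP peer address. Do not use X-Forwarded-For here: a client
# that connects directly can set that header to any value.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+)')

def audit_origin_log(lines, netscaler_sources):
    """Return (offenders, unparsed): requests per non-NetScaler source, bad lines."""
    allowed = [ipaddress.ip_network(s) for s in netscaler_sources]
    offenders, unparsed = Counter(), 0
    for line in lines:
        m = LOG_LINE.match(line)
        try:
            src = ipaddress.ip_address(m.group(1)) if m else None
        except ValueError:
            src = None
        if src is None:
            unparsed += 1  # count, never skip silently: a gap could hide a bypass
        elif not any(src in net for net in allowed):
            offenders[str(src)] += 1
    return dict(offenders), unparsed

# Constructed sample log; 192.0.2.10 stands in for the NetScaler IP address.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Mar/2024:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '198.51.100.23 - - [10/Mar/2024:10:00:07 +0000] "GET /login HTTP/1.1" 200 734',
    '192.0.2.10 - - [10/Mar/2024:10:00:09 +0000] "POST /login HTTP/1.1" 302 0',
    '198.51.100.23 - - [10/Mar/2024:10:00:12 +0000] "POST /login HTTP/1.1" 200 734',
    '203.0.113.5 - - [10/Mar/2024:10:01:30 +0000] "GET /admin HTTP/1.1" 403 199',
    'truncated line without a request',
]

if __name__ == "__main__":
    offenders, unparsed = audit_origin_log(SAMPLE_LOG, ["192.0.2.10"])
    for ip, count in sorted(offenders.items()):
        print(f"direct hit bypassing the WAF: {ip} ({count} requests)")
    print(f"unparsed lines: {unparsed}")
```

An empty offenders result over a representative log window is the expected state once the back-end firewall rule is in place.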

Manage Citrix Web App Firewall Service Domain Application

Configure security service application

  1. Click Add to add an application. Add the profile name, description, and URL for the application. Click Create and Close.

  2. After you have finished editing the domain information, click OK. A confirmation page displaying the edited information for the domain is displayed. Click Close.

  3. You can also choose the newly added domain and click Manage Applications. Ensure that you change the CNAME provided by the WAF service for the newly created domain. The change is made to the DNS record address for the CNAME. The IP address of the back-end server is populated as shown below. Click Close. You can copy “CNAME to clipboard” to set up DNS.

Add Citrix Web App Firewall service domain

  1. Select a profile name. You must add a profile name by adding it from the Applications page as shown below.

Web App Firewall application profiles page

Add Web App Firewall application profile

You can also perform more actions using the Action tab on the Manage application service page.

Manage application profile

  1. To edit a profile, select it and click Edit.

Edit Citrix Web App Security Service application

Manage Citrix Web App Security Service applications

  1. Choose an application, and click Manage Security Profile.

Manage Web App Security Service applications

Application Security service profile:

Application Security service profile

  1. On the Security Checks page, create security profiles. This page displays the standard Application Firewall GUI options for you to add security profiles. Add Application Name, URL, and Priority.
  2. Choose the security profile which you want to edit.
  3. Edit the allowed list URLs and click OK.

Security check actions views: URL allowed list Settings and URL blocked list Settings.

Select “Block” and “Log” settings for allowed list and blocked list URL settings.

Security check

Buffer overflow settings:

Buffer overflow settings

Content-type Settings: Use the check box to deselect “Block” and “Log” settings.

HTML cross-site scripting settings:

HTML cross-site scripting settings

HTML SQL injection settings:

HTML SQL injection settings

Click Save & Close to save your changes to the security checks.

Profile settings page:

Web App Firewall Profile settings

Profile Signatures:

Web App Firewall profile signatures

Relaxation rules: All relaxation rules are enabled by default when you add them. To delete a relaxation rule, disable it first and then remove it.

Web App Firewall relaxation rules

URL allowed list relaxation rules:

URL allowed list relaxation rules

Add relaxation rules

URL blocked list relaxation rules:

URL blocked list

Add a URL block list

Content-type relaxation rules:

Content-type relaxation rules

Add a Content-type relaxation rule

HTML cross-site scripting relaxation rules:

HTML cross-site scripting relaxation rules

Add HTML cross-site scripting relaxation rules

HTML SQL injection relaxation rules:

HTML SQL injection relaxation rules

Add an HTML SQL injection relaxation rule
