Configure security service domains for WAF service
Domains are a way to segment network traffic for different applications. You can use traffic domains to create multiple isolated environments within a Citrix ADC appliance network. An application belonging to a specific traffic domain communicates with entities and processes traffic within that domain. The traffic belonging to one traffic domain cannot cross the boundary of another traffic domain.
Use the following steps to add security service domains by using specific application firewall functionality.
- On the Citrix Web App Security Service Domains page, click Action to select Application Firewall features.
The stand-alone objects to be created to construct a domain, application and profile are:
- SSL Cert Key: Created with SSL certificate and key in addition to the pass phrase. This object is required to create a domain.
- Profile: This object is required to create a domain. An application is equivalent to a policy that is bound to a domain. Each domain contains a list of applications, with a priority assigned to each one of them. In addition, an application includes a flag for turning on the IP Reputation feature.
- HTML Error Page and Signatures: These objects are optional when creating a profile.
These objects can be reused and shared between domains and applications and are available under the Action menu.
- Click Add. The Add Web App Security Service Domain page is displayed. Type the Name, Description, and Domain. Upload the SSL certificate and SSL key files, for example, waf.cert and waf.key. Enter an SSL Pass Phrase and then click Create. The domain is added to the list of domains. If you want to add multiple domains, click Add again and specify the same SSL CertKey.
Upload SSL certificate
- To upload an SSL certificate and key, you can click the “+” sign in the SSL Cert Keys Name field. The Add SSL Cert Keys page is displayed.
The Web Application Firewall service currently supports certificates in PEM format, and the SSL passphrase is not mandatory.
- After a certificate is uploaded, select the SSL Cert Key.
- Create a domain. Type a name, domain name, and description for the domain. Click Create.
A confirmation page is displayed.
- Select the newly created domain and click Edit to edit it. If you hover over the row of a domain, an icon showing a circle with three dots appears in the left-most column, where you can directly select an action to click.
You must allow traffic only from the NetScaler IP address to the back-end server and block traffic from all other IP addresses.
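One way to verify that this restriction is actually in effect is to inspect the back-end server's own access log for requests that did not arrive from the WAF service. The following is an added example, not code from the original page or from Citrix; the NetScaler IP addresses, log lines and function names are constructed placeholders.

```python
"""Report requests in a back-end web server's access log whose client IP is
not one of the NetScaler IP addresses, i.e. traffic that bypassed the WAF.
Constructed example; WAF_SOURCES below are placeholders, not real addresses."""
import ipaddress
import re
from typing import Iterable, List, Tuple

# Placeholder: replace with the NetScaler IP address(es) assigned to your WAF service.
WAF_SOURCES = ["203.0.113.10", "203.0.113.0/28"]

# Combined log format prefix: client IP, identd, user, [timestamp], "request line".
_LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')


def build_allowlist(sources: Iterable[str]) -> List[ipaddress._BaseNetwork]:
    """Parse single IPs and CIDR ranges into network objects (strict=False so
    a host address such as 203.0.113.10 becomes a /32)."""
    return [ipaddress.ip_network(s, strict=False) for s in sources]


def is_from_waf(client_ip: str, allowlist) -> bool:
    """True only if the client IP falls inside one of the allowed networks."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False  # an unparsable source is never trusted
    return any(addr in net for net in allowlist)


def find_bypass_requests(log_lines: Iterable[str], allowlist) -> List[Tuple[str, str]]:
    """Return (client IP, request line) for every request that reached the
    origin without passing through the WAF; malformed lines are skipped."""
    hits = []
    for line in log_lines:
        m = _LOG_RE.match(line)
        if m and not is_from_waf(m["ip"], allowlist):
            hits.append((m["ip"], m["req"]))
    return hits


SAMPLE_LOG = [  # constructed sample lines in combined log format
    '203.0.113.10 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.12 - - [10/Oct/2023:13:55:37 +0000] "POST /login HTTP/1.1" 302 0',
    '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /admin HTTP/1.1" 200 1024',
    'not a log line',
]

if __name__ == "__main__":
    for ip, req in find_bypass_requests(SAMPLE_LOG, build_allowlist(WAF_SOURCES)):
        print(f"bypassed WAF: {ip} {req}")
```

Any hit means the back-end firewall rule is missing or too broad and should be tightened to the NetScaler IP address only.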
Configure security service application
Click Add to add an application. Add a profile name, description, and URL for the application. Click Create and Close.
After you have finished editing the domain information, click OK. A confirmation page displaying the edited information for the domain is displayed. Click Close.
You can also choose the newly added domain and click Manage Applications. Ensure that you update the DNS record for the newly created domain to the CNAME provided by the WAF service. The IP address of the back-end server is populated as shown below. Click Close. You can use "Copy CNAME to clipboard" to set up DNS.
- Select a profile name. You must first add a profile name from the Applications page, as shown below.
You can also perform more actions using the Action tab on the Manage application service page.
- To edit a profile, select it and click Edit.
Manage Citrix Web App Security Service applications
- Choose an application, and click Manage Security Profile.
Application Security service profile:
- On the Security Checks page, create security profiles. This page displays the standard Application Firewall GUI options for adding security profiles. Add the Application Name, URL, and Priority.
- Choose the security profile which you want to edit.
- Edit the allowed list URLs and click OK.
Security check actions views: URL allowed list Settings and URL blocked list Settings.
Select “Block” and “Log” settings for allowed list and blocked list URL settings.
Buffer overflow settings:
Content-type Settings: Use the check box to deselect “Block” and “Log” settings.
HTML cross-site scripting settings:
HTML SQL injection settings:
Save & Close your changes for Security checks.
Profile settings page:
Relaxation rules: All relaxation rules are enabled by default when you add them. To delete a relaxation rule, disable it first and then remove it.
URL allowed list relaxation rules:
URL blocked list relaxation rules:
Content-type relaxation rules:
HTML cross-site scripting relaxation rules:
HTML SQL injection relaxation rules: