NetScaler

Manual configuration By using the command line interface

You can configure Web App Firewall features from the NetScaler command interface. However, there are exceptions such as enabling signatures from the command interface. There are over 1,000 default signatures in seven categories. The task is too complex for the command line interface. You can configure the check actions and parameters for security checks from the command interface, but cannot manually add relaxations. When you configure Adaptive Learning feature and enable it from the command interface, you cannot review learned relaxations or learned rules but approve or skip them. The command interface is intended for advanced users who are familiar with NetScaler appliance and the Web App Firewall feature.

To manually configure Web App Firewall by using the NetScaler command interface, use a telnet or secure shell client.

To create a profile by using the command line interface

At the command prompt, type the following commands:

  • add appfw profile <name> [-defaults ( basic | advanced )]
  • set appfw profile <name> -type ( HTML | XML | HTML XML )
  • save ns config

Example

The following example is a profile named pr-basic, with basic defaults with a profile type HTML. This profile type is created to protect an HTML website.

add appfw profile pr-basic -defaults basic
set appfw profile pr-basic -type HTML
save ns config

To configure a profile by using the command line interface

At the command prompt, type the following commands:

  • set appfw profile <name> <arg1> [<arg2> ...] where <arg1> represents a parameter and <arg2> represents either another parameter or the value to assign to the parameter represented by <arg1>. For descriptions of the parameters to use when configuring specific security checks, see Advanced Protections and its subtopics. For descriptions of the other parameters, see “Parameters for Creating a Profile.”
  • save ns config

Example

The following example shows how to configure an HTML profile created with basic defaults to protect a simple HTML-based website. The profile turns on logging and maintenance of statistics for most security checks, but enables blocking only for those checks that have low false positive rates and requires no special configuration. It turns on transformation of unsafe HTML and unsafe SQL to prevent attacks. The profile also blocks requests to your websites. With logging and statistics enabled, you can later review the logs to determine whether to enable blocking for a specific security check.

set appfw profile -startURLAction log stats
set appfw profile -denyURLAction block log stats
set appfw profile -cookieConsistencyAction log stats
set appfw profile -crossSiteScriptingAction log stats
set appfw profile -crossSiteScriptingTransformUnsafeHTML ON
set appfw profile -fieldConsistencyAction log stats
set appfw profile -SQLInjectionAction log stats
set appfw profile -SQLInjectionTransformSpecialChars ON
set appfw profile -SQLInjectionOnlyCheckFieldsWithSQLChars ON
set appfw profile -SQLInjectionParseComments checkall
set appfw profile -fieldFormatAction log stats
set appfw profile -bufferOverflowAction block log stats
set appfw profile -CSRFtagAction log stats
save ns config

To create and configure a policy

At the command prompt, type the following commands:

  • add appfw policy <name> <rule> <profile>
  • save ns config

Example

The following example is a policy with a rule that intercepts all traffic from a client, blog.example.com, and associates a Web App Firewall policy to the profile. The policy protects the blog hosted on a specific host name.

add appfw policy pl-blog "HTTP.REQ.HOSTNAME.DOMAIN.EQ("blog.example.com")" pr-blog

To bind a Web App Firewall policy

At the command prompt, type the following commands:

  • bind appfw global <policyName> <priority>
  • save ns config

Example

The following example binds the policy named pl-blog and assigns it a priority of 10.

bind appfw global pl-blog 10
save ns config

Manual configuration By using the command line interface