Unlike most wizards, the NetScaler Application Firewall Wizard is designed not just to simplify the initial configuration process, but also to modify previously created configurations and to maintain your Application Firewall setup. A typical user runs the wizard multiple times, skipping some of the screens each time.
The Application Firewall Wizard automatically creates profiles, policies, and signatures.
To run the Application Firewall Wizard, open the configuration utility and follow these steps:
For more information about the configuration utility, see "The Application Firewall Configuration Interfaces."
The Application Firewall Wizard displays the following screens on a tabular page:
1. Specify Name: on this screen, when creating a new security configuration, specify a meaningful name and the appropriate type (HTML, XML or WEB 2.0) for your profile. The default policy and signatures are auto-generated by using the same name.
The name can begin with a letter, number, or the underscore symbol, and can consist of from 1 to 31 letters, numbers, and the hyphen (-), period (.) pound (#), space ( ), at (@), equals (=), colon (:), and underscore (_) symbols. Choose a name that makes it easy for others to tell what content your new security configuration protects.
Note: Because the wizard uses this name for both the policy and the profile, it is limited to 31 characters. Manually created policies can have names up to 127 characters in length.
When modifying an existing configuration, you select Modify Existing Configuration and then, in the Name drop-down list, select the name of the existing configuration that you want to modify.
Note: Only policies that are bound to global or to a bind point appear in this list; you cannot modify an unbound policy by using the Application Firewall wizard. You must either manually bind it to Global or a bind point, or modify it manually. (For manual modification, in the configuration utility Application Firewall > Policies > Firewall pane, select the policy and click Open).
You also select a profile type on this screen. The profile type determines the types of advanced protection (security checks) that can be configured. Because certain kinds of content are not vulnerable to certain types of security threats, restricting the list of available checks saves time during configuration. The types of Application Firewall profiles are:
Note: If you are unsure which type of content is used on your website, you can choose Web 2.0 Application to ensure that you protect all types of web application content.
2. Specify Rule: on this screen, you specify the policy rule (expression) that defines the traffic to be examined by this security configuration. If you are creating an initial configuration to protect your websites and web services, you can simply accept the default value, true, which selects all web traffic .
If you want this security configuration to examine, not all HTTP traffic that is routed through the appliance, but specific traffic, you can write a policy rule specifying the traffic that you want it to examine. Rules are written in Citrix NetScaler expressions language, which is a fully functional object-oriented programming language.
Note: In addition to the default expressions syntax, for backward compatibility the NetScaler operating system supports the NetScaler classic expressions syntax on NetScaler Classic and nCore appliances and virtual appliances. Classic expressions are not supported on NetScaler Cluster appliances and virtual appliances. Current users who want to migrate their existing configurations to the NetScaler cluster must migrate any policies that contain classic expressions to the default expressions syntax.
4. Select Signatures: on this screen, you select the categories of signatures that you want to use to protect your web sites and web services.
This is not a mandatory step, and you can skip it if you want to and go to the Specify Deep Protections screen. If the Select Signatures screen is skipped, only a profile and associated policies are created, and the signatures are not created.
You can select Create New Signature or Select Existing Signature.
If you are creating a new security configuration, the signature categories that you select are enabled, and by default they are recorded in a new signatures object. The new signatures object is assigned the same name that you entered on the Specify name screen as the name of the security configuration.
If you have previously configured signatures objects and want to use one of them as the signatures object associated with the security configuration that you are creating, click Select Existing Signature and select a signatures object from the Signatures list.
If you are modifying an existing security configuration, you can click Select Existing Signature and assign a different signatures object to the security configuration.
If you click Create New Signature, you can choose the edit mode as Simple or Advanced.
5. Specify Signature Protections (Simple mode)
The simple mode allows for easy configuration of the signature, with a preset list of protection definitions for common applications such as IIS (Internet Information Server), PHP and ActiveX. The default categories in Simple mode are:
CGI. Protection against attacks on web sites that use CGI scripts in any language, including PERL scripts, Unix shell scripts, and Python scripts.
Cold Fusion. Protection against attacks on web sites that use the Adobe Systems® ColdFusion® Web development platform.
FrontPage. Protection against attacks on web sites that use the Microsoft® FrontPage® Web development platform.
PHP. Protection against attacks on web sites that use the PHP open-source Web development scripting language.
Client side. Protection against attacks on client-side tools used to access your protected web sites, such as Microsoft Internet Explorer, Mozilla Firefox, the Opera browser, and the Adobe Acrobat Reader.
Microsoft IIS. Protection against attacks on Web sites that run the Microsoft Internet Information Server (IIS).
On this screen, you select the actions associated with the signature categories that you selected on the Select Signatures screen. The actions that you can configure are:
By default the Log and Stats actions are enabled but not the Block action. To configure actions, click Settings. You can change the action settings of all the selected categories by using the Action drop-down menu.
6. Specify Signature Protections (Advanced mode)
The advanced mode allows for more granular control over the signature definitions and provides significantly more information. Use the advanced mode if you want complete control over signature definition.
The contents of this screen are the same as the contents of the Modify Signatures Object dialog box, as described in "Configuring or Modifying a Signatures Object." In this screen, you can configure actions either by clicking the Actions drop-down menu or the actions menu, which appears as a cirle with three dots.
7. Specify Deep Protections: on this screen, you choose the advanced protections (also called security checks or simply checks) that you want to use to protect your web sites and web services. Which checks are available depends on the profile type that you chose on the Specify Name screen. All checks are available for Web 2.0 Application profiles.
For more information, see Overview of Security Checks.
You configure the actions for the advanced protections that you have enabled.The actions that you can configure are:
To configure actions, select the protection by clicking the check box, and then click Action Settings to select the required actions. Select other parameters, if required, and then click OK to close the Action Settings window.
To view all logs for a specific check, select that check, and then click Logs to display the Syslog Viewer, as described in "Application Firewall Logs." If a security check is blocking legitimate access to your protected web site or web service, you can create and implement a relaxation for that security check by selecting a log that shows the unwanted blocking, and then clicking Deploy.
After you completing specifying Action Settings, click Finish to complete the wizard.
Following are four procedures that show how to perform specific types of configuration by using the Application Firewall wizard.
Follow these steps to use the Application Firewall Wizard to create a specialized security configuration to protect only specific content. In this case, you create a new security configuration instead of modifying the initial configuration. This type of security configuration requires a custom rule, so that the policy applies the configuration to only the selected Web traffic.
For a description of policies and policy rules, see "Policies."
For detailed information about signatures, see "Signatures."
For detailed information about the security checks, see "Advanced Form Protections Checks" and its subtopics.
For information about each security check to help you determine which actions to enable, see the Advanced Protections section.