Manual configuration by using the GUI

If you need to configure the Web App Firewall feature manually, Citrix recommends that you use the GUI. For a description of the GUI, see “The Web App Firewall User Interfaces.”

To create and configure a signatures object

Before you can configure the signatures, you must create a new signatures object from the appropriate default signatures object template. Assign the copy a new name, and then configure the copy. You cannot configure or modify the default signatures objects directly. The following procedure provides basic instructions for configuring a signatures object. For more detailed instructions, see “Manually Configuring the Signatures Feature.”

  1. Navigate to Security > application firewall > Signatures.

  2. In the details pane, select the signatures object that you want to use as a template, and then click Add.

    Your choices are:

    • *Default Signatures. Contains the signatures rules, the SQL injection rules, and the cross-site scripting rules.
    • *XPath Injection. Contains all of the items in the *Default Signatures, and in addition, contains the XPath injection rules.
  3. In the Add Signatures Object dialog box, type a name for your new signatures object, click OK, and then click Close. The name can begin with a letter, number, or the underscore symbol, and can consist of from one to 31 letters, numbers, and the hyphen (-), period (.), pound (#), space ( ), at (@), equals (=), and underscore (_) symbols.

  4. Select the signatures object that you created, and then click Open.

  5. In the Modify Signatures Object dialog box, set the Display Filter Criteria options at the left to display the filter items that you want to configure.

    As you modify these options, the results that you specify are displayed in the Filtered Results window at the right. For more information about the categories of signatures, see “Signatures.”

  6. In the Filtered Results area, configure the settings for a signature by selecting and clearing the appropriate checkboxes.

  7. When finished, click Close.

To create a Web App Firewall profile by using the GUI

Creating a Web App Firewall profile requires that you specify only a few configuration details.

  1. Navigate to Security > application firewall > Profiles.

  2. In the details pane, click Add.

  3. In the Create Web App Firewall Profile dialog box, type a name for your profile.

    The name can begin with a letter, number, or the underscore symbol, and can consist of from one to 31 letters, numbers, and the hyphen (-), period (.), pound (#), space ( ), at (@), equals (=), colon (:), and underscore (_) symbols.

  4. Choose the profile type from the drop-down list.

  5. Click Create, and then click Close.

To configure a Web App Firewall profile by using the GUI

  1. Navigate to Security > application firewall > Profiles.
  2. In the details pane, select the profile that you want to configure, and then click Edit.
  3. In the Configure Web App Firewall Profile dialog box, on the Security Checks tab, configure the security checks.
    • To enable or disable an action for a check, in the list, select or clear the checkbox for that action.

    • To configure other parameters for those checks that have them, in the list, click the blue chevron to the far right of that check. In the dialog box that appears, configure the parameters. These vary from check to check.

      You can also select a check and, at the bottom of the dialog box, click Open to display the Configure Relaxation dialog box or Configure Rule dialog box for that check. These dialog boxes also vary from check to check. Most of them include a Checks tab and a General tab. If the check supports relaxations or user-defined rules, the Checks tab includes an Add button, which opens yet another dialog box, in which you can specify a relaxation or rule for the check. (A relaxation is a rule for exempting specified traffic from the check.) If relaxations have already been configured, you can select one and click Open to modify it.

    • To review learned exceptions or rules for a check, select the check, and then click Learned Violations. In the Manage Learned Rules dialog box, select each learned exception or rule in turn.

      • To edit the exception or rule, and then add it to the list, click Edit & Deploy.
      • To accept the exception or rule without modification, click Deploy.
      • To remove the exception or rule from the list, click Skip.
    • To refresh the list of exceptions or rules to be reviewed, click Refresh.

    • To open the Learning Visualizer and use it to review learned rules, click Visualizer.

    • To review the log entries for connections that matched a check, select the check, and then click Logs. You can use this information to determine which checks are matching attacks so that you can enable blocking for those checks. You can also use this information to determine which checks are matching legitimate traffic, so that you can configure an appropriate exemption to allow those legitimate connections. For more information about the logs, see “Logs, Statistics, and Reports.”

    • To completely disable a check, in the list, clear all of the checkboxes to the right of that check.

  4. On the Settings tab, configure the profile settings.
    • To associate the profile with the set of signatures that you previously created and configured, under Common Settings, choose that set of signatures in the Signatures drop-down list.

      Note:

      You may need to use the scroll bar on the right of the dialog box to scroll down to display the Common Settings section.

    • To configure an HTML or XML Error Object, select the object from the appropriate drop-down list.

      Note:

      You must first upload the error object that you want to use in the Import pane.

    • To configure the default XML Content Type, type the content type string directly into the Default Request and Default Response text boxes, or click Manage Allowed Content Types to manage the list of allowed content types.
  5. If you want to use the learning feature, click Learning, and configure the learning settings for the profile. For more information, see “To configure the Learning feature by using the GUI.”

  6. Click OK to save your changes and return to the Profiles pane.

Configuring a Web App Firewall rule or relaxation

You configure two different types of information in this dialog box, depending upon which security check you are configuring. In the majority of cases, you configure an exception (or relaxation) to the security check. If you are configuring the Deny URL check or the Field Formats check, you configure an addition (or rule). The process for either of these is the same.

To configure a relaxation or rule by using the GUI

  1. Navigate to Security > application firewall > Profiles.

  2. In the Profiles pane, select the profile you want to configure, and then click Edit.

  3. In the Configure Web App Firewall Profile dialog box, click the Security Checks tab. The Security Checks tab contains the complete list of Web App Firewall security checks, also called advanced protections in some places.

  4. In the Security Checks tab, click the check that you want to configure, and then click Open. The Modify Check dialog box for the check that you chose is displayed, with the Checks tab selected. The Checks tab contains a list of existing relaxations or rules for this check. The list might be empty if you have not either manually added any relaxations or approved any relaxations that were recommended by the learning engine. Beneath the list is a row of buttons that allow you to add, modify, delete, enable, or disable the relaxations on the list.

  5. To add or modify a relaxation or a rule, do one of the following:

    • To add a new relaxation, click Add.
    • To modify an existing relaxation, select the relaxation that you want to modify, and then click Open.

    The Add Check Relaxation or Modify Check Relaxation dialog box for the selected check is displayed. Except for the title, these dialog boxes are identical.

  6. Fill in the dialog box as described below. The dialog boxes for each check are different; the list below covers all elements that might appear in any dialog box.

    • Enabled check box—Select to place this relaxation or rule in active use; clear to deactivate it.

    • Attachment Content Type—The Content-Type attribute of an XML attachment. In the text area, enter a regular expression that matches the Content-Type attribute of the XML attachments to allow.

    • Action URL—In the text area, enter a PCRE-format regular expression that defines the URL to which data entered into the web form is delivered.

    • Cookie—In the text area, enter a PCRE-format regular expression that defines the cookie.

    • Field Name—A web form field name element may be labeled Field Name, Form Field, or another similar name. In the text area, enter a PCRE-format regular expression that defines the name of the form field.

    • Form Origin URL—In the text area, enter a PCRE-format regular expression that defines the URL that hosts the web form.

    • Form Action URL—In the text area, enter a PCRE-format regular expression that defines the URL to which data entered into the web form is delivered.

    • Name—An XML element or attribute name. In the text area, enter a PCRE-format regular expression that defines the name of the element or attribute.

    • URL—A URL element may be labeled Action URL, Deny URL, Form Action URL, Form Origin URL, Start URL, or simply URL. In the text area, enter a PCRE-format regular expression that defines the URL.

    • Format—The format section contains multiple settings that include list boxes and text boxes. Any of the following can appear:

      • Type—Select a field type in the Type drop-down list. To add a new field type definition, click Manage.
      • Minimum Length—Type a positive integer that represents the minimum length in characters if you want to force users to fill in this field. Default: 0 (Allows field to be left blank.)
      • Maximum length—To limit the length of data in this field, type a positive integer that represents the maximum length in characters. Default: 65535
    • Location—Choose the element of the request that your relaxation will apply to from the drop-down list. For HTML security checks, the choices are:

      • FORMFIELD—Form fields in web forms.
      • HEADER—Request headers.
      • COOKIE—Set-Cookie headers.

      For XML security checks, the choices are:

      • ELEMENT—XML element.
      • ATTRIBUTE—XML attribute.
    • Maximum Attachment Size—The maximum size in bytes allowed for an XML attachment.

    • Comments—In the text area, type a comment. Optional.

    Note: For any element that requires a regular expression, you can type the regular expression, use the Regex Tokens menu to insert regular expression elements and symbols directly into the text box, or click Regex Editor to open the Add Regular Expression dialog box, and use it to construct the expression.

  7. To remove a relaxation or rule, select it, and then click Remove.

  8. To enable a relaxation or rule, select it, and then click Enable.

  9. To disable a relaxation or rule, select it, and then click Disable.

  10. To configure the settings and relationships of all existing relaxations in an integrated interactive graphic display, click Visualizer, and use the display tools.

    Note:

    The Visualizer button does not appear on all check relaxation dialog boxes.

  11. To review learned rules for this check, click Learning and perform the steps in “To configure the Learning feature by using the GUI.”

  12. Click OK.

To configure the Learning feature by using the GUI

  1. Navigate to Security > application firewall > Profiles.
  2. In the Profiles pane, select the profile, and then click Edit.
  3. Click the Learning tab. At the top of the Learning tab is a list of the security checks that are available in the current profile and that support the learning feature.

  4. To configure the learning thresholds, select a security check, and then type the appropriate values in the following text boxes:

    • Minimum number threshold. Depending on which security check’s learning settings you are configuring, the minimum number threshold might refer to the minimum number of total user sessions that must be observed, the minimum number of requests that must be observed, or the minimum number of times a specific form field must be observed, before a learned relaxation is generated. Default: 1

    • Percentage of times threshold. Depending on which security check’s learning settings you are configuring, the percentage of times threshold might refer to the percentage of total observed user sessions that violated the security check, the percentage of requests, or the percentage of times a form field matched a particular field type, before a learned relaxation is generated. Default: 0

  5. To remove all learned data and reset the learning feature, so that it must start its observations again from the beginning, click Remove All Learned Data.

    Note:

    This button removes only learned recommendations that have not been reviewed and either approved or skipped. It does not remove learned relaxations that have been accepted and deployed.

  6. To restrict the learning engine to traffic from a specific set of IPs, click Trusted Learning Clients, and add the IP addresses that you want to use to the list.
    1. To add an IP address or IP address range to the Trusted Learning Clients list, click Add.
    2. In the Add Trusted Learning Clients dialog box, Trusted Clients IP list box, type the IP address or an IP address range in CIDR format.
    3. In the Comments text area, type a comment that describes this IP address or range.
    4. Click Create to add your new IP address or range to the list.
    5. To modify an existing IP address or range, click the IP address or range, and then click Open. Except for the name, the dialog box that appears is identical to the Add Trusted Learning Clients dialog box.
    6. To disable or enable an IP address or range, but leave it on the list, click the IP address or range, and then click Disable or Enable, as appropriate.
    7. To remove an IP address or range completely, click the IP address or range, and then click Remove.
  7. Click Close to return to the Configure application firewall Profile dialog box.
  8. Click Close to close the Configure application firewall Profile dialog box, and return to the application firewall Profile screen.

To create and configure a policy by using the GUI

  1. Navigate to Security > application firewall > Policies.

  2. In the details pane, do one of the following:

    • To create a new firewall policy, click Add.
    • To edit an existing firewall policy, select the policy, and then click Edit.

    The Create Web App Firewall Policy or Configure Web App Firewall Policy dialog box is displayed.

  3. If you are creating a new firewall policy, in the Create Web App Firewall Policy dialog box, Policy Name text box, type a name for your new policy.

    The name can begin with a letter, number, or the underscore symbol, and can consist of from one to 128 letters, numbers, and the hyphen (-), period (.), pound (#), space ( ), at (@), equals (=), colon (:), and underscore (_) symbols.

    If you are configuring an existing firewall policy, this field is read-only. You cannot modify it.

  4. Select the profile that you want to associate with this policy from the Profile drop-down list. You can create a new profile to associate with your policy by clicking New, and you can modify an existing profile by clicking Modify.

  5. In the Expression text area, create a rule for your policy.

    • You can type a rule directly into the text area.
    • You can click Prefix to select the first term for your rule, and follow the prompts. See “To create or configure a Web App Firewall rule (expression)” for a complete description of this process.
    • You can click Add to open the Add Expression dialog box, and use it to construct the rule. See “The Add Expression Dialog Box” for a complete description of this process.
  6. Click Create or OK, and then click Close.

To create or configure a Web App Firewall rule (expression)

The policy rule, also called the expression, defines the web traffic that the Web App Firewall filters by using the profile associated with the policy. Like other Citrix ADC policy rules (or expressions), Web App Firewall rules use Citrix ADC expressions syntax. This syntax is powerful, flexible, and extensible. It is too complex to describe completely in this set of instructions. You can use the following procedure to create a simple firewall policy rule, or you can read it as an overview of the policy creation process.

  1. If you have not already done so, navigate to the appropriate location in the Web App Firewall wizard or the Citrix ADC GUI to create your policy rule:

    • If you are configuring a policy in the Web App Firewall wizard, in the navigation pane, click application firewall, then in the details pane click application firewall Wizard, and then navigate to the Specify Rule screen.
    • If you are configuring a policy manually, in the navigation pane, expand application firewall, Policies, and then Firewall. In the details pane, to create a new policy, click Add. To modify an existing policy, select the policy, and then click Open.
  2. On the Specify Rule screen, the Create application firewall Profile dialog box, or the Configure Application Firewall Profile dialog box, click Prefix, and then choose the prefix for your expression from the drop-down list. Your choices are:

    • HTTP. The HTTP protocol. Choose this if you want to examine some aspect of the request that pertains to the HTTP protocol.
    • SYS. The protected Web site(s). Choose this if you want to examine some aspect of the request that pertains to the recipient of the request.
    • CLIENT. The computer that sent the request. Choose this if you want to examine some aspect of the sender of the request.
    • SERVER. The computer to which the request was sent. Choose this if you want to examine some aspect of the recipient of the request.

    After you choose a prefix, the Web App Firewall displays a two-part prompt window that displays the possible next choices at the top, and a brief explanation of what the selected choice means at the bottom.

  3. Choose your next term.

    If you chose HTTP as your prefix, your only choice is REQ, which specifies the Request/Response pair. (The Web App Firewall operates on the request and response as a unit instead of on each separately.) If you chose another prefix, your choices are more varied. For help on a specific choice, click that choice once to display information about it in the lower prompt window.

    When you have decided which term you want, double-click it to insert it into the Expression window.

  4. Type a period after the term you just chose. You are then prompted to choose your next term, as described in the previous step. When a term requires that you type a value, fill in the appropriate value. For example, if you choose HTTP.REQ.HEADER(""), type the header name between the quotation marks.

  5. Continue choosing terms from the prompts and filling in any values that are needed, until your expression is finished.

    Following are some examples of expressions for specific purposes.

    • Specific web host. To match traffic from a particular web host:
        HTTP.REQ.HEADER("Host").EQ("shopping.example.com")
      For shopping.example.com, substitute the name of the web host that you want to match.

    • Specific web folder or directory. To match traffic from a particular folder or directory on a Web host:
        HTTP.REQ.URL.STARTSWITH("https://www.example.com/folder")
      For www.example.com, substitute the name of the web host. For folder, substitute the folder or path to the content that you want to match. For example, if your shopping cart is in a folder called /solutions/orders, you substitute that string for folder.

    • Specific type of content: GIF images. To match GIF format images:
        HTTP.REQ.URL.ENDSWITH(".gif")
      To match other format images, substitute another string in place of .gif.

    • Specific type of content: scripts. To match all CGI scripts located in the CGI-BIN directory:
        HTTP.REQ.URL.STARTSWITH("https://www.example.com/CGI-BIN")
      To match all JavaScripts with .js extensions:
        HTTP.REQ.URL.ENDSWITH(".js")

    For more information about creating policy expressions, see “Policies and Expressions” (http://docs.citrix.com/en-us/netscaler/12-1/appexpert/policies-and-expressions.html).

    Note: If you use the command line to configure a policy, remember to escape any double quotation marks within Citrix ADC expressions. For example, the following expression is correct if entered in the GUI:
        HTTP.REQ.HEADER("Host").EQ("shopping.example.com")
    If entered at the command line, however, you must type this instead:
        HTTP.REQ.HEADER(\"Host\").EQ(\"shopping.example.com\")
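The expression examples above and the command-line quoting note, worked through as an added example that is not part of the Citrix documentation: a small Python evaluator for the HTTP.REQ.HEADER(...) and HTTP.REQ.URL forms shown on this page, run against a constructed request, plus the escape/unescape pair the note describes. It assumes HTTP.REQ.URL is given the request path (so the folder match is written as a path prefix) and models only the EQ, STARTSWITH and ENDSWITH operators.

```python
import re

# Assumption (added example, not Citrix code): only the terms this page shows
# are modelled, and HTTP.REQ.URL is fed the request path, so the folder
# example is written in path form here.
_TERM = re.compile(r'^([A-Z]+)(?:\("([^"]*)"\))?$')

# Constructed sample request, not captured traffic.
SAMPLE_REQUEST = {
    "url": "/solutions/orders/cart.js",
    "headers": {"host": "shopping.example.com", "User-Agent": "constructed"},
}


def split_terms(expr):
    """Split on the dots between terms, ignoring dots inside "..." literals."""
    terms, buf, in_str = [], "", False
    for ch in expr:
        if ch == '"':
            in_str = not in_str
        elif ch == "." and not in_str:
            terms.append(buf)
            buf = ""
            continue
        buf += ch
    if in_str:
        raise ValueError("unterminated string literal in expression")
    terms.append(buf)
    return terms


def parse(expr):
    """Return [(TERM, argument-or-None), ...] for an expression string."""
    steps = []
    for term in split_terms(expr.strip()):
        m = _TERM.match(term)
        if not m:
            raise ValueError(f"malformed term: {term!r}")
        steps.append((m.group(1), m.group(2)))
    return steps


def evaluate(expr, request):
    """Evaluate HTTP.REQ.<HEADER(name)|URL>.<EQ|STARTSWITH|ENDSWITH>("...")."""
    steps = parse(expr)
    if len(steps) != 4 or steps[:2] != [("HTTP", None), ("REQ", None)]:
        raise ValueError('expected HTTP.REQ.<term>.<operator>("...")')
    (term, arg), (op, operand) = steps[2], steps[3]
    if term == "HEADER" and arg is not None:
        # Header names are case-insensitive; a missing header compares as "".
        headers = {k.lower(): v for k, v in request["headers"].items()}
        subject = headers.get(arg.lower(), "")
    elif term == "URL" and arg is None:
        subject = request["url"]
    else:
        raise ValueError(f"unsupported term: {term}")
    ops = {"EQ": str.__eq__, "STARTSWITH": str.startswith,
           "ENDSWITH": str.endswith}
    if op not in ops or operand is None:
        raise ValueError(f"unsupported operator: {op}")
    return ops[op](subject, operand)


def to_cli_form(expr):
    """Escape the double quotes, as the note above requires on the command line."""
    return expr.replace('"', '\\"')


def from_cli_form(cli_expr):
    """Undo that escaping: the CLI hands the engine the plain-quoted expression."""
    return cli_expr.replace('\\"', '"')


if __name__ == "__main__":
    for e in ('HTTP.REQ.HEADER("Host").EQ("shopping.example.com")',
              'HTTP.REQ.URL.STARTSWITH("/solutions/orders")',
              'HTTP.REQ.URL.ENDSWITH(".gif")'):
        print(f"{evaluate(e, SAMPLE_REQUEST)!s:5}  {e}")
        print(f"       CLI form: {to_cli_form(e)}")
```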

To add a firewall rule (expression) by using the Add Expression dialog box

The Add Expression dialog box (also referred to as the Expression Editor) helps users who are not familiar with the Citrix ADC expressions language to construct a policy that matches the traffic that they want to filter.

  1. If you have not already done so, navigate to the appropriate location in the Web App Firewall wizard or the Citrix ADC GUI:
    • If you are configuring a policy in the Web App Firewall wizard, in the navigation pane, click Web App Firewall, then in the details pane click Web App Firewall Wizard, and then navigate to the Specify Rule screen.
    • If you are configuring a policy manually, in the navigation pane, expand Web App Firewall, then Policies, and then Firewall. In the details pane, to create a new policy, click Add. To modify an existing policy, select the policy, and then click Open.
  2. On the Specify Rule screen, in the Create Web App Firewall Profile dialog box, or in the Configure Web App Firewall Profile dialog box, click Add.
  3. In the Add Expression dialog box, in the Construct Expression area, in the first list box, choose one of the following prefixes:
    • HTTP. The HTTP protocol. Choose this if you want to examine some aspect of the request that pertains to the HTTP protocol. The default choice.
    • SYS. The protected Web site(s). Choose this if you want to examine some aspect of the request that pertains to the recipient of the request.
    • CLIENT. The computer that sent the request. Choose this if you want to examine some aspect of the sender of the request.
    • SERVER. The computer to which the request was sent. Choose this if you want to examine some aspect of the recipient of the request.
  4. In the second list box, choose your next term. The available terms differ depending on the choice you made in the previous step, because the dialog box automatically adjusts the list to contain only those terms that are valid for the context. For example, if you selected HTTP in the previous list box, the only choice is REQ, for requests. Because the Web App Firewall treats requests and associated responses as a single unit and filters both, you do not need to specific responses separately. After you choose your second term, a third list box appears to the right of the second. The Help window displays a description of the second term, and the Preview Expression window displays your expression.
  5. In the third list box, choose the next term. A new list box appears to the right, and the Help window changes to display a description of the new term. The Preview Expression window updates to display the expression as you have specified it to that point.
  6. Continue choosing terms, and when prompted filling in arguments, until your expression is complete. If you make a mistake or want to change your expression after you have already selected a term, you can simply choose another term. The expression is modified, and any arguments or additional terms that you added after the term that you modified are cleared.
  7. When you have finished constructing your expression, click OK to close the Add Expression dialog box. Your expression is inserted into the Expression text area.

To bind a Web App Firewall policy by using the GUI

  1. Do one of the following:
    • Navigate to Security > Web App Firewall, and in the details pane, click application firewall policy manager.
    • Navigate to Security > application firewall > Policies > Firewall Policies, and in the details pane, click Policy Manager.
  2. In the Application Firewall Manager dialog, choose the bind point to which you want to bind the policy from the drop-down list. The choices are:
    • Override Global. Policies that are bound to this bind point process all traffic from all interfaces on the Citrix ADC appliance, and are applied before any other policies.
    • LB Virtual Server. Policies that are bound to a load balancing virtual server are applied only to traffic that is processed by that load balancing virtual server, and are applied before any Default Global policies. After selecting LB Virtual Server, you must also select the specific load balancing virtual server to which you want to bind this policy.
    • CS Virtual Server. Policies that are bound to a content switching virtual server are applied only to traffic that is processed by that content switching virtual server, and are applied before any Default Global policies. After selecting CS Virtual Server, you must also select the specific content switching virtual server to which you want to bind this policy.
    • Default Global. Policies that are bound to this bind point process all traffic from all interfaces on the Citrix ADC appliance.
    • Policy Label. Policies that are bound to a policy label process traffic that the policy label routes to them. The policy label controls the order in which policies are applied to this traffic.
    • None. Do not bind the policy to any bind point.
  3. Click Continue. A list of existing Web App Firewall policies appears.
  4. Select the policy you want to bind by clicking it.
  5. Make any additional adjustments to the binding.
    • To modify the policy priority, click the field to enable it, and then type a new priority. You can also select Regenerate Priorities to renumber the priorities evenly.
    • To modify the policy expression, double-click that field to open the Configure Web App Firewall Policy dialog box, where you can edit the policy expression.
    • To set the Goto Expression, double-click the field in the Goto Expression column to display the drop-down list, where you can choose an expression.
    • To set the Invoke option, double-click the field in the Invoke column to display the drop-down list, where you can choose an expression.
  6. Repeat steps 3 through 6 to add any additional Web App Firewall policies you want to globally bind.
  7. Click OK. A message appears in the status bar, stating that the policy has been successfully bound.