Product Documentation

The Web App Firewall wizard

Unlike most wizards, the Citrix Web App Firewall Wizard is designed not just to simplify the initial configuration process, but also to modify previously created configurations and to maintain your Web App Firewall setup. A typical user runs the wizard multiple times, skipping some of the screens each time.

The Web App Firewall Wizard automatically creates profiles, policies, and signatures.

Opening the wizard

To run the Web App Firewall Wizard, open the GUI and follow these steps:

  1. Navigate to Security > Application Firewall.
  2. In the details pane, under Getting Started, click Application Firewall Wizard. The wizard opens.

For more information about the GUI, see “The Web App Firewall Configuration Interfaces.”

The Wizard screens

The Web App Firewall wizard displays the following screens:

1. Specify Name: on this screen, when creating a new security configuration, specify a meaningful name and the appropriate type (HTML, XML, or Web 2.0) for your profile. The default policy and signatures object are auto-generated with the same name.

Profile Name

The name can begin with a letter, number, or the underscore symbol, and can consist of 1 to 31 letters, numbers, and the hyphen (-), period (.), pound (#), space ( ), at (@), equals (=), colon (:), and underscore (_) symbols. Choose a name that makes it easy for others to tell what content your new security configuration protects.

Note:

Because the wizard uses this name for both the policy and the profile, it is limited to 31 characters. Manually created policies can have names up to 127 characters in length.
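The name rules above, written out as an added Python check. This is example code, not part of the Citrix documentation or product. The 31-character limit and the character set are taken from the text; the 127-character limit for manually created policies is documented only as a length, so the example assumes (and marks) that the same character set applies:

```python
import re

# Characters the Web App Firewall wizard accepts in a profile/policy/signatures
# name, as documented: the first character is a letter, digit or underscore; the
# rest may also be hyphen, period, pound, space, at, equals or colon.
_FIRST = r"[A-Za-z0-9_]"
_REST = r"[A-Za-z0-9_\-.#@=: ]"

WIZARD_MAX = 31   # one name is reused for profile, policy and signatures object
POLICY_MAX = 127  # manually created policies; assumption: same character set


def name_problem(name: str, max_len: int = WIZARD_MAX):
    """Return None if `name` is acceptable, otherwise a short reason string."""
    if not 1 <= len(name) <= max_len:
        return f"length {len(name)} not in 1..{max_len}"
    if not re.fullmatch(_FIRST, name[0]):
        return f"first character {name[0]!r} must be a letter, digit or underscore"
    bad = [c for c in name[1:] if not re.fullmatch(_REST, c)]
    if bad:
        return f"disallowed character(s): {sorted(set(bad))}"
    return None


def is_valid_wizard_name(name: str) -> bool:
    """Acceptable as the single name the wizard assigns to all three objects."""
    return name_problem(name, WIZARD_MAX) is None


def is_valid_manual_policy_name(name: str) -> bool:
    """Acceptable for a policy created by hand (longer limit, assumed charset)."""
    return name_problem(name, POLICY_MAX) is None


if __name__ == "__main__":
    for n in ["shop_html", "-leading-hyphen", "a" * 32, "order/api", "web 2.0:prod"]:
        print(f"{n!r}: {name_problem(n) or 'ok'}")
```

Running the check before scripting a batch of wizard-style configurations avoids discovering the 31-character limit only after the profile, but not the policy, has been created.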

When modifying an existing configuration, you select Modify Existing Configuration and then, in the Name drop-down list, select the name of the existing configuration that you want to modify.

Note:

Only policies that are bound globally or to a bind point appear in this list; you cannot modify an unbound policy by using the Application Firewall wizard. You must either bind it manually to Global or to a bind point, or modify it manually. (For manual modification, in the GUI, in the Application Firewall > Policies > Firewall pane, select the policy and click Open.)

Profile Type

You also select a profile type on this screen. The profile type determines the types of advanced protection (security checks) that can be configured. Because certain kinds of content are not vulnerable to certain types of security threats, restricting the list of available checks saves time during configuration. The types of Web App Firewall profiles are:

  • Web Application (HTML). Any HTML-based Web site that does not use XML or Web 2.0 technologies.
  • XML Application (XML, SOAP). Any XML-based Web service.
  • Web 2.0 Application (HTML, XML, REST). Any Web 2.0 site that combines HTML and XML-based content, such as an Atom-based site, a blog, an RSS feed, or a wiki.

Note: If you are unsure which type of content is used on your website, you can choose Web 2.0 Application to ensure that you protect all types of web application content.

2. Specify Rule: on this screen, you specify the policy rule (expression) that defines the traffic the current configuration examines. If you are creating an initial configuration to protect all of your websites and web services, you can accept the default value, true, which selects all web traffic.

If you want this security configuration to examine only specific traffic, rather than all HTTP traffic that is routed through the appliance, write a policy rule that specifies the traffic you want it to examine. Rules are written in the Citrix ADC expressions language, an object-oriented expression language.

Note: In addition to the default expressions syntax, for backward compatibility the Citrix ADC operating system supports the Citrix ADC classic expressions syntax on Citrix ADC Classic and nCore appliances and virtual appliances. Classic expressions are not supported on Citrix ADC Cluster appliances and virtual appliances. Current users who want to migrate their existing configurations to the Citrix ADC cluster must migrate any policies that contain classic expressions to the default expressions syntax.

  • For a simple description of using the Citrix ADC expressions syntax to create Web App Firewall rules, and a list of useful rules, see “Firewall Policies.”
  • For a detailed explanation of how to create policy rules in Citrix ADC expressions syntax, see “Policies and Expressions.”

3. Select Signatures: on this screen, you select the categories of signatures that you want to use to protect your web sites and web services.

This step is not mandatory; you can skip it and go directly to the Specify Deep Protections screen. If you skip the Select Signatures screen, only a profile and the associated policy are created; no signatures object is created.

You can select Create New Signature or Select Existing Signature.

If you are creating a new security configuration, the signature categories that you select are enabled and, by default, recorded in a new signatures object. The new signatures object is given the same name that you entered on the Specify Name screen for the security configuration.

If you have previously configured signatures objects and want to use one of them as the signatures object associated with the security configuration that you are creating, click Select Existing Signature and select a signatures object from the Signatures list.

If you are modifying an existing security configuration, you can click Select Existing Signature and assign a different signatures object to the security configuration.

If you click Create New Signature, you can choose the edit mode as Simple or Advanced.

4a. Specify Signature Protections (Simple mode)

Simple mode allows for easy configuration of the signatures object, with a preset list of protection definitions for common platforms such as Microsoft IIS (Internet Information Services), PHP, and ActiveX. The default categories in Simple mode are:

  • CGI. Protection against attacks on web sites that use CGI scripts in any language, including Perl scripts, Unix shell scripts, and Python scripts.

  • Cold Fusion. Protection against attacks on web sites that use the Adobe Systems® ColdFusion® Web development platform.

  • FrontPage. Protection against attacks on web sites that use the Microsoft® FrontPage® Web development platform.

  • PHP. Protection against attacks on web sites that use the PHP open-source Web development scripting language.

  • Client side. Protection against attacks on client-side tools used to access your protected web sites, such as Microsoft Internet Explorer, Mozilla Firefox, the Opera browser, and the Adobe Acrobat Reader.

  • Microsoft IIS. Protection against attacks on web sites that run Microsoft Internet Information Services (IIS).

  • Miscellaneous. Protection against attacks on other server-side tools, such as Web servers and database servers.

On this screen, you select the actions associated with the signature categories that you selected on the Select Signatures screen. The actions that you can configure are:

  • Block
  • Log
  • Stats

By default, the Log and Stats actions are enabled and the Block action is not. A configuration created with the wizard defaults therefore only records and counts matching requests; nothing is blocked until you enable Block for a category. To configure actions, click Settings. You can change the action settings of all the selected categories by using the Action drop-down menu.

4b. Specify Signature Protections (Advanced mode)

Advanced mode gives more granular control over the signature definitions and provides significantly more information. Use Advanced mode if you want complete control over the signature definitions.

The contents of this screen are the same as the contents of the Modify Signatures Object dialog box, as described in “Configuring or Modifying a Signatures Object.” On this screen, you can configure actions either by clicking the Actions drop-down menu or by clicking the actions menu, which appears as a circle with three dots.

5. Specify Deep Protections: on this screen, you choose the advanced protections (also called security checks or simply checks) that you want to use to protect your web sites and web services. Which checks are available depends on the profile type that you chose on the Specify Name screen. All checks are available for Web 2.0 Application profiles.

For more information, see Overview of Security Checks and see “Advanced Form Protections Checks.”

You then configure the actions for the advanced protections that you have enabled. The actions that you can configure are:

  • Block: blocks connections that violate the check. Disabled by default.
  • Log: logs connections that violate the check for later analysis. Enabled by default.
  • Stats: maintains statistics, for each check, that show how many connections it matched and provide certain other information about the types of connections that were blocked. Disabled by default.
  • Learn: observes traffic to this website or web service, and uses connections that repeatedly violate this check to generate recommended exceptions (relaxations) to the check, or new rules for the check. Available only for some checks. For more information about the learning feature, see “Configuring and Using the Learning Feature.” For how learning works and how to configure relaxations or deploy learned rules for a check, see “Manual Configuration By Using the GUI.”

To configure actions, select the protection by clicking the check box, and then click Action Settings to select the required actions. Select other parameters, if required, and then click OK to close the Action Settings window.

To view all logs for a specific check, select that check, and then click Logs to display the Syslog Viewer, as described in “Web App Firewall Logs.” If a security check is blocking legitimate access to your protected web site or web service, you can create and deploy a relaxation for that security check by selecting a log entry that shows the unwanted blocking, and then clicking Deploy.

After you finish specifying Action Settings, click Finish to complete the wizard.

Following are four procedures that show how to perform specific types of configuration by using the Web App Firewall wizard.

Create a new configuration

Follow these steps to create a new firewall configuration and signatures object by using the Application Firewall wizard.

  1. Navigate to Security > Application Firewall.

  2. In the details pane, under Getting Started, click Application Firewall Wizard. The wizard opens.

  3. On the Specify Name screen, select Create New Configuration.

  4. In the Name field, type a name, and then click Next.

  5. In the Specify Rule screen, click Next again.

  6. In the Select Signatures screen, select Create New Signature and Simple as the edit mode, and then click Next.

  7. In the Specify Signature Protections screen, configure the required settings. For more information about which signatures to consider for blocking and how to determine when you can safely enable blocking for a signature, see Signatures.

  8. In the Specify Deep Protections screen configure the required actions and parameters in Action Settings.

  9. When you are done, click Finish to close the Application Firewall wizard.

Modify an existing configuration

Follow these steps to modify an existing configuration and existing signature categories.

  1. Navigate to Security > Application Firewall.
  2. In the details pane, under Getting Started, click Application Firewall Wizard. The wizard opens.
  3. On the Specify Name screen, select Modify Existing Configuration and, in the Name drop-down list, choose the security configuration that you created during new configuration, and then click Next.
  4. In the Specify Rule screen, click Next to keep the default value “true.” If you want to modify the rule, follow the steps described in “Configure a custom policy expression.”
  5. In the Select Signatures screen, click Select Existing Signature. From the Existing Signature drop-down menu, select the appropriate option, and then click Next. The advanced signature protection screen appears.
    Note: If you select an existing signatures object, the default edit mode for signature protections is Advanced.
  6. In the Specify Signature Protections screen, configure the required settings and click Next. For more information about which signatures to consider for blocking and how to determine when you can safely enable blocking for a signature, see “Signatures.”
  7. In the Specify Deep Protections screen, configure the settings and click Next.
  8. When you are done, click Finish to close the Web App Firewall Wizard.

Create a new configuration without signatures

Follow these steps to use the Application Firewall Wizard to skip the Select Signatures screen and create a new configuration that has just the profile and the associated policy, without any signatures.

  1. Navigate to Security > Application Firewall.
  2. In the details pane, under Getting Started, click Application Firewall Wizard. The wizard opens.
  3. On the Specify Name screen, select Create New Configuration.
  4. In the Name field, type a name, and then click Next.
  5. In the Specify Rule screen, click Next again.
  6. In the Select Signatures screen, click Skip.
  7. In the Specify Deep Protections screen configure the required actions and parameters in Action Settings.
  8. When you are done, click Finish to close the Application Firewall Wizard.

Configure a custom policy expression

Follow these steps to use the Application Firewall Wizard to create a specialized security configuration to protect only specific content. In this case, you create a new security configuration instead of modifying the initial configuration. This type of security configuration requires a custom rule, so that the policy applies the configuration to only the selected Web traffic.

  1. Navigate to Security > Application Firewall.
  2. In the details pane, under Getting Started, click Application Firewall Wizard.
  3. On the Specify Name screen, type a name for your new security configuration in the Name text box, select the type of security configuration from the Type drop-down list, and then click Next.
  4. On the Specify Rule screen, enter a rule that matches only the content that you want this security configuration to protect. Use the Frequently Used Expressions drop-down list and the Expression Editor to create a custom expression. When you are done, click Next.
  5. In the Select Signatures screen, select the edit mode, and then click Next.
  6. In the Specify Signature Protections screen, configure the required settings.
  7. In the Specify Deep Protections screen configure the required actions and parameters in Action Settings.
  8. When you are done, click Finish to close the Application Firewall Wizard.
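The custom rules entered on the Specify Rule screen, both in the screen description earlier and in the procedure above, decide which requests a profile ever sees. The following Python is an added example, not Citrix code and not the appliance's expression engine: a toy evaluator for a handful of default-syntax forms (true, HTTP.REQ.HOSTNAME.EQ, HTTP.REQ.URL.STARTSWITH, HTTP.REQ.URL.CONTAINS, HTTP.REQ.HEADER(...).EQ/CONTAINS, joined by && or ||), run over constructed sample requests to show which requests a rule selects and, the point a practitioner cares about, which requests no policy examines at all. The request dicts, SAMPLE_REQUESTS, and the functions matches, selected and uninspected are this example's own. Comparisons are case-sensitive and operators are applied left to right, which simplifies the appliance's real semantics.

```python
import re

# Constructed sample requests: host, URL (path) and headers. Not captured traffic.
SAMPLE_REQUESTS = [
    {"host": "www.example.com", "url": "/index.html", "headers": {"Content-Type": "text/html"}},
    {"host": "www.example.com", "url": "/api/orders", "headers": {"Content-Type": "application/json"}},
    {"host": "ws.example.com", "url": "/soap/Order", "headers": {"Content-Type": "text/xml"}},
    {"host": "intranet.example.com", "url": "/admin", "headers": {}},
]

# Predicate shapes this toy understands (a small subset of the default syntax).
_PRED = re.compile(
    r'HTTP\.REQ\.(HOSTNAME|URL)\.(EQ|STARTSWITH|CONTAINS)\("([^"]*)"\)'
    r'|HTTP\.REQ\.HEADER\("([^"]+)"\)\.(EQ|CONTAINS)\("([^"]*)"\)'
)
# Split on && or || only when an even number of quotes follows, i.e. outside strings.
_SPLIT = re.compile(r'\s*(&&|\|\|)\s*(?=(?:[^"]*"[^"]*")*[^"]*$)')


def _header(req, name):
    """Header lookup, case-insensitive on the name; a missing header reads as ''."""
    return next((v for k, v in req["headers"].items() if k.lower() == name.lower()), "")


def _eval_predicate(pred, req):
    m = _PRED.fullmatch(pred.strip())
    if not m:
        raise ValueError(f"unsupported predicate in this toy evaluator: {pred!r}")
    if m.group(1):  # HOSTNAME or URL subject
        subject = req["host"] if m.group(1) == "HOSTNAME" else req["url"]
        op, arg = m.group(2), m.group(3)
    else:           # HEADER("name") subject
        subject, op, arg = _header(req, m.group(4)), m.group(5), m.group(6)
    if op == "EQ":
        return subject == arg
    if op == "STARTSWITH":
        return subject.startswith(arg)
    return arg in subject  # CONTAINS


def matches(rule, req):
    """True if the policy rule selects this request; 'true' selects everything."""
    rule = rule.strip()
    if rule == "true":
        return True
    parts = _SPLIT.split(rule)  # [pred, op, pred, op, pred, ...]
    result = _eval_predicate(parts[0], req)
    for op, pred in zip(parts[1::2], parts[2::2]):
        rhs = _eval_predicate(pred, req)
        result = (result and rhs) if op == "&&" else (result or rhs)
    return result


def selected(rule, requests):
    """host+path of every request the rule would hand to its profile."""
    return [r["host"] + r["url"] for r in requests if matches(rule, r)]


def uninspected(rules, requests):
    """Requests that no rule in the list selects: traffic no profile examines."""
    return [r["host"] + r["url"] for r in requests if not any(matches(x, r) for x in rules)]


if __name__ == "__main__":
    html_rule = 'HTTP.REQ.HOSTNAME.EQ("www.example.com")'
    xml_rule = 'HTTP.REQ.HOSTNAME.EQ("ws.example.com") && HTTP.REQ.HEADER("Content-Type").CONTAINS("xml")'
    print("default rule selects: ", selected("true", SAMPLE_REQUESTS))
    print("HTML profile selects: ", selected(html_rule, SAMPLE_REQUESTS))
    print("XML profile selects:  ", selected(xml_rule, SAMPLE_REQUESTS))
    print("examined by no policy:", uninspected([html_rule, xml_rule], SAMPLE_REQUESTS))
```

With the two narrow rules above, the intranet host is matched by neither policy and so passes without any Web App Firewall inspection. When you replace the default rule of true with per-site rules, keep a catch-all configuration, or confirm with a listing like the last line that every host you intend to protect is selected by at least one policy.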