Product Documentation

Application Firewall

Mar 28, 2012
The following topics cover installation and configuration of the Citrix Application Firewall feature.
Introduction An overview of web application security and how the application firewall works.
Configuration How to configure the application firewall to protect a web site, a web service, or a Web 2.0 site.
Signatures A detailed description of the signatures feature and how to configure the signatures, add signatures from a supported vulnerability scanning tool, and define your own signatures, with examples.
Overview of Security Checks A detailed description of all of the application firewall security checks, with configuration information and examples.
Profiles A description of how profiles are configured and used in the application firewall.
Policies A description of how policies are used when configuring the application firewall, with examples of useful policies.
Imports A description of how the application firewall uses different types of imported files, and how to import and export files.
Global Configuration A description of application firewall features that apply to all profiles, and how to configure them.
Use Cases Extended examples that demonstrate how to set up the application firewall to best protect specific types of more complex web sites and web services.
Logs, Statistics, and Reports How to access and use the application firewall logs, the statistics, and the reports to assist in configuring the application firewall.

The Citrix application firewall offers easy to configure options to meet a wide range of application security requirements. Application firewall profiles, which consist of sets of security checks, can be used to protect both the requests and the responses by providing deep packet-level inspections. Each profile includes an option to select basic protections or advanced protections. Some protections might require use of other files. For example, xml validation checks might require WSDL or schema files. The profiles can also use other files, such as signatures or error objects. These files can be added locally, or they can be imported ahead of time and saved on the appliance for future use. They can be shared by multiple profiles.

Profiles work in conjunction with the application firewall policies. Each policy identifies a type of traffic, and that traffic is inspected for the security check violations specified in the profile that is associated with the policy. The policies can have different bind points, which determine the scope of the policy. For example, a policy that is bound to a specific virtual server is invoked and evaluated for only the traffic flowing through that virtual server. The policies are evaluated in the order of their designated priorities, and the first one that matches the request or response is applied.

Quick Deployment of Application Firewall Protection
You can use the following procedure for quick deployment of application firewall security:
  1. Add an appfw profile and select the appropriate type (html, xml, web2.0) for the security requirements of the application.
  2. Select the required level of security (basic or advanced).
  3. Add or import the required files, such as signatures or WSDL.
  4. Configure the profile to use the files, and make any other necessary changes to the default settings.
  5. Add an appfw policy for this profile.
  6. Bind the policy to the target bind point and specify the priority.
Application firewall entities

Following are brief overviews of the application firewall entities. For details, see the Application Firewall Guide.

Profile—An application firewall profile specifies what to look for and what to do. It inspects both the request and the response to determine which potential security violations should be checked and what actions should be taken when processing a transaction. A profile can protect an HTML, XML or HTML and XML payload. Depending on the security requirements of the application, you can create either a basic or an advanced profile. A basic profile can protect against known attacks. If higher security is required, you can deploy an advanced profile to allow controlled access to the application resources, blocking zero day attacks. However, a basic profile can be modified to offer advanced protections, and vice versa. Multiple action choices (for example, block, log, learn, and transform) are available. Advanced security checks might use session cookies and hidden form tags for controlling and monitoring the client connections. Application firewall profiles can learn the triggered violations and suggest the relaxation rules.

Basic Protections—A basic profile includes a preconfigured set of Start URL and Deny URL relaxation rules. These relaxation rules determine which requests should be allowed and which should be denied. Incoming requests are matched against these lists and the configured actions are applied. This allows the user to be able to secure applications with minimal configuration for relaxation rules. The Start URL rules protect against forceful browsing. Known web server vulnerabilities that are exploited by hackers can be detected and blocked by enabling a set of default Deny URL rules. Commonly launched attacks, such as Buffer Overflow, SQL, or Cross-site scripting can also be easily detected.

Advanced Protections—As the name indicates, advanced protections are used for applications that have higher security requirements. Relaxation rules are configured to allow access to only specific data and block the rest. This positive security model mitigates unknown attacks, which might not be detected by basic security checks. In addition to all the basic protections, an advanced profile keeps track of a user session by controlling the browsing, checking for cookies, specifying input requirements for various form fields, and protecting against tampering of forms or cross-site request forgery attacks. Learning, which observes the traffic and deploys the appropriate relaxations, is enabled by default for many security checks. Although easy to use, advanced protections require due consideration, because they offer tighter security but also require more processing and do not allow use of caching, which can affect performance.

Import—Import functionality is useful when application firewall profiles need to use external files, that is, files hosted on an external or internal web server, or that have to be copied from a local machine. Importing a file and storing it on the appliance is very useful, especially in situations where you have to control access to external websites, or where compilation takes a long time, large files have to be synced across HA deployments, or you can reuse a file by copying it across multiple devices. For example:
  • WSDLs hosted on external web servers can be imported locally before blocking access to external websites.
  • Large signature files generated by an external scan tool such as Cenzic can be imported and precompiled, using schema on the Citrix appliance.
  • A customized HTML or XML error page can be imported from an external web server or copied from a local file.

Signatures—Signatures are very powerful, because they use pattern matching to detect malicious attacks and can be configured to check both the request and the response of a transaction. They are a preferred option when a customizable security solution is needed. Multiple choices (for example, block, log, learn, and transform) are available for the action to take when a signature match is detected. The application firewall has a built-in default signature object consisting of more than 1,300 signature rules, with an option to get the latest rules by using the auto-update feature. Rules created by other scan tools can also be imported. The signature object can be customized by adding new rules, which can work in conjunction with the other security checks specified in the application firewall profile. A signature rule can have multiple patterns and can flag a violation only when all the patterns are matched, thereby avoiding false positives. Careful selection of a literal fastmatch pattern for a rule can significantly optimize processing time.

Policies—Application Firewall Policies are used to filter and separate the traffic into different types. This provides the flexibility to implement different levels of security protections for the application data. Access to highly sensitive data can be directed to advanced security-check inspections, while less sensitive data is protected by basic-level security inspections. Policies can also be configured to bypass security-check inspection for harmless traffic. Higher security requires more processing, so careful design of the policies can provide desired security along with optimized performance. The priority of the policy determines the order in which it is evaluated, and its bind point determines the scope of its application.


  1. Ability to secure a wide range of applications by protecting different types of data, implementing the right level of security for different resources, and still getting maximum performance.
  2. Flexibility to add or modify a security configuration. You can tighten or relax security checks by enabling or disabling basic and advanced protections.
  3. Option to convert an HTML profile to an XML or Web2.0 (HTML+XML) profile and vice-versa, providing the flexibility to add security for different types of payload.
  4. Easily deployed actions to block attacks, monitor them in logs, collect statistics, or even transform some attack strings to render them harmless.
  5. Ability to detect attacks by inspecting incoming requests, and to prevent leakage of sensitive data by inspecting the responses sent by the servers.
  6. Capability to learn from the traffic pattern to get recommendations for easily editable relaxation rules that can be deployed to allow exceptions.
  7. Hybrid security model that applies the power of customizable signatures to block attacks that match specified patterns, and provides the flexibility to use the positive-security-model checks for basic or advanced security protections.
  8. Availability of comprehensive configuration reports, including information about PCI-DSS compliance.