Binding App Firewall policies
After you have configured your App Firewall policies, you bind them to Global or a bind point to put them into effect. After binding, any request or response that matches an App Firewall policy is transformed by the profile associated with that policy.
When you bind a policy, you assign a priority to it. The priority determines the order in which the policies you define are evaluated. You can set the priority to any positive integer. In the NetScaler OS, policy priorities work in reverse order - the higher the number, the lower the priority.
Because the App Firewall feature implements only the first policy that a request matches, not any additional policies that it might also match, policy priority is important for achieving the results that you intend. If you give your first policy a low priority (such as 1000), you configure the App Firewall to perform it only if other policies with a higher priority do not match a request. If you give your first policy a high priority (such as 1), you configure the App Firewall to perform it first, and skip any other policies that might also match. You can leave yourself plenty of room to add other policies in any order, without having to reassign priorities, by setting priorities with intervals of 50 or 100 between each policy when you bind your policies.
For more information about binding policies on the NetScaler appliance, see “Policies and Expressions.”
To bind an App Firewall policy by using the command line interface
At the command prompt, type the following commands:
bind appfw global <policyName>
save ns config
bind appfw profile <profile_name> -crossSiteScripting data
The following example binds the policy named pl-blog and assigns it a priority of 10.
bind appfw global pl-blog 10 save ns config
To bind an App Firewall policy by using the GUI
- Do one of the following:
- Navigate to Security > App Firewall, and in the details pane, click App Firewall policy manager.
- Navigate to Security > App Firewall > Policies > Firewall Policies, and in the details pane, click Policy Manager.
- In the App Firewall Policy Manager dialog, choose the bind point to which you want to bind the policy from the drop-down list. The choices are:
- Override Global. Policies that are bound to this bind point process all traffic from all interfaces on the NetScaler appliance, and are applied before any other policies.
- LB Virtual Server. Policies that are bound to a load balancing virtual server are applied only to traffic that is processed by that load balancing virtual server, and are applied before any Default Global policies. After selecting LB Virtual Server, you must also select the specific load balancing virtual server to which you want to bind this policy.
- CS Virtual Server. Policies that are bound to a content switching virtual server are applied only to traffic that is processed by that content switching virtual server, and are applied before any Default Global policies. After selecting CS Virtual Server, you must also select the specific content switching virtual server to which you want to bind this policy.
- Default Global. Policies that are bound to this bind point process all traffic from all interfaces on the NetScaler appliance.
- Policy Label. Policies that are bound to a policy label process traffic that the policy label routes to them. The policy label controls the order in which policies are applied to this traffic.
- None. Do not bind the policy to any bind point.
- Click Continue. A list of existing App Firewall policies appears.
- Select the policy you want to bind by clicking it.
- Make any additional adjustments to the binding.
- To modify the policy priority, click the field to enable it, and then type a new priority. You can also select Regenerate Priorities to renumber the priorities evenly.
- To modify the policy expression, double click that field to open the Configure App Firewall Policy dialog box, where you can edit the policy expression.
- To set the Goto Expression, double click field in the Goto Expression column heading to display the drop-down list, where you can choose an expression.
- To set the Invoke option, double click field in the Invoke column heading to display the drop-down list, where you can choose an expression
- Repeat steps 3 through 6 to add any additional App Firewall policies you want to globally bind.
- Click OK. A message appears in the status bar, stating that the policy has been successfully bound.