Creating and configuring App Firewall policies

A firewall policy consists of two elements: a rule, and an associated profile. The rule selects the HTTP traffic that matches the criteria that you set, and sends that traffic to the App Firewall for filtering. The profile contains the filtering criteria that the App Firewall uses.

The policy rule consists of one or more expressions in the NetScaler expressions language. The NetScaler expressions syntax is a powerful, object-oriented programming language that enables you to precisely designate the traffic that you want to process with a specific profile. For users who are not completely familiar with the NetScaler expressions language syntax, or who prefer to configure their NetScaler appliance by using a web-based interface, the GUI provides two tools: the Prefix menu and the Add Expression dialog box. Both help you to write expressions that select exactly the traffic that you want to process. Experienced users who are thoroughly familiar with the syntax may prefer to use the NetScaler command line to configure their NetScaler appliances.

Note: In addition to the default expressions syntax, for backward compatibility the NetScaler operating system supports the NetScaler classic expressions syntax on NetScaler Classic and nCore appliances and virtual appliances. Classic expressions are not supported on NetScaler Cluster appliances and virtual appliances. Current NetScaler users who want to migrate existing configurations to the NetScaler Cluster must migrate any policies that contain classic expressions to the default expressions syntax.

For detailed information about the NetScaler expressions languages, see “Policies and Expressions.”

You can create a firewall policy by using the GUI or the NetScaler command line.

To create and configure a policy by using the command line interface

At the command prompt, type the following commands:

  • add appfw policy <name> <rule> <profileName>
  • save ns config

Example

The following example adds a policy named pl-blog, with a rule that intercepts all traffic to or from the host blog.example.com, and associates that policy with the profile pr-blog. This is an appropriate policy to protect a blog hosted on a specific hostname.

add appfw policy pl-blog "HTTP.REQ.HOSTNAME.DOMAIN.EQ(\"blog.example.com\")" pr-blog

To create and configure a policy by using the GUI

  1. Navigate to Security > App Firewall > Policies.

  2. In the details pane, do one of the following:

    • To create a new firewall policy, click Add.
    • To edit an existing firewall policy, select the policy, and then click Edit.

    The Create App Firewall Policy or Configure App Firewall Policy dialog box is displayed.

  3. If you are creating a new firewall policy, in the Create App Firewall Policy dialog box, Policy Name text box, type a name for your new policy.

    The name must begin with a letter, number, or the underscore symbol, and can consist of one to 128 letters, numbers, and the hyphen (-), period (.), pound (#), space ( ), at (@), equals (=), colon (:), and underscore (_) symbols.

    If you are configuring an existing firewall policy, this field is read-only. You cannot modify it.

  4. Select the profile that you want to associate with this policy from the Profile drop-down list. You can create a new profile to associate with your policy by clicking New, and you can modify an existing profile by clicking Modify.

  5. In the Expression text area, create a rule for your policy.

    • You can type a rule directly into the text area.
    • You can click Prefix to select the first term for your rule, and follow the prompts. See To Create an App Firewall Rule for a complete description of this process.
    • You can click Add to open the Add Expression dialog box, and use it to construct the rule. See The Add Expression Dialog Box for a complete description of this process.
  6. Click Create or OK, and then click Close.

To create or configure an App Firewall rule

The policy rule, also called the expression, defines the web traffic that the App Firewall filters by using the profile associated with the policy. Like other NetScaler policy rules (or expressions), App Firewall rules use NetScaler expressions syntax. This syntax is powerful, flexible, and extensible. It is too complex to describe completely in this set of instructions. You can use the following procedure to create a simple firewall policy rule, or you can read it as an overview of the policy creation process.

  1. If you have not already done so, navigate to the appropriate location in the App Firewall wizard or the NetScaler GUI to create your policy rule:

    • If you are configuring a policy in the App Firewall wizard, in the navigation pane, click App Firewall, then in the details pane click App Firewall Wizard, and then navigate to the Specify Rule screen.
    • If you are configuring a policy manually, in the navigation pane, expand App Firewall, then Policies, and then Firewall. In the details pane, to create a new policy, click Add. To modify an existing policy, select the policy, and then click Open.
  2. On the Specify Rule screen, the Create App Firewall Profile dialog box, or the Configure App Firewall Profile dialog box, click Prefix, and then choose the prefix for your expression from the drop-down list. Your choices are:

    • HTTP. The HTTP protocol. Choose this if you want to examine some aspect of the request that pertains to the HTTP protocol.
    • SYS. The protected Web site(s). Choose this if you want to examine some aspect of the request that pertains to the recipient of the request.
    • CLIENT. The computer that sent the request. Choose this if you want to examine some aspect of the sender of the request.
    • SERVER. The computer to which the request was sent. Choose this if you want to examine some aspect of the recipient of the request.

    After you choose a prefix, the App Firewall displays a two-part prompt window that displays the possible next choices at the top, and a brief explanation of what the selected choice means at the bottom.

  3. Choose your next term.

    If you chose HTTP as your prefix, your only choice is REQ, which specifies the Request/Response pair. (The App Firewall operates on the request and response as a unit instead of on each separately.) If you chose another prefix, your choices are more varied. For help on a specific choice, click that choice once to display information about it in the lower prompt window.

    When you have decided which term you want, double-click it to insert it into the Expression window.

  4. Type a period after the term you just chose. You are then prompted to choose your next term, as described in the previous step. When a term requires that you type a value, fill in the appropriate value. For example, if you choose HTTP.REQ.HEADER(""), type the header name between the quotation marks.

  5. Continue choosing terms from the prompts and filling in any values that are needed, until your expression is finished.

    Following are some examples of expressions for specific purposes.

    • Specific web host. To match traffic from a particular web host:

       HTTP.REQ.HEADER("Host").EQ("shopping.example.com")

      For shopping.example.com, substitute the name of the web host that you want to match.

    • Specific web folder or directory. To match traffic from a particular folder or directory on a Web host:

       HTTP.REQ.URL.STARTSWITH("https://www.example.com/folder")

      For www.example.com, substitute the name of the web host. For folder, substitute the folder or path to the content that you want to match. For example, if your shopping cart is in a folder called /solutions/orders, you substitute that string for folder.

    • Specific type of content: GIF images. To match GIF format images:

       HTTP.REQ.URL.ENDSWITH(".gif")

      To match other format images, substitute another string in place of .gif.

    • Specific type of content: scripts. To match all CGI scripts located in the CGI-BIN directory:

       HTTP.REQ.URL.STARTSWITH("https://www.example.com/CGI-BIN")

      To match all JavaScripts with .js extensions:

       HTTP.REQ.URL.ENDSWITH(".js")

      For more information about creating policy expressions, see “Policies and Expressions.”

    Note: If you use the command line to configure a policy, remember to escape any double quotation marks within NetScaler expressions. For example, the following expression is correct if entered in the GUI:

    HTTP.REQ.HEADER("Host").EQ("shopping.example.com")

    If entered at the command line, however, you must type this instead:

    HTTP.REQ.HEADER(\"Host\").EQ(\"shopping.example.com\")
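To script the command-line procedure above, applying the policy-name rule and the quote-escaping note from this page, here is an added Python helper; it is not part of the Citrix documentation, and it assumes the naming rule exactly as stated on this page and a GUI-form expression as input.

```python
import re

# Policy-name rule as documented on this page (assumption: applied literally):
# first character is a letter, digit or underscore; total length 1 to 128;
# remaining characters may also be - . # space @ = :
_NAME_RE = re.compile(r'^[A-Za-z0-9_][A-Za-z0-9_\-.# @=:]{0,127}$')


def validate_policy_name(name: str) -> bool:
    """Return True if the name satisfies the documented naming rule."""
    return bool(_NAME_RE.match(name))


def check_rule_syntax(rule: str) -> list:
    """Cheap sanity checks before sending an expression to the CLI:
    odd number of double quotes or unbalanced parentheses."""
    problems = []
    if rule.count('"') % 2:
        problems.append("odd number of double quotes")
    depth = 0
    for ch in rule:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            break
    if depth != 0:
        problems.append("unbalanced parentheses")
    return problems


def escape_rule_for_cli(rule: str) -> str:
    """Backslash-escape the double quotes inside a GUI-form expression so the
    whole rule can be wrapped in double quotes on the command line. Quotes
    that are already escaped are normalised first so they are not doubled."""
    return rule.replace('\\"', '"').replace('"', '\\"')


def build_add_policy_command(name: str, rule: str, profile: str) -> str:
    """Build the 'add appfw policy <name> <rule> <profileName>' line."""
    if not validate_policy_name(name):
        raise ValueError(f"invalid policy name: {name!r}")
    if not profile.strip():
        raise ValueError("profile name must not be empty")
    problems = check_rule_syntax(rule)
    if problems:
        raise ValueError("rule rejected: " + "; ".join(problems))
    # Names containing spaces must themselves be quoted on the CLI.
    cli_name = f'"{name}"' if " " in name else name
    return f'add appfw policy {cli_name} "{escape_rule_for_cli(rule)}" {profile}'


if __name__ == "__main__":
    # The pl-blog example from this page, built from its parts.
    print(build_add_policy_command(
        "pl-blog", 'HTTP.REQ.HOSTNAME.DOMAIN.EQ("blog.example.com")', "pr-blog"))
```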

To add a firewall rule (expression) by using the Add Expression dialog box

The Add Expression dialog box (also referred to as the Expression Editor) helps users who are not familiar with the NetScaler expressions language to construct a policy that matches the traffic that they want to filter.

  1. If you have not already done so, navigate to the appropriate location in the App Firewall wizard or the NetScaler GUI:
    • If you are configuring a policy in the App Firewall wizard, in the navigation pane, click App Firewall, then in the details pane click App Firewall Wizard, and then navigate to the Specify Rule screen.
    • If you are configuring a policy manually, in the navigation pane, expand App Firewall, then Policies, and then Firewall. In the details pane, to create a new policy, click Add. To modify an existing policy, select the policy, and then click Open.
  2. On the Specify Rule screen, in the Create App Firewall Profile dialog box, or in the Configure App Firewall Profile dialog box, click Add.
  3. In the Add Expression dialog box, in the Construct Expression area, in the first list box, choose one of the following prefixes:
    • HTTP. The HTTP protocol. Choose this if you want to examine some aspect of the request that pertains to the HTTP protocol. The default choice.
    • SYS. The protected Web site(s). Choose this if you want to examine some aspect of the request that pertains to the recipient of the request.
    • CLIENT. The computer that sent the request. Choose this if you want to examine some aspect of the sender of the request.
    • SERVER. The computer to which the request was sent. Choose this if you want to examine some aspect of the recipient of the request.
  4. In the second list box, choose your next term. The available terms differ depending on the choice you made in the previous step, because the dialog box automatically adjusts the list to contain only those terms that are valid for the context. For example, if you selected HTTP in the previous list box, the only choice is REQ, for requests. Because the App Firewall treats requests and associated responses as a single unit and filters both, you do not need to specify responses separately. After you choose your second term, a third list box appears to the right of the second. The Help window displays a description of the second term, and the Preview Expression window displays your expression.
  5. In the third list box, choose the next term. A new list box appears to the right, and the Help window changes to display a description of the new term. The Preview Expression window updates to display the expression as you have specified it to that point.
  6. Continue choosing terms, and when prompted filling in arguments, until your expression is complete. If you make a mistake or want to change your expression after you have already selected a term, you can simply choose another term. The expression is modified, and any arguments or additional terms that you added after the term that you modified are cleared.
  7. When you have finished constructing your expression, click OK to close the Add Expression dialog box. Your expression is inserted into the Expression text area.