Configure domains for WAF service

Domains are a way to segment network traffic for different applications. You can use traffic domains to create multiple isolated environments within a Citrix ADC appliance network. An application belonging to a specific traffic domain communicates with entities and processes traffic within that domain. The traffic belonging to one traffic domain cannot cross the boundary of another traffic domain.

Use the following steps to add security service domains by using specific application firewall functionality.

1. On the Web App Security Service Domains page, click the Action tab to select the desired Application Firewall features.

The stand-alone objects that must be created to construct a Domain, Application, and Profile are:

  • SSL Cert Key: Created from an SSL certificate and key, together with the pass phrase. This object is required to create a domain.
  • Profile: This object is required to create a domain. An application is equivalent to a policy that is bound to a domain. Each domain contains a list of applications with a priority assigned to each of them. In addition, an application includes a flag for turning on the IP Reputation feature.
  • HTML Error Page and Signatures: These objects are optional when creating a profile.

These objects can be reused and shared between domains and applications and are available under the Action menu.

2. Click Add. The Add Web App Security Service Domain page is displayed. Type the Name, Description, and Domain. Upload the SSL certificate and SSL key files, for example, waf.cert and waf.key. Enter an SSL Pass Phrase and then click Create. The domain is added to the list of domains. To add multiple domains, click Add and specify the same SSL CertKey.

Upload SSL certificate

1. To upload an SSL certificate and key, click the “+” sign in the SSL Cert Keys Name field. The Add SSL Cert Keys page is displayed.

2. After a certificate is uploaded, select the SSL Cert Key when adding a new domain.

3. Create a domain. Type the Name, Domain name, and Description for the domain, and then click Create.

A confirmation page is displayed.

4. Select the newly created domain and click Edit to edit it. If you hover over the row of a domain, an icon of a circle with three dots appears in the left-most column, where you can select an action directly.

Note

Allow traffic to the back-end server only from the NetScaler IP address, and block traffic from all other IP addresses. Otherwise, clients that reach the back-end server directly bypass the WAF.
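
One way to check that this restriction holds, as an added example that is not part of the original documentation: the script below audits a back-end web server access log for requests whose TCP peer is not the NetScaler IP address. The log format, the `192.0.2.10` and `2001:db8::10` placeholder addresses, and all function names are assumptions made for the illustration.

```python
import ipaddress
import re
from collections import Counter

# Assumption: the back-end web server writes Common/Combined Log Format,
# where the first field is the TCP peer address (not X-Forwarded-For).
LOG_LINE = re.compile(r'^(?P<peer>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} ')

# Assumption: placeholder NetScaler source addresses (documentation ranges).
ALLOWED_SOURCES = ["192.0.2.10/32", "2001:db8::10/128"]

# Constructed sample log, not taken from a real system.
SAMPLE_LOG = """\
192.0.2.10 - - [12/Mar/2024:10:01:02 +0000] "GET /login HTTP/1.1" 200 512
198.51.100.7 - - [12/Mar/2024:10:01:05 +0000] "GET /admin HTTP/1.1" 200 2048
192.0.2.10 - - [12/Mar/2024:10:01:09 +0000] "POST /api/order HTTP/1.1" 201 97
2001:db8::10 - - [12/Mar/2024:10:01:11 +0000] "GET / HTTP/1.1" 200 1024
198.51.100.7 - - [12/Mar/2024:10:01:12 +0000] "GET /admin/users HTTP/1.1" 403 0
garbage line without the expected fields
203.0.113.44 - - [12/Mar/2024:10:02:00 +0000] "GET /?id=1 HTTP/1.1" 200 300
"""


def audit_direct_access(log_text, allowed_sources):
    """Return ({peer: count} for non-allowed peers, [unparsed line numbers])."""
    networks = [ipaddress.ip_network(src, strict=False) for src in allowed_sources]
    violations, unparsed = Counter(), []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        match = LOG_LINE.match(line)
        try:
            peer = ipaddress.ip_address(match.group("peer")) if match else None
        except ValueError:
            peer = None
        if peer is None:
            # Keep unparsed lines visible so they can be reviewed by hand.
            unparsed.append(lineno)
            continue
        # `peer in net` is False when IP versions differ, so mixed lists are safe.
        if not any(peer in net for net in networks):
            violations[str(peer)] += 1
    return dict(violations), unparsed


if __name__ == "__main__":
    hits, skipped = audit_direct_access(SAMPLE_LOG, ALLOWED_SOURCES)
    print("peers that did not come through the WAF:", hits)
    print("unparsed line numbers:", skipped)
```

Any address reported here reached the back end without passing through the WAF, which points to a missing or incomplete source-IP restriction.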

Configure Security service application

1. Click Add to add an application. Enter the profile name, description, and URL for the application. Click Create and Close.

2. After you have finished editing the domain information, click OK. A confirmation page shows the edited information for the domain. Click Close.

3. You can also choose the newly added domain and click Manage Applications. Ensure that you change the CNAME provided by the WAF service for the newly created domain. This changes the DNS record address for the CNAME. The IP address of the back-end server is populated. Click Close. You can use “CNAME to clipboard” to copy the CNAME for setting up DNS.

4. Select a profile name. The profile name must be added from the Applications page.

You can also perform more actions using the Action tab on the Manage application service page.

5. To edit a profile, select it and click Edit.

Manage Web App Security service applications

1. Choose an application and click Manage Security Profile. The Application Firewall profile information is displayed.

Application Security service profile:

2. On the Security Checks page, create security profiles. This page displays the standard Application Firewall GUI options for adding security profiles. Add the Application Name, URL, and Priority.

  1. Choose the security profile that you want to edit.
  2. Edit the White List URLs and click OK.

Security check action views: URL Whitelist Settings and URL Blacklist Settings.

Clear the check boxes to turn off the “Block” and “Log” settings for the whitelist and blacklist URL settings.

Buffer overflow settings:

Content-type settings: Use the check boxes to deselect the “Block” and “Log” settings.

HTML cross-site scripting settings:

HTML SQL injection settings:

Save and close your changes for the security checks.

Profile settings page:

Profile Signatures page:

Relaxation rules page: All relaxation rules are enabled by default when you add them. To delete a relaxation rule, disable it first and then remove it.

URL whitelist relaxation rules:

URL blacklist relaxation rules:

Content-type relaxation rules:

HTML cross-site scripting relaxation rules:

HTML SQL injection relaxation rules:
