- Enabling the Application Firewall
- The Application Firewall Wizard
- Manual Configuration
- Manual Configuration By Using the Configuration Utility
- Manual Configuration By Using the Command Line Interface
If you need to configure the Application Firewall feature manually, Citrix recommends that you use the configuration utility. For a description of the configuration utility, see "The Application Firewall User Interfaces."
Before you can configure the signatures, you must create a new signatures object from the appropriate default signatures object template. Assign the copy a new name, and then configure the copy. You cannot configure or modify the default signatures objects directly. The following procedure provides basic instructions for configuring a signatures object. For more detailed instructions, see "Manually Configuring the Signatures Feature." If you need to create your own, user-defined signatures, see "The Signatures Editor."
Your choices are:
As you modify these options, the results that you specify are displayed in the Filtered Results window at the right. For more information about the categories of signatures, see "Signatures."
Creating an application firewall profile requires that you specify only a few configuration details.
The name can begin with a letter, number, or the underscore symbol, and can consist of from one to 31 letters, numbers, and the hyphen (-), period (.), pound (#), space ( ), at (@), equals (=), colon (:), and underscore (_) symbols.
You can also select a check and, at the bottom of the dialog box, click Open to display the Configure Relaxation dialog box or Configure Rule dialog box for that check. These dialog boxes also vary from check to check. Most of them include a Checks tab and a General tab. If the check supports relaxations or user-defined rules, the Checks tab includes an Add button, which opens yet another dialog box, in which you can specify a relaxation or rule for the check. (A relaxation is a rule for exempting specified traffic from the check.) If relaxations have already been configured, you can select one and click Open to modify it.
You configure two different types of information in this dialog box, depending upon which security check you are configuring. In the majority of cases, you configure an exception (or relaxation) to the security check. If you are configuring the Deny URL check or the Field Formats check, you configure an addition (or rule). The process for either of these is the same.
The Add Check Relaxation or Modify Check Relaxation dialog box for the selected check is displayed. Except for the title, these dialog boxes are identical.
Enabled check box—Select to place this relaxation or rule in active use; clear to deactivate it.
Attachment Content Type—The Content-Type attribute of an XML attachment. In the text area, enter a regular expression that matches the Content-Type attribute of the XML attachments to allow.
Action URL—In the text area, enter a PCRE-format regular expression that defines the URL to which data entered into the web form is delivered.
Cookie—In the text area, enter a PCRE-format regular expression that defines the cookie.
Field Name—A web form field name element may be labeled Field Name, Form Field, or another similar name. In the text area, enter a PCRE-format regular expression that defines the name of the form field.
Form Origin URL—In the text area, enter a PCRE-format regular expression that defines the URL that hosts the web form.
Form Action URL—In the text area, enter a PCRE-format regular expression that defines the URL to which data entered into the web form is delivered.
Name—An XML element or attribute name. In the text area, enter a PCRE-format regular expression that defines the name of the element or attribute.
URL—A URL element may be labeled Action URL, Deny URL, Form Action URL, Form Origin URL, Start URL, or simply URL. In the text area, enter a PCRE-format regular expression that defines the URL.
Format—The format section contains multiple settings that include list boxes and text boxes. Any of the following can appear:
Location—Choose the element of the request that your relaxation will apply to from the drop-down list. For HTML security checks, the choices are:
For XML security checks, the choices are:
Maximum Attachment Size—The maximum size in bytes allowed for an XML attachment.
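The relaxation fields above (Enabled, Location, and a PCRE-format pattern for URL, Cookie or Field Name) can be modelled to see how a pattern's anchoring decides which traffic is exempted from a check. The following is an added example written for this page, not NetScaler code; the class and field names are assumptions, the requests are constructed, and it uses PCRE's default unanchored search because the page does not say whether the appliance anchors relaxation patterns implicitly.

```python
import re
from dataclasses import dataclass, field


# Constructed model of one relaxation entry as the dialog box describes it:
# an Enabled flag, a Location (the part of the request the pattern applies to)
# and a PCRE-format regular expression. The class and field names are
# assumptions for this example, not NetScaler configuration keys.
@dataclass
class Relaxation:
    enabled: bool
    location: str   # "URL", "Cookie" or "FieldName"
    pattern: str    # PCRE-format regular expression


@dataclass
class Request:
    url: str
    cookies: dict = field(default_factory=dict)
    form_fields: dict = field(default_factory=dict)


def _targets(request, location):
    """Strings the relaxation pattern is tested against for a given Location."""
    if location == "URL":
        return [request.url]
    if location == "Cookie":
        return list(request.cookies)
    if location == "FieldName":
        return list(request.form_fields)
    raise ValueError(f"unknown location {location!r}")


def matching_relaxations(request, relaxations):
    """Return the enabled relaxations whose pattern matches the request.

    re.search gives PCRE's default unanchored semantics (an assumption about
    the appliance); anchor the pattern explicitly when you intend a prefix match.
    """
    hits = []
    for rx in relaxations:
        if not rx.enabled:
            continue  # cleared Enabled check box: rule is not in active use
        if any(re.search(rx.pattern, t) for t in _targets(request, rx.location)):
            hits.append(rx)
    return hits


# Constructed sample rules: one loose URL pattern, one anchored, one disabled,
# and one cookie relaxation.
LOOSE = Relaxation(True, "URL", r"/solutions/orders")
ANCHORED = Relaxation(True, "URL", r"^/solutions/orders/")
DISABLED = Relaxation(False, "URL", r".*")   # would match everything, but inactive
COOKIE = Relaxation(True, "Cookie", r"^cart_id$")
RULES = [LOOSE, ANCHORED, DISABLED, COOKIE]


def demo():
    """Show which rules exempt the real checkout URL versus a look-alike URL."""
    legit = Request("/solutions/orders/checkout", cookies={"cart_id": "42"})
    # Contains the same substring elsewhere in the path; only the loose rule exempts it.
    lookalike = Request("/blog/solutions/orders-faq")
    return {
        "legit": [r.pattern for r in matching_relaxations(legit, RULES)],
        "lookalike": [r.pattern for r in matching_relaxations(lookalike, RULES)],
    }


if __name__ == "__main__":
    for name, hits in demo().items():
        print(name, "->", hits)
```

The point to take from the output is that the unanchored pattern also exempts the look-alike URL, so a relaxation written that way removes the check from more traffic than the shopping cart it was meant for; review every learned or hand-written relaxation pattern for anchoring before enabling it.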
Minimum number threshold. Depending on which security check’s learning settings you are configuring, the minimum number threshold might refer to the minimum number of total user sessions that must be observed, the minimum number of requests that must be observed, or the minimum number of times a specific form field must be observed, before a learned relaxation is generated. Default: 1
Percentage of times threshold. Depending on which security check’s learning settings you are configuring, the percentage of times threshold might refer to the percentage of total observed user sessions that violated the security check, the percentage of requests, or the percentage of times a form field matched a particular field type, before a learned relaxation is generated. Default: 0
The name can begin with a letter, number, or the underscore symbol, and can consist of from one to 128 letters, numbers, and the hyphen (-), period (.), pound (#), space ( ), at (@), equals (=), colon (:), and underscore (_) symbols.
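The profile-name rule (up to 31 characters) and the policy-name rule (up to 128 characters) differ only in length, so one validator serves both when you create these objects from a script rather than the configuration utility. This is an added example, not NetScaler code; the function names are assumptions, and "letters" is taken to mean ASCII letters.

```python
import re

# Character rules as the page states them: the first character is a letter,
# number or underscore; the rest may also be hyphen, period, pound, space,
# at, equals, colon and underscore. ASCII letters are an assumption.
_FIRST = r"[A-Za-z0-9_]"
_REST = r"[A-Za-z0-9\-.# @=:_]"
_NAME_RE = re.compile(_FIRST + _REST + "*")

PROFILE_NAME_MAX = 31   # application firewall profile name
POLICY_NAME_MAX = 128   # application firewall policy name


def is_valid_appfw_name(name: str, max_len: int) -> bool:
    """Return True if name satisfies the first-character, character-set and length rules."""
    if max_len < 1:
        raise ValueError("max_len must be at least 1")
    if not 1 <= len(name) <= max_len:
        return False
    return _NAME_RE.fullmatch(name) is not None


def check_profile_name(name: str) -> bool:
    return is_valid_appfw_name(name, PROFILE_NAME_MAX)


def check_policy_name(name: str) -> bool:
    return is_valid_appfw_name(name, POLICY_NAME_MAX)


if __name__ == "__main__":
    # Constructed sample names; reject before sending anything to the appliance.
    for candidate in ["shop_profile-1", "-leading-hyphen", "a" * 32, "bad/name"]:
        print(f"{candidate[:20]!r:24} profile={check_profile_name(candidate)} "
              f"policy={check_policy_name(candidate)}")
```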
If you are configuring an existing firewall policy, this field is read-only. You cannot modify it.
The policy rule, also called the expression, defines the web traffic that the application firewall filters by using the profile associated with the policy. Like other NetScaler policy rules (or expressions), application firewall rules use NetScaler expressions syntax. This syntax is powerful, flexible, and extensible. It is too complex to describe completely in this set of instructions. You can use the following procedure to create a simple firewall policy rule, or you can read it as an overview of the policy creation process.
After you choose a prefix, the application firewall displays a two-part prompt window that displays the possible next choices at the top, and a brief explanation of what the selected choice means at the bottom.
If you chose HTTP as your prefix, your only choice is REQ, which specifies the Request/Response pair. (The application firewall operates on the request and response as a unit instead of on each separately.) If you chose another prefix, your choices are more varied. For help on a specific choice, click that choice once to display information about it in the lower prompt window.
When you have decided which term you want, double-click it to insert it into the Expression window.
Following are some examples of expressions for specific purposes.
Specific web host. To match traffic from a particular web host:
For shopping.example.com, substitute the name of the web host that you want to match.
Specific web folder or directory. To match traffic from a particular folder or directory on a Web host:
For www.example.com, substitute the name of the web host. For folder, substitute the folder or path to the content that you want to match. For example, if your shopping cart is in a folder called /solutions/orders, you substitute that string for folder.
Specific type of content: GIF images. To match GIF format images:
To match other format images, substitute another string in place of .gif.
Specific type of content: scripts. To match all CGI scripts located in the CGI-BIN directory:
For more information about creating policy expressions, see "Policies and Expressions."
If entered at the command line, however, you must type this instead:
The Add Expression dialog box (also referred to as the Expression Editor) helps users who are not familiar with the NetScaler expressions language to construct a policy that matches the traffic that they want to filter.