Product Documentation

Manual Configuration By Using the Command Line Interface

Dec 17, 2013

You can configure many application firewall features from the NetScaler command line. There are important exceptions, however. You cannot enable signatures from the command line. There are over 1,000 default signatures in seven categories; the task is simply too complex for the command line interface. You can configure the check actions and parameters for security checks from the command line, but cannot enter manual relaxations. While you can configure the adaptive learning feature and enable learning from the command line, you cannot review learned relaxations or learned rules and approve or skip them. The command line interface is intended for advanced users who are thoroughly familiar with the NetScaler appliance and the application firewall feature.

To manually configure the application firewall by using the NetScaler command line, use a telnet or secure shell client of your choice to log on to the NetScaler command line.

To create a profile by using the command line interface

At the command prompt, type the following commands:

  • add appfw profile <name> [-defaults ( basic | advanced )]
  • set appfw profile <name> -type ( HTML | XML | HTML XML )
  • save ns config

Example

The following example adds a profile named pr-basic, with basic defaults, and assigns a profile type of HTML. This is the appropriate initial configuration for a profile to protect an HTML Web site.

add appfw profile pr-basic -defaults basic 
set appfw profile pr-basic -type HTML 
save ns config

To configure a profile by using the command line interface

At the command prompt, type the following commands:

  • set appfw profile <name> <arg1> [<arg2> ...] where <arg1> represents a parameter and <arg2> represents either another parameter or the value to assign to the parameter represented by <arg1>. For descriptions of the parameters to use when configuring specific security checks, see Advanced Protections and its subtopics. For descriptions of the other parameters, see "Parameters for Creating a Profile."
  • save ns config

Example

The following example shows how to configure an HTML profile created with basic defaults to begin protecting a simple HTML-based Web site. This example turns on logging and maintenance of statistics for most security checks, but enables blocking only for those checks that have extremely low false positive rates and require no special configuration. It also turns on transformation of unsafe HTML and unsafe SQL, which prevents attacks but does not block requests to your Web sites. With logging and statistics enabled, you can later review the logs to determine whether to enable blocking for a specific security check.

set appfw profile -startURLAction log stats 
set appfw profile -denyURLAction block log stats 
set appfw profile -cookieConsistencyAction log stats 
set appfw profile -crossSiteScriptingAction log stats  
set appfw profile -crossSiteScriptingTransformUnsafeHTML ON 
set appfw profile -fieldConsistencyAction log stats 
set appfw profile -SQLInjectionAction log stats 
set appfw profile -SQLInjectionTransformSpecialChars ON 
set appfw profile -SQLInjectionOnlyCheckFieldsWithSQLChars ON 
set appfw profile -SQLInjectionParseComments checkall 
set appfw profile -fieldFormatAction log stats 
set appfw profile -bufferOverflowAction block log stats 
set appfw profile -CSRFtagAction log stats 
save ns config

To create and configure a policy

At the command prompt, type the following commands:

  • add appfw policy <name> <rule> <profile>
  • save ns config

Example

The following example adds a policy named pl-blog, with a rule that intercepts all traffic to or from the host blog.example.com, and associates that policy with the profile pr-blog. This is an appropriate policy to protect a blog hosted on a specific hostname.

add appfw policy pl-blog "HTTP.REQ.HOSTNAME.DOMAIN.EQ("blog.example.com")" pr-blog

To bind an Application Firewall policy

At the command prompt, type the following commands:

  • bind appfw global <policyName> <priority>
  • save ns config

Example

The following example binds the policy named pl-blog and assigns it a priority of 10.

bind appfw global pl-blog 10 
save ns config