The Application Firewall Wizard

Oct 01, 2013

Unlike most wizards, the Application Firewall wizard is designed not just to simplify the initial configuration process, but also to modify previously created configurations and to maintain your Application Firewall setup. A typical user runs the wizard multiple times, skipping some of the screens each time.

Opening the Wizard

To run the Application Firewall wizard, first open the configuration utility. Next, in the navigation pane, expand Application Firewall, and then in the details pane click Application Firewall Wizard. (For more information about the configuration utility, see "The Application Firewall User Interfaces.") Then:

  1. Navigate to Security > Application Firewall.
  2. In the details pane, under Getting Started, click Application Firewall Wizard. The first screen of the wizard appears.
  3. To advance to the next screen, click Next.

The Wizard Screens

The Application Firewall wizard displays the following screens, in the following order:

  1. Introduction screen. Provides an introduction to the Application Firewall wizard. There is nothing that you can configure on this screen.

  2. Specify Name screen. On this screen, when creating a new security configuration, you specify the name that the wizard is to assign to the configuration. The name must begin with a letter, number, or the underscore symbol, and can consist of 1 to 31 letters, numbers, and the hyphen (-), period (.), pound (#), space ( ), at (@), equals (=), colon (:), and underscore (_) symbols. Choose a name that makes it easy for others to tell what content your new security configuration protects.

    Note: Because the wizard uses this name for both the policy and the profile, it is limited to 31 characters. Manually created policies can have names up to 127 characters in length.

    When modifying an existing configuration, you select Modify Existing Configuration and then, in the Name drop-down list, select the name of the existing configuration that you want to modify.

    Note: Only policies that are bound to Global or to a bind point appear in this list; you cannot modify an unbound policy by using the Application Firewall wizard. You must either manually bind it to Global or a bind point, or modify it manually. (For manual modification, in the configuration utility's Application Firewall > Policies > Firewall pane, select the policy and click Open.)

    You also select a profile type on this screen. The profile type determines the types of advanced protection (security checks) that can be configured. Because certain kinds of content are not vulnerable to certain types of security threats, restricting the list of available checks saves time during configuration. The types of Application Firewall profiles are:

    • Web Application (HTML). Any HTML-based Web site that does not use XML or Web 2.0 technologies.
    • XML Application (XML, SOAP). Any XML-based Web service.
    • Web 2.0 Application (HTML, XML, REST). Any Web 2.0 site that combines HTML and XML-based content, such as an Atom-based site, a blog, an RSS feed, or a wiki.
    Note: If you are unsure which type of content is used on your Web site, you can choose Web 2.0 Application to ensure that you protect all types of Web application content.
  3. Specify Rule screen. On this screen, you specify the policy rule (expression) that defines the traffic to be examined by this security configuration. If you are creating an initial configuration to protect your Web sites and Web services, you can simply accept the default value, true, which selects all Web traffic.

    If you want this security configuration to examine not all HTTP traffic that is routed through the appliance, but only specific traffic, you can write a policy rule that specifies the traffic you want it to examine. Rules are written in the Citrix NetScaler expressions language, which is a fully functional object-oriented programming language.

    • For a simple description of using the NetScaler expressions syntax to create Application Firewall rules, and a list of useful rules, see "Firewall Policies."
    • For a detailed explanation of how to create policy rules in NetScaler expressions syntax, see "Policies and Expressions."
    Note: In addition to the default expressions syntax, for backward compatibility the NetScaler operating system supports the NetScaler classic expressions syntax on NetScaler Classic and nCore appliances and virtual appliances. Classic expressions are not supported on NetScaler Cluster appliances and virtual appliances. Current users who want to migrate their existing configurations to the NetScaler cluster must migrate any policies that contain classic expressions to the default expressions syntax.
  4. Select Signature Protections screen. On this screen, you select the categories of signatures that you want to use to protect your web sites and web services. The default categories are:

    • CGI. Protection against attacks on web sites that use CGI scripts in any language, including Perl scripts, Unix shell scripts, and Python scripts.

    • Cold Fusion. Protection against attacks on web sites that use the Adobe Systems® ColdFusion® Web development platform.

    • FrontPage. Protection against attacks on web sites that use the Microsoft® FrontPage® Web development platform.

    • PHP. Protection against attacks on web sites that use the PHP open-source Web development scripting language.

    • Client side. Protection against attacks on client-side tools used to access your protected web sites, such as Microsoft Internet Explorer, Mozilla Firefox, the Opera browser, and the Adobe Acrobat Reader.

    • Microsoft IIS. Protection against attacks on Web sites that run the Microsoft Internet Information Server (IIS).

    • Miscellaneous. Protection against attacks on other server-side tools, such as Web servers and database servers.

    If you are creating a new security configuration, the signature categories that you select are enabled, and by default they are recorded in a new signatures object. The new signatures object is assigned the same name that you entered on the Specify Name screen as the name of the security configuration.

    If you have previously configured signatures objects and want to use one of them as the signatures object associated with the security configuration that you are creating, click Select Existing Signature and select a signatures object from the Signatures list.

    If you are modifying an existing security configuration, you can click Select Existing Signature and assign a different signatures object to the security configuration.

  5. Select Signature Actions screen. On this screen, you select the actions associated with the signature categories that you selected on the Select Signature Protections screen. If you are creating an initial configuration, you might want to accept the defaults, which enable the Log and Stats actions but not the Block action. You can decide later, after reviewing the collected logs and statistics, which signatures you should use to block traffic, and then enable the Block action for those signatures. Signatures are designed to catch specific known attacks on your web sites, and therefore they have extremely low false positive rates. However, with any new configuration, you should observe how the settings you chose are working before you use them to block traffic.

    If you select More for one of the signature categories, the Configure Actions for Signatures dialog box appears. Its contents are the same as the contents of the Modify Signatures Object dialog box, as described in "To Configure a Signatures Object."

    If the signatures object has already logged connections, you can click Logs to display the Syslog Viewer with the logs, as described in "Logs, Statistics, and Reports." If a signature is blocking legitimate access to your protected web site or web service, you can create and implement a relaxation for that signature by selecting a log that shows the unwanted blocking, and then clicking Deploy.

  6. Select Advanced Protections screen. On this screen, you choose the advanced protections (also called security checks or simply checks) that you want to use to protect your web sites and web services. The checks are divided into categories. Which categories are available (and which checks are available within a category) depends on the profile type that you chose on the Specify Name screen. All checks are available for Web 2.0 Application profiles. If you chose that profile type, the Select Advanced Protections screen displays the following categories of security checks:
    • Top-level protections (Some checks appear at the top level, not in any category.)
    • Data Leak Prevention Protections
    • Advanced Form Protections
    • URL Protections
    • XML Protections
    To display the individual checks in a category, click the icon to the left of the category. To apply a security check to your filtered data, select the check box next to the name of the security check. For descriptions of the security checks, see "Advanced Protections" and its subtopics.
  7. Select Advanced Actions screen. On this screen, you configure the actions for the advanced protections that you have enabled.
    Note: If no advanced protections are enabled, the Wizard skips the Advanced Actions screen and goes directly to the Summary screen.
    The actions that you can configure are:
    • Block. Block connections that violate the check. Disabled by default.
    • Log. Log connections that violate the check for later analysis. Enabled by default.
    • Stats. Maintain statistics, for each check, that show how many connections it matched and provide certain other information about the types of connections that were blocked. Disabled by default.
    • Learn. Observe traffic to this Web site or Web service, and use connections that repeatedly violate this check to generate recommended exceptions to the check, or new rules for the check. Available only for some checks.

    To enable or disable an action for a check, in the list, select or clear the check box for that action to the right of that check.

    To configure other parameters for those checks that have them, in the list, click the blue chevron to the far right of that check. In the dialog box that appears, configure the parameters. These vary from check to check. You can also select a check and, at the bottom of the dialog box, click Open to display a dialog box for modifying any of the options for that check. These dialog boxes also vary from check to check. Most of them include a Checks tab and a General tab. If the check supports relaxations, the Checks tab includes an Add button, which opens yet another dialog box, in which you can specify a relaxation for the check. A relaxation is a rule for exempting specified traffic from the check.

    For information about the settings available for a check, see the detailed description of that check.

    To review the recommendations generated by the learning engine for a specific check, select that check and then click Learned Violations to open the Manage Learned Rules dialog box for that check. For more information on how learning works and how to configure exceptions (relaxations) or deploy learned rules for a check, see "Manual Configuration By Using the Configuration Utility" under "To configure and use the learning feature."

    To view all logs for a specific check, select that check, and then click Logs to display the Syslog Viewer, as described in "Logs, Statistics, and Reports." If a security check is blocking legitimate access to your protected web site or web service, you can create and implement a relaxation for that security check by selecting a log that shows the unwanted blocking, and then clicking Deploy.

  8. Summary screen. On this screen, you review your configuration choices to verify that they are what you want. If you want to make changes, click Back until you have returned to the appropriate screen, and make your changes. If the configuration is as you want it, click Finish to save it, and then click Exit to close the Application Firewall wizard.
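The naming rules from the Specify Name screen (item 2 above and its note) as an added Python check, written here for this page and not part of the Citrix documentation or product. It assumes you want to pre-validate a name in an automation script before typing it into the wizard; the function name and the via_wizard switch are assumptions of this example.

```python
import re

# Character set stated for the Specify Name screen: letters, digits, and the
# hyphen, period, pound, space, at, equals, colon and underscore symbols.
_ALLOWED_BODY = re.compile(r"^[A-Za-z0-9\-.# @=:_]*$")
# The first character is more restricted: letter, number or underscore only.
_ALLOWED_FIRST = re.compile(r"^[A-Za-z0-9_]$")

# Length limits: 31 characters when the wizard creates both policy and
# profile under one name, 127 for a manually created policy.
WIZARD_MAX_LEN = 31
MANUAL_MAX_LEN = 127


def validate_config_name(name: str, via_wizard: bool = True) -> tuple[bool, str]:
    """Check a security-configuration name against the documented rules.

    Returns (ok, reason). reason is empty when the name is acceptable;
    otherwise it names the first rule the name breaks.  via_wizard is an
    assumed switch of this example: True applies the wizard limit (31),
    False applies the manual-policy limit (127).
    """
    max_len = WIZARD_MAX_LEN if via_wizard else MANUAL_MAX_LEN
    if not name:
        return False, "name must be at least 1 character"
    if len(name) > max_len:
        return False, f"name is {len(name)} characters; limit is {max_len}"
    if not _ALLOWED_FIRST.match(name[0]):
        return False, "name must begin with a letter, number, or underscore"
    if not _ALLOWED_BODY.match(name):
        bad = sorted({c for c in name if not _ALLOWED_BODY.match(c)})
        return False, "disallowed character(s): " + ", ".join(repr(c) for c in bad)
    return True, ""


if __name__ == "__main__":
    # Constructed sample names, including the hyphen-first and length edge cases.
    for candidate in ("shop_checkout", "-shop", "a" * 32, "shop/checkout"):
        print(repr(candidate), validate_config_name(candidate))
```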

Following are four procedures that show how to perform specific types of configuration by using the Application Firewall wizard.

To configure the Application Firewall: Initial Configuration

  1. Navigate to Security > Application Firewall.
  2. In the details pane, under Getting Started, click Application Firewall Wizard.
  3. On the Application Firewall wizard, Introduction screen, in the lower right-hand corner, click Next.
  4. On the Specify Name screen, in the Name text box, type a name for your new security configuration, and from the Type drop-down list, select the type of security configuration. Then, click Next.
  5. On the Specify Rule screen, click Next again.
    Note: The default rule, true, protects all Web traffic that is sent via your NetScaler appliance or virtual appliances. You can create specific security configurations to protect specific parts of your Web sites or Web applications later.
  6. On the Select Signature Protections screen, select check boxes to specify the groups of signatures that are appropriate for protecting the content on your protected web sites, and then click Next.

    For more information about signatures, see "Signatures."

  7. On the Select Signature Actions screen, select or clear the associated check boxes to choose the signature actions that you want for each signature category that you selected in the previous step, and then click Next.
  8. On the Select Advanced Protections screen, click Next again.

    You typically do not need to configure the security checks during initial configuration.

  9. On the Summary screen, review your choices to verify that they are what you want. Then, click Finish, or click Back to return to a previous screen and make changes. When you are finished, click Exit to close the Application Firewall wizard.

To configure the Application Firewall: Enabling Blocking for Signatures

  1. Navigate to Security > Application Firewall.
  2. In the details pane, under Getting Started, click Application Firewall Wizard.
  3. On the Application Firewall wizard, Introduction screen, in the lower right-hand corner, click Next.
  4. On the Specify Name screen, select Modify Existing Configuration and, in the Name drop-down list, choose the security configuration that you created during initial configuration, and then click Next.
  5. On the Specify Rule screen, click Next again.
  6. On the Select Signature Protections screen, click Next again.
  7. On the Select Signature Actions screen, enable blocking for your chosen signatures by selecting the Block check box to the left of each of those signatures.

    For more information about which signatures to consider for blocking and how to determine when you can safely enable blocking for a signature, see "Signatures."

  8. On the Select Advanced Protections screen, click Next.
  9. On the Summary screen, review your choices to verify that they appear correct. Then, click Finish, or click Back to return to the Select Signature Actions screen and make changes. When you are finished, click Exit to close the Application Firewall wizard.

To configure the Application Firewall: Enabling and Configuring advanced protection

  1. Navigate to Security > Application Firewall.
  2. In the details pane, under Getting Started, click Application Firewall Wizard.
  3. On the Application Firewall wizard, Introduction screen, in the lower right-hand corner, click Next.
  4. On the Specify Name screen, select Modify Existing Configuration and, in the Name drop-down list, choose the security configuration that you created during initial configuration. Then, click Next.
  5. On the Specify Rule screen, click Next again.
  6. On the Select Signature Protections screen, click Next.
  7. On the Select Signature Actions screen, click Next again.
  8. On the Select Advanced Protections screen, select the check box beside each security check that you want to enable, and then click Next.

    For information about the security checks, see "Advanced Protections" and its subtopics.

  9. On the Select Advanced Actions screen, select check boxes to specify the actions that you want the Application Firewall to perform for each security check, and then click Next.

    For general information about the actions, see "Advanced Protections" and its subtopics. For information about the learning feature, which is available for some security checks, see "To configure and use the Learning feature."

  10. On the Summary screen, review your choices to verify that they appear correct. Then, click Finish, or click Back to return to the Select Signature Actions screen and make changes. When you are finished, click Exit to close the Application Firewall wizard.

To configure the Application Firewall: Creating A Policy

The following procedure describes how to use the Application Firewall wizard to create a specialized security configuration to protect only specific content. In this case, you create a new security configuration instead of modifying the initial configuration. This type of security configuration requires a custom rule, so that the policy applies the configuration to only the selected Web traffic.

  1. Navigate to Security > Application Firewall.
  2. In the details pane, under Getting Started, click Application Firewall Wizard.
  3. On the Application Firewall wizard, Introduction screen, in the lower right-hand corner, click Next.
  4. On the Specify Name screen, type a name for your new security configuration in the Name text box, select the type of security configuration from the Type drop-down list, and then click Next.
  5. On the Specify Rule screen, enter a rule that matches only that content that you want this Web application to protect, and then click Next.

    For a description of policies and policy rules, see "Policies."

  6. On the Select Signature Protections screen, choose the appropriate groups of signatures to protect the content on your protected web sites by selecting the check box beside each group of signatures, and then click Next.

    For detailed information about signatures, see "Signatures."

  7. On the Select Signature Actions screen, select or clear the associated check boxes to choose the signature actions that you want for each signature category that you selected in the previous step, and then click Next. For a detailed description of actions, see "Signatures."
  8. On the Select Advanced Protections screen, select the check box beside each security check that you want to enable, and then click Next.

    For detailed information about the security checks, see "Advanced Protections" and its subtopics.

  9. On the Select Advanced Actions screen, select check boxes to specify the actions that you want the Application Firewall to perform for each security check. Then, click Next.

    For information about each security check to help you determine which actions to enable, see the Advanced Protections section.

  10. On the Summary screen, review your choices to verify that they appear correct. Then, click Finish, or click Back to return to the Select Signature Actions screen and make changes. When you are finished, click Exit to close the wizard.