Unlike most wizards, the Application Firewall wizard is designed not just to simplify the initial configuration process, but also to modify previously created configurations and to maintain your Application Firewall setup. A typical user runs the wizard multiple times, skipping some of the screens each time.
To run the Application Firewall wizard, first open the configuration utility. Next, in the navigation pane, expand Application Firewall, and then in the details pane click Application Firewall Wizard. (For more information about the configuration utility, see "The Application Firewall User Interfaces.") Then:
The Application Firewall wizard displays the following screens, in the following order:
Introduction screen. Provides an introduction to the Application Firewall wizard. There is nothing that you can configure on this screen.
Specify Name screen. On this screen, when creating a new security configuration, you specify the name that the wizard is to assign to the configuration. The name can begin with a letter, number, or the underscore symbol (_), and can be from 1 to 31 characters long, consisting of letters, numbers, and the hyphen (-), period (.), pound (#), space ( ), at (@), equals (=), colon (:), and underscore (_) symbols. Choose a name that makes it easy for others to tell what content your new security configuration protects.
When modifying an existing configuration, you select Modify Existing Configuration and then, in the Name drop-down list, select the name of the existing configuration that you want to modify.
You also select a profile type on this screen. The profile type determines the types of advanced protection (security checks) that can be configured. Because certain kinds of content are not vulnerable to certain types of security threats, restricting the list of available checks saves time during configuration. The types of Application Firewall profiles are:
Specify Rule screen. On this screen, you specify the policy rule (expression) that defines the traffic to be examined by this security configuration. If you are creating an initial configuration to protect your Web sites and Web services, you can simply accept the default value, true, which selects all web traffic.
If you want this security configuration to examine only specific traffic rather than all HTTP traffic that is routed through the appliance, you can write a policy rule that specifies the traffic you want it to examine. Rules are written in the Citrix NetScaler expressions language, which is a fully functional object-oriented programming language.
Select Signature Protections screen. On this screen, you select the categories of signatures that you want to use to protect your web sites and web services. The default categories are:
CGI. Protection against attacks on web sites that use CGI scripts in any language, including Perl scripts, Unix shell scripts, and Python scripts.
Cold Fusion. Protection against attacks on web sites that use the Adobe Systems® ColdFusion® Web development platform.
FrontPage. Protection against attacks on web sites that use the Microsoft® FrontPage® Web development platform.
PHP. Protection against attacks on web sites that use the PHP open-source Web development scripting language.
Client side. Protection against attacks on client-side tools used to access your protected web sites, such as Microsoft Internet Explorer, Mozilla Firefox, the Opera browser, and the Adobe Acrobat Reader.
Microsoft IIS. Protection against attacks on Web sites that run the Microsoft Internet Information Server (IIS).
Miscellaneous. Protection against attacks on other server-side tools, such as Web servers and database servers.
If you are creating a new security configuration, the signature categories that you select are enabled, and by default they are recorded in a new signatures object. The new signatures object is assigned the same name that you entered on the Specify name screen as the name of the security configuration.
If you have previously configured signatures objects and want to use one of them as the signatures object associated with the security configuration that you are creating, click Select Existing Signature and select a signatures object from the Signatures list.
If you are modifying an existing security configuration, you can click Select Existing Signature and assign a different signatures object to the security configuration.
Select Signature Actions screen. On this screen, you select the actions associated with the signature categories that you selected on the Select signature protections screen. If you are creating an initial configuration, you might want to accept the defaults, which enable the Log and Stats actions but not the Block action. You can decide later, after reviewing the collected logs and statistics, which signatures you should use to block traffic, and then enable the Block action for those signatures. Signatures are designed to catch specific known attacks on your web sites, and therefore they have extremely low false positive rates. However, with any new configuration, you should probably observe how the settings you chose are working before you use them to block traffic.
If you select More for one of the signature categories, the Configure Actions for Signatures dialog box appears. Its contents are the same as the contents of the Modify Signatures Object dialog box, as described in "To Configure a Signatures Object."
If the signatures object has already logged connections, you can click Logs to display the Syslog Viewer with the logs, as described in "Logs, Statistics, and Reports." If a signature is blocking legitimate access to your protected web site or web service, you can create and implement a relaxation for that signature by selecting a log that shows the unwanted blocking, and then clicking Deploy.
To enable or disable an action for a check, in the list, select or clear the check box for that action to the right of that check.
To configure other parameters for those checks that have them, in the list, click the blue chevron to the far right of that check. In the dialog box that appears, configure the parameters. These vary from check to check. You can also select a check and, at the bottom of the dialog box, click Open to display a dialog box for modifying any of the options for that check. These dialog boxes also vary from check to check. Most of them include a Checks tab and a General tab. If the check supports relaxations, the Checks tab includes an Add button, which opens yet another dialog box, in which you can specify a relaxation for the check. A relaxation is a rule for exempting specified traffic from the check.
For information about the settings available for a check, see the detailed description of that check.
To review the recommendations generated by the learning engine for a specific check, select that check and then click Learned Violations to open the Manage Learned Rules dialog box for that check. For more information on how learning works and how to configure exceptions (relaxations) or deploy learned rules for a check, see "Manual Configuration By Using the Configuration Utility" under "To configure and use the learning feature."
To view all logs for a specific check, select that check, and then click Logs to display the Syslog Viewer, as described in "Logs, Statistics, and Reports." If a security check is blocking legitimate access to your protected web site or web service, you can create and implement a relaxation for that security check by selecting a log that shows the unwanted blocking, and then clicking Deploy.
Following are four procedures that show how to perform specific types of configuration by using the Application Firewall wizard.
For more information about signatures, see "Signatures."
You typically do not need to configure the security checks during initial configuration.
For more information about which signatures to consider for blocking and how to determine when you can safely enable blocking for a signature, see "Signatures."
For information about the security checks, see "Advanced Protections" and its subtopics.
For general information about the actions, see "Advanced Protections" and its subtopics. For information about the learning feature, which is available for some security checks, see "To configure and use the Learning feature."
The following procedure describes how to use the Application Firewall wizard to create a specialized security configuration to protect only specific content. In this case, you create a new security configuration instead of modifying the initial configuration. This type of security configuration requires a custom rule, so that the policy applies the configuration to only the selected Web traffic.
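As an added illustration that is not part of the original documentation, the following NetScaler CLI fragment shows what a specialized configuration of this kind amounts to once the wizard has created it: a profile, a policy whose rule narrows examination from the default true to one host's CGI directory (the policy rule screen described earlier), and a global binding. The object names, hostname, and path are constructed for the example; the commands are the CLI counterparts of the wizard's screens as the editor understands them, not text from this page.

```text
# Added example, not from the original page. Names, hostname and path are constructed.

# 1. Create the profile. The type restricts which advanced protections
#    (security checks) the wizard offers for this configuration.
add appfw profile cgi_apps_prof -type HTML

# 2. Attach an existing signatures object (the equivalent of clicking
#    Select Existing Signature on the Select Signature Protections screen).
set appfw profile cgi_apps_prof -signatures cgi_apps_sigs

# 3. Policy rule in the NetScaler expressions language: examine only requests
#    for the CGI directory on one host instead of all HTTP traffic ("true").
#    The rule is single-quoted so the double quotes inside it pass through unchanged.
add appfw policy cgi_apps_pol 'HTTP.REQ.HOSTNAME.EQ("www.example.com") && HTTP.REQ.URL.PATH.STARTSWITH("/cgi-bin/")' cgi_apps_prof

# 4. Bind the policy globally. A lower priority number is evaluated first,
#    so a narrow rule like this one should outrank a broad "true" policy.
bind appfw global cgi_apps_pol 100
```

Before blocking, keep the signature actions at Log and Stats as the Select Signature Actions screen recommends, and review the Syslog Viewer output for this policy to confirm the rule matches only the intended traffic.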
For a description of policies and policy rules, see "Policies."
For detailed information about signatures, see "Signatures."
For detailed information about the security checks, see "Advanced Protections" and its subtopics.
For information about each security check to help you determine which actions to enable, see the Advanced Protections section.