- Creating and Configuring Application Firewall Policies
- Binding Application Firewall Policies
- Viewing a Firewall Policy's Bindings
- Supplemental Information about Application Firewall Policies
A firewall policy consists of two elements: a rule, and an associated profile. The rule selects the HTTP traffic that matches the criteria that you set, and sends that traffic to the application firewall for filtering. The profile contains the filtering criteria that the application firewall uses.
The policy rule consists of one or more expressions in the NetScaler expressions language. The NetScaler expressions syntax is a powerful, object-oriented programming language that enables you to precisely designate the traffic that you want to process with a specific profile. For users who are not completely familiar with the NetScaler expressions language syntax, or who prefer to configure their NetScaler appliance by using a web-based interface, the configuration utility provides two tools: the Prefix menu and the Add Expression dialog box. Both help you to write expressions that select exactly the traffic that you want to process. Experienced users who are thoroughly familiar with the syntax may prefer to use the NetScaler command line to configure their NetScaler appliances.
For detailed information about the NetScaler expressions language, see "Policies and Expressions."
You can create a firewall policy by using the configuration utility or the NetScaler command line.
At the command prompt, type the following commands:
The following example adds a policy named pl-blog, with a rule that intercepts all traffic to or from the host blog.example.com, and associates that policy with the profile pr-blog. This is an appropriate policy to protect a blog hosted on a specific hostname.
add appfw policy pl-blog "HTTP.REQ.HOSTNAME.DOMAIN.EQ(\"blog.example.com\")" pr-blog
The name can begin with a letter, number, or the underscore symbol, and can consist of from one to 128 letters, numbers, and the hyphen (-), period (.), pound (#), space ( ), at (@), equals (=), colon (:), and underscore (_) symbols.
If you are configuring an existing firewall policy, this field is read-only. You cannot modify it.
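As an added example (not part of the original documentation or of the NetScaler product), the following Python helper checks a policy name against the naming rules stated above and renders the add appfw policy command from the example, escaping the inner double quotes of the expression with a backslash the way the command-line form requires. The ns_quote, hostname_expression, and build_add_policy_command names, the doubling of literal backslashes inside the quoted expression, and the quoting of names that contain a space are assumptions for this illustration, not documented NetScaler behaviour.

```python
import re

# Naming rules as stated on the page: the first character is a letter, digit or
# underscore; the whole name is 1 to 128 characters drawn from letters, digits,
# hyphen, period, pound, space, at, equals, colon and underscore.
_FIRST = r"[A-Za-z0-9_]"
_REST = r"[A-Za-z0-9_\-.# @=:]"
NAME_RE = re.compile(rf"{_FIRST}{_REST}{{0,127}}")

# Hostnames handed to HTTP.REQ.HOSTNAME.DOMAIN.EQ(...) are restricted to DNS
# label characters so that a quote or parenthesis can never break the expression.
HOST_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9\-]*[A-Za-z0-9])?(?:\.[A-Za-z0-9](?:[A-Za-z0-9\-]*[A-Za-z0-9])?)*")


def is_valid_policy_name(name: str) -> bool:
    """True if the name satisfies the page's length and character rules."""
    return NAME_RE.fullmatch(name) is not None


def ns_quote(expression: str) -> str:
    """Wrap an expression in double quotes for the NetScaler command line.

    Inner double quotes become \\" (as the page's command-line note requires);
    doubling literal backslashes is an assumption for this example.
    """
    escaped = expression.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def hostname_expression(host: str) -> str:
    """Build the HTTP.REQ.HOSTNAME.DOMAIN.EQ(...) rule used in the page's example."""
    if HOST_RE.fullmatch(host) is None:
        raise ValueError(f"not a plain hostname: {host!r}")
    return f'HTTP.REQ.HOSTNAME.DOMAIN.EQ("{host}")'


def build_add_policy_command(name: str, expression: str, profile: str) -> str:
    """Render 'add appfw policy <name> <rule> <profile>' with proper quoting."""
    for label, value in (("policy", name), ("profile", profile)):
        if not is_valid_policy_name(value):
            raise ValueError(f"invalid {label} name: {value!r}")
    # Assumption: a name containing a space has to be quoted on the command line.
    quoted_name = f'"{name}"' if " " in name else name
    quoted_profile = f'"{profile}"' if " " in profile else profile
    return f"add appfw policy {quoted_name} {ns_quote(expression)} {quoted_profile}"


if __name__ == "__main__":
    # Reproduces the page's example: policy pl-blog, host blog.example.com, profile pr-blog.
    print(build_add_policy_command("pl-blog", hostname_expression("blog.example.com"), "pr-blog"))
```

Rejecting a hostname that contains quotes or parentheses before it is spliced into the expression is the point of hostname_expression: a policy rule is code that the appliance evaluates on every request, so anything that is templated into it should be validated as strictly as the name field is.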
The policy rule, also called the expression, defines the web traffic that the application firewall filters by using the profile associated with the policy. Like other NetScaler policy rules (or expressions), application firewall rules use NetScaler expressions syntax. This syntax is powerful, flexible, and extensible. It is too complex to describe completely in this set of instructions. You can use the following procedure to create a simple firewall policy rule, or you can read it as an overview of the policy creation process.
After you choose a prefix, the application firewall displays a two-part prompt window that displays the possible next choices at the top, and a brief explanation of what the selected choice means at the bottom.
If you chose HTTP as your prefix, your only choice is REQ, which specifies the Request/Response pair. (The application firewall operates on the request and response as a unit instead of on each separately.) If you chose another prefix, your choices are more varied. For help on a specific choice, click that choice once to display information about it in the lower prompt window.
When you have decided which term you want, double-click it to insert it into the Expression window.
Following are some examples of expressions for specific purposes.
Specific web host. To match traffic from a particular web host:
For shopping.example.com, substitute the name of the web host that you want to match.
Specific web folder or directory. To match traffic from a particular folder or directory on a web host:
For www.example.com, substitute the name of the web host. For folder, substitute the folder or path to the content that you want to match. For example, if your shopping cart is in a folder called /solutions/orders, you substitute that string for folder.
Specific type of content: GIF images. To match GIF format images:
To match other format images, substitute another string in place of .gif.
Specific type of content: scripts. To match all CGI scripts located in the CGI-BIN directory:
For more information about creating policy expressions, see "Policies and Expressions."
If entered at the command line, however, you must type this instead:
The Add Expression dialog box (also referred to as the Expression Editor) helps users who are not familiar with the NetScaler expressions language to construct a policy that matches the traffic that they want to filter.