Product Documentation

Exporting and Importing an Application Firewall Profile

Jan 12, 2016
You can replicate the entire configuration of an application firewall profile (including all bound objects, such as HTML error object, XML error object, WSDL or XML schema, signatures, and so on) across multiple appliances. You can select a target profile and export the configuration to save it in your computer’s local file system, or you can transfer the archived configuration to store it on a server. Similarly, you can browse your computer’s local file system or import the archive from the server to select a previously exported profile and import it into your NetScaler appliance. 
 

The option to export the entire profile configuration and then import it into another appliance can be useful in various use cases. For example, you might want to configure an application firewall profile in a test bed set-up to test and validate that it is working as expected. Once you are satisfied, you can export the profile and import the profile configuration to your production NetScaler appliances. This functionality is also useful for backing up your configuration. You can export the profile before making changes, so that you can easily roll back the configuration to a known state if necessary. 

注意

Application firewall profiles that are exported and archived from one build cannot be restored to a system running a different build, because changes introduced in the newer releases can lead to compatibility issues. If you attempt to restore an archived profile to a different build than the one from which it was exported, an error message is logged in ns.log.  

The export and import profile functionality is available in both the configuration utility (GUI) and the command line interface (CLI).  The configuration utility is recommended, because it offers easy to use Action options. With a click of a button you can Export or Import the entire configuration of a profile. 

Exporting Application Firewall Profiles with the CLI

If you use CLI to export a profile, you must archive the configuration and then export it. To import a profile, you must import the archive into the NetScaler appliance and then execute the restore command to extract the configuration. The following set of CLI commands can be used for exporting, importing and managing the profile configurations. 

CLI commands to export archives:

  • archive appfw profile <name> <archivename> [-comment <string>]
  • export appfw archive <name> <target>

CLI commands to import archives:

  • import appfw archive <src> <name> [-comment <string>]
  • restore appfw profile <archivename>

CLI commands to manage archives:

  • show appfw archive
  • rm appfw archive <name>

Exporting a profile from one appliance and importing it to another requires five steps in CLI. The first 3 steps are performed on the source appliance on which profile configuration is originally created, and the next 2 steps are performed on the target appliance on which the profile configuration is to be replicated.

Export profile from the source NetScaler appliance:

Step 1: Create an archive of the configured profile.

Step 2: Export the archive to the NetScaler file system.

Step 3: Use a file transfer utility such as scp to transfer the exported archive file from NetScaler appliance A to the target NetScaler appliance.

Import profile to the target NetScaler appliance:

Step 4: Execute the import command to import the archived file. You can import the archive from your NetScaler’s local file system, or you can use HTTP or HTTPS protocol to import the archive from a server by using the URL.

Step 5: Execute the restore command to restore the profile configuration from the imported archive

To export an application firewall profile by using the command line interface

First, archive the profile’s configuration, and then export the archive to a target location. At the command prompt, type the following commands:

archive appfw profile <profileName> <archiveName>

where:

  • <profileName> is the name of the profile to archive.
  • <archiveName> is the name of the archive file to create.

Execution of the above command creates 2 instances of the archive file. One in /var/tmp folder and another in the /var/archive/appfw folder. 

export appfw archive <archiveName> <target>

where:

  • <archiveName> is the name of the archive to export. (The same name as in the previous command.
  • <target> is a file path starting with local: as the prefix, followed by <archiveName>.

Execution of the export command saves the exported archive file on the file system of your NetScaler appliance in the /var/tmp folder. 

Examples:

> archive appfw profile test_pr archived_test_pr

> export appfw archive archived_test_pr local:dutA_test_pr

After the above two commands are executed, the /var/tmp folder contains the archived_test_pr  file and the exported copy, dutA_test_pr, which are identical in size. From the CLI, you can drop into the shell to navigate to the folder to verify that these files are there.

After exporting the archive file, you can use scp or some other such file transfer utility to transfer a copy of the archive file from the NetScaler appliance on which they were created to your target NetScaler appliance.

Importing Application Firewall Profiles with the CLI

After you have successfully scp’d the archived file from the source appliance to the target appliance, you are ready to import the profile’s archive, and then execute the restore command to replicate the profile’s configuration on the target appliance.

Log onto the target appliance. Drop into the shell and cd to the /var/tmp folder to verify that the size of the scp’d file on this appliance matches the size of the original archived file on the source appliance. Exit the shell to return to the command line. 

To import a profile by using the CLI

At the command prompt, type the following commands:

import appfw archive <src> <name> [-comment <string>]

where

  • <src> is the location of the archive file after it has been transferred from the source appliance on which it was created. You can use a local file system and file name. If you have placed the archive on a server, you can use a URL to import the archived file. If the path or file name contains spaces, enclose the URL in straight double quotation marks.
  • <name> is the name of the archive file to be imported.
  • <string> is an optional description of the purpose of the Archive.

restore appfw profile <archiveName> 

Examples:

A. Import from local file followed by restore

 > import appfw archive local:dutA_test_pr dut2_test_pr

> restore appfw profile dut2_test_pr

B. Import from URL followed by restore

> import appfw archive http://10.217.30.16/FFC/Profile_ImportExport/dutA_test_pr.tgz my_archive

> restore appfw profile my_archive

This example restores the test_pr profile along with all bound objects (such as signatures, html error page, relaxation rules and so on) on the target NetScaler appliance. 

You can use the following CLI commands to access man pages for additional details.

  • man archive appfw profile
  • man export appfw archive
  • man import appfw archive
  • man restore appfw profile
  • man show appfw archive
  • man rm appfw archive

Exporting and Importing Application Firewall Profiles with the Configuration Utility

The configuration utility (GUI) is easier to use than the CLI. The utility performs both archive and export operations when you click Export. Similarly it executes both import and restore when you click Import. The configuration utility can access the local file system of the computer from which you access the utility. You can export a copy of the archive and save it on your local computer. You can then import this copy directly in the target appliance without having to manually transfer the archive file from one appliance to the other(s). 

To export an application firewall profile by using the configuration utility

  1. Navigate to Configuration > Security > Application Firewall > Profiles.
  2. In the details pane, select a profile to export. Click Actions and select Export to download and save a copy in your computer’s local file system.

To import an application firewall profile by using the configuration utility

  1. Navigate to ConfigurationSecurity > Application Firewall > Profiles.
  2. In the details pane, click Actions and select Import. In the Import Application firewall Profile pane, the Import From* selection box gives you 2 options:

URL: You can choose to import an archive by specifying a URL. When this option is selected, you must provide an absolute path for the archived file in the URL input box.

File: You can choose to import an archive from the local File. When this option is selected, a Local File selection field is displayed. You can browse your computer’s local files to select the target archive file.

Click Create to import the specified archive. Successful completion of the import operation creates the profile configuration on the target appliance. 

Highlights      

  • You can replicate the entire configuration (including all import objects as well as configured relaxation rules for the profile) on multiple appliances, without needing to repeat configuration steps, by using export and import profile functionality.
  • The imported objects, such as signatures, WSDL, Schema, error page and so on, are included in the archived tar file and replicated on the target appliance.
  • Customized field types are included in the archived tar file and replicated on the target appliance.
  • The policy bindings of the archived profile are not replicated when the configuration is restored. You must configure the policy and bind it to the profile after importing the profile to the appliance.
  • The name of the archive file can be up to 31 character long. As with profile names, an archive name must begin with an alphanumeric character or underscore and contain only alphanumeric and underscore (_), number (#), period (.), space ( ),  colon (:), at (@), equals (=) or hyphen (-) characters.
  • Comments associated with the archive should be descriptive enough to convey the purpose of the archived configuration. The maximum allowed length for a comment is 255 characters.
  • The “clear config –force basic” command does not remove the archived profiles.
  • The import and export profile functionality is supported in high availability (HA) deployments. 

Debugging Tips

  • Monitor the /var/log/ns.log during command executions to see if there are any ERROR messages.
  • Additional logs (_restore.log, remove.log, import.log) are generated in the /var/tmp/folder. They can help debug issues during the corresponding operations. When these logs reach one MB in size, the log messages are purged to shrink the log file to one fourth of the original size.
  • If the import command fails when you are using the URL option instead of the local file system, verify that DNS name server and route settings are accurately configured. 
  • If you are using the HTTPS protocol to import the archive, the command might fail if the HTTPS server requires client certificate authentication.