Manual configuration By using the command line interface
Note:
If you need to manually configure the Web App Firewall feature, Citrix recommends you to use the Citrix ADC GUI procedure.
You can configure many Web App Firewall features from the Citrix ADC command line. There are important exceptions, however. You cannot enable signatures from the command line. There are over 1,000 default signatures in seven categories. The task is too complex for the command line interface. You can configure the check actions and parameters for security checks from the command line, but cannot enter manual relaxations. While you can configure the adaptive learning feature and enable learning from the command line, you cannot review learned relaxations or learned rules and approve or skip them. The command line interface is intended for advanced users who are thoroughly familiar with the Citrix ADC appliance and the Web App Firewall feature.
To manually configure the Web App Firewall by using the Citrix ADC command line, use a telnet or secure shell client of your choice to log on to the Citrix ADC command line.
To create a profile by using the command line interface
At the command prompt, type the following commands:
add appfw profile[-defaults ( basic | advanced )] set appfw profile-type ( HTML | XML | HTML XML ) save ns config
Example
The following example adds a profile named pr-basic, with basic defaults, and assigns a profile type of HTML. This is the appropriate initial configuration for a profile to protect an HTML website.
add appfw profile pr-basic -defaults basic set appfw profile pr-basic -type HTML save ns config To configure a profile by using the command line interface
At the command prompt, type the following commands:
set appfw profilewhere[ ...] save ns config
Example
The following example shows how to configure an HTML profile created with basic defaults to begin protecting a simple HTML-based website. This example turns on logging and maintenance of statistics for most security checks, but enables blocking only for those checks that have low false positive rates and require no special configuration. It also turns on transformation of unsafe HTML and unsafe SQL, which prevents attacks but does not block requests to your websites. With logging and statistics enabled, you can later review the logs to determine whether to enable blocking for a specific security check.
集appfw概要-startURLAction日志数据集pfw profile -denyURLAction block log stats set appfw profile -cookieConsistencyAction log stats set appfw profile -crossSiteScriptingAction log stats set appfw profile -crossSiteScriptingTransformUnsafeHTML ON set appfw profile -fieldConsistencyAction log stats set appfw profile -SQLInjectionAction log stats set appfw profile -SQLInjectionTransformSpecialChars ON set appfw profile -SQLInjectionOnlyCheckFieldsWithSQLChars ON set appfw profile -SQLInjectionParseComments checkall set appfw profile -fieldFormatAction log stats set appfw profile -bufferOverflowAction block log stats set appfw profile -CSRFtagAction log stats save ns config To create and configure a policy
At the command prompt, type the following commands:
add appfw policysave ns config
Example
The following example adds a policy named pl-blog, with a rule that intercepts all traffic to or from the host blog.example.com, and associates that policy with the profile pr-blog. This is an appropriate policy to protect a blog hosted on a specific host name.
add appfw policy pl-blog "HTTP.REQ.HOSTNAME.DOMAIN.EQ("blog.example.com")" pr-blog To bind a Web App Firewall policy
At the command prompt, type the following commands:
bind appfw globalsave ns config
Example
The following example binds the policy named pl-blog and assigns it a priority of 10.
bind appfw global pl-blog 10 save ns config To configure session limit per PE
At the command prompt, type the following commands:
set appfw settings
Example
The following example configures the session limit per PE.
> set appfw settings -sessionLimit 500000` Done Default value:100000 Max value:500000 per PE