Creating and configuring Web App Firewall policies

A firewall policy consists of two elements: a rule, and an associated profile. The rule selects the HTTP traffic that matches the criteria that you set, and sends that traffic to the Web App Firewall for filtering. The profile contains the filtering criteria that the Web App Firewall uses.

The policy rule consists of one or more expressions in the Citrix ADC expressions language. The Citrix ADC expressions syntax is a powerful, object-oriented programming language that enables you to precisely designate the traffic that you want to process with a specific profile. For users who are not completely familiar with the Citrix ADC expressions language syntax, or who prefer to configure their Citrix ADC appliance by using a web-based interface, the GUI provides two tools: the Prefix menu and the Add Expression dialog box. Both help you to write expressions that select exactly the traffic that you want to process. Experienced users who are thoroughly familiar with the syntax may prefer to use the Citrix ADC command line to configure their Citrix ADC appliances.

Note: In addition to the default expression syntax, for backward compatibility the Citrix ADC operating system supports the Citrix ADC classic expressions syntax on Citrix ADC Classic and nCore appliances and virtual appliances. Classic expressions are not supported on Citrix ADC Cluster appliances and virtual appliances. Current Citrix ADC users who want to migrate existing configurations to the Citrix ADC Cluster must migrate any policies that contain classic expressions to the default expressions syntax.

For detailed information about the Citrix ADC expressions languages, see “Policies and Expressions.”

You can create a firewall policy by using the GUI or the Citrix ADC command line.

To create and configure a policy by using the command line interface

At the command prompt, type the following commands:

  • add appfw policy
  • save ns config

Example

The following example adds a policy named pl-blog, with a rule that intercepts all traffic to or from the host blog.example.com, and associates that policy with the profile pr-blog. This is an appropriate policy to protect a blog hosted on a specific hostname.

add appfw policy pl-blog "HTTP.REQ.HOSTNAME.DOMAIN.EQ(\"blog.example.com\")" pr-blog

To create and configure a policy by using the GUI

  1. Navigate to Security > Web App Firewall > Policies.

  2. In the details pane, do one of the following:

    • To create a new firewall policy, click Add. The Create Web App Firewall Policy dialog box is displayed.
    • To edit an existing firewall policy, select the policy, and then click Edit.

    The Create Web App Firewall Policy or Configure Web App Firewall Policy dialog box is displayed.

  3. If you are creating a new firewall policy, in the Create Web App Firewall Policy dialog box, in the Policy Name text box, type a name for your new policy.

    The name can begin with a letter, number, or underscore symbol, and can consist of from one to 128 letters, numbers, and the hyphen (-), period (.), pound (#), space ( ), at (@), equals (=), colon (:), and underscore (_) symbols.

    If you are configuring an existing firewall policy, this field is read-only. You cannot modify it.

  4. Select the profile that you want to associate with this policy from the Profile drop-down list. You can create a new profile to associate with your policy by clicking New, and you can modify an existing profile by clicking Modify.

  5. In the Expression text area, create a rule for your policy.

    • You can type a rule directly into the text area.
    • You can click Prefix to select the first term for your rule, and follow the prompts.
    • You can click Add to open the Add Expression dialog box, and use it to construct the rule.
  6. Click Create or OK, and then click Close.

To create or configure a Web App Firewall rule (expression)

The policy rule, also called the expression, defines the web traffic that the Web App Firewall filters by using the profile associated with the policy. Like other Citrix ADC policy rules (or expressions), Web App Firewall rules use Citrix ADC expressions syntax. This syntax is powerful, flexible, and extensible. It is too complex to describe completely in this set of instructions. You can use the following procedure to create a simple firewall policy rule, or you can read it as an overview of the policy creation process.

  1. If you have not already done so, navigate to the appropriate location in the Web App Firewall wizard or the Citrix ADC GUI to create your policy rule:

    • If you are configuring a policy in the Web App Firewall wizard, in the navigation pane, click Web App Firewall, then in the details pane click Web App Firewall Wizard, and then navigate to the Specify Rule screen.
    • If you are configuring a policy manually, in the navigation pane, expand Web App Firewall, then Policies, and then Firewall. In the details pane, to create a new policy, click Add. To modify an existing policy, select the policy, and then click Open.
  2. On the Specify Rule screen, the Create Web App Firewall Profile dialog box, or the Configure Web App Firewall Profile dialog box, click Prefix, and then choose the prefix for your expression from the drop-down list. Your choices are:

    • HTTP. The HTTP protocol. Choose this if you want to examine some aspect of the request that pertains to the HTTP protocol.
    • SYS. The protected Web site(s). Choose this if you want to examine some aspect of the request that pertains to the recipient of the request.
    • CLIENT. The computer that sent the request. Choose this if you want to examine some aspect of the sender of the request.
    • SERVER. The computer to which the request was sent. Choose this if you want to examine some aspect of the recipient of the request.

    After you choose a prefix, the Web App Firewall displays a two-part prompt window that displays the possible next choices at the top, and a brief explanation of what the selected choice means at the bottom.

  3. Choose your next term.

    If you chose HTTP as your prefix, your only choice is REQ, which specifies the Request/Response pair. (The Web App Firewall operates on the request and response as a unit instead of on each separately.) If you chose another prefix, your choices are more varied. For help on a specific choice, click that choice once to display information about it in the lower prompt window.

    When you have decided which term you want, double-click it to insert it into the Expression window.

  4. Type a period after the term you just chose. You are then prompted to choose your next term, as described in the previous step. When a term requires that you type a value, fill in the appropriate value. For example, if you choose HTTP.REQ.HEADER(""), type the header name between the quotation marks.

  5. Continue choosing terms from the prompts and filling in any values that are needed, until your expression is finished.

    Following are some examples of expressions for specific purposes.

    • Specific web host. To match traffic from a particular web host:

      HTTP.REQ.HEADER("Host").EQ("shopping.example.com") 

      For shopping.example.com, substitute the name of the web host that you want to match.

    • Specific web folder or directory. To match traffic from a particular folder or directory on a Web host:

      HTTP.REQ.URL.STARTSWITH("https://www.example.com/folder") 

      For www.example.com, substitute the name of the web host. For folder, substitute the folder or path to the content that you want to match. For example, if your shopping cart is in a folder called /solutions/orders, you substitute that string for folder.

    • Specific type of content: GIF images. To match GIF format images:

      HTTP.REQ.URL.ENDSWITH(".gif") 

      To match other format images, substitute another string in place of .gif.

    • Specific type of content: scripts. To match all CGI scripts located in the CGI-BIN directory:

      HTTP.REQ.URL.STARTSWITH("https://www.example.com/CGI-BIN") 

      To match all JavaScripts with .js extensions:

      HTTP.REQ.URL.ENDSWITH(".js") 

      For more information about creating policy expressions, see “Policies and Expressions.”

    Note: If you use the command line to configure a policy, remember to escape any double quotation marks within Citrix ADC expressions. For example, the following expression is correct if entered in the GUI:

    HTTP.REQ.HEADER("Host").EQ("shopping.example.com") 

    If entered at the command line, however, you must type this instead:

    HTTP.REQ.HEADER(\"Host\").EQ(\"shopping.example.com\") 
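The command-line example above and the escaping note are easy to get wrong when policies are generated rather than typed. The following added helper (not part of this page or the Citrix product) builds `add appfw policy` command lines from GUI-style expressions, applying the quote escaping the note describes and checking the policy-name rules stated in the GUI procedure; the pl-shop, pl-gif and pr-* names other than pl-blog/pr-blog are constructed for the example.

```python
import re

# Policy-name rules as stated in the GUI procedure: first character is a letter,
# number or underscore; 1 to 128 characters drawn from letters, numbers and
# hyphen, period, pound, space, at, equals, colon and underscore.
_NAME_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9\-.# @=:_]{0,127}$")


def valid_policy_name(name: str) -> bool:
    """Return True if `name` satisfies the Web App Firewall policy naming rules."""
    return bool(_NAME_RE.fullmatch(name))


def cli_escape(expr: str) -> str:
    """Escape double quotes inside an expression for the Citrix ADC command line.

    The GUI accepts HTTP.REQ.HEADER("Host").EQ("shopping.example.com") as typed;
    at the command line the inner quotes must become \\" so that the quoting
    around the whole rule survives.
    """
    return expr.replace('"', '\\"')


def add_appfw_policy_cmd(name: str, expr: str, profile: str) -> str:
    """Build the `add appfw policy <name> "<rule>" <profile>` command line.

    Raises ValueError for a name the appliance would reject, so the check runs
    before anything is pasted into a session.
    """
    if not valid_policy_name(name):
        raise ValueError(f"invalid policy name: {name!r}")
    return f'add appfw policy {name} "{cli_escape(expr)}" {profile}'


# Expressions from this page; policy/profile names other than pl-blog/pr-blog
# are constructed for the example.
RULES = {
    "pl-blog": ('HTTP.REQ.HOSTNAME.DOMAIN.EQ("blog.example.com")', "pr-blog"),
    "pl-shop": ('HTTP.REQ.HEADER("Host").EQ("shopping.example.com")', "pr-shop"),
    "pl-gif": ('HTTP.REQ.URL.ENDSWITH(".gif")', "pr-static"),
}


def render_all() -> list[str]:
    """Return the command lines for every rule above, then `save ns config`."""
    lines = [add_appfw_policy_cmd(n, e, p) for n, (e, p) in RULES.items()]
    lines.append("save ns config")
    return lines


if __name__ == "__main__":
    print("\n".join(render_all()))
```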

To add a firewall rule (expression) by using the Add Expression dialog box

The Add Expression dialog box (also referred to as the Expression Editor) helps users who are not familiar with the Citrix ADC expressions language to construct a policy that matches the traffic that they want to filter.

  1. If you have not already done so, navigate to the appropriate location in the Web App Firewall wizard or the Citrix ADC GUI:
    • If you are configuring a policy in the Web App Firewall wizard, in the navigation pane, click Web App Firewall, then in the details pane click Web App Firewall Wizard, and then navigate to the Specify Rule screen.
    • If you are configuring a policy manually, in the navigation pane, expand Web App Firewall, then Policies, and then Firewall. In the details pane, to create a new policy, click Add. To modify an existing policy, select the policy, and then click Open.
  2. On the Specify Rule screen, in the Create Web App Firewall Profile dialog box, or in the Configure Web App Firewall Profile dialog box, click Add.
  3. In the Add Expression dialog box, in the Construct Expression area, in the first list box, choose one of the following prefixes:
    • HTTP. The HTTP protocol. Choose this if you want to examine some aspect of the request that pertains to the HTTP protocol. The default choice.
    • SYS. The protected Web site(s). Choose this if you want to examine some aspect of the request that pertains to the recipient of the request.
    • CLIENT. The computer that sent the request. Choose this if you want to examine some aspect of the sender of the request.
    • SERVER. The computer to which the request was sent. Choose this if you want to examine some aspect of the recipient of the request.
  4. In the second list box, choose your next term. The available terms differ depending on the choice you made in the previous step, because the dialog box automatically adjusts the list to contain only those terms that are valid for the context. For example, if you selected HTTP in the previous list box, the only choice is REQ, for requests. Because the Web App Firewall treats requests and associated responses as a single unit and filters both, you do not need to specify responses separately. After you choose your second term, a third list box appears to the right of the second. The Help window displays a description of the second term, and the Preview Expression window displays your expression.
  5. In the third list box, choose the next term. A new list box appears to the right, and the Help window changes to display a description of the new term. The Preview Expression window updates to display the expression as you have specified it to that point.
  6. Continue choosing terms, and when prompted filling in arguments, until your expression is complete. If you make a mistake or want to change your expression after you have already selected a term, you can simply choose another term. The expression is modified, and any arguments or additional terms that you added after the term that you modified are cleared.
  7. When you have finished constructing your expression, click OK to close the Add Expression dialog box. Your expression is inserted into the Expression text area.