
Manual configuration by using the Citrix ADC GUI

If you need to manually configure the Web App Firewall feature, Citrix recommends that you use the Citrix ADC GUI procedure.

To create and configure signatures object

Before you can configure the signatures, you must create a signatures object from the appropriate default signatures object template. Assign the copy a new name, and then configure the copy. You cannot configure or modify the default signatures objects directly. The following procedure provides basic instructions for configuring a signatures object. For more detailed instructions, see Manually Configuring the Signatures Feature.

  1. Navigate to Security > Citrix Web App Firewall > Signatures.
  2. In the details pane, select the signatures object that you want to use as a template, and then click Add.

    Your choices are:

    • Default Signatures. Contains the signatures rules, the SQL injection rules, and the cross-site scripting rules.
    • XPath Injection. Contains all of the items in the Default Signatures, and in addition, contains the XPath injection rules.
  3. In the Add Signatures Object dialog box, type a name for your new signatures object, click OK, and then click Close. The name can begin with a letter, number, or the underscore symbol, and can consist of from one to 31 letters, numbers, and the hyphen (-), period (.), pound (#), space ( ), at (@), equals (=), and underscore (_) symbols.
  4. Select the signatures object that you created, and then click Open.
  5. In the Modify Signatures Object dialog box, set the Display Filter Criteria options at the left to display the filter items that you want to configure.

    As you modify these options, the results that you specify are displayed in the Filtered Results window at the right. For more information about the categories of signatures, see Signatures.

  6. In the Filtered Results area, configure the settings for a signature by selecting and clearing the appropriate check boxes.
  7. When finished, click Close.

To create a Web App Firewall profile by using the GUI

Creating a Web App Firewall profile requires that you specify only a few configuration details.

  1. Navigate to Security > Citrix Web App Firewall > Profiles.
  2. In the details pane, click Add.
  3. In the Create Web App Firewall Profile dialog box, type a name for your profile.

    The name can begin with a letter, number, or the underscore symbol, and can consist of from one to 31 letters, numbers, and the hyphen (-), period (.), pound (#), space ( ), at (@), equals (=), colon (:), and underscore (_) symbols.

  4. Choose the profile type from the drop-down list.
  5. Click Create, and then click Close.

To configure a Web App Firewall profile by using the GUI

  1. Navigate to Security > Citrix Web App Firewall > Profiles.
  2. In the details pane, select the profile that you want to configure, and then click Edit.
  3. In the Configure Web App Firewall Profile dialog box, on the Security Checks tab, configure the security checks.
    • To enable or disable an action for a check, in the list, select or clear the check box for that action.
    • To configure other parameters for those checks that have them, in the list, click the blue chevron to the far right of that check. In the dialog box that appears, configure the parameters. These vary from check to check.

      You can also select a check and, at the bottom of the dialog box, click Open to display the Configure Relaxation dialog box or Configure Rule dialog box for that check. These dialog boxes also vary from check to check. Most of them include a Checks tab and a General tab. If the check supports relaxations or user-defined rules, the Checks tab includes an Add button, which opens yet another dialog box, in which you can specify a relaxation or rule for the check. (A relaxation is a rule for exempting specified traffic from the check.) If relaxations have already been configured, you can select one and click Open to modify it.

    • To review learned exceptions or rules for a check, select the check, and then click Learned Violations. In the Manage Learned Rules dialog box, select each learned exception or rule in turn.

      • To edit the exception or rule, and then add it to the list, click Edit & Deploy.
      • To accept the exception or rule without modification, click Deploy.
      • To remove the exception or rule from the list, click Skip.
    • To refresh the list of exceptions or rules to be reviewed, click Refresh.
    • To open the Learning Visualizer and use it to review learned rules, click Visualizer.
    • To review the log entries for connections that matched a check, select the check, and then click Logs. You can use this information to determine which checks are matching attacks so that you can enable blocking for those checks. You can also use this information to determine which checks are matching legitimate traffic, so that you can configure an appropriate exemption to allow those legitimate connections. For more information about the logs, see Logs, Statistics, and Reports.
    • To completely disable a check, in the list, clear all of the check boxes to the right of that check.
  4. On the Settings tab, configure the profile settings.
    • To associate the profile with the set of signatures that you previously created and configured, under Common Settings, choose that set of signatures in the Signatures drop-down list.

      Note:

      You might have to use the scroll bar on the right of the dialog box to scroll down to display the Common Settings section.

    • To configure an HTML or XML error object, select the object from the appropriate drop-down list.

      Note:

      You must first upload the error object that you want to use in the Import pane.

    • To configure the default XML Content Type, type the content type string directly into the Default Request and Default Response text boxes, or click Manage Allowed Content Types to manage the list of allowed content types.

  5. If you want to use the learning feature, click Learning, and configure the learning settings for the profile. For more information, see To configure and use the Learning feature.

  6. Click OK to save your changes and return to the Profiles pane.

Configuring a Web App Firewall rule or relaxation

You configure two different types of information in this dialog box, depending upon which security check you are configuring. In most cases, you configure an exception (or relaxation) to the security check. If you are configuring the Deny URL check or the Field Formats check, you configure an addition (or rule). The process for either of these is the same.

To configure a relaxation rule by using the Citrix ADC GUI

  1. Navigate to Security > Citrix Web App Firewall > Profiles.
  2. In the Profiles pane, select the profile you want to configure, and then click Edit.
  3. In the Configure Web App Firewall Profile page, click Relaxation Rule from the Advanced Settings section. The Relaxation Rule section contains the complete list of Web App Firewall relaxation rules.
  4. Click a security rule that you want to configure, and then click Edit.
  5. The URL Relaxation Rules page contains a list of actions that you can configure for this rule and a list of existing relaxations or rules. The list might be empty if you have neither manually added any relaxations nor approved any relaxations that were recommended by the learning engine. Beneath the list is a row of buttons that allow you to add, modify, delete, enable, or disable the relaxations on the list.
  6. To add or modify a relaxation or a rule, do one of the following:

    • To add a new relaxation, click Add.
    • To modify an existing relaxation, select the relaxation that you want to modify, and then click Open.

    The Start URL Relaxation Rule page is displayed. Except for the title, these dialog boxes are identical.

  7. Fill in the dialog box as described below. The dialog boxes for each check are different. The list below covers all elements that might appear in any dialog box.

    • Enabled check box—Select to place this relaxation or rule in active use; clear to deactivate it.
    • Attachment Content Type—The Content-Type attribute of an XML attachment. In the text area, enter a regular expression that matches the Content-Type attribute of the XML attachments to allow.
    • Action URL—In the text area, enter a PCRE-format regular expression that defines the URL to which data entered into the web form is delivered.
    • Cookie—In the text area, enter a PCRE-format regular expression that defines the cookie.
    • Field Name—A web form field name element may be labeled Field Name, Form Field, or another similar name. In the text area, enter a PCRE-format regular expression that defines the name of the form field.
    • From Origin URL—In the text area, enter a PCRE-format regular expression that defines the URL that hosts the web form.
    • From Action URL—In the text area, enter a PCRE-format regular expression that defines the URL to which data entered into the web form is delivered.
    • Name—An XML element or attribute name. In the text area, enter a PCRE-format regular expression that defines the name of the element or attribute.
    • URL—A URL element may be labeled Action URL, Deny URL, Form Action URL, Form Origin URL, Start URL, or simply URL. In the text area, enter a PCRE-format regular expression that defines the URL.
    • Format—The format section contains multiple settings that include list boxes and text boxes. Any of the following can appear:

      • Type—Select a field type in the Type drop-down list. To add a new field type definition, click Manage.
      • Minimum Length—Type a positive integer that represents the minimum length in characters if you want to force users to fill in this field. Default: 0 (Allows field to be left blank.)
      • Maximum length—To limit the length of data in this field, type a positive integer that represents the maximum length in characters. Default: 65535
    • Location—Choose the element of the request that your relaxation applies to from the drop-down list. For HTML security checks, the choices are:

      • FORMFIELD—Form fields in web forms.
      • HEADER—Request headers.
      • COOKIE—Set-Cookie headers.

      For XML security checks, the choices are:

      • ELEMENT—XML element.
      • ATTRIBUTE—XML attribute.
    • Maximum Attachment Size—The maximum size in bytes allowed for an XML attachment.
    • Comments—In the text area, type a comment. Optional.

    Note: For any element that requires a regular expression, you can type the regular expression, use the Regex Tokens menu to insert regular expression elements and symbols directly into the text box, or click Regex Editor to open the Add Regular Expression dialog box, and use it to construct the expression.

  8. To remove a relaxation or rule, select it, and then click Remove.
  9. To enable a relaxation or rule, select it, and then click Enable.
  10. To disable a relaxation or rule, select it, and then click Disable.
  11. To configure the settings and relationships of all existing relaxations in an integrated interactive graphic display, click Visualizer, and use the display tools.

    Note:

    The Visualizer button does not appear on all check relaxation dialog boxes.

  12. To review learned rules for this check, click Learning and perform the steps in To configure and use the Learning feature.
  13. Click OK.

To configure the Learned Rules by using the Citrix ADC GUI

  1. Navigate to Security > Citrix Web App Firewall > Profiles.
  2. In the Profiles pane, select the profile, and then click Edit.
  3. In the Citrix Web App Firewall Profile page, click Learned Rules from Advanced Settings. In the Learned Rules section you can see a list of security checks that are available in the current profile and that support the learning feature.
  4. To configure the learning thresholds, select a security check, and click Settings.
  5. In the Dynamic Profiling and Learning Rules Settings page, configure the following settings. For more information, see Dynamic profile settings.

    • Minimum number threshold. Depending on which security check’s learning settings you are configuring, the minimum number threshold might refer to the minimum number of total user sessions that must be observed, the minimum number of requests that must be observed, or the minimum number of times a specific form field must be observed, before a learned relaxation is generated. Default: 1

    • Percentage of times threshold. Depending on which security check’s learning settings you are configuring, the percentage of times threshold might refer to the percentage of total observed user sessions that violated the security check, the percentage of requests, or the percentage of times a form field matched a particular field type, before a learned relaxation is generated. Default: 0

  6. To remove all learned data and reset the learning feature, so that it must start its observations again from the beginning, select the Remove All Learned Data action.

    Note:

    This button removes only learned recommendations that have not been reviewed and either approved or skipped. It does not remove learned relaxations that have been accepted and deployed.

  7. To restrict the learning engine to traffic from a specific set of IPs, click Trusted Learning Clients, and add the IP addresses that you want to use to the list.
    1. To add an IP address or IP address range to the Trusted Learning Clients list, click Add.
    2. In the AppFirewall Profile to Trusted Client Binding page, click Add.
    3. Select the Enabled check box to enable the feature.
    4. In the Trusted Learning Client box, type the IP address or an IP address range in CIDR format.
    5. In the Comments text area, type a comment that describes this IP address or range.
    6. Click Create and Close.
  8. To modify an existing IP address or range, click the IP address or range, and then click Edit. Except for the name, the dialog box that appears is identical to the Add Trusted Learning Clients dialog box.
  9. To disable or enable an IP address or range, but leave it on the list, click the IP address or range, and then click Disable or Enable, as appropriate.
  10. To remove an IP address or range completely, click the IP address or range, and then click Remove.

  11. Click Close to return to the Citrix Web App Firewall Profile page.

To create a Citrix Web App Firewall policy by using the Citrix ADC GUI

  1. Navigate to Security > Citrix Web App Firewall > Policies.

  2. In the Policies page, click the Citrix Web App Firewall Policy link.
  3. In the Citrix Web App Firewall Policies page, click Add.
  4. In the Create Citrix Web App Firewall Policy page, set the following parameters.

    1. Name. The name can begin with a letter, number, or the underscore symbol, and can consist of from one to 128 letters, numbers, and the hyphen (-), period (.), pound (#), space ( ), at (@), equals (=), colon (:), and underscore (_) symbols.
    2. Profile. Select the profile that you want to associate with this policy from the Profile drop-down list. You can create a profile to associate with your policy by clicking New, and you can modify an existing profile by clicking Modify.
    3. Expression. In the Expression text area, create a rule for your policy.
    4. Log Action. Add a log action, or modify an existing log action.
    5. Comments. A brief description of the policy.
  5. Click Create or OK, and then click Close.

To create or configure a Web App Firewall rule (expression)

The policy rule, also called the expression, defines the web traffic that the Web App Firewall filters by using the profile associated with the policy. Like other Citrix ADC policy rules (or expressions), Web App Firewall rules use the Citrix ADC expressions syntax. This syntax is powerful, flexible, and extensible. It is too complex to describe completely in this set of instructions. You can use the following procedure to create a simple firewall policy rule, or you can read it as an overview of the policy creation process.

  1. If you have not already done so, navigate to the appropriate location in the Web App Firewall wizard or the Citrix ADC GUI to create your policy rule:

    • If you are configuring a policy in the Web App Firewall wizard, in the navigation pane, click Citrix Web App Firewall Wizard, then in the details pane click Citrix Web App Firewall Wizard, and then navigate to the Specify Rule tab page.
    • In the Specify Rule page, choose the prefix for your expression from the drop-down list. Your choices are:

    • HTTP. The HTTP protocol. Choose this if you want to examine some aspect of the request that pertains to the HTTP protocol.
    • SYS. One or more protected websites. Choose this if you want to examine some aspect of the request that pertains to the recipient of the request.
    • CLIENT. The computer that sent the request. Choose this if you want to examine some aspect of the sender of the request.
    • SERVER. The computer to which the request was sent. Choose this if you want to examine some aspect of the recipient of the request.

    After you choose a prefix, the Web App Firewall displays a two-part prompt window that displays the possible next choices at the top, and a brief explanation of what the selected choice means at the bottom.

  2. Choose your next term.

    If you chose HTTP as your prefix, your only choice is REQ, which specifies the Request/Response pair. (The Web App Firewall operates on the request and response as a unit instead of on each separately.) If you chose another prefix, your choices are more varied. For help on a specific choice, click that choice once to display information about it in the lower prompt window.

    When you have decided which term you want, double-click it to insert it into the Expression window.

  3. Type a period after the term you just chose. You are then prompted to choose your next term, as described in the previous step. When a term requires that you type a value, fill in the appropriate value. For example, if you choose HTTP.REQ.HEADER(""), type the header name between the quotation marks.

  4. Continue choosing terms from the prompts and filling in any values that are needed, until your expression is finished.

    Following are some examples of expressions for specific purposes.

    • Specific web host. To match traffic from a particular web host:

HTTP.REQ.HEADER("Host").EQ("shopping.example.com")

For shopping.example.com, substitute the name of the web host that you want to match.

  • Specific web folder or directory. To match traffic from a particular folder or directory on a web host:

HTTP.REQ.URL.STARTSWITH("https://www.example.com/folder")

For www.example.com, substitute the name of the web host. For folder, substitute the folder or path to the content that you want to match. For example, if your shopping cart is in a folder called /solutions/orders, you substitute that string for folder.

  • Specific type of content: GIF images. To match GIF format images:

HTTP.REQ.URL.ENDSWITH(".gif")

To match other format images, substitute another string in place of .gif.

  • Specific type of content: scripts. To match all CGI scripts located in the CGI-BIN directory:

HTTP.REQ.URL.STARTSWITH("https://www.example.com/CGI-BIN")

To match all JavaScripts with .js extensions:

HTTP.REQ.URL.ENDSWITH(".js")

For more information about creating policy expressions, see Policies and Expressions.

Note:

If you use the command line to configure a policy, remember to escape any double quotation marks within Citrix ADC expressions. For example, the following expression is correct if entered in the GUI:

HTTP.REQ.HEADER("Host").EQ("shopping.example.com")

If entered at the command line, however, you must type this instead:

HTTP.REQ.HEADER(\"Host\").EQ(\"shopping.example.com\")
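The command-line equivalent of the GUI procedures on this page (profile, Start URL relaxation, trusted learning client, policy expression with the escaping the note above requires, and the LB Virtual Server binding), as an added example that is not part of the Citrix documentation. It only prints the commands, so it runs offline; the profile, policy and virtual server names, the 10.0.0.0/24 subnet and the relaxation regex are constructed sample values, and the parameter names are assumed from the standard Citrix ADC CLI.

```shell
#!/bin/sh
# Added example (not Citrix's own code): emit the Citrix ADC CLI commands that
# correspond to the GUI steps on this page. Nothing is executed here; the
# output is a batch you can review and then paste into the appliance shell.
# All object names, the subnet and the regex below are constructed samples.

# The note on the page: double quotes inside a policy expression must be
# escaped when the policy is created at the command line. This converts the
# GUI form of an expression into the CLI form.
cli_escape() {
    printf '%s' "$1" | sed 's/"/\\"/g'
}

# add appfw policy <name> <rule> <profile>
# $1 policy name, $2 expression in GUI form, $3 profile to apply
policy_cmd() {
    printf 'add appfw policy %s "%s" %s\n' "$1" "$(cli_escape "$2")" "$3"
}

# Build the whole configuration, one command per line.
# $1 profile name, $2 policy name, $3 LB virtual server, $4 Host header to match
build_config() {
    prof=$1
    pol=$2
    vs=$3
    host=$4
    # Profile with basic defaults (GUI: "To create a Web App Firewall profile")
    printf 'add appfw profile %s -defaults basic\n' "$prof"
    # Start URL check: block, log and count violations (GUI: Security Checks tab)
    printf 'set appfw profile %s -startURLAction block log stats\n' "$prof"
    # Relaxation: allow the storefront paths (GUI: Relaxation Rule > Add).
    # The pattern is PCRE, as the relaxation dialog fields require.
    printf 'bind appfw profile %s -startURL "%s"\n' "$prof" '^/(index\.html|shop/.*)$'
    # Learn only from the constructed admin subnet (GUI: Trusted Learning Clients)
    printf 'bind appfw profile %s -trustedLearningClients 10.0.0.0/24\n' "$prof"
    # Policy matching the host, escaped as the page's note requires
    policy_cmd "$pol" "HTTP.REQ.HEADER(\"Host\").EQ(\"$host\")" "$prof"
    # Bind at the LB Virtual Server bind point (GUI: Policy Manager)
    printf 'bind lb vserver %s -policyName %s -priority 100\n' "$vs" "$pol"
}

# Stand-alone usage: print the batch for a sample storefront
build_config waf_prof_shop waf_pol_shop lb_vs_shop shopping.example.com
```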

![Policy expression configuration](/en-us/citrix-adc/media/waf-rule.png)

To add a firewall rule (expression) by using the Add Expression dialog box

The Add Expression dialog box (also referred to as the Expression Editor) helps users who are not familiar with the Citrix ADC expressions language to construct a policy that matches the traffic that they want to filter.

  1. If you have not already done so, navigate to the appropriate location in the Web App Firewall wizard or the Citrix ADC GUI:
    • If you are configuring a policy in the Web App Firewall wizard, in the navigation pane, click Web App Firewall, then in the details pane click Web App Firewall Wizard, and then navigate to the Specify Rule screen.
    • If you are configuring a policy manually, in the navigation pane, expand Web App Firewall, then Policies, and then Firewall. In the details pane, to create a policy, click Add. To modify an existing policy, select the policy, and then click Open.
  2. On the Specify Rule screen, in the Create Web App Firewall Profile dialog box, or in the Configure Web App Firewall Profile dialog box, click Add.
  3. In the Add Expression dialog box, in the Construct Expression area, in the first list box, choose one of the following prefixes:
    • HTTP. The HTTP protocol. Choose this if you want to examine some aspect of the request that pertains to the HTTP protocol. The default choice.
    • SYS. One or more protected websites. Choose this if you want to examine some aspect of the request that pertains to the recipient of the request.
    • CLIENT. The computer that sent the request. Choose this if you want to examine some aspect of the sender of the request.
    • SERVER. The computer to which the request was sent. Choose this if you want to examine some aspect of the recipient of the request.
  4. In the second list box, choose your next term. The available terms differ depending on the choice you made in the previous step, because the dialog box automatically adjusts the list to contain only those terms that are valid for the context. For example, if you selected HTTP in the previous list box, the only choice is REQ, for requests. Because the Web App Firewall treats requests and associated responses as a single unit and filters both, you do not need to specify responses separately. After you choose your second term, a third list box appears to the right of the second. The Help window displays a description of the second term, and the Preview Expression window displays your expression.
  5. In the third list box, choose the next term. A new list box appears to the right, and the Help window changes to display a description of the new term. The Preview Expression window updates to display the expression as you have specified it to that point.
  6. Continue choosing terms, and when prompted filling in arguments, until your expression is complete. If you make a mistake or want to change your expression after you have already selected a term, you can simply choose another term. The expression is modified, and any arguments or further terms that you added after the term that you modified are cleared.
  7. When you have finished constructing your expression, click OK to close the Add Expression dialog box. Your expression is inserted into the Expression text area.

To bind a Web App Firewall policy by using the Citrix ADC GUI

  1. Do one of the following:
    • Navigate to Security > Web App Firewall, and in the details pane, click Application Firewall Policy Manager.
    • Navigate to Security > Citrix Web App Firewall > Policies > Firewall, and in the “Citrix Web App Firewall Policies” pane, click Policy Manager.
  2. In the Application Firewall Policy Manager dialog, choose the bind point to which you want to bind the policy from the drop-down list. The choices are:
    • Override Global. Policies that are bound to this bind point process all traffic from all interfaces on the Citrix ADC appliance, and are applied before any other policies.
    • LB Virtual Server. Policies that are bound to a load balancing virtual server are applied only to traffic that is processed by that load balancing virtual server, and are applied before any Default Global policies. After selecting LB Virtual Server, you must also select the specific load balancing virtual server to which you want to bind this policy.
    • CS Virtual Server. Policies that are bound to a content switching virtual server are applied only to traffic that is processed by that content switching virtual server, and are applied before any Default Global policies. After selecting CS Virtual Server, you must also select the specific content switching virtual server to which you want to bind this policy.
    • Default Global. Policies that are bound to this bind point process all traffic from all interfaces on the Citrix ADC appliance.
    • Policy Label. Policies that are bound to a policy label process traffic that the policy label routes to them. The policy label controls the order in which policies are applied to this traffic.
    • None. Do not bind the policy to any bind point.
  3. Click Continue. A list of existing Web App Firewall policies appears.
  4. Select the policy you want to bind by clicking it.
  5. Make any additional adjustments to the binding.
    • To modify the policy priority, click the field to enable it, and then type a new priority. You can also select Regenerate Priorities to renumber the priorities evenly.
    • To modify the policy expression, double-click that field to open the Configure Web App Firewall Policy dialog box, where you can edit the policy expression.
    • To set the Goto Expression, double-click the field in the Goto Expression column to display the drop-down list, where you can choose an expression.
    • To set the Invoke option, double-click the field in the Invoke column to display the drop-down list, where you can choose an expression.
  6. Repeat steps 3 through 6 to add any additional Web App Firewall policies you want to globally bind.
  7. Click OK. A message appears in the status bar, stating that the policy has been successfully bound.