The Web App Firewall wizard

Unlike most wizards, the Citrix Web App Firewall Wizard is designed not just to simplify the initial configuration process, but also to modify previously created configurations and to maintain your Web App Firewall setup. A typical user runs the wizard multiple times, skipping some of the screens each time.

The Web App Firewall Wizard automatically creates profiles, policies, and signatures.

Opening the wizard

To run the Web App Firewall Wizard, open the GUI and follow these steps:

  1. Navigate to Security > Application Firewall.
  2. In the details pane, under Getting Started, click Application Firewall Wizard. The wizard opens.

For more information about the GUI, see “The Web App Firewall Configuration Interfaces.”

The Wizard screens

The Web App Firewall wizard displays the following screens on a tabular page:

1. Specify Name: on this screen, when creating a new security configuration, specify a meaningful name and the appropriate type (HTML, XML or WEB 2.0) for your profile. The default policy and signatures are auto-generated by using the same name.

Profile Name

The name can begin with a letter, number, or the underscore symbol, and can consist of from 1 to 31 letters, numbers, and the hyphen (-), period (.), pound (#), space ( ), at (@), equals (=), colon (:), and underscore (_) symbols. Choose a name that makes it easy for others to tell what content your new security configuration protects.

Note:

Because the wizard uses this name for both the policy and the profile, it is limited to 31 characters. Manually created policies can have names up to 127 characters in length.

When modifying an existing configuration, you select Modify Existing Configuration and then, in the Name drop-down list, select the name of the existing configuration that you want to modify.

Note:

Only policies that are bound to global or to a bind point appear in this list; you cannot modify an unbound policy by using the Application Firewall wizard. You must either manually bind it to Global or a bind point, or modify it manually. (For manual modification, in the GUI Application Firewall > Policies > Firewall pane, select the policy and click Open.)

Profile Type

You also select a profile type on this screen. The profile type determines the types of advanced protection (security checks) that can be configured. Because certain kinds of content are not vulnerable to certain types of security threats, restricting the list of available checks saves time during configuration. The types of Web App Firewall profiles are:

  • Web Application (HTML). Any HTML-based website that does not use XML or Web 2.0 technologies.
  • XML Application (XML, SOAP). Any XML-based Web service.
  • Web 2.0 Application (HTML, XML, REST). Any Web 2.0 site that combines HTML and XML-based content, such as an ATOM-based site, a blog, an RSS feed, or a wiki.

Note: If you are unsure which type of content is used on your website, you can choose Web 2.0 Application to ensure that you protect all types of web application content.

2. Specify Rule: on this screen, you specify the policy rule (expression) that defines the traffic the current configuration examines. If you create an initial configuration to protect your websites and web services, you can accept the default value, true, which selects all web traffic.

If you want this security configuration to examine, not all HTTP traffic that is routed through the appliance, but specific traffic, you can write a policy rule specifying the traffic that you want it to examine. Rules are written in Citrix ADC expressions language, which is a fully functional object-oriented programming language.

Note: In addition to the default expressions syntax, for backward compatibility the Citrix ADC operating system supports the Citrix ADC classic expressions syntax on Citrix ADC Classic and nCore appliances and virtual appliances. Classic expressions are not supported on Citrix ADC Cluster appliances and virtual appliances. Current users who want to migrate their existing configurations to the Citrix ADC cluster must migrate any policies that contain classic expressions to the default expressions syntax.

  • For a simple description of using the Citrix ADC expressions syntax to create Web App Firewall rules, and a list of useful rules, see Firewall Policies.
  • For a detailed explanation of how to create policy rules in Citrix ADC expressions syntax, see Policies and Expressions.
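
The naming limit, the bound-policies-only restriction and the default rule true described above can be checked against a saved configuration before you run the wizard. The following Python sketch is an added example, not Citrix code: the sample configuration, its policy names and the `audit` helper are constructed for illustration, and it assumes the `add appfw policy` / `bind` command layout of the NetScaler CLI.

```python
import re
import shlex

# Wizard naming rule from the page: starts with a letter, number or underscore;
# 1 to 31 characters drawn from letters, numbers and - . # space @ = : _
WIZARD_NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.#@=: -]{0,30}")

# Constructed sample in NetScaler CLI form (all names and rules are made up).
SAMPLE_CONFIG = r'''
add appfw profile shop_html -defaults basic
add appfw profile api_rest -defaults basic
add appfw policy shop_html true shop_html
add appfw policy api_rest "HTTP.REQ.URL.STARTSWITH(\"/api/\")" api_rest
add appfw policy legacy-portal-policy-created-by-hand-2019 true shop_html
bind appfw global shop_html 10
bind lb vserver vs_api -policyName legacy-portal-policy-created-by-hand-2019 -priority 20 -type REQUEST
'''


def audit(config: str) -> dict:
    """Report, per appfw policy, its rule and anything that sets it apart from a wizard-managed one."""
    policies, bound = {}, set()
    for line in config.splitlines():
        tok = shlex.split(line)
        if tok[:3] == ["add", "appfw", "policy"] and len(tok) >= 6:
            policies[tok[3]] = {"rule": tok[4], "profile": tok[5]}
        elif tok[:3] == ["bind", "appfw", "global"] and len(tok) >= 4:
            bound.add(tok[3])
        elif tok[:1] == ["bind"] and "-policyName" in tok[:-1]:
            # Any other bind point (for example a virtual server) also counts as bound.
            bound.add(tok[tok.index("-policyName") + 1])
    report = {}
    for name, pol in policies.items():
        issues = []
        if name not in bound:
            issues.append("unbound: not listed under Modify Existing Configuration")
        if not WIZARD_NAME.fullmatch(name):
            issues.append("name does not fit the wizard's 31-character rule (created manually)")
        report[name] = {
            "rule": pol["rule"],
            "all_traffic": pol["rule"].lower() == "true",  # default rule: examines all web traffic
            "issues": issues,
        }
    return report
```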

4. Select Signatures: on this screen, you select the categories of signatures that you want to use to protect your websites and web services.

This is not a mandatory step, and you can skip it if you want to and go to the Specify Deep Protections screen. If the Select Signatures screen is skipped, only a profile and associated policies are created, and the signatures are not created.

You can select Create New Signature or Select Existing Signature.

If you are creating a new security configuration, the signature categories that you select are enabled, and by default they are recorded in a new signatures object. The new signatures object is assigned the same name that you entered on the Specify Name screen as the name of the security configuration.

If you have previously configured signatures objects and want to use one of them as the signatures object associated with the security configuration that you are creating, click Select Existing Signature and select a signatures object from the Signatures list.

If you are modifying an existing security configuration, you can click Select Existing Signature and assign a different signatures object to the security configuration.

If you click Create New Signature, you can choose the edit mode as Simple or Advanced.

  1. Specify Signature Protections (Simple mode)

The simple mode allows for easy configuration of the signature, with a preset list of protection definitions for common applications such as IIS (Internet Information Server), PHP and ActiveX. The default categories in Simple mode are:

  • CGI. Protection against attacks on websites that use CGI scripts in any language, including PERL scripts, Unix shell scripts, and Python scripts.

  • Cold Fusion. Protection against attacks on websites that use the Adobe Systems® ColdFusion® Web development platform.

  • FrontPage. Protection against attacks on websites that use the Microsoft® FrontPage® Web development platform.

  • PHP. Protection against attacks on websites that use the PHP open-source Web development scripting language.

  • Client side. Protection against attacks on client-side tools used to access your protected websites, such as Microsoft Internet Explorer, Mozilla Firefox, the Opera browser, and the Adobe Acrobat Reader.

  • Microsoft IIS. Protection against attacks on websites that run the Microsoft Internet Information Server (IIS).

  • Miscellaneous. Protection against attacks on other server-side tools, such as Web servers and database servers.

On this screen, you select the actions associated with the signature categories that you selected on the Select Signatures screen. The actions that you can configure are:

  • Block
  • Log
  • Stats

By default the Log and Stats actions are enabled but not the Block action. To configure actions, click Settings. You can change the action settings of all the selected categories by using the Action drop-down list.

  1. Specify Signature Protections (Advanced mode)

The advanced mode allows for more granular control over the signature definitions and provides significantly more information. Use the advanced mode if you want complete control over signature definition.

The contents of this screen are the same as the contents of the Modify Signatures Object dialog box, as described in Configuring or Modifying a Signatures Object. In this screen, you can configure actions either by clicking the Actions drop-down list or the actions menu, which appears as a circle with three dots.

7. Specify Deep Protections: on this screen, you choose the advanced protections (also called security checks or simply checks) that you want to use to protect your websites and web services. Which checks are available depends on the profile type that you chose on the Specify Name screen. All checks are available for Web 2.0 Application profiles.

For more information, see Overview of Security Checks and see Advanced Form Protections Checks.

You configure the actions for the advanced protections that you have enabled. The actions that you can configure are:

  • Block: blocks connections that match the signature. Disabled by default.
  • Log: logs connections that match the signature for later analysis. Enabled by default.
  • Stats: maintains statistics, for each signature, that show how many connections it matched and provide certain other information about the types of connections that were blocked. Disabled by default.
  • Learn. Observe traffic to this website or web service, and use connections that repeatedly violate this check to generate recommended exceptions to the check, or new rules for the check. Available only for some checks. For more information about the learning feature, see Configuring and Using the Learning Feature; for how learning works and how to configure exceptions (relaxations) or deploy learned rules for a check, see Manual Configuration By Using the GUI.

To configure actions, select the protection by clicking the check box, and then click Action Settings to select the required actions. Select other parameters, if required, and then click OK to close the Action Settings window.

To view all logs for a specific check, select that check, and then click Logs to display the Syslog Viewer, as described in Web App Firewall Logs. If a security check is blocking legitimate access to your protected website or web service, you can create and implement a relaxation for that security check by selecting a log that shows the unwanted blocking, and then clicking Deploy.

After you finish specifying Action Settings, click Finish to complete the wizard.

Following are four procedures that show how to perform specific types of configuration by using the Web App Firewall wizard.

Create a new configuration

Follow these steps to create a new firewall configuration and signature objects by using the Application Firewall wizard.

  1. Navigate to Security > Application Firewall.

  2. In the details pane, under Getting Started, click Application Firewall. The wizard opens.

  3. On the Specify Name screen, select Create New Configuration.

  4. In the Name field, type a name, and then click Next.

  5. In the Specify Rule screen, click Next again.

  6. In the Select Signatures screen, select Create New Signature and Simple as the edit mode, and then click Next.

  7. In the Specify Signature Protections screen, configure the required settings. For more information about which signatures to consider for blocking and how to determine when you can safely enable blocking for a signature, see Signatures.

  8. In the Specify Deep Protections screen, configure the required actions and parameters in Action Settings.

  9. When you are finished, click Finish to close the Application Firewall wizard.

Modify an existing configuration

Follow these steps to modify an existing configuration and existing signature categories.

  1. Navigate to Security > Application Firewall.
  2. In the details pane, under Getting Started, click Application Firewall Wizard. The wizard opens.
  3. On the Specify Name screen, select Modify Existing Configuration and, in the Name drop-down list, choose the security configuration that you created during new configuration, and then click Next.
  4. In the Specify Rule screen, click Next to keep the default value “true.” If you want to modify the rule, follow the steps described in Configure a Custom Policy Expression.
  5. In the Select Signatures screen, click Select Existing Signature. From the Existing Signature drop-down list, select the appropriate option, and then click Next. The advanced signature protection screen appears. Note: If you select an existing signature, the default edit mode for signature protection is advanced.
  6. In the Specify Signature Protections screen, configure the required settings and click Next. For more information about which signatures to consider for blocking and how to determine when you can safely enable blocking for a signature, see Signatures.
  7. In the Specify Deep Protections screen, configure the settings and click Next.
  8. When you are finished, click Finish to close the Web App Firewall Wizard.

Create a new configuration without signatures

Follow these steps to use the Application Firewall Wizard to skip the Select Signatures screen and create a new configuration with just the profile and the associated policies but without any signatures.

  1. Navigate to Security > Application Firewall.
  2. In the details pane, under Getting Started, click Application Firewall Wizard. The wizard opens.
  3. On the Specify Name screen, select Create New Configuration.
  4. In the Name field, type a name, and then click Next.
  5. In the Specify Rule screen, click Next again.
  6. In the Select Signatures screen, click Skip.
  7. In the Specify Deep Protections screen, configure the required actions and parameters in Action Settings.
  8. When you are finished, click Finish to close the Application Firewall Wizard.

Configure a custom policy expression

Follow these steps to use the Application Firewall Wizard to create a specialized security configuration to protect only specific content. In this case, you create a new security configuration instead of modifying the initial configuration. This type of security configuration requires a custom rule, so that the policy applies the configuration to only the selected Web traffic.

  1. Navigate to Security > Application Firewall.
  2. In the details pane, under Getting Started, click Application Firewall Wizard.
  3. On the Specify Name screen, type a name for your new security configuration in the Name text box, select the type of security configuration from the Type drop-down list, and then click Next.
  4. On the Specify Rule screen, enter a rule that matches only the content that you want this web application to protect. Use the Frequently Used Expressions drop-down list and the Expression Editor to create a custom expression. When you are finished, click Next.
  5. In the Select Signatures screen, select the edit mode, and then click Next.
  6. In the Specify Signature Protections screen, configure the required settings.
  7. In the Specify Deep Protections screen, configure the required actions and parameters in Action Settings.
  8. When you are finished, click Finish to close the Application Firewall Wizard.