
Creating and configuring Web App Firewall policies

A firewall policy consists of two elements: a rule and an associated profile. The rule selects the HTTP traffic that matches the criteria you set and sends that traffic to the Web App Firewall for filtering. The profile contains the filtering criteria (the security checks) that the Web App Firewall applies to that traffic.

The policy rule consists of one or more expressions in the Citrix ADC expressions language. The Citrix ADC expressions syntax is a powerful, object-oriented language that enables you to designate precisely the traffic that you want to process with a specific profile. For users who are not familiar with the expressions syntax, or who prefer to configure the appliance through a web-based interface, the GUI provides two tools: the Prefix menu and the Add Expression dialog box. Both help you write expressions that select exactly the traffic you want to process. Experienced users who are thoroughly familiar with the syntax may prefer to use the Citrix ADC command line.

Note:

In addition to the default expressions syntax, for backward compatibility the Citrix ADC operating system supports the Citrix ADC classic expressions syntax on Citrix ADC Classic and nCore appliances and virtual appliances. Classic expressions are not supported on Citrix ADC Cluster appliances and virtual appliances. Current Citrix ADC users who want to migrate existing configurations to the Citrix ADC Cluster must migrate any policies that contain classic expressions to the default expressions syntax.

For detailed information about the Citrix ADC expressions languages, see Policies and Expressions.

You can create a firewall policy by using the GUI or the Citrix ADC command line.

To create and configure a policy by using the command line interface

At the command prompt, type the following commands:

  • add appfw policy <name> <rule> <profileName>
  • save ns config

Example

The following example adds a policy named pl-blog, with a rule that matches all requests (and their associated responses) for the host blog.example.com, and associates that policy with the profile pr-blog. This is an appropriate policy to protect a blog hosted on a specific host name. Because the rule is passed to the CLI as a double-quoted argument, the double quotation marks inside the expression must be escaped with a backslash:

add appfw policy pl-blog "HTTP.REQ.HOSTNAME.DOMAIN.EQ(\"blog.example.com\")" pr-blog
save ns config

To create and configure a policy by using the GUI

  1. Navigate to Security > Web App Firewall > Policies.

  2. In the details pane, do one of the following:

    • To create a firewall policy, click Add. The Create Web App Firewall Policy dialog box is displayed.
    • To edit an existing firewall policy, select the policy, and then click Edit. The Configure Web App Firewall Policy dialog box is displayed.

  3. If you are creating a firewall policy, in the Create Web App Firewall Policy dialog box, in the Policy Name text box, type a name for your new policy.

    The name must begin with a letter, number, or underscore (_), and can consist of from one to 128 letters, numbers, and the hyphen (-), period (.), pound (#), space ( ), at (@), equals (=), colon (:), and underscore (_) symbols.

    If you are configuring an existing firewall policy, this field is read-only. You cannot modify it.

  4. Select the profile that you want to associate with this policy from the Profile drop-down list. You can create a profile to associate with your policy by clicking New, and you can modify an existing profile by clicking Modify.

  5. In the Expression text area, create a rule for your policy.

    • You can type a rule directly into the text area.
    • You can click Prefix to select the first term for your rule, and follow the prompts.
    • You can click Add to open the Add Expression dialog box, and use it to construct the rule.
  6. Click Create or OK, and then click Close.

To create or configure a Web App Firewall rule (expression)

The policy rule, also called the expression, defines the web traffic that the Web App Firewall filters by using the profile associated with the policy. Like other Citrix ADC policy rules (or expressions), Web App Firewall rules use the Citrix ADC expressions syntax. This syntax is powerful, flexible, and extensible, and too complex to describe completely in this set of instructions. You can use the following procedure to create a simple firewall policy rule, or read it as an overview of the policy creation process.

  1. If you have not already done so, navigate to the appropriate location in the Web App Firewall wizard or the Citrix ADC GUI to create your policy rule:

    • If you are configuring a policy in the Web App Firewall wizard, in the navigation pane, click Web App Firewall, then in the details pane click Web App Firewall Wizard, and then navigate to the Specify Rule screen.
    • If you are configuring a policy manually, in the navigation pane, expand Web App Firewall, then Policies, and then Firewall. In the details pane, to create a policy, click Add. To modify an existing policy, select the policy, and then click Open.
  2. On the Specify Rule screen, or in the Create Web App Firewall Policy or Configure Web App Firewall Policy dialog box, click Prefix, and then choose the prefix for your expression from the drop-down list. Your choices are:

    • HTTP. Choose this prefix to examine some aspect of the request that pertains to the HTTP protocol, such as the URL, a header, or the method.
    • SYS. Choose this prefix to examine some aspect of the protected system that receives the request, rather than the request itself.
    • CLIENT. Choose this prefix to examine some aspect of the client that sent the request, such as its IP address.
    • SERVER. Choose this prefix to examine some aspect of the server to which the request was sent.

    After you choose a prefix, the Web App Firewall displays a two-part prompt window that displays the possible next choices at the top, and a brief explanation of what the selected choice means at the bottom.

  3. Choose your next term.

    If you chose the HTTP protocol as your prefix, your only choice is REQ, which specifies the Request/Response pair. (The Web App Firewall operates on the request and response as a unit instead of on each separately.) If you chose another prefix, your choices are more varied. For help on a specific choice, click that choice once to display information about it in the lower prompt window.

    When you have decided which item you want, double-click it to insert it into the Expression window.

  4. Type a period after the term you just chose. You are then prompted to choose your next term, as described in the previous step. When a term requires that you type a value, fill in the appropriate value. For example, if you choose HTTP.REQ.HEADER(""), type the header name between the quotation marks.

  5. Continue choosing terms from the prompts and filling in any values that are needed, until your expression is finished.

    Following are some examples of expressions for specific purposes.

    • Specific web host. To match requests for a particular web host (the value of the Host header):

      HTTP.REQ.HEADER("Host").EQ("shopping.example.com") 

      For shopping.example.com, substitute the name of the web host that you want to match. The Host header is supplied by the client, so a request that carries an unexpected Host value matches none of your host-specific policies; make sure that such traffic still falls through to a policy with a suitable default profile.

    • Specific web folder or directory. To match requests for a particular folder or directory on a web host:

      HTTP.REQ.HOSTNAME.EQ("www.example.com") && HTTP.REQ.URL.PATH.STARTSWITH("/folder") 

      For www.example.com, substitute the name of the web host. For /folder, substitute the path to the content that you want to match. For example, if your shopping cart is in a folder called /solutions/orders, you substitute that string for /folder. HTTP.REQ.URL evaluates the URL as it appears in the request line, which for an ordinary request is the path and query string rather than the scheme and host name, so the host must be tested with a separate HOSTNAME term.

    • Specific type of content: GIF images. To match GIF format images:

      HTTP.REQ.URL.PATH.ENDSWITH(".gif") 

      To match other image formats, substitute another extension in place of .gif. Testing the PATH rather than the full URL keeps a query string (for example ?v=2) from defeating the match.

    • Specific type of content: scripts. To match all CGI scripts located in the cgi-bin directory, ignoring the case of the path:

      HTTP.REQ.URL.PATH.SET_TEXT_MODE(IGNORECASE).STARTSWITH("/cgi-bin") 

      To match all JavaScript files with a .js extension:

      HTTP.REQ.URL.PATH.ENDSWITH(".js") 

      For more information about creating policy expressions, see Policies and Expressions.

    Note:

    If you use the command line to configure a policy, the rule is passed as a double-quoted argument, so you must escape any double quotation marks within the expression with a backslash. For example, the following expression is correct if entered in the GUI:

    HTTP.REQ.HEADER("Host").EQ("shopping.example.com") 

    If entered at the command line, however, you must type the expression with escaped quotation marks instead:

    add appfw policy pl-shop "HTTP.REQ.HEADER(\"Host\").EQ(\"shopping.example.com\")" pr-shop 
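The command-line procedure above, the sample expressions, and the escaping note all come together when policies are generated by automation rather than typed by hand. The following Python module is an added example, not part of this page or of Citrix's tooling: it validates policy and profile names against the naming rules stated on this page, refuses host names and paths that could break out of the quoted string literals inside an expression (a value copied from a ticket or an API call containing a `"` would otherwise rewrite the rule), applies the backslash escaping the CLI needs, and renders a batch of `add appfw policy` lines followed by `save ns config`. Escaping backslashes the same way as quotation marks, quoting only names that contain characters outside letters, digits, `_`, `.` and `-`, and applying the policy naming rules to profile names are assumptions made here; the page does not state them.

```python
"""Render correctly escaped `add appfw policy` lines for the Citrix ADC CLI.

Added example for this page; not Citrix code. Escaping of backslashes, the
bare-name rule, and reuse of the policy naming rules for profile names are
assumptions made by this example.
"""
import re

# Policy-name rules as stated on this page: first character a letter, digit or
# underscore; 1 to 128 characters drawn from letters, digits, hyphen, period,
# pound, space, at, equals, colon and underscore.
_POLICY_NAME_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_\-.#@=: ]{0,127}")
# Names passed to the CLI without quoting (assumption: anything else, such as
# a name containing a space or '#', is wrapped in double quotes).
_BARE_NAME_RE = re.compile(r"[A-Za-z0-9_.\-]+")
# Characters allowed inside the quoted string literals of an expression.
# Rejecting everything else keeps untrusted input from breaking out of the literal.
_HOSTNAME_RE = re.compile(r"[A-Za-z0-9.\-]{1,253}")
_PATH_RE = re.compile(r"/[A-Za-z0-9._~/\-]*")


def valid_policy_name(name: str) -> bool:
    """True if `name` satisfies the naming rules quoted on this page."""
    return _POLICY_NAME_RE.fullmatch(name) is not None


def cli_quote(arg: str) -> str:
    """Wrap a CLI argument in double quotes, escaping embedded quotes.

    The page states the rule for double quotes; escaping a backslash the same
    way is an assumption that keeps the argument unambiguous.
    """
    return '"' + arg.replace("\\", "\\\\").replace('"', '\\"') + '"'


def _name_arg(name: str, what: str) -> str:
    """Validate a policy or profile name and quote it for the CLI if needed."""
    if not valid_policy_name(name):
        raise ValueError(f"invalid {what} name: {name!r}")
    return name if _BARE_NAME_RE.fullmatch(name) else cli_quote(name)


def host_rule(hostname: str) -> str:
    """Expression in the form used by the page: match one host by its domain."""
    if not _HOSTNAME_RE.fullmatch(hostname):
        raise ValueError(f"unsafe host name: {hostname!r}")
    return f'HTTP.REQ.HOSTNAME.DOMAIN.EQ("{hostname}")'


def host_path_rule(hostname: str, path_prefix: str) -> str:
    """Match a path prefix on one host.

    HTTP.REQ.URL holds the request-line URL (path and query), not the scheme
    and host, so the host is tested with a separate HOSTNAME term.
    """
    if not _HOSTNAME_RE.fullmatch(hostname):
        raise ValueError(f"unsafe host name: {hostname!r}")
    if not _PATH_RE.fullmatch(path_prefix):
        raise ValueError(f"unsafe path prefix: {path_prefix!r}")
    return (f'HTTP.REQ.HOSTNAME.EQ("{hostname}") && '
            f'HTTP.REQ.URL.PATH.STARTSWITH("{path_prefix}")')


def add_appfw_policy_cmd(name: str, rule: str, profile: str) -> str:
    """One `add appfw policy <name> <rule> <profileName>` line, rule quoted for the CLI."""
    # Assumption: profile names follow the same naming rules as policy names.
    return (f"add appfw policy {_name_arg(name, 'policy')} "
            f"{cli_quote(rule)} {_name_arg(profile, 'profile')}")


def policy_batch(policies) -> str:
    """Render (name, rule, profile) triples as CLI lines followed by `save ns config`."""
    lines = [add_appfw_policy_cmd(n, r, p) for n, r, p in policies]
    lines.append("save ns config")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample input: the page's blog example plus a shopping-cart path.
    print(policy_batch([
        ("pl-blog", host_rule("blog.example.com"), "pr-blog"),
        ("pl-orders", host_path_rule("shopping.example.com", "/solutions/orders"), "pr-shop"),
    ]))
```

The output of the sample run can be pasted into the Citrix ADC CLI or fed to the `batch` command. The important design choice is that the host name and path are validated before they are placed inside the expression's string literals, separately from the CLI-level quoting: CLI escaping protects the command line, but nothing else protects the expression itself from a value that contains a quotation mark.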

To add a firewall rule (expression) by using the Add Expression dialog box

The Add Expression dialog box (also referred to as the Expression Editor) helps users who are not familiar with the Citrix ADC expressions language to construct a policy that matches the traffic that they want to filter.

  1. If you have not already done so, navigate to the appropriate location in the Web App Firewall wizard or the Citrix ADC GUI:
    • If you are configuring a policy in the Web App Firewall wizard, in the navigation pane, click Web App Firewall, then in the details pane click Web App Firewall Wizard, and then navigate to the Specify Rule screen.
    • If you are configuring a policy manually, in the navigation pane, expand Web App Firewall, then Policies, and then Firewall. In the details pane, to create a policy, click Add. To modify an existing policy, select the policy, and then click Open.
  2. On the Specify Rule screen, or in the Create Web App Firewall Policy or Configure Web App Firewall Policy dialog box, click Add.
  3. In the Add Expression dialog box, in the Construct Expression area, in the first list box, choose one of the following prefixes:
    • HTTP. Choose this prefix to examine some aspect of the request that pertains to the HTTP protocol. This is the default choice.
    • SYS. Choose this prefix to examine some aspect of the protected system that receives the request, rather than the request itself.
    • CLIENT. Choose this prefix to examine some aspect of the client that sent the request, such as its IP address.
    • SERVER. Choose this prefix to examine some aspect of the server to which the request was sent.
  4. In the second list box, choose your next term. The available terms differ depending on the choice you made in the previous step, because the dialog box automatically adjusts the list to contain only those terms that are valid for the context. For example, if you selected HTTP in the previous list box, the only choice is REQ, for requests. Because the Web App Firewall treats requests and associated responses as a single unit and filters both, you do not need to specify responses separately. After you choose your second term, a third list box appears to the right of the second. The Help window displays a description of the second term, and the Preview Expression window displays your expression.
  5. In the third list box, choose the next term. A new list box appears to the right, and the Help window changes to display a description of the new term. The Preview Expression window updates to display the expression as you have specified it to that point.
  6. Continue choosing terms, and when prompted filling in arguments, until your expression is complete. If you make a mistake or want to change your expression after you have already selected a term, you can simply choose another term. The expression is modified, and any arguments or further terms that you added after the term that you modified are cleared.
  7. When you have finished constructing your expression, click OK to close the Add Expression dialog box. Your expression is inserted into the Expression text area.