Configuring Web App Firewall profiles

To configure a user-defined Web App Firewall profile, first configure the security checks, which are calleddeep protectionsoradvanced protectionsin the Web App Firewall wizard. Certain checks require configuration if you are to use them at all. Others have default configurations that are safe but limited in scope; your websites might need or benefit from a different configuration that takes advantage of more features of certain security checks.

After you have configured the security checks, you can also configure some other settings that control the behavior, not of a single security check, but the Web App Firewall feature. The default configuration is sufficient to protect most websites, but you must review them to make sure that they are right for your protected websites.

Note:

The profile name length and all import object name length can be set up to 127 characters.

For more information about the Web App Firewall security checks, seeAdvanced Protections.

To configure an Web App Firewall profile by using the command line

At the command prompt, type the following commands:

• set appfw profile [ ...]

  where:

  • = a parameter and any associated options.
  • = a second parameter and any associated options.
  • … = additional parameters and options.

  For descriptions of the parameters to use when configuring specific security checks, seeAdvanced Protections.

• save ns config

Example

The following example shows how to enable blocking for the HTML SQL Injection and HTML Cross-Site Scripting checks in a profile named pr-basic. This command enables blocking for those actions while making no other changes to the profile.

set appfw profile pr-basic -crossSiteScriptingAction block -SQLInjectionAction block 

Bind relaxation rule to a Web App Firewall profile

When Web App Firewall detects a violation, the user has the ability to bypass the action applied through relaxation rules. Relaxation rule is an exception applied to the detected security violation. For example, the Start URL relaxation rules protect against forceful browsing. Known web server vulnerabilities that are exploited by hackers can be detected and blocked by enabling a set of default Deny URL rules. Commonly launched attacks, such as Buffer Overflow, SQL, or Cross-site scripting can also be easily detected.

To bind security exemption or relaxation rules by using the CLI

At the command prompt, type:

bind appfw profile  ((-startURL  [-resourceId ]) | -denyURL  | (-fieldConsistency   [-isRegex ( REGEX | NOTREGEX )]) | (-cookieConsistency  [-isRegex ( REGEX | NOTREGEX )]) | (-SQLInjection   [-isRegex ( REGEX | NOTREGEX )] [-location ] [-valueType  .... 

To bind security exemption or relaxation rules by using the GUI

1. Navigate toSecurity > Citrix Web App Firewall > Profiles.
2. In the details pane, select a profile and clickEdit.
3. In theCitrix Web App Firewall Profilepage, clickRelaxation Rulesfrom theAdvanced Settingsection.
4. In theRelaxation Rulessection, clickStartURLand clickEdit.
5. In theStart URL Relaxation Rulespage, clickAdd.

6. In theStart URL Relaxation Rulepage, set the following parameters:

   1. Enabled. Select the checkbox to enable the relaxation rule
   2. Start URL. Enter the regular expression value
   3. Comments. Provide a short description about the relaxation rule.
7. ClickCreateandClose.

To configure an Web App Firewall profile by using the GUI

1. Navigate toSecurity > Citrix Web App Firewall > Profiles.
2. In the details pane, select the profile that you want to configure, and then clickEdit.

3. In theConfigure Web App Firewall Profiledialog box, on theSecurity Checkstab, configure the security checks.

   • To enable or disable an action for a check, in the list, select or clear the check box for that action.

   • To configure other parameters for those checks that have them, in the list, click the blue chevron to the far right of that check. In the dialog box that appears, configure the parameters. These vary from check to check.

     You can also select a check and, at the bottom of the dialog box, click Open to display theConfigure Relaxationdialog box orConfigure Ruledialog box for that check. These dialog boxes also vary from check to check. Most of them include aCheckstab and aGeneraltab. If the check supports relaxations or user-defined rules, theCheckstab includes anAddbutton, which opens yet another dialog box, in which you can specify a relaxation or rule for the check. (A relaxation is a rule for exempting specified traffic from the check.) If relaxations have already been configured, you can select one and clickOpento modify it.

   • To review learned exceptions or rules for a check, select the check, and then clickLearned Violations. In theManage Learned Rulesdialog box, select each learned exception or rule in turn.

     • To edit the exception or rule, and then add it to the list, clickEdit & Deploy.
     • To accept the exception or rule without modification, clickDeploy.
     • To remove the exception or rule from the list, clickSkip.

   • To refresh the list of exceptions or rules to be reviewed, clickRefresh.

   • open the Learning Visualizer and use it to review learned rules, clickVisualizer.

   • review the log entries for connections that matched a check, select the check, and then click Logs. You can use this information to determine which checks are matching attacks, so that you can enable blocking for those checks. You can also use this information to determine which checks are matching legitimate traffic, so that you can configure an appropriate exemption to allow those legitimate connections. For more information about the logs, seeLogs, Statistics, and Reports.

   • To completely disable a check, in the list, clear all of the check boxes to the right of that check.

4. On theSettingstab, configure the profile settings.

   • To associate the profile with the set of signatures that you previously created and configured, under Common Settings, choose that set of signatures in theSignaturesdrop-down list.

     Note:

     You may must use the scroll bar on the right of the dialog box to scroll down to display the Common Settings section.

   • To configure an HTML or XML Error Object, select the object from the appropriate drop-down list.

     Note:

     You must first upload the error object that you want to use in the Imports pane. For more information about importing error objects, seeImports.

   • To configure the default XML Content Type, type the content type string directly into the Default Request and Default Response text boxes, or click Manage Allowed Content Types to manage the list of allowed content types.»More….
5. If you want to use the learning feature, click Learning, and configure the learning settings for the profile, as described inConfiguring and Using the Learning Feature.
6. ClickOKto save your changes and return to theProfilespane.