Creating Web App Firewall profiles

You can create a Web App Firewall profile in one of two ways: by using the command line, and by using the GUI. Creating a profile by using the command line requires that you specify options on the command line. The process is similar to that ofconfiguring a profile, and with a few exceptions the two commands take the same parameters.

Creating a profile by using the GUI requires that you specify only two options. You specify basic or advanceddefaults, the default configuration for the various security checks and settings that are part of a profile, and choose the profiletypeto match the type of content that the profile is intended to protect. You can also, optionally, add a comment. After you create the profile, you must then configure it by selecting it in the data pane, and then clickingEdit.

If you plan to use the learning feature or to enable and configure many advanced protections, you must choose advanced defaults. In particular, if you plan to configure either of the SQL injection checks, either of the cross-site scripting checks, any check that provides protection against Web form attacks, or the cookie consistency check, you must plan to use the learning feature. Unless you include the proper exceptions for your protected websites when configuring these checks, they can block legitimate traffic. Anticipating all exceptions without creating any that are too broad is difficult. The learning feature makes this task much easier. Otherwise, basic defaults are quick and must provide the protection that your web applications need.

There are three profile types:

• HTML.Protects standard HTML-based websites.
• XML.Protects XML-based web services and websites.
• Web 2.0 (HTML XML).Protects websites that contain both HTML and XML elements, such as ATOM feeds, blogs, and RSS feeds.

There are also a few restrictions on the name that you can give to a profile. A profile name cannot be the same as the name assigned to any other profile or action in any feature on the NetScaler appliance. Certain action or profile names are assigned to built-in actions or profiles, and can never be used for user profiles. A complete list of disallowed names can be found in the Web App Firewall ProfileSupplemental Information. If you attempt to create a profile with a name that has already been used for an action or a profile, an error message is displayed and the profile is not created.

To create a Web App Firewall profile by using the command line interface

At the command prompt, type the following commands:

• add appfw profile [-defaults ( **basic** | **advanced** )]
• set appfw profile -type ( **HTML** | **XML** | **HTML XML** )
• set appfw profile -comment ""
• save ns config

Example

The following example adds a profile named pr-basic, with basic defaults, and assigns a profile type of HTML. This is the appropriate initial configuration for a profile to protect an HTML website.

add appfw profile pr-basic -defaults basic -comment "Simple profile for websites." set appfw profile pr-basic -type HTML save ns config 

To create a Web App Firewall profile by using the GUI

Complete the following procedure to create a Web App Firewall profile:

1. Navigate toSecurity > Citrix Web App Firewall > Profiles.
2. In the details pane, clickAdd.

3. In theCreate Web App Firewall Profilepage, set the following basic parameters:

   1. Name
   2. Profile Type
   3. Comments
   4. Defaults
   5. Description
4. ClickOK.

5. In the高级设置section, complete the following configurations:

   1. Security Checks
   2. Profile Settings
   3. Dynamic Profiling
   4. Relaxation Rules
   5. Deny Rules
   6. Learned Rule
   7. Extended Logging

   

6. In theSecurity Checkssection, select a security protection and click Action Settings.

7. In the security check page, set the parameters.

   Note:TheActive Rulesetting is available only forHTML SQL Injectioncheck to allow > or deny signature rules.

8. ClickOKandClose.

9. In theProfile Settingssection, set the profile parameters. For more information, seeConfigure Web App Firewall Profile settingstopic.
10. In theDynamic Profilingsection, select a security check to add dynamic profile settings. For more information, seeDynamic Profiletopic.
11. In theRelaxation Rulessection, clickEditto add a relaxation rule for a security check. For more information, seeRelaxation Rulefor details.
12. In theDeny Rulessection, add a deny rule for the HTML SQL Injection check. For more information, seeHTML Deny Rulestopic.
13. In theLearnt Rulesection, set the learning settings. For more information, seeWeb App Firewall Learningtopic.
14. In theExtended loggingsection, clickAddfor masking sensitive data. For more information, seeExtended loggingtopic.

15. Click完成, and then clickClose.