Manual configuration by using the Citrix ADC GUI 编辑

If you need to manually configure the Web App Firewall feature, Citrix recommends you to use the Citrix ADC GUI procedure.

To create and configure signatures object

Before you can configure the signatures, you must create a signatures object from the appropriate default signatures object template. Assign the copy a new name, and then configure the copy. You cannot configure or modify the default signatures objects directly. The following procedure provides basic instructions for configuring a signatures object. For more detailed instructions, see Manually Configuring the Signatures Feature.

1. Navigate to Security > Citrix Web App Firewall > Signatures.

2. In the details pane, select the signatures object that you want to use as a template, and then click Add.

   Your choices are:

   • Default Signatures. Contains the signatures rules, the SQL injection rules, and the cross-site scripting rules.
   • XPath Injection. Contains all of the items in the Default Signatures, and in addition, contains the XPath injection rules.
3. In the Add Signatures Object dialog box, type a name for your new signatures object, click OK, and then click Close. The name can begin with a letter, number, or the underscore symbol, and can consist of from one to 31 letters, numbers, and the hyphen (-), period (.) pound (#), space ( ), at (@), equals (=), and underscore (_) symbols.
4. Select the signatures object that you created, and then click Open.

5. In the Modify Signatures Object dialog box, set the Display Filter Criteria options at the left to display the filter items that you want to configure.

   As you modify these options, the results that you specify are displayed in the Filtered Results window at the right. For more information about the categories of signatures, see Signatures.

6. In the Filtered Results area, configure the settings for a signature by selecting and clearing the appropriate check boxes.
7. When finished, finished, click Close.

To create a Web App Firewall profile by using the GUI

Creating a Web App Firewall profile requires that you specify only a few configuration details.

1. Navigate to Security > Citrix Web App Firewall > Profiles.
2. In the details pane, click Add.

3. In the Create Web App Firewall Profile dialog box, type a name for your profile.

   The name can begin with a letter, number, or the underscore symbol, and can consist of from one to 31 letters, numbers, and the hyphen (-), period (.) pound (#), space ( ), at (@), equals (=), colon (:), and underscore (_) symbols.

4. Choose the profile type from the drop-down list.
5. Click Create, and then click Close.

To configure a Web App Firewall profile by using the GUI

1. Navigate to Security > Citrix Web App Firewall > Profiles.
2. In the details pane, select the profile that you want to configure, and then click Edit.
3. In the Configure Web App Firewall Profile dialog box, on the Security Checks tab, configure the security checks.
   • To enable or disable an action for a check, in the list, select or clear the check box for that action.

   • To configure other parameters for those checks that have them, in the list, click the blue chevron to the far right of that check. In the dialog box that appears, configure the parameters. These vary from check to check.

     You can also select a check and, at the bottom of the dialog box, click Open to display the Configure Relaxation dialog box or Configure Rule dialog box for that check. These dialog boxes also vary from check to check. Most of them include a Checks tab and a General tab. If the check supports relaxations or user-defined rules, the Checks tab includes an Add button, which opens yet another dialog box, in which you can specify a relaxation or rule for the check. (A relaxation is a rule for exempting specified traffic from the check.) If relaxations have already been configured, you can select one and click Open to modify it.

   • To review learned exceptions or rules for a check, select the check, and then click Learned Violations. In the Manage Learned Rules dialog box, select each learned exception or rule in turn.

     • To edit the exception or rule, and then add it to the list, click Edit & Deploy.
     • To accept the exception or rule without modification, click Deploy.
     • To remove the exception or rule from the list, click Skip.
   • To refresh the list of exceptions or rules to be reviewed, click Refresh.
   • To open the Learning Visualizer and use it to review learned rules, click Visualizer.
   • To review the log entries for connections that matched a check, select the check, and then click Logs. You can use this information to determine which checks are matching attacks so that you can enable blocking for those checks. You can also use this information to determine which checks are matching legitimate traffic, so that you can configure an appropriate exemption to allow those legitimate connections. For more information about the logs, see Logs, Statistics, and Reports.
   • To completely disable a check, in the list, clear all of the check boxes to the right of that check.
4. On the Settings tab, configure the profile settings.

   • To associate the profile with the set of signatures that you previously created and configured, under Common Settings, choose that set of signatures in the Signatures drop-down list.

     Note:

     You may must use the scroll bar on the right of the dialog box to scroll down to display the Common Settings section.

   • To configure an HTML or XML Error Object, select the object from the appropriate drop-down list.

     Note:

     You must first upload the error object that you want to use in the Import pane.

   • To configure the default XML Content Type, type the content type string directly into the Default Request and Default Response text boxes, or click Manage Allowed Content Types to manage the list of allowed content types.

5. If you want to use the learning feature, click Learning, and configure the learning settings for the profile. For more information, see Configure and Learning feature.

6. Click OK to save your changes and return to the Profiles pane.

Configuring a Web App Firewall rule or relaxation

You configure two different types of information in this dialog box, depending upon which security check you are configuring. In most cases, you configure an exception (or relaxation) to the security check. If you are configuring the Deny URL check or the Field Formats check, you configure an addition (or rule). The process for either of these is the same.

To configure a relaxation rule by using the Citrix ADC GUI

1. Navigate to Security > Citrix Web App Firewall > Profiles.
2. In the Profiles pane, select the profile you want to configure, and then click Edit.
3. In the Configure Web App Firewall Profile page, click Relaxation Rule from Advanced Settings section. The Relaxation Rule section contains the complete list of Web App Firewall relaxation rules.
4. Click a security rule that you want to configure, and then click Edit.
5. The URL Relaxation Rules page contains a list of actions and that you can configure for this rule and a list of existing relaxations or rules. The list might be empty if you have not either manually added any relaxations or approved any relaxations that were recommended by the learning engine. Beneath the list is a row of buttons that allow you to add, modify, delete, enable, or disable the relaxations on the list.

6. To add or modify a relaxation or a rule, do one of the following:

   • To add a new relaxation, click Add.
   • To modify an existing relaxation, select the relaxation that you want to modify, and then click Open.

   The Start URL Relaxation Rule page is displayed. Except for the title, these dialog boxes are identical.

7. Fill in the dialog box as described below. The dialog boxes for each check are different. The list below covers all elements that might appear in any dialog box.

   • Enabled check box—Select to place this relaxation or rule in active use; clear to deactivate it.
   • Attachment Content Type—The Content-Type attribute of an XML attachment. In the text area, enter a regular expression that matches the Content-Type attribute of the XML attachments to allow.
   • Action URL—In the text area, enter a PCRE-format regular expression that defines the URL to which data entered into the web form is delivered.
   • Cookie—In the text area, enter a PCRE-format regular expression that defines the cookie.
   • Field Name—A web form field name element may be labeled Field Name, Form Field, or another similar name. In the text area, enter a PCRE-format regular expression that defines the name of the form field.
   • From Origin URL—In the text area, enter a PCRE-format regular expression that defines the URL that hosts the web form.
   • From Action URL—In the text area, enter a PCRE-format regular expression that defines the URL to which data entered into the web form is delivered.
   • Name—An XML element or attribute name. In the text area, enter a PCRE-format regular expression that defines the name of the element or attribute.
   • URL—A URL element may be labeled Action URL, Deny URL, Form Action URL, Form Origin URL, Start URL, or simply URL. In the text area, enter a PCRE-format regular expression that defines the URL.

   • Format—The format section contains multiple settings that include list boxes and text boxes. Any of the following can appear:

     • Type—Select a field type in the Type drop-down list. To add a new field type definition, click Manage—
     • Minimum Length—Type a positive integer that represents the minimum length in characters if you want to force users to fill in this field. Default: 0 (Allows field to be left blank.)
     • Maximum length—To limit the length of data in this field, type a positive integer that represents the maximum length in characters. Default: 65535

   • Location—Choose the element of the request that your relaxation applies to from the drop-down list. For HTML security checks, the choices are:

     • FORMFIELD—Form fields in web forms.
     • HEADER—Request headers.
     • COOKIE—Set-Cookie headers.

     For XML security checks, the choices are:

     • ELEMENT—XML element.
     • ATTRIBUE—XML attribute.
   • Maximum Attachment Size—The maximum size in bytes allowed for an XML attachment.
   • Comments—In the text area, type a comment. Optional.

   Note: For any element that requires a regular expression, you can type the regular expression, use the Regex Tokens menu to insert regular expression elements and symbols directly into the text box, or click Regex Editor to open the Add Regular Expression dialog box, and use it to construct the expression.

8. To remove a relaxation or rule, select it, and then click Delete.
9. To enable a relaxation or rule, select it, and then click Enable.
10. To disable a relaxation or rule, select it, and then click Disable.

11. To configure the settings and relationships of all existing relaxations in an integrated interactive graphic display, click Visualizer, and use the display tools.

    Note:

    The Visualizer button does not appear on all check relaxation dialog boxes.

12. To review learned rules for this check, click Learning and perform the steps in To configure and use the Learning feature
13. Click OK.

To configure the Learned Rules by using the Citrix ADC GUI

1. Navigate to Security > Citrix Web App Firewall > Profiles.
2. In the Profiles pane, select the profile, and then click Edit.
3. In the Citrix Web App Firewall Profile page, click Learned Rules from Advanced Settings. In the Learned Rules section you can see a list of security checks that are available in the current profile and that support the learning feature.
4. To configure the learning thresholds, select a security check, and click Settings.

5. In the Dynamic Profiling and Learning Rules Settings page, you can set the settings. For more information, see Dynamic profile settings

   • Minimum number threshold. Depending on which security check’s learning settings you are configuring, the minimum number threshold might refer to the minimum number of total user sessions that must be observed, the minimum number of requests that must be observed, or the minimum number of times a specific form field must be observed, before a learned relaxation is generated. Default: 1

   • Percentage of times threshold. Depending on which security check’s learning settings you are configuring, the percentage of times threshold might refer to the percentage of total observed user sessions that violated the security check, the percentage of requests, or the percentage of times a form field matched a particular field type, before a learned relaxation is generated. Default: 0

6. To remove all learned data and reset the learning feature, so that it must start its observations again from the beginning, select Remove All Learned Data action.

   Note:

   This button removes only learned recommendations that have not been reviewed and either approved or skipped. It does not remove learned relaxations that have been accepted and deployed.

7. To restrict the learning engine to traffic from a specific set of IPs, click Trusted Learning Clients, and add the IP addresses that you want to use to the list.
   1. To add an IP address or IP address range to the Trusted Learning Clients list, click Add.
   2. In the AppFirewall Profile to Trusted Clint Binding page, click Add.
   3. Select the Enabled check box to enable the feature.
   4. In Trusted Learning Client** box, type the IP address or an IP address range in CIDR format.
   5. In the Comments text area, type a comment that describes this IP address or range.
   6. Click Create and Close.
8. To modify an existing IP address or range, click the IP address or range, and then click Edit. Except for the name, the dialog box that appears is identical to the Add Trusted Learning Clients dialog box.
9. To disable or enable an IP address or range, but leave it on the list, click the IP address or range, and then click Disable or Enable, as appropriate.

10. To remove an IP address or range completely, click the IP address or range, and then click Delete.

11. Click Close to return to the Citrix Web App Firewall Profile page.

To create a Citrix Web App Firewall policy by using the Citrix ADC GUI

1. Navigate to Security > Citrix Web App firewall > Policies.

2. In the Policies page, click Citrix Web App Firewall Policy link.
3. In the Citrix Web App Firewall Policies page, click Add.

4. In the Create Citrix Web App Firewall Policy page, set the following parameters.

   1. Name. The name can begin with a letter, number, or the underscore symbol, and can consist of from one to 128 letters, numbers, and the hyphen (-), period (.) pound (#), space ( ), at (@), equals (=), colon (:), and underscore (_) symbols.
   2. Profile. Select the profile that you want to associate with this policy from the Profile drop-down list. You can create a profile to associate with your policy by clicking New, and you can modify an existing profile by clicking Modify.
   3. Expression. In the Expression text area, create a rule for your policy.
   4. Log Action. Add a log action or you can modify an existing log action.
   5. Comments. A brief description about the policy.
5. Click Create or OK, and then click Close.

To create or configure a Web App Firewall rule (expression)

The policy rule, also called the expression, defines the web traffic that the Web App Firewall filters by using the profile associated with the policy. Like other Citrix ADC policy rules (or expressions), Web App Firewall rules use Citrix ADC expressions syntax. This syntax is powerful, flexible, and extensible. It is too complex to describe completely in this set of instructions. You can use the following procedure to create a simple firewall policy rule, or you can read it as an overview of the policy creation process.

1. If you have not already done so, navigate to the appropriate location in the Web App Firewall wizard or the Citrix ADC GUI to create your policy rule:

   • If you are configuring a policy in the Web App Firewall wizard, in the navigation pane, click Citrix Web App Firewall Wizard, then in the details pane click Citrix Web App Firewall Wizard, and then navigate to the Specify Rule tab page.

   • In the Specify Rule page, choose the prefix for your expression from the drop-down list. Your choices are:

   • HTTP. The HTTP protocol. Choose this if you want to examine some aspect of the request that pertains to the HTTP protocol.
   • SYS. One or more protected websites. Choose this if you want to examine some aspect of the request that pertains to the recipient of the request.
   • CLIENT. The computer that sent the request. Choose this if you want to examine some aspect of the sender of the request.
   • SERVER. The computer to which the request was sent. Choose this if you want to examine some aspect of the recipient of the request.

   After you choose a prefix, the Web App Firewall displays a two-part prompt window that displays the possible next choices at the top, and a brief explanation of what the selected choice means at the bottom.

2. Choose your next term.

   If you chose HTTP as your prefix, your only choice is REQ, which specifies the Request/Response pair. (The Web App Firewall operates on the request and response as a unit instead of on each separately.) If you chose another prefix, your choices are more varied. For help on a specific choice, click that choice once to display information about it in the lower prompt window.

   When you have decided which term you want, double-click it to insert it into the Expression window.

3. Type a period after the term you just chose. You are then prompted to choose your next term, as described in the previous step. When a term requires that you type a value, fill in the appropriate value. For example, if you choose HTTP.REQ.HEADER(“”), type the header name between the quotation marks.

4. Continue choosing terms from the prompts and filling in any values that are needed, until your expression is finished.

   Following are some examples of expressions for specific purposes.

   • Specific web host. To match traffic from a particular web host:

HTTP.REQ.HEADER("Host").EQ("shopping.example.com")

For shopping.example.com, substitute the name of the web host that you want to match.

• Specific web folder or directory. To match traffic from a particular folder or directory on a Web host:

HTTP.REQ.URL.STARTSWITH("https//www.example.com/folder")

For www.example.com, substitute the name of the web host. For folder, substitute the folder or path to the content that you want to match. For example, if your shopping cart is in a folder called /solutions/orders, you substitute that string for folder.

• Specific type of content: GIF images. To match GIF format images:

HTTP.REQ.URL.ENDSWITH(".gif")

To match other format images, substitute another string in place of .gif.

• Specific type of content: scripts. To match all CGI scripts located in the CGI-BIN directory:

HTTP.REQ.URL.STARTSWITH("https//www.example.com/CGI-BIN")

To match all JavaScripts with .js extensions:

HTTP.REQ.URL.ENDSWITH(".js")

For more information about creating policy expressions, see Policies and Expressions.

Note:

If you use the command line to configure a policy, remember to escape any double quotation marks within Citrix ADC expressions. For example, the following expression is correct if entered in the GUI:

HTTP.REQ.HEADER("Host").EQ("shopping.example.com")

If entered at the command line, however, you must type this instead:

HTTP.REQ.HEADER("Host").EQ("shopping.example.com")

![Policy expression configuration](/en-us/citrix-adc/media/waf-rule.png)