Netscaler WAF step by step guide
We will focus on WAF implementation on Standalone WAF edition NetScaler in this blog.
Netscaler WAF feature is available with below licensing models
- Citrix NetScaler MPX and VPX, Platinum Edition,
- NetScaler MPX appliances running Enterprise Edition with Optional Module
- Stand- alone WAF edition based on NetScaler MPX appliances
We have seen lots of documentation listing the WAF implementation with Platinum edition and optional module with Enterprise Edition, However this blog is completely focused on Stand alone Netscaler WAF edition on NetScaler MPX appliances which is widely being used now a days.
The tricky part with all these three licensing models is that Platinum and Enterprise edition with WAF Optional modules of NetScalers have lots of features which we use in daily basis like load balancing and other stuff, However the surprising part is Stand alone WAF edition will have content switching but not load balancing in the licensed features, however we can use the virtual server bind to content switching vServer in WAF stand alone edition which we will cover in this blog.
WAF implementation is very easy and straight forward with NetScaler when compared with other WAF devices which we need to spend couple of days to do minimum configuration where as with NetScaler we can do WAF implementation in just couple of minutes.
Questions to ask before doing Netscaler WAF implementation:
- Backend Web server OS: Windows, Linux, Unix, others
- Web Server Type : IIS , Apache
- Application Type : ASP. NET, PHP, ActiveX, Apache Tomcat, Domino, and WebLogic
- No of Web servers: Load balancing and content switching required.
- SSL: Do you require SSL? If so, what key size (512, 1024, 2048, 4096) is used for signing certificates?
- Application Traffic Volume: Average traffic of applications and high utilization timeframes.
- Backend Database and Connectivity: MS-SQL, MySQL, Oracle, , Sybase or postgress
Available Licensed features with Netscaler Standalone WAF edition.
Step By Step Configuration of WAF
These steps will apply to all editions, however standalone WAF edition will have very minimal features required only for WAF.
- Infrastructure and virtual server Details
- Create WAF policies
- Create load balancing server
- Create load balancing server group
- Create load balancing virtual server
- Create content switch virtual server and Assign WAF policy
- Test the URL
Infrastructure and virtual server Details
- Webserver IP : 192.168.1.100
- WebServer : IIS based Web server
- Content Switch virtual server IP : 192.168.1.110
Note: In my case both webserver and virtual server VIP are in same subnet, however it can be in different subnets.
Create WAF policies
Before creating a WAF policy check if your backend server will fall under one of these categories, by default all web servers will fall under web application category.
- Web Application (HTML)
- XML Application (XML,SOAP)
- Web 2.0 Application (HTML,XML,REST)
go to Configuration – Security – Application Firewall – Application Firewall Wizard (select)
- Name: WEB-WAF-STD
- Type: Web
- Next to continue
Specify Rule section – Leave default true – Next to continue
Select Signature Section
- Create New Signature
- Simple for standard WAF / Advanced for High security
Specify Signature Protection Section
The default ones works very well, so leave default – Next to continue
Specify Deep Protection Section
The default ones works very well, so leave default – Finish to complete
To verify and review the WAF policies
go to Configuration – security – application firewall – Profiles
WAF policy we created will show here along with some default ones.
With this we are done with WAF policy creation now we will move to other steps.
Create load balancing server
Traffic Management – Virtual servers – Servers – Add (select)
- Name: A-WEB-Server
- IP: 192.168.1.100
- Ok to Continue
Create load balancing server group
Traffic Management – Virtual servers – service groups – Add (select)
- Name: A-Web-Server-Group
- Protocol:SSL
- Cache Type: Default (Server)
- Ok to Continue
Select any where on members section to add members.
Select server based – click on select server
Select the web-server created in before step – Select
Review right server is selected – Port 443 – Create ( Port depends on application in my case it is 443, it can be different as per your backed server)
Select Monitor on Right side – it will be added to your service group.
Select on Monitor section
Select Monitor – Click to select
Select TCP – select to continue
verify TCP from monitors – Bind
The service group will be created – Refresh so that effective state will come up.
Create load balancing virtual server
Traffic management – Virtual servers & Services – Virtual Servers – Add ( Select)
- Name : A-WEB-vServer
- Protocol : SSL
- IP: Non addressable ( it can be with IP also, in this case you need two IP’s, One for vServer and another for Content switch vServer)
Select the load balancing service group section
Click to select
Select group created before – Select
Review the group name – Bind
Warning : Feature(s) not licensed [LB] , Ignore this as we will use content switch vServer on top of this.
- This warning is coming as load balancing is not a licensed feature in WAF edition.
Click on server certificate
Click to Select the certificate
Select your certificate – I am using default, in your case it will be a valid certificate.
Review the certificate Name – Bind
Continue – Click Done to finish virtual server creation
The created virtual server will show as below.
Create content switch virtual server and Assign WAF policy
Traffic management – Content Switching – Virtual server – Add (select)
- Name: A-Webserver-CSvServer
- Protocol:SSL
- Target Type : None
- IP: 192.168.1.110 ( this is my VIP users will connect to)
- Port: 443
- OK to continue
Select the Default Virtual server Bound – With this we will bind previously created virtual server to content switch vserver.
Binding virtual server
- Choose virtual server :Load balancing virtual server
- Default load balancing virtual server : A-WEB-vServer ( this server we created before)
Click OK to continue
Click on Policies on the Right top – this will add policies section to our CvServer
Select ( + ) sign to add a policy for WAF.
Policies
- Choose Policy : App firewall
- Choose Type: Request
- Continue
Click on Select Policy section.
Select the WAF policy that we had created earlier WEB-WAF-STD and Select
Review and Click Bind. In some cases if you have multiple WAF policies, you will play with Priority section and add them all.
Click on Done to complete the Content Switch Virtual server configuration.
Now our Content switch virtual server with WAF policies are created. Refresh using Right circle icon so that server status will come up.
Test the URL
Now if this is for external users will NAT public IP with our VIP 192.168.1.110 and create Public DNS record. If it is for internal Just create DNS record pointing to VIP 192.168.1.110 and your website should be accessible.
Netscaler will check the traffic with all the setting under our WAF profile for this virtual server.
We hope this post is useful, Leave your comments and feedback below.
Excellent article. I have few questions.
1. Is it necessary to create content Switching virtual server? Can’t we bind the AppFwl policy to the load balanced virtual server directly?
2. Both basic and deep protection features are in logging mode only. Nothing is being blocked. It would be great if you could show how to block and add exception to some IPs.
Dear
you can bind the policies to lb virtual server; no issues. But the article i had cover is standalone WAF Netscaler which is not platinum or enterprise with WAF, so it will not have LB feature it will have only content switch feature enabled, so lb we have to bind to cs vserver.
you can enable the policies for which traffic needs to be blocked. regarding exceptions will try to cover in future post.
thanks
siva
Really great document. Appriciate your effort. Just one question here: How to see the alerts or the traffic logs?
Dear
You can see from netscaler logs or from NMAS. below will help.
https://docs.citrix.com/en-us/netscaler/12/application-firewall/logs.html
Thanks,
Siva
Hi Siva,
Thanks for above information.
I have a question related to Logs of WAF.
We do mock Drill in our environment by attacking vulnerable web site( OWASP etc). But Citrix WAF does not show payload in the logs(CLI & NMAS as well).
What extra configuration need to do to see payload in logs, please guide.
Dear
I recommend open a case with CTX team.
thanks
siva
so regarding the learning mode is it possible to switch to deep protection mode using the reference got from learning mode
Dear
Yes its possible.
Thanks
Siva
One important note when using this example on a platinum licensed ADC is that the wizard automatically binds the Web Firewall policy globally on completion. So, you’ll want to unbind that if you only want certain LB or CS vservers to have the policy.
This confused me the first time I deployed a “test” policy on the box and saw hits on it without binding to a vserver.
True, thanks for highlighting that.
Thanks for this Siva. I was wondering if a Webapp firewall policy be on bound to the Content Switching Virtual Server or the Load Balancing Virtual Servers behind it?
True,
WAF policy can be bound to both of them.
Sir do you have all Citrix load balancer video if available I will buy to prepare the certification