Netscaler WAF step by step guide

In this blog we will focus on WAF implementation on the Standalone WAF edition of NetScaler.

The NetScaler WAF feature is available with the licensing models below:

  • Citrix NetScaler MPX and VPX, Platinum Edition
  • NetScaler MPX appliances running Enterprise Edition with the optional WAF module
  • Stand-alone WAF edition based on NetScaler MPX appliances

We have seen lots of documentation covering WAF implementation on the Platinum edition and on the Enterprise edition with the optional module. This blog, however, focuses entirely on the stand-alone NetScaler WAF edition on NetScaler MPX appliances, which is widely used nowadays.

The tricky part with these three licensing models is that the Platinum edition and the Enterprise edition with the WAF optional module include many features we use on a daily basis, such as load balancing. The surprising part is that the stand-alone WAF edition includes content switching but not load balancing among its licensed features. We can, however, still bind a load balancing virtual server to a content switching vServer in the stand-alone WAF edition, and that is what we will cover in this blog.

WAF implementation is very easy and straightforward on NetScaler compared with other WAF devices, where we need to spend a couple of days on even the minimum configuration; with NetScaler we can complete a WAF implementation in a couple of minutes.

Questions to ask before doing a NetScaler WAF implementation:

  • Backend web server OS: Windows, Linux, Unix, others
  • Web server type: IIS, Apache
  • Application type: ASP.NET, PHP, ActiveX, Apache Tomcat, Domino, WebLogic
  • Number of web servers: whether load balancing and content switching are required
  • SSL: Do you require SSL? If so, what key size (512, 1024, 2048, 4096) is used for signing certificates?
  • Application traffic volume: average traffic of the applications and high-utilization timeframes
  • Backend database and connectivity: MS-SQL, MySQL, Oracle, Sybase or PostgreSQL

Available licensed features with the NetScaler Standalone WAF edition:

Step By Step Configuration of WAF

These steps apply to all editions; however, the standalone WAF edition has only the minimal features required for WAF.

  1. Infrastructure and virtual server Details
  2. Create WAF policies
  3. Create load balancing server
  4. Create load balancing server group
  5. Create load balancing virtual server
  6. Create content switch virtual server and Assign WAF policy
  7. Test the URL

Infrastructure and virtual server Details

  • Web server IP: 192.168.1.100
  • Web server: IIS based web server
  • Content switch virtual server IP: 192.168.1.110

Note: In my case both the web server and the virtual server VIP are in the same subnet; however, they can be in different subnets.

Create WAF policies

Before creating a WAF policy, check which of these categories your backend server falls under; by default all web servers fall under the Web Application category.

  1. Web Application (HTML)
  2. XML Application (XML, SOAP)
  3. Web 2.0 Application (HTML, XML, REST)

Go to Configuration – Security – Application Firewall – Application Firewall Wizard (select)

  • Name: WEB-WAF-STD
  • Type: Web
  • Next to continue

Specify Rule section – leave the default (true) – Next to continue

Select Signature Section

  • Create New Signature
  • Simple for a standard WAF / Advanced for high security

Specify Signature Protection Section

The defaults work very well, so leave them – Next to continue

Specify Deep Protection Section

The defaults work very well, so leave them – Finish to complete

To verify and review the WAF policies

Go to Configuration – Security – Application Firewall – Profiles

The WAF policy we created will show here along with some default ones.

With this, WAF policy creation is done; now we move on to the other steps.

Create load balancing server

Traffic Management – Virtual servers – Servers – Add (select)

  • Name: A-WEB-Server
  • IP: 192.168.1.100
  • OK to continue

Create load balancing server group

Traffic Management – Virtual servers – service groups – Add (select)

  • Name: A-Web-Server-Group
  • Protocol: SSL
  • Cache Type: Default (Server)
  • OK to continue

Select anywhere in the Members section to add members.

Select Server Based – click on Select Server

Select the web server created in the previous step – Select

Review that the right server is selected – Port 443 – Create (the port depends on the application; in my case it is 443, it can be different for your backend server)

Select Monitor on the right side – it will be added to your service group.

Select the Monitor section

Select Monitor – Click to select

Select TCP – Select to continue

Verify that TCP is listed under monitors – Bind

The service group will be created – Refresh so that the effective state comes up.

Create load balancing virtual server

Traffic Management – Virtual Servers & Services – Virtual Servers – Add (select)

  • Name: A-WEB-vServer
  • Protocol: SSL
  • IP: Non addressable (it can also have an IP; in that case you need two IPs, one for the vServer and another for the content switch vServer)

Select the load balancing service group section

Click to select

Select group created before – Select

Review the group name – Bind

Warning: Feature(s) not licensed [LB]. Ignore this, as we will use a content switch vServer on top of this.

  • This warning appears because load balancing is not a licensed feature in the WAF edition.

Click on server certificate

Click to Select the certificate

Select your certificate – I am using the default; in your case it will be a valid certificate.

Review the certificate Name – Bind

Continue – Click Done to finish virtual server creation

The created virtual server will show as below.

Create content switch virtual server and Assign WAF policy

Traffic management – Content Switching – Virtual server – Add (select)

  • Name: A-Webserver-CSvServer
  • Protocol: SSL
  • Target Type: None
  • IP: 192.168.1.110 (this is my VIP that users will connect to)
  • Port: 443
  • OK to continue

Select Default Virtual Server Bound – with this we bind the previously created virtual server to the content switch vServer.

Binding virtual server

  • Choose virtual server: Load balancing virtual server
  • Default load balancing virtual server: A-WEB-vServer (the server we created before)

Click OK to continue

Click on Policies at the top right – this adds a Policies section to our CS vServer.

Select ( + ) sign to add a policy for WAF.

Policies

  • Choose Policy: App Firewall
  • Choose Type: Request
  • Continue

Click on Select Policy section.

Select the WAF policy we created earlier, WEB-WAF-STD, and click Select.

Review and click Bind. If you have multiple WAF policies, use the Priority field to order them and add them all.

Click on Done to complete the content switch virtual server configuration.

Now our content switch virtual server with WAF policies is created. Refresh using the circular icon on the right so that the server status comes up.

Test the URL

Now, if this is for external users, NAT a public IP to our VIP 192.168.1.110 and create a public DNS record. If it is for internal users, just create a DNS record pointing to VIP 192.168.1.110 and your website should be accessible.

NetScaler will check the traffic against all the settings under our WAF profile for this virtual server.

We hope this post is useful. Leave your comments and feedback below.
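For readers who prefer the command line, here is the same build-out as NetScaler CLI commands. This is an added example, not part of the original post: it mirrors steps 2 to 6 above (WAF profile and policy, backend server, SSL service group with a TCP monitor, non-addressable SSL load balancing vServer, and the content switching vServer on the VIP with the LB vServer as its default target and the WAF policy bound for requests). The names and IPs are the ones used in this post. `ns-server-certificate` is the appliance's built-in default certificate key, matching the "default" certificate used above; replace it with your own cert key in production. The cert binding on the CS vServer is added here because the CS vServer is the SSL endpoint users connect to. The wizard's signature object is not reproduced; bind your own with `set appfw profile WEB-WAF-STD -signatures <sig-name>` if needed.

```nscli
# NetScaler CLI equivalent of the GUI steps in this post (added example).
# Run from the NetScaler command prompt (SSH), then "save config".

# Step 2: WAF profile and policy (the wizard creates both under one name).
#   "-defaults basic" matches the wizard's Simple choice; use "advanced"
#   for the high-security preset.
add appfw profile WEB-WAF-STD -defaults basic
add appfw policy WEB-WAF-STD true WEB-WAF-STD

# Step 3: backend web server
add server A-WEB-Server 192.168.1.100

# Step 4: SSL service group on port 443 with the built-in TCP monitor
add serviceGroup A-Web-Server-Group SSL
bind serviceGroup A-Web-Server-Group A-WEB-Server 443
bind serviceGroup A-Web-Server-Group -monitorName tcp

# Step 5: non-addressable LB vServer (IP 0.0.0.0, port 0).
#   On the stand-alone WAF edition this produces the
#   "Feature(s) not licensed [LB]" warning; it can be ignored.
add lb vserver A-WEB-vServer SSL 0.0.0.0 0
bind lb vserver A-WEB-vServer A-Web-Server-Group
bind ssl vserver A-WEB-vServer -certkeyName ns-server-certificate

# Step 6: content switching vServer on the VIP users connect to,
#   LB vServer as default target, WAF policy bound for requests.
add cs vserver A-Webserver-CSvServer SSL 192.168.1.110 443
bind ssl vserver A-Webserver-CSvServer -certkeyName ns-server-certificate
bind cs vserver A-Webserver-CSvServer -lbvserver A-WEB-vServer
bind cs vserver A-Webserver-CSvServer -policyName WEB-WAF-STD -priority 100 -type REQUEST

# Verification: vServer states, service group members and the policy binding
show cs vserver A-Webserver-CSvServer
show lb vserver A-WEB-vServer
show serviceGroup A-Web-Server-Group
show appfw policy WEB-WAF-STD

save config
```

The `show` commands at the end replace the GUI refresh: the CS vServer should report state UP, the service group member should show port 443 with the tcp monitor, and the policy output should list the CS vServer binding. A profile created with `-defaults basic` logs rather than blocks most checks, so review the profile's security checks and switch the ones you rely on to block once the logs look clean.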

 

Siva Sankar

Siva Sankar works as a Solution Architect in Abu Dhabi with a primary focus on SDDC, Automation, Network Virtualization, Digital Workspace, VDI, HCI and Virtualization products from VMware, Citrix and Microsoft.

13 thoughts on “Netscaler WAF step by step guide”

  • March 10, 2019 at 8:49 am

    Excellent article. I have a few questions.
    1. Is it necessary to create a content switching virtual server? Can’t we bind the AppFwl policy to the load balanced virtual server directly?

    2. Both basic and deep protection features are in logging mode only. Nothing is being blocked. It would be great if you could show how to block and add exceptions for some IPs.
    • March 12, 2019 at 8:04 pm

      Dear

      You can bind the policies to the LB virtual server; no issues. But the article I covered is the standalone WAF NetScaler, which is not Platinum or Enterprise with WAF, so it will not have the LB feature; it will have only the content switch feature enabled, so the LB we have to bind to the CS vServer.

      You can enable the policies for which traffic needs to be blocked. Regarding exceptions, I will try to cover them in a future post.

      Thanks
      Siva
  • May 9, 2019 at 8:53 am

    Really great document. Appreciate your effort. Just one question here: how do we see the alerts or the traffic logs?
  • June 7, 2019 at 1:11 pm

    Hi Siva,

    Thanks for the above information.
    I have a question related to the logs of WAF.

    We do mock drills in our environment by attacking a vulnerable website (OWASP etc.). But Citrix WAF does not show the payload in the logs (CLI and NMAS as well).

    What extra configuration is needed to see the payload in the logs? Please guide.
  • December 17, 2019 at 9:03 am

    Regarding the learning mode, is it possible to switch to deep protection mode using the reference obtained from learning mode?
  • August 11, 2020 at 6:34 pm

    One important note when using this example on a Platinum licensed ADC is that the wizard automatically binds the Web Firewall policy globally on completion. So, you’ll want to unbind that if you only want certain LB or CS vServers to have the policy.

    This confused me the first time I deployed a “test” policy on the box and saw hits on it without binding it to a vServer.
  • October 14, 2020 at 11:36 pm

    Thanks for this Siva. I was wondering if a WebApp firewall policy should be bound to the Content Switching Virtual Server or to the Load Balancing Virtual Servers behind it?
  • December 21, 2021 at 5:46 pm

    Sir, do you have all the Citrix load balancer videos? If available, I will buy them to prepare for the certification.
