The Citrix Blog
Blogs for vamsi Korrapati [ Blogs | Profile ]

posted by vamsi Korrapati

NetScaler has long had the ability to take network traces and analyze them in tools like Wireshark. Network traces can be captured in standard tcpdump format or in a NetScaler-specific format. The NetScaler-specific format carries additional connection information that makes it easier to troubleshoot issues. For a long while, NetScaler engineers used a modified version of Wireshark (previously called Ethereal) to view and analyze NetScaler traces.

Recently, our developers contributed this patch to the open source Wireshark project, and the next version (1.3.0) of Wireshark will include the ability to understand NetScaler-format packet traces. In the interim, the modified Wireshark version is available for download at CTX122313. This version works on Windows. The article also shows how to make use of the additional data in NetScaler traces.

To capture a network trace on the NetScaler, log in to the command line interface and drop into the shell (by typing shell).
To capture a trace in the NetScaler format, type

#nstrace.sh -sz 0

-sz 0 captures the full packet. With no argument (the default), only the first 164 bytes of each packet are captured.

You can also use the GUI to capture traces (under System / Diagnostics).

#nstrace.sh -help

lists the other options available.

Copy the trace file off the appliance using ftp, scp, etc. and analyze it with the modified Wireshark.

To capture traces in the tcpdump format, type

#nstcpdump.sh

(Most standard tcpdump options are supported.)


posted by vamsi Korrapati

A new whitepaper describing the XML firewall features available in NetScaler version 9.x is available here.
It includes a concise summary of the feature capabilities and of the types of applications that the Application Firewall can secure. Security is a core component of the Application Delivery Controller (ADC) platform. For a broad overview of the security-related features available in the NetScaler, get Citrix NetScaler - A Comprehensive Application Security Solution.


posted by vamsi Korrapati

NetScaler Application Firewall devices are commonly deployed as a cluster of devices behind (hopefully) a NetScaler load balancer, or Application Delivery Controller (ADC) as we like to call them now. Content switching or URL-based routing decisions are typically made on the load balancer, but some topologies require the flexibility of performing this action from the firewall tier itself. In this case, the firewall is directly connected to the web server tier without a load balancer in between.

The NetScaler Application Firewall can do content switching using the AppExpert policy engine based on any incoming request parameters to direct traffic to backend servers. Upgrading to the Platinum edition will make all NetScaler features available in an integrated platform enabling consolidation of server tiers. This feature is available in NetScaler 9.0 Build 69.x onwards as well as the 9.1 release.


posted by vamsi Korrapati

XML firewall

In 9.0, the Application Firewall can be used to protect applications that use XML payloads. These applications include SOAP-based Web services, AJAX applications and REST-based applications that use XML. XML-specific security features include:

  • XML Denial of Service protection
  • XML well-formedness check
  • XML attachment detection
  • Message validation (schema)
  • Cross-site scripting and SQL injection protection
  • Web Services Interoperability (WS-I) check

XML protection is integrated into the Application Firewall, so all applicable firewall features, including Start and Deny URLs, Buffer overflow, Cookie protection and Safe Object checks, are available. More details on the XML firewall functionality can be found at XML Security Features in NetScaler 9.0.
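Two of the checks listed above, the well-formedness check and XML Denial of Service protection, come down to parsing the payload under strict limits before the application ever sees it. The following is an added example written for this page, not NetScaler code: a small streaming pre-check in Python's standard library that rejects oversize, DOCTYPE-carrying, malformed, over-deep or over-large XML. The XmlPolicy class, the inspect_xml function, the limit values and the sample payloads are all assumptions constructed here; schema validation is out of scope because xml.etree does not validate against schemas.

```python
import io
import xml.etree.ElementTree as ET


class XmlPolicy:
    """Firewall-style limits for one XML payload (hypothetical; values illustrative)."""

    def __init__(self, max_bytes=1_000_000, max_depth=32,
                 max_elements=10_000, max_attributes=64, allow_doctype=False):
        self.max_bytes = max_bytes
        self.max_depth = max_depth
        self.max_elements = max_elements
        self.max_attributes = max_attributes
        self.allow_doctype = allow_doctype


def inspect_xml(payload, policy=None):
    """Return (allowed, reason) for a request body before it reaches the app.

    Cheap byte-level checks run first; then a streaming parse enforces the
    structural limits while it verifies well-formedness, so a hostile
    document is rejected as early as possible instead of after a full parse.
    """
    policy = policy or XmlPolicy()
    if len(payload) > policy.max_bytes:
        return False, "payload exceeds size limit"
    # Entity declarations live in the DOCTYPE; refusing it rules out
    # entity-expansion and external-entity payloads before parsing starts.
    # (Conservative: the string inside a comment is rejected as well.)
    if not policy.allow_doctype and b"<!DOCTYPE" in payload:
        return False, "DOCTYPE / entity declarations not allowed"
    depth = elements = 0
    try:
        for event, elem in ET.iterparse(io.BytesIO(payload), events=("start", "end")):
            if event == "start":
                depth += 1
                elements += 1
                if depth > policy.max_depth:
                    return False, "nesting depth exceeds limit"
                if elements > policy.max_elements:
                    return False, "element count exceeds limit"
                if len(elem.attrib) > policy.max_attributes:
                    return False, "attribute count exceeds limit"
            else:
                depth -= 1
    except ET.ParseError as exc:
        # Malformed input surfaces here; the parser stops at the first error.
        return False, f"not well-formed: {exc}"
    return True, "ok"


# Constructed sample payloads (not captured traffic).
SAMPLE_OK = b"<order><item sku='a1' qty='2'>widget</item></order>"
SAMPLE_MALFORMED = b"<order><item>widget</order>"
SAMPLE_DEEP = b"<a>" * 40 + b"</a>" * 40
SAMPLE_ENTITY = b"<!DOCTYPE r [<!ENTITY e 'x'>]><r>&e;</r>"

if __name__ == "__main__":
    for name, body in [("ok", SAMPLE_OK), ("malformed", SAMPLE_MALFORMED),
                       ("deep", SAMPLE_DEEP), ("entity", SAMPLE_ENTITY)]:
        print(name, inspect_xml(body))
```

The depth and element counters are checked on each start event, so a deeply nested or very wide document is refused as soon as the limit is crossed rather than after the whole body has been consumed, which is the property that matters for a denial-of-service check.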

Application Firewall - Integrated Caching interoperability

The 9.0 release has full interoperability between the Application Firewall and the Integrated Caching (IC) module on the NetScaler. In the 8.1 release, the Application Firewall supported IC only for features that do not require parsing the response body. In 9.0, this restriction is removed. This results in better performance if the application's HTML pages are cacheable. Features like Form field consistency and URL closure benefit from this new functionality.

URL Transform module

The URL transform module provides an easy regular expression based approach to rewriting request and response URLs. This feature is licensed separately from the Application Firewall. It builds on the Application Firewall's parsing technology to rewrite only valid HTML links.
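The point of "rewrite only valid HTML links" is that a URL appearing in page text or in a comment is left alone while the same URL in an href or src attribute is transformed. The following is an added example written for this page, not Citrix code: a Python rewriter that applies a first-match-wins list of regular-expression rules to request URLs directly and, for response bodies, only to link-bearing attributes found by an HTML parser. The rule list, the attribute table, the function names and the sample page are all constructed assumptions.

```python
import html
import re
from html.parser import HTMLParser

# Which attributes carry URLs on which elements; only these are rewritten.
URL_ATTRIBUTES = {
    "a": {"href"}, "link": {"href"}, "img": {"src"},
    "script": {"src"}, "form": {"action"}, "iframe": {"src"},
}


def compile_rules(rules):
    """rules: list of (regex, replacement); the first rule that matches wins."""
    return [(re.compile(pattern), repl) for pattern, repl in rules]


def apply_rules(url, compiled):
    for pattern, repl in compiled:
        new_url, count = pattern.subn(repl, url, count=1)
        if count:
            return new_url
    return url


class LinkRewriter(HTMLParser):
    """Re-emits the document, rewriting URLs only in link-bearing attributes."""

    def __init__(self, compiled):
        super().__init__(convert_charrefs=False)
        self.compiled = compiled
        self.out = []

    def _tag(self, tag, attrs, self_closing):
        parts = [tag]
        for name, value in attrs:
            if value is None:
                parts.append(name)  # boolean attribute such as "disabled"
                continue
            if name in URL_ATTRIBUTES.get(tag, ()):
                value = apply_rules(value, self.compiled)
            # HTMLParser hands us the unescaped value, so re-escape on output.
            parts.append(f'{name}="{html.escape(value, quote=True)}"')
        return "<" + " ".join(parts) + (" />" if self_closing else ">")

    def handle_starttag(self, tag, attrs):
        self.out.append(self._tag(tag, attrs, False))

    def handle_startendtag(self, tag, attrs):
        self.out.append(self._tag(tag, attrs, True))

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")

    # Text, comments, entity references and declarations are copied through
    # untouched: a URL that merely appears in prose or a comment is not a link.
    def handle_data(self, data):
        self.out.append(data)

    def handle_comment(self, data):
        self.out.append(f"<!--{data}-->")

    def handle_entityref(self, name):
        self.out.append(f"&{name};")

    def handle_charref(self, name):
        self.out.append(f"&#{name};")

    def handle_decl(self, decl):
        self.out.append(f"<!{decl}>")


def rewrite_response_body(body, rules):
    parser = LinkRewriter(compile_rules(rules))
    parser.feed(body)
    parser.close()
    return "".join(parser.out)


def rewrite_request_url(url, rules):
    """Request-line URLs are plain strings, so the rules apply directly."""
    return apply_rules(url, compile_rules(rules))


# Constructed sample rules and page (hostnames and paths are made up).
RULES = [
    (r"^http://app\.internal:8080/", "https://www.example.com/"),
    (r"^/legacy/(.*)$", r"/app/\1"),
]
SAMPLE_BODY = (
    '<p>Internal docs live at http://app.internal:8080/docs today.</p>\n'
    '<a href="http://app.internal:8080/docs/index.html?x=1&amp;y=2">Docs</a>\n'
    '<img src="/legacy/logo.png" alt="logo">\n'
    '<!-- http://app.internal:8080/ignored -->'
)

if __name__ == "__main__":
    print(rewrite_response_body(SAMPLE_BODY, RULES))
    print(rewrite_request_url("/legacy/login", RULES))
```

Running the block on the sample page rewrites the anchor and image URLs and leaves the sentence and the comment unchanged, which is exactly the distinction a blind regular expression over the whole body cannot make.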

Custom error pages

When the Application Firewall detects and blocks an invalid request, it can serve out a custom HTML response that has been uploaded or do a 302 redirect to a configured URL. Previous releases could only do the 302 redirect.
