  • NetScaler Cyber Threat Intelligence
    NetScaler WAF Signatures Update v117
    (limited to CISCO XE Software)
     NetScaler has released a new version of its integrated Web App Firewall signatures to help customers mitigate the maximum-severity (CVSS 10.0) zero-day vulnerability in Cisco IOS XE, CVE-2023-20198, which has been exploited in the wild.
    Cisco has issued a security advisory regarding multiple vulnerabilities in the web UI feature of Cisco IOS XE Software. The most critical, CVE-2023-20198, allows a remote, unauthenticated attacker to create an account on an affected system with privilege level 15 access. The attacker can then exploit another component of the web UI feature to elevate privileges to root and write an implant to the file system. Cisco has assigned CVE-2023-20198 a CVSS score of 10.0. Cisco is making Software Maintenance Upgrade (SMU) files available and will update the advisory as additional releases are posted to the Cisco Software Download Center. For steps to close the attack vector for these vulnerabilities (Cisco strongly recommends disabling the HTTP Server feature on all internet-facing systems until a fixed release is installed), see the Recommendations section of Cisco's advisory. For protection until you have upgraded to a fixed release, download and use signature version v117.
      Signatures included in v117:

    Signature rule   CVE ID            Description
    998597           CVE-2023-20198    WEB-MISC Cisco IOS XE Software - Authentication Bypass Vulnerability (CVE-2023-20198)
     NetScaler customers can quickly import the above signatures to help reduce risk and lower exposure associated with these vulnerabilities. Signatures are compatible with NetScaler (formerly Citrix ADC) software version 11.1, 12.0, 12.1, 13.0 and 13.1. NOTE: Software versions 11.1 and 12.0 are end of life, and you should consider upgrading for continued support. Learn more about the NetScaler software release lifecycle.
     If you are already using NetScaler Web App Firewall with the signature auto-update feature enabled, verify that your signature file version is 117 or later and then follow these steps.
    1. Search your signatures for <number> (998597 for this update)
    2. Select the matching result
    3. Choose "Enable Rules" and click OK
    NetScaler WAF Best Practices
    NetScaler recommends that WAF users always download the latest signature version, enable signature auto-update, and subscribe to receive signature alert notifications. NetScaler will continue to monitor this dynamic situation and provide updates as new mitigations become available.
     Handling false positives
    If application availability is affected by false positives that result from the above mitigation policies, relaxations can be applied. NetScaler recommends the following modifications to the policy.

    Modifications to NetScaler Web App Firewall Policy:

    add policy patset exception_list
    # Example: bind policy patset exception_list "/exception_url"

    Prepend the existing WAF policy rule with:

    HTTP.REQ.URL.CONTAINS_ANY("exception_list").NOT

    # Example: set appfw policy my_WAF_policy q^HTTP.REQ.URL.CONTAINS_ANY("exception_list").NOT && <existing rule>^

    NOTE: Any endpoint covered by the exception_list is no longer inspected by this policy, so the assets behind it are exposed to the risks the signature mitigates. HTTP.REQ.URL includes the query string and CONTAINS_ANY is a substring match, so keep exception patterns as specific as possible and review them once the application is patched.
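To see why that NOTE matters, here is an added example in plain JavaScript, written for this page and not NetScaler code: it models the semantics of the two policy expressions so the effect of a relaxation can be checked offline. The assumptions are that HTTP.REQ.URL is the full request URL including the query string and that CONTAINS_ANY is a substring match against every pattern in the patset; modelling HTTP.REQ.URL.PATH.STARTSWITH_ANY as a path-only prefix match, and suggesting it as the tighter alternative, is my own choice, and the request URLs are constructed.

```javascript
// Added example for this page, not NetScaler code: a plain-JavaScript model of
// the two policy expressions so the relaxation can be reasoned about offline.
// Assumptions: HTTP.REQ.URL is the full request URL including the query string
// and CONTAINS_ANY is a substring match against every pattern in the patset;
// HTTP.REQ.URL.PATH.STARTSWITH_ANY is modelled as a prefix match on the path only.

// Constructed patset, mirroring: bind policy patset exception_list "/exception_url"
const EXCEPTION_LIST = ["/exception_url"];

// Model of HTTP.REQ.URL.CONTAINS_ANY("exception_list")
function urlContainsAny(url, patset) {
  return patset.some((pattern) => url.includes(pattern));
}

// Model of HTTP.REQ.URL.PATH.STARTSWITH_ANY("exception_list"); the base origin
// is a placeholder so the WHATWG URL parser accepts a relative request URL.
function pathStartsWithAny(url, patset) {
  const path = new URL(url, "http://placeholder.invalid").pathname;
  return patset.some((pattern) => path.startsWith(pattern));
}

// The rule as the page prepends it: <exception>.NOT && <existing rule>.
// <existing rule> is not on the page, so it is taken as always true here,
// i.e. the WAF inspects the request whenever the relaxation does not apply.
function inspectedWithContainsAny(url) {
  return !urlContainsAny(url, EXCEPTION_LIST);
}

function inspectedWithPathPrefix(url) {
  return !pathStartsWithAny(url, EXCEPTION_LIST);
}

// Constructed requests: the intended exception, a sub-path of it, and an
// unrelated URL where an attacker has placed the exception string in the query.
const REQUESTS = [
  "/exception_url",
  "/exception_url/report.pdf",
  "/admin/login?next=/exception_url",
];

// One row per request: true means the WAF still inspects it under that rule.
function compare(urls = REQUESTS) {
  return urls.map((url) => ({
    url,
    containsAny: inspectedWithContainsAny(url),
    pathPrefix: inspectedWithPathPrefix(url),
  }));
}

console.table(compare());
```

The third row is the point: with a substring relaxation over the whole URL, an attacker can opt any request out of inspection by appending the exception string to the query, whereas a path-prefix relaxation still inspects it. Before using the path-based form, check the expression names against the policy expression reference for your NetScaler release.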
    Additional Information
    NetScaler Web App Firewall benefits from a single code base across all its form-factors (physical, virtual, bare-metal, and containers). This signature update applies to all form factors and deployment models of NetScaler Web App Firewall.
    Learn more about NetScaler Web App Firewall, read our alert articles and bot signature articles to learn more about NetScaler WAF signatures, and find out how you can receive signature alert notifications.
    Please join the NetScaler Community today and engage with your peers to learn more about how they are protecting their businesses with NetScaler WAF. 
     
     
     
     
     

    Konstantinos Kaltsas
    Learn how to leverage WAF Policies for protecting your Applications. On this Track we will leverage infrastructure-as-code templates to demonstrate:
    - How to create WAF policies and profiles
    - How to enable WAF policies at the load balancing or content switching virtual server level
    - How to block or log malicious requests based on different criteria
    Click "Start hands-on Lab" at the top of the post to try it out!
    Please share your feedback or any issues in the comments section.

    Konstantinos Kaltsas
    Learn how to leverage basic Rewrite / Responder Policies for manipulating Requests and Responses. On this Track we will leverage infrastructure-as-code templates to demonstrate:
    - How to create rewrite and responder policies, and what the difference between the two is
    - How to bind a policy on a content switching virtual server
    - How to manipulate an incoming request based on different criteria
    - How to redirect a request based on different criteria
    Click "Start hands-on Lab" at the top of the post to try it out!
    Please share your feedback or any issues in the comments section.

    Konstantinos Kaltsas
    Learn how to deploy & configure a Content Switching virtual server for routing traffic to your applications. On this Track we will leverage infrastructure-as-code templates to demonstrate:
    - How to deploy a content switching virtual server to route traffic to your apps
    - How to route traffic based on URL path
    - How to route traffic based on HTTP header values
    Click "Start hands-on Lab" at the top of the post to try it out!
    Please share your feedback or any issues in the comments section.

    Mayur Vadhar
    NetScaler CPX is a container-based application delivery controller that can be provisioned on a Docker host. NetScaler CPX enables customers to leverage Docker engine capabilities and use NetScaler load balancing and traffic management features for container-based applications. 
     
    In this hands-on lab, learn how to expose a microservice application deployed in an existing Kubernetes cluster using NetScaler CPX.
    The lab will demonstrate how to:
    - Deploy a microservice Guestbook application on Kubernetes
    - Deploy NetScaler CPX and expose it using a NodePort service
    - Expose the Guestbook application via NetScaler CPX over HTTP
    - Expose the Guestbook application via NetScaler CPX over HTTPS
    - Redirect incoming HTTP traffic to HTTPS for the Guestbook application
    Click "Start hands-on Lab" at the top of the post to try it out! Let us know your feedback or any issues in the comments section.
     

    Juliano Reckziegel
    In numerous instances, there's a need to customize the Citrix Gateway login page. Sometimes, it's crucial to include disclaimers, while in other cases, it's essential to direct users to a support link, among other requirements.
    It has come to our attention that many companies have attempted to modify the built-in HTML/JS files for this purpose. However, this approach is neither supported nor sustainable because these customizations can be lost during system upgrades or even routine reboots, unless you utilize the 'rc.netscaler' file.
    An alternative method is to employ rewrite policies or use a JavaScript file within a customized RfWebUI theme. These approaches ensure that your customizations persist through system reboots and upgrades, making them the preferred choice.
    Personally, I prefer employing a JavaScript file because it's compatible with both Citrix Gateway virtual servers and AAA virtual servers, providing a remarkable level of versatility. This is primarily due to its ability to inject HTML code either before, after, or within specific elements or their parent elements. All that's required is the identification of a class name or an ID on the webpage to instruct the browser to insert extra elements precisely at that location.
    Below is an example of a Citrix Gateway landing page with text additions incorporated into an RfWebUI theme without a logo.

    Caching
    Before I proceed to explain how to achieve the desired outcome, let's first address caching. NetScaler boasts an advanced caching feature that can optimize user access and reduce the amount of data downloads needed to render the authentication page. Interestingly, the Citrix Gateway login page employs this feature by default, even when it's not explicitly enabled, and it stores the landing page files within the "loginstaticobjects" content group.
    To confirm this, you can access the NetScaler GUI and navigate to Optimization -> Integrated Caching -> View Cache Objects. Here, you'll notice that a variety of file types, such as .html, .js, .css, .gif, .png, and .json files, are automatically cached. Here are a few examples of the files that are cached without manual intervention.

    Additionally, these types of objects are also cached by the end user's browser. Consequently, if you wish to modify messages and immediately see the changes, you'll need to clear both the NetScaler cache and the browser cache.
    To clear the NetScaler cache, use the following command:

    flush contentGroup loginstaticobjects

    For the browser cache there are several methods. One approach I use on Chrome and Edge is to open the developer tools, right-click the reload icon, and select "Empty Cache and Hard Reload".

    Finding the anchor element
    The next step is to pinpoint the specific page element where we want to inject HTML code—whether it's before, after, or within that element. To accomplish this, you can use either Chrome or Edge. Simply right-click anywhere on the page and choose "Inspect" to identify the element that will serve as our anchor.
    In the example below, I've identified a hidden div at the top of the login page with the ID "customExplicitAuthHeader."

     
    No need to worry about this; I've already selected a couple of existing elements, and I'll share them here.
    TEXT1
    Let's proceed with the first customization and add TEXT1 to the page as follows:

    To achieve this, create a new RfWebUI theme and edit the initially empty script.js file located at /var/netscaler/logon/themes/NAME_OF_YOUR_NEW_RfWebUI_THEME/:

    // Markup for the banner; keep the text a plain string literal in the theme
    const HTML1 = '<div style="color: lightgrey; margin: 0 auto; font-size: 12px; text-align: center"><BR><BR>TEXT1<BR><BR> </div>';
    // Anchor: the hidden div at the top of the login page
    const header = document.getElementById("customExplicitAuthHeader");
    header.insertAdjacentHTML('afterend', HTML1);

    In this example, we find the anchor element by its id customExplicitAuthHeader and add a new <div> after it.
    TEXT2 and TEXT3
    The next customizations involve adding TEXT2 and TEXT3:

    Again, modify the script.js file in the new RfWebUI theme, located at /var/netscaler/logon/themes/NAME_OF_YOUR_NEW_RfWebUI_THEME/:

    const HTML2 = '<span style="color: lightgrey; margin: 0 auto; font-size: 12px; text-align: center; position: absolute; top: 50%">TEXT2</span>';
    const HTML3 = '<span style="color: lightgrey; margin: 0 auto; font-size: 12px; text-align: center; position: absolute; top: 50%">TEXT3</span>';
    // getElementsByClassName returns an array-like HTMLCollection in document order:
    // [0] is the spacer to the left of the authentication form, [1] the one to its right
    const spacers = document.getElementsByClassName('logon-spacer');
    spacers[0].insertAdjacentHTML('afterbegin', HTML2);
    spacers[1].insertAdjacentHTML('afterbegin', HTML3);

    In this example, we find the anchor elements by the class name logon-spacer. getElementsByClassName returns an array-like HTMLCollection rather than a single element, which is why [0] and [1] are used to select the first spacer, to the left of the authentication form, and the second, to its right. The HTML added here is a <span>, inserted inside the existing element.
    TEXT4 and TEXT5
    Now, let's add TEXT4 and TEXT5.

    Modify the script.js file in the new RfWebUI theme, located at /var/netscaler/logon/themes/NAME_OF_YOUR_NEW_RfWebUI_THEME/:

    const HTML4 = '<div style="color: lightgrey; margin: 0 auto; font-size: 12px; text-align: left"><BR><BR>TEXT4<BR><BR> </div>';
    const HTML5 = '<div style="color: lightgrey; margin: 0 auto; font-size: 12px; text-align: left"><BR><BR>TEXT5<BR><BR> </div>';
    // Anchor: the first element with class form-container (the login form wrapper)
    const formContainers = document.getElementsByClassName('form-container');
    formContainers[0].insertAdjacentHTML('beforebegin', HTML4);
    formContainers[0].insertAdjacentHTML('afterend', HTML5);

    In this example, we find the anchor element by the class name form-container and inject a new <div> for TEXT4 before the element and a second <div> for TEXT5 after it.
    TEXT6 and TEXT7
    Moving on, now we will add TEXT6 and TEXT7:

    Modify the script.js file in the new RfWebUI theme, located at /var/netscaler/logon/themes/NAME_OF_YOUR_NEW_RfWebUI_THEME/:

    const HTML6 = '<div style="color: lightgrey; margin: 0 auto; font-size: 12px; text-align: center"><BR><BR>TEXT6<BR><BR> </div>';
    const HTML7 = '<div style="color: lightgrey; margin: 0 auto; font-size: 12px; text-align: center"><BR><BR>TEXT7<BR><BR> </div>';
    // Anchor: the parent of the element with id pluginExplicitAuthTop
    const pluginTop = document.getElementById("pluginExplicitAuthTop").parentNode;
    pluginTop.insertAdjacentHTML('beforebegin', HTML6);
    pluginTop.insertAdjacentHTML('afterend', HTML7);

    Here we select the parent element of the element with id pluginExplicitAuthTop and create a <div> for TEXT6 before it and another <div> for TEXT7 after it.
    TEXT8
    Now, let's add TEXT8: 

    Modify the script.js file in the new RfWebUI theme, located at /var/netscaler/logon/themes/NAME_OF_YOUR_NEW_RfWebUI_THEME/:

    const HTML8 = '<div style="color: lightgrey; margin: 0 auto; font-size: 12px; text-align: center"><BR><BR>TEXT8<BR><BR> </div>';
    // Anchor: the hidden footer div, the counterpart of customExplicitAuthHeader
    const footer = document.getElementById('customExplicitAuthFooter');
    footer.insertAdjacentHTML('beforebegin', HTML8);

    TEXT8 is very similar to TEXT1: the anchor element is selected by the id customExplicitAuthFooter and a new <div> is inserted before it.
    TEXT9 and TEXT10
    Finally, we have TEXT9 and TEXT10.

    Modify the script.js file in the new RfWebUI theme, located at /var/netscaler/logon/themes/NAME_OF_YOUR_NEW_RfWebUI_THEME/:

    const HTML9 = '<div class="field CredentialTypenone"><div><span style="display: block; color: lightgrey; margin: 0 auto; font-size: 12px; text-align: center">TEXT9</span></div></div>';
    const HTML10 = '<div class="field CredentialTypenone"><div><span style="display: block; color: lightgrey; margin: 0 auto; font-size: 12px; text-align: right">TEXT10</span></div></div>';

    // The authentication form is built dynamically, so poll for the password
    // field instead of assuming it is already in the DOM.
    let checkFormAttempts = 0;

    function checkForm () {
      const passwd = document.getElementById("passwd"); // null until the form is rendered
      if (passwd) {
        // Anchor on the password field's row (its grandparent) and wrap it
        const row = passwd.parentNode.parentNode;
        row.insertAdjacentHTML('beforebegin', HTML9);
        row.insertAdjacentHTML('afterend', HTML10);
      } else if (++checkFormAttempts < 100) {
        setTimeout(checkForm, 50); // wait 50 ms, then try again (gives up after ~5 s)
      }
    }

    checkForm();

    If you need to insert HTML code within the authentication form, a slightly different approach is required because the form is created dynamically. Here we check whether the password field already exists before injecting the new HTML; if it does not, we wait 50 milliseconds and check again, giving up after 100 attempts so the script does not poll forever when the field never appears (for example in a flow without a password field).
    Conclusion
    In these instances, I applied a few styles to position the text as needed. However, it's essential to keep in mind that you have the option to utilize CSS for a cleaner separation of JS code and styling. To achieve this, simply make the necessary adjustments in the style.css file within the newly created RfWebUI theme.
    Please exercise caution with the character ' because the HTML code is enclosed in single quotation marks. To use it inside the text, insert a backslash (\) before the single quote to escape it.
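The snippets above build markup by string concatenation and insert it with insertAdjacentHTML, which is fine for fixed text but turns into a script sink the moment the text contains a quote or an angle bracket, or comes from anywhere other than a literal in the theme. The helper below is an added example written for this article, not code from the RfWebUI theme or from NetScaler: it escapes the text before building the banner, validates the insert position and alignment, returns null instead of throwing when an anchor has been renamed, and bounds the polling used above for the dynamically created form. The banner markup is a simplified version of the <div> used for TEXT1; the ids customExplicitAuthHeader and passwd are the anchors used earlier in the article; the banner texts, the 50 ms interval and the 100-attempt limit are assumptions.

```javascript
// Added example for this article (not code from the RfWebUI theme or NetScaler).
// Same insertAdjacentHTML technique as the snippets above, with the text escaped,
// the position validated, a missing anchor tolerated and the polling bounded.

const POSITIONS = new Set(["beforebegin", "afterbegin", "beforeend", "afterend"]);
const ALIGNMENTS = new Set(["left", "center", "right"]);

// HTML-escape the five characters that can break out of text content or an
// attribute value. Everything in the banner goes through this, so a quote,
// "<" or "&" in a disclaimer is rendered literally instead of parsed as markup.
function htmlEscape(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, (c) => map[c]);
}

// Build the same kind of grey banner the article uses for TEXT1. `align` and
// `tag` are checked against fixed lists so they cannot carry extra CSS or attributes.
function bannerHtml(text, { align = "center", tag = "div" } = {}) {
  if (!ALIGNMENTS.has(align)) throw new RangeError(`unsupported align: ${align}`);
  if (tag !== "div" && tag !== "span") throw new RangeError(`unsupported tag: ${tag}`);
  const style = `color: lightgrey; margin: 0 auto; font-size: 12px; text-align: ${align}`;
  return `<${tag} style="${style}">${htmlEscape(text)}</${tag}>`;
}

// Insert a banner relative to `anchor`. Returns the markup inserted, or null
// when the anchor is missing (a theme update may rename an id or class), so a
// missing anchor degrades to "no banner" instead of an uncaught error that
// aborts the rest of script.js.
function injectBanner(anchor, position, text, opts) {
  if (!POSITIONS.has(position)) throw new RangeError(`bad position: ${position}`);
  if (!anchor) return null;
  const html = bannerHtml(text, opts);
  anchor.insertAdjacentHTML(position, html);
  return html;
}

// Bounded version of the checkForm() polling above. `doc` is injectable so the
// helper can be exercised with a stand-in document outside a browser.
// Assumed limits: 50 ms interval, 100 attempts (about five seconds).
function waitForElement(id, { doc = globalThis.document, intervalMs = 50, maxTries = 100 } = {}) {
  return new Promise((resolve, reject) => {
    let tries = 0;
    const tick = () => {
      const el = doc.getElementById(id);
      if (el) return resolve(el);
      if (++tries >= maxTries) return reject(new Error(`#${id} did not appear`));
      setTimeout(tick, intervalMs);
    };
    tick();
  });
}

// Browser usage, as it would appear in the theme's script.js. The banner texts
// are constructed for this example.
if (typeof document !== "undefined") {
  injectBanner(document.getElementById("customExplicitAuthHeader"), "afterend",
    "Authorised users only. Activity on this system is monitored.");
  waitForElement("passwd")
    .then((pw) => injectBanner(pw.parentNode.parentNode, "beforebegin",
      "Need help? Contact the service desk.", { align: "left" }))
    .catch((err) => console.warn(err.message));
}
```

Because the text is escaped rather than trusted, the single-quote caution above no longer depends on the author remembering to backslash-escape every apostrophe in the banner text; it only applies to the JavaScript string literal itself.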
    Remember that the objective here is not to offer JavaScript programming best practices but rather to showcase its capabilities and provide initial guidance to assist you in customizing your portal in a manner that ensures the changes endure through reboots and upgrades.
    In conclusion, the power to enhance and tailor your Citrix Gateway login page lies in your hands. Armed with the knowledge of how to insert HTML code via JavaScript, you can seamlessly integrate links, provide additional information, or offer valuable guidance to your users during their authentication process. The ability to customize this crucial portal empowers you to create a more user-friendly and informative experience that aligns with your organization's specific needs. So, embrace this opportunity and embark on the journey to create a login page that truly reflects your vision and aids your users every step of the way. Your portal's potential is limited only by your imagination, so go ahead and make it your own.
     

    Guest

    Kubecon 2023

    By Guest, in NetScaler Cloud Native,


    Kubecon and CloudNativeCon are the Cloud Native Computing Foundation's (CNCF) flagship conference that gathers adopters and technologists from leading open-source and cloud-native communities. It is THE conference for developers, IT professionals, and C-level leaders across the ecosystem to share learnings, highlight innovation, and discuss the future of cloud-native computing, including emerging trends in microservices architectures and container orchestration with technologies like Kubernetes, Prometheus, and many more. Komal Bhardwaj and I will be attending the conference in Chicago from the 6th through the 9th of November. We would love to connect with NetScaler customers or partners attending the conference. You can schedule a time on my calendar here: https://calendly.com/richard-faulkner-iho/kubecon-meet-up. You can schedule a meeting with Komal here: https://calendly.com/komal-bhardwaj-netscaler/30min. I look forward to seeing you there!

     

    Guest
    POC Guide: Deploying a NetScaler VPX on Nutanix AHV
    Special Thanks To: David Brett, Nagaraj Harikar, and Abhishek Gautam
    Overview
    This proof of concept guide is designed to provide a step-by-step method to deploy an instance of the NetScaler VPX on Nutanix AHV and prepare it for use. NetScaler VPX running on Nutanix AHV is supported through the Citrix Ready Program. This guide will assist in deploying a VPX appliance using Prism Element with some basic best practices. This guide will NOT cover the specific needs for every deployment. It is recommended that deployments and testing are conducted to define the best method for a particular need. 
     Nutanix Acropolis Hypervisor (AHV) is a modern and secure virtualization platform that powers VMs and containers for applications and cloud-native workloads on-premises and in public clouds that can run any application at any scale.
    Prerequisites
    This guide assumes the following prerequisites have been completed:
    - Nutanix AHV is configured and ready for use
    - Nutanix Prism Element will be used for the deployment (not Prism Central)
    - Sufficient resources are available to support the recommended VM configuration. The NetScaler VPX requires a minimum of 2 vCPUs and 2 GB of RAM (4 GB or more is recommended), at least one vNIC (2 or more vNICs recommended, for Management and Production networks) and at least 20 GB of disk space
    - A basic understanding of Nutanix AHV
    - A basic understanding of Nutanix Prism Element
    - Familiarity with the Acropolis Command Line Interface (ACLI)
    - Familiarity with the initial setup of a NetScaler VPX appliance
    Considerations for NetScaler VPX appliances
    A proof of concept deployment is set up to try out different functions of the VPX appliance. With a POC deployment, customers can:
    - Try different features
    - Familiarize themselves with the environment
    - Try different configurations to see how they impact performance, usability, etc.
    A POC is not intended for production workloads and should only be used for learning and feasibility purposes.
    Therefore, a virtual appliance running with 2 vCPUs, 4 GB RAM, and a 20 GB disk should be sufficient. In a production environment, provision the appliance with adequate resources for the expected workload. With a virtual appliance on Nutanix AHV, scaling resources up or down is very easy, which makes the virtual appliance very flexible. To determine the resources required for your workload, see the NetScaler Form Factors Datasheet listed under Resources below.
    Deploying the NetScaler VPX
    1. Download the VPX virtual appliance (this guide uses the 14.1 release; other versions are available for AHV should they meet your business requirements).
    2. Download the "Citrix ADC VPX for KVM" file.
    3. The first extraction produces a "tar" file. Extract that until you see the ".qcow2" and ".xml" files.
    4. Log in to Prism Element (not Prism Central).
    5. From Home, select Settings, then choose Image Configuration.
    6. Create the image:
       - Give the image a name
       - Select the "DISK" image type
       - Pick a storage container
       - Choose "Upload a file" and navigate to the NetScaler VPX ".qcow2" file
       - Choose "Save" to create the image
    7. Once the file uploads, you should see the image listed and the status should show as  “ACTIVE”, this may take some time as Prism Element processes the image file.

    8. Navigate to VM and then click Create VM


    9. On the Create VM screen, remove the CD-ROM drive.
    10. Add a new disk:
       - Select "Clone from the image service" from the drop-down menu
       - For Bus Type, select "SCSI" (Note: the NetScaler VPX has been deployed with PCI, SCSI, SATA and IDE bus disks without issue)
       - Choose the NetScaler image that was uploaded
       - Choose "Add"
    11. The disk will then be added.
    12. Add VLANs as necessary. A minimum of two VLANs (Management and LAN) is recommended.
    13. Do not set affinity now; it will be set later in this guide.
    14. Choose "Save".
    Once the VM is listed and shows as powered off, a serial port must be added. The appliance will not boot without a serial port, and Nutanix AHV does not add one by default. To add the serial port:
    - SSH into a CVM using the username "nutanix" and the password you set for that account (a list of CVM IP addresses is in the "Hardware" section of the Prism Element console).
    - Enter the ACLI:
      acli
    - Create the serial port, where <vmname> is the name you gave the VPX appliance:
      vm.serial_port_create <vmname> type=kServer index=0
    At this point, you can snapshot the VM to be used as a template later should you wish to deploy more instances (an HA pair, for example).
     
    Initial Configuration
    1. Power on the VM.
    2. Launch the VNC console.
    3. Watch the VM boot.
    4. Log in with the default credentials nsroot / nsroot. You will be prompted to change the password; it is recommended that you change it at this time.
    5. Manually run the "config ns" command from the CLI, assign the IP address, enter the netmask and choose "Apply changes and exit".
    6. Restart the VM.
    When the appliance reboots, log back into the CLI and add the default route with the command below, replacing <default_route> with the gateway of the network your NSIP resides on:

    add route 0.0.0.0 0.0.0.0 <default_route>

    Save the configuration so the default route persists across reboots:

    save ns config

    Now you can connect to the GUI. After this point, the configuration proceeds like any other NetScaler setup.
    Additional Considerations
    High CPU usage
    By default, the hypervisor reports a NetScaler VPX at or near 100% CPU because the packet engines poll continuously rather than idling. If you want the VPX to share CPU with other VMs on the host, enable CPU Yield:
    1. From the GUI: navigate to Settings, click the "Change VPX Settings" link, change "CPU Yield" to Yes and save the configuration.
    2. From the CLI:
       set ns vpxparam -cpuyield YES
       save ns config
    Running a pair of appliances for high availability (HA)
    If you are going to run an HA pair of appliances, it is recommended that you set anti-affinity rules so the appliances always run on separate AHV hosts.
    To accomplish this:
    1. Log in to the CVM via SSH and enter the ACLI (acli).
    2. Create the VM group, where <vmgroupname> is the name you give to the group of NetScalers you deployed on AHV:
       vm_group.create <vmgroupname>
    3. Add the existing NetScalers to the group, where <vmgroupname> is the name from the previous step and <vm1name> and <vm2name> are the NetScaler VMs to be added:
       vm_group.add_vms <vmgroupname> vm_list=<vm1name>,<vm2name>
    4. Set the anti-affinity rule, where <vmgroupname> is the name given in step 2 above:
       vm_group.antiaffinity_set <vmgroupname>
     
    Disaster Recovery and GSLB
    Suppose multiple sites are to be used, and Global Server Load Balancing (GSLB) is utilized for access. In that case, it is recommended that an HA pair of NetScalers be deployed on AHV at both locations. You can then use Nutanix technologies such as DR replication to ensure the availability of your NetScaler pair should you experience a cluster outage. More information on Nutanix DR replication can be found here.
    Resources
    NetScaler Form Factors Datasheet
    FAQ on Deploying a NetScaler VPX
     
     
     

    NetScaler Cyber Threat Intelligence
    NetScaler WAF Signatures Update v116
    (limited to SharePoint and Atlassian)
     NetScaler has released a new version of its integrated Web App Firewall signatures to help customers mitigate two vulnerabilities in two widely deployed products. The first is CVE-2023-24955, a Microsoft SharePoint Server remote code execution vulnerability used in a published exploit chain; the second is CVE-2023-22515, a critical Atlassian Confluence Server vulnerability.
    CVE-2023-22515 is a critical broken access control vulnerability in Atlassian Confluence Data Center and Server. An unauthenticated attacker who can reach the /setup/*.action endpoints of an exposed instance can re-enter the setup flow and create an unauthorized administrator account, giving full control of the instance and its data; /server-info.action is used by the same attack chain and is covered by a second signature. Per Atlassian's advisory, versions 8.0.0 through 8.5.1 are affected and the issue is fixed in 8.3.3, 8.4.3 and 8.5.2; versions before 8.0.0 are not affected. Atlassian recommends upgrading; if you cannot upgrade immediately, restrict external network access to the instance and block the /setup/* endpoints, and enable our WAF signatures for CVE-2023-22515 on the NetScaler in front of it.
    CVE-2023-24955 is a remote code execution vulnerability affecting Microsoft SharePoint Server. It was assigned a CVSSv3 score of 7.2 and allows an authenticated Site Owner to execute code on an affected SharePoint Server. It is part of an exploit chain with CVE-2023-29357, an elevation of privilege vulnerability in Microsoft SharePoint Server with a CVSSv3 score of 9.8, rated critical (covered by signature version v112). A proof-of-concept exploit chain combining the two has been released that can achieve unauthenticated RCE against Microsoft SharePoint Server.
     Signatures included in v115:
    Signature rule   CVE ID           Description
    998598           CVE-2023-24955   WEB-MISC Microsoft SharePoint Server - Remote Code Execution Vulnerability (CVE-2023-24955)
    998599           CVE-2023-22515   WEB-MISC Atlassian Confluence Server - Broken Access Control Vulnerability via /setup/*.action (CVE-2023-22515)
    998600           CVE-2023-22515   WEB-MISC Atlassian Confluence Server - Broken Access Control Vulnerability via /server-info.action (CVE-2023-22515)
     NetScaler customers can quickly import the above signatures to help reduce risk and lower exposure associated with these vulnerabilities. Signatures are compatible with NetScaler (formerly Citrix ADC) software version 11.1, 12.0, 12.1, 13.0 and 13.1. NOTE: Software versions 11.1 and 12.0 are end of life, and you should consider upgrading for continued support. Learn more about the NetScaler software release lifecycle.
     If you are already using NetScaler Web App Firewall with the signature auto-update feature enabled, verify that your signature file version is 115 or later and then follow these steps.
    1. Search your signatures for <number>.
    2. Select the results with that ID.
    3. Choose “Enable Rules” and click OK.
    NetScaler WAF Best Practices
    NetScaler recommends that WAF users always download the latest signature version, enable signature auto-update, and subscribe to receive signature alert notifications. NetScaler will continue to monitor this dynamic situation and provide updates as new mitigations become available.
    Handling false positives
    If app availability is affected by false positives that result from the above mitigation policies, relaxations can be applied. NetScaler recommends the following modifications to the policy.
     
    Modifications to NetScaler Web App Firewall Policy:
    add policy patset exception_list
    # (Example: bind policy patset exception_list "/exception_url")
    Prepend the existing WAF policy with:
    HTTP.REQ.URL.CONTAINS_ANY("exception_list").NOT
    # (Example: set appfw policy my_WAF_policy q^HTTP.REQ.URL.CONTAINS_ANY("exception_list").NOT && <existing rule>^)
    NOTE: Any endpoint covered by the exception_list is excluded from this WAF policy, which may expose those assets to risk.
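The following is an added example, not NetScaler code and not something that runs on the appliance: it models the relaxed policy expression above (`HTTP.REQ.URL.CONTAINS_ANY("exception_list").NOT && <existing rule>`) in Python so an operator can see, for a constructed set of request URLs, which requests the signature policy still inspects and which the exception list silently takes out of scope. The sample URLs, the pattern "/exception_url", and the stand-in `signature_rule` are constructed assumptions.

```python
"""Model of the NetScaler WAF exception-list relaxation described above.

Added example: this is not NetScaler code and does not run on the appliance.
It mirrors the shape of the relaxed policy expression from the text,
    HTTP.REQ.URL.CONTAINS_ANY("exception_list").NOT && <existing rule>
where CONTAINS_ANY is TRUE when any pattern bound to the patset is a
substring of the request URL.  The URLs and patterns are constructed samples.
"""
from __future__ import annotations
from typing import Callable

Rule = Callable[[str], bool]


def contains_any(url: str, patset: list[str]) -> bool:
    """CONTAINS_ANY: TRUE if any pattern in the patset is a substring of the URL."""
    return any(pattern in url for pattern in patset)


def relaxed_policy(patset: list[str], existing_rule: Rule) -> Rule:
    """The prepended policy: CONTAINS_ANY(patset).NOT && <existing rule>."""
    return lambda url: (not contains_any(url, patset)) and existing_rule(url)


def signature_rule(url: str) -> bool:
    """Stand-in for <existing rule> (assumption): a policy matching every request."""
    return True


def split_by_inspection(patset, urls, existing_rule=signature_rule):
    """Return (inspected, exempted): the requests the WAF signature policy still
    evaluates, and those the exception list takes out of its scope."""
    policy = relaxed_policy(patset, existing_rule)
    inspected = [u for u in urls if policy(u)]
    exempted = [u for u in urls if existing_rule(u) and not policy(u)]
    return inspected, exempted


def exemptions_by_pattern(patset, urls):
    """Show what each patset entry actually exempts.  Because CONTAINS_ANY is a
    substring match, "/exception_url" also covers "/exception_url_v2/upload";
    review each entry's list before binding it (see the NOTE above)."""
    return {pattern: [u for u in urls if pattern in u] for pattern in patset}


# Constructed sample requests, as a WAF operator might see them in the logs.
SAMPLE_URLS = [
    "/exception_url",
    "/exception_url_v2/upload",
    "/login",
    "/api/search?q=1",
]

if __name__ == "__main__":
    inspected, exempted = split_by_inspection(["/exception_url"], SAMPLE_URLS)
    print("inspected:", inspected)
    print("exempted: ", exempted)
    print("per entry:", exemptions_by_pattern(["/exception_url"], SAMPLE_URLS))
```

The point of `exemptions_by_pattern` is the caveat behind the NOTE: a patset entry is a substring, so a short or prefix-like entry exempts every URL that contains it, not only the one path that produced the false positive. Keep entries as specific as possible and review what each one exempts before binding it.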
    Additional Information
    NetScaler Web App Firewall benefits from a single code base across all its form-factors (physical, virtual, bare-metal, and containers). This signature update applies to all form factors and deployment models of NetScaler Web App Firewall.
    Learn more about NetScaler Web App Firewall, read our alert articles and bot signature articles to learn more about NetScaler WAF signatures, and find out how you can receive signature alert notifications.
    Please join the NetScaler Community today and engage with your peers to learn more about how they are protecting their businesses with NetScaler WAF. 
    Harihara Sudhan
    Author: Farhan Ali
     
    If your AWS default route is being modified after reboot, there could be several reasons for this behavior. Here are some common causes and troubleshooting steps:
    1. Internet Connectivity: the default route can be modified if the NetScaler cannot reach the metadata server during boot. To check whether internet connectivity is present, run:
    show route
    Then check the route for 169.254.169.254 and verify that it goes via the management interface (1/1). If the route is missing, create a static route for 169.254.169.254 via the management interface gateway (normally the address in the VPC subnet ending in .1, i.e. x.x.x.1 where x.x.x is the VPC subnet). Also verify whether the instance was created with the "IMDSv2 only" metadata option; if so, either stop the instance and change the setting to allow both IMDSv1 and IMDSv2, or upgrade to release 13.1.46.x or later.
    2. Automation Scripts or Configuration Management Tools: Check if you have any automation scripts or configuration management tools (e.g., AWS CloudFormation, AWS OpsWorks, Ansible) running that might be modifying the route during bootstrapping or configuration updates.
    3. User Actions: Ensure that no one with appropriate permissions is manually modifying the default route. AWS IAM (Identity and Access Management) policies should be reviewed to see who has permission to modify route tables.
    4. Instance Metadata Service: Make sure that there are no scripts or services running on the instance that are fetching instance metadata and modifying routes based on that information.
    5. Incorrect Route Table Association: Ensure that the instance is associated with the correct route table. If it's associated with multiple route tables, there might be conflicts in route configurations.
    6. Network ACLs and Security Groups: Check if there are any network ACLs or security group rules that might be affecting the routing behavior.
    7. VPC Peering or VPN Connections: If you have VPC peering or VPN connections set up, verify that the routes and configurations are correct in those connections.
    8. AWS Managed Services: Some AWS managed services might automatically modify routes based on certain conditions. For example, AWS Direct Connect or AWS VPN might modify routes based on BGP advertisements.
    9. Ephemeral Storage: If your instance is using ephemeral storage for configuration or scripts, ensure that the changes are persisted or re-applied after reboot.
    10. Check Route Table Logs: AWS CloudTrail logs can provide insights into who made changes to route tables and when they were made. Check the CloudTrail logs for any relevant events.
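As an added example for troubleshooting step 1 (not NetScaler or AWS code), the following Python helper parses a constructed, column-simplified sample of `show route` output, finds the route the appliance would use for 169.254.169.254, checks that it goes via the management subnet's gateway (x.x.x.1, as the text notes), and flags an "IMDSv2 only" instance on a release older than 13.1.46.x. The two `show route` samples, the management subnet 10.0.1.0/24 and the release strings are constructed; the `add route` line it emits is the standard NetScaler static-route command.

```python
"""Diagnostic helper for troubleshooting step 1 above.

Added example: this is not NetScaler or AWS code.  It checks whether a
NetScaler VPX on AWS has a usable route to the instance metadata service
(169.254.169.254) via the management subnet's gateway, and whether the
instance's metadata setting is compatible with the running release (the text
states that IMDSv2-only needs release 13.1.46.x or later).  The `show route`
output below is a constructed, column-simplified sample, not real output.
"""
from __future__ import annotations
import ipaddress
import re

IMDS_HOST = "169.254.169.254"
MIN_RELEASE_FOR_IMDSV2_ONLY = (13, 1, 46)  # per the text: 13.1.46.x and above

# Constructed sample: healthy box, default route via the management gateway.
SHOW_ROUTE_OK = """\
        Network          Netmask          Gateway/OwnedIP   State  Type
1)      0.0.0.0          0.0.0.0          10.0.1.1          UP     STATIC
2)      10.0.1.0         255.255.255.0    10.0.1.10         UP     DIRECT
"""

# Constructed sample: after reboot the default route points at the data
# subnet's gateway, so metadata traffic no longer leaves via management 1/1.
SHOW_ROUTE_CHANGED = """\
        Network          Netmask          Gateway/OwnedIP   State  Type
1)      0.0.0.0          0.0.0.0          10.0.2.1          UP     STATIC
2)      10.0.1.0         255.255.255.0    10.0.1.10         UP     DIRECT
3)      10.0.2.0         255.255.255.0    10.0.2.10         UP     DIRECT
"""

ROUTE_LINE = re.compile(r"\s*\d+\)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")


def parse_routes(show_route: str) -> list[dict]:
    """Parse the numbered lines of `show route` into route dicts."""
    routes = []
    for line in show_route.splitlines():
        m = ROUTE_LINE.match(line)
        if m:
            network, netmask, gateway, state, rtype = m.groups()
            routes.append({"network": network, "netmask": netmask,
                           "gateway": gateway, "state": state, "type": rtype})
    return routes


def route_for(routes: list[dict], host: str) -> dict | None:
    """Longest-prefix UP route covering `host`, or None when nothing matches."""
    ip = ipaddress.ip_address(host)
    best = None
    for r in routes:
        if r["state"] != "UP":
            continue
        net = ipaddress.ip_network(f"{r['network']}/{r['netmask']}", strict=False)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, r)
    return best[1] if best else None


def mgmt_gateway(mgmt_subnet: str) -> str:
    """Management interface gateway: x.x.x.1 of the VPC subnet, as the text notes."""
    return str(ipaddress.ip_network(mgmt_subnet, strict=False).network_address + 1)


def release_tuple(release: str) -> tuple[int, ...]:
    """'13.1-49.15' or '13.1.49.15' -> (13, 1, 49, 15)."""
    return tuple(int(x) for x in re.findall(r"\d+", release)[:4])


def diagnose(show_route: str, mgmt_subnet: str, imds_v2_only: bool, release: str) -> list[str]:
    """Return the remediation actions step 1 calls for (empty list = all good)."""
    findings = []
    gw = mgmt_gateway(mgmt_subnet)
    r = route_for(parse_routes(show_route), IMDS_HOST)
    if r is None or r["gateway"] != gw:
        # Static host route for the metadata service via the management gateway.
        findings.append(f"add route {IMDS_HOST} 255.255.255.255 {gw}")
    if imds_v2_only and release_tuple(release)[:3] < MIN_RELEASE_FOR_IMDSV2_ONLY:
        findings.append(f"IMDSv2-only metadata option with release {release}: "
                        "allow IMDSv1 and IMDSv2, or upgrade to 13.1.46.x or later")
    return findings


if __name__ == "__main__":
    print(diagnose(SHOW_ROUTE_OK, "10.0.1.0/24", False, "13.1-49.15"))
    print(diagnose(SHOW_ROUTE_CHANGED, "10.0.1.0/24", True, "13.0-92.19"))
```

The second sample is the scenario the article is about: the default route has moved to another subnet's gateway after reboot, so the helper recommends a dedicated host route for the metadata service via the management gateway. Keep in mind that relaxing an instance from "IMDSv2 only" back to IMDSv1 and IMDSv2 weakens the metadata service's hardening; where the release allows it, upgrading to 13.1.46.x or later and keeping IMDSv2 only is the better of the two options the text offers.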
