
  • Akhil Nair
    • Validation Status: Validated
      Has Video?: No


    Key Use Cases:

    Unified Application Security - A new configuration workflow that consolidates all WAF and Bot capabilities into a single pane of glass while abstracting away the need to learn how security works. End users have access to templates such as OWASP Top-10 checks and CVE-related checks. It is available in ADM Service and in ADM on-prem starting from version 14.1 12.x builds.


    WAF Recommendation Scanner on ADM on-prem - Available as part of the Unified Application Security workflow, users can now scan their external/internal web apps and the scanner will automatically suggest WAF checks based on the Web App’s underlying technology. Available in ADM on-prem starting from version 14.1 12.x Builds.


    API Security: API-aware NetScaler as proxy - API spec files can now be uploaded to ADCs directly to validate every endpoint and ensure that it conforms to the schema. Additionally, you can apply WAF or AAA policies and use PI expressions to apply security, authenticate endpoints, or route API traffic.

    Other use cases:

    Protect internal apps accessed via Gateway (SPA/Storefront) from malicious attacks - You can now protect all your applications that are behind the VPN virtual server by binding the Web App Firewall policy to the VPN virtual server.

    For example - 

    A company hosts three critical applications (SAP, Workday, and Tally) behind a VPN virtual server. 

    • Create multiple profiles based on the required application. Configure each profile with the security checks that application needs.

    • Add the app firewall policies that are applicable for each application and associate each policy with its profile.

      add appfw policy sap_policy "HTTP.REQ.URL.CONTAINS(\"sap.com\")" pr-basic1
      add appfw policy workday_policy "HTTP.REQ.URL.CONTAINS(\"workday.com\")" pr-basic2
      add appfw policy tally_policy "HTTP.REQ.URL.CONTAINS(\"tally.com\")" pr-basic3

    • Bind the created policies to the VPN virtual server.
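
A configuration check for the three steps above, as an added example that is not part of the original article or of Citrix's tooling: it reads a constructed ns.conf excerpt and reports Web App Firewall policies that point at an undefined profile or were never bound to the VPN virtual server. The vserver name vpn_vs, the `add appfw profile` and `bind vpn vserver` lines in the sample, and the function name are assumptions.

```python
import shlex

# Constructed ns.conf excerpt (not from a real appliance). Policy and profile
# names follow the article; the vserver name "vpn_vs" and the profile/bind
# lines are assumptions made for this example.
SAMPLE_CONF = r'''
add appfw profile pr-basic1 -defaults basic
add appfw profile pr-basic2 -defaults basic
add appfw policy sap_policy "HTTP.REQ.URL.CONTAINS(\"sap.com\")" pr-basic1
add appfw policy workday_policy "HTTP.REQ.URL.CONTAINS(\"workday.com\")" pr-basic2
add appfw policy tally_policy "HTTP.REQ.URL.CONTAINS(\"tally.com\")" pr-basic3
bind vpn vserver vpn_vs -policy sap_policy -priority 100
bind vpn vserver vpn_vs -policy tally_policy -priority 110
'''

def audit_vpn_waf(conf, vserver):
    """Return findings for appfw policies that cannot protect apps behind `vserver`."""
    profiles, policies, bound = set(), {}, set()
    for line in conf.splitlines():
        tok = shlex.split(line)  # honours the quoted, escaped policy expression
        if tok[:3] == ["add", "appfw", "profile"] and len(tok) >= 4:
            profiles.add(tok[3])
        elif tok[:3] == ["add", "appfw", "policy"] and len(tok) >= 6:
            policies[tok[3]] = tok[5]  # policy name -> profile name
        elif tok[:4] == ["bind", "vpn", "vserver", vserver] and "-policy" in tok[:-1]:
            bound.add(tok[tok.index("-policy") + 1])
    findings = []
    for name, profile in policies.items():
        if profile not in profiles:
            findings.append(f"{name}: profile {profile} is not defined")
        if name not in bound:
            findings.append(f"{name}: not bound to {vserver}")
    return findings

if __name__ == "__main__":
    for finding in audit_vpn_waf(SAMPLE_CONF, "vpn_vs"):
        print(finding)
```
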

    Bot related expressions - You can now use bot related expressions in your policies for routing or taking a certain action on your traffic.

    For example - 

    • HTTP.REQ.BOT.IS_SUSPECTED - Returns true if the client is suspected as a BOT.

    • HTTP.REQ.BOT.TYPE.EQ(<bot type>) - Returns true if the client BOT type is the same as the argument. Possible values of BOT types: GOOD, BAD, and UNKNOWN.

    Security violations display OWASP tags - In the NetScaler Console GUI, the security violations now display OWASP tags. It supports the OWASP 2017 and OWASP 2021 lists and these tags help you determine whether the violation belongs to the OWASP top 10 list.

    Create or Update API definitions from discovered API endpoints - NetScaler admins can create a new API definition or update an existing one from the discovered API endpoints. This removes the need for admins to wait for an API schema file from the app owners/developers.

    Proxy auth support for signatures and IP Reputation - In cases where NetScaler cannot connect to the internet directly or if the customer needs an added layer of security, one can configure a proxy server for retrieving latest WAF and Bot signatures and IP Reputation feeds.

    Custom keyword support for JSON payload - SQL injection and command injection have a predefined set of keywords or patterns that they look for in the incoming requests. However, if the end user wants to add additional keywords to reduce false positives, they can leverage this feature to add custom keywords of their choice.

    CLI/API support to enable WAF signatures - You can now enable individual signatures in your NetScaler Web App Firewall through CLI commands or API calls.

    For example:

    • import appfw signature DEFAULT object_name -sigRuleId 1001 9882 2000 1250 810 -Enabled ON -Action LOG BLOCK

    • import appfw signature DEFAULT object_name -sigCategory web-misc -Enabled ON -Action LOG BLOCK

    Configurable payload size for inspection - Post Body Limit (Bytes) - Limits the request payload (in bytes) inspected by Web Application Firewall.

    • Default value: 20000000

    • Minimum value: 0

    • Maximum value: 10 GB
