NetScaler Application Security
WAF, Bot Management, AppFirewall, Rate limiting, DDoS protections, IP reputation, etc.
122 topics in this forum
-
Hi, we recently decided both internal and external users use Netscaler to access storefront and enable MFA. One problem is when a user clicks sign out in Citrix Receiver, it only logs off from storefront, but Receiver still keeps the Netscaler connection. How can I set it up so that when a user clicks sign out, it logs off from storefront and disconnects the Netscaler connection at the same time? Thanks
-
- 0 replies
- 1.7k views
-
-
Does Citrix Netscaler support content switching and websockets?
-
- 6 replies
- 8.4k views
-
-
In Netscaler ADC VPX 12, we have a log message due to a DENY_URL relaxation rule: default APPFW Message 392589284 0 : "PCRE match limit exceeded with regex (83, ^http(s)?:\/\/www\.aaaa\.it\/bbbb\/it.+\?.+[^&](?=.*\bOR\b)(?=.*['\;]).*$) for subject (210, https://www.aaaa.it/bbbb/it/mg_1_7.page?facetNode_1=0_2&facetNode_2=0_2_2_7&facetNode_3=2_8&facetNode_4=2_8_28&facetNo). " Why? Is WAF protection guaranteed? Regards Cristina
-
- 1 reply
- 2.8k views
-
-
Hi, I have text in a body field which gives an XSS attack for the following text: "I messaged you about yesterday with the <5mm rectal carcinoid tumor that was found". Here, for <5mm it is giving an XSS attack. If I learn and relax 5mm, it is giving an XSS attack for every word after 5mm. It is not possible to relax each word. Any better way to relax? I tried the following options, which didn't work: bind appfw profile appfw_basic_htmlxml_testprofile -crossSiteScripting body "^https://xxx.domain.ca/messaging/sendmessage$" -valueType Tag 5mm -comment "Deployed from learned data" bind appfw profile appfw_basic_htmlxml_testprofile -cros…
-
- 2 replies
- 2.6k views
-
-
Hello guys! I have a problem. I have one question: "If I have a URL https://webmail.abc.com/eyz, I need to configure it so that only requests to that URL are allowed. If a user accesses another URL, the user will be blocked." On a Citrix device, how do you do this feature? Please help me. Thanks
-
- 11 replies
- 4.9k views
-
-
Good day, Citrix Netscaler VPX is used as a web application firewall, and the Citrix Netscaler freezes periodically and web applications do not work, while the graphical interface works. A reboot helps. After a reboot, it works for several days and then freezes again. Nothing is written in the logs. What could be the cause of the freezes and how can it be solved?
-
- 11 replies
- 4.8k views
-
-
Hi All, I upgraded a Netscaler from version 10.5 to 11.1. After the upgrade the appfw started to block some traffic. I already deployed relaxation rules but no luck so far. One of the challenges is that the "learn" option is greyed out, so I can't learn and deploy a relaxation rule that matches the exact block. I am getting several blocks with similar messages: SQL SQL check failed for field http://xmlschema.acc.co.nz/claimmanagement/EClaim_Message20060519:Cause_Of_Injury="..and injured little toe right foot The Eclaim_Message number will vary, as will the cause of injury. I am trying to identify which field I need to crea…
-
- 0 replies
- 1.7k views
-
-
In Netscaler ADC VPX 12, we have a serious problem due to a responder policy that does not work in a certain case. This is the scenario: After an http to https redirection (following https://support.citrix.com/article/CTX120664) the request is redirected to a virtual server (VIP_www.XXX.it_28.21:443). 4 responder policies are bound to virtual server VIP_www.XXX.it_28.21:443, all with action = DROP and GOTO Expression = END, and an appfw policy is bound too. The first responder policy is the IP reputation policy (Expression = CLIENT.IP.SRC.IPREP_IS_MALICIOUS). The second one blocks access to administrative paths for all IPs except 3 specific ones. The expressi…
-
-
- 29 replies
- 8.5k views
- 1 follower
-
-
Good afternoon, I launched one website through Citrix WAF. At first everything is OK: users log in under their accounts, work, etc. But when they try to log in under another account or under a freshly created account, they are not allowed. What is the problem, and how to solve it without any idea at all. Without Citrix it works. It works through Citrix if you disable firewall policies. I played with the rules, went through everything I could, it still doesn't work
-
- 0 replies
- 1.5k views
-
-
Hi All, We have deployed one application in Web Application Firewall. When we use the WAF Profile, data can't be fetched. However, there is no security check with blocking enabled, and I also tried removing Signatures as well. I also checked the logs, but no blocking can be observed in the logs. Working Scenarios on the same application: Non-Working Scenario: When I click the Cooling Period option, I am not able to see any data and it goes into a hang state with "Processing". Below are the logs for the same. Can someone suggest m…
-
- 2 replies
- 2.7k views
-
-
In Netscaler ADC, I can find in the Default Signatures the SQL keywords checked in SQL Injection (SELECT, INSERT, DROP..). I can't find anything about LDAP Injection. What can I do to check for LDAP Injection? Regards, Cristina
-
- 1 reply
- 2k views
-
-
In Netscaler ADC, how can I obtain the SQL/XSS Paths in a file? Actually, I can read them only from 'Edit Application Firewall Signatures' in the GUI
-
- 0 replies
- 1.5k views
-
-
Hi, in learned rules I can find only ^http://$ in form-origin URL. Why? The web app is https but some application redirects call the URL in http. The automatic redirect from http to https is currently managed by the web server. Is this the reason?
-
- 4 replies
- 1.8k views
-
-
Hi forum! I want to drop or reset the connection when the WAF blocks a page - anyone done this? Thanks :)
-
- 1 reply
- 1.9k views
-
-
I have a problem on a site. When trying to enter the site directly, the server redirects us to a new URL. Example: the client types www.example.com and the backend redirects him to www.web02: 1212, but the customer through Citrix should only see www.example.com. We made a rewrite based on the Location header. It works, but I have problems on the site: sometimes it does not work and it is necessary to close the browser and reopen it again. Also, there is a Captcha that does not show. When we cancel the rewrite and leave the site accessible via www.web02: 1212, the captcha works. How can I solve this, how can I make a rewrite that changes the response from the backend to the client…
-
- 0 replies
- 2.7k views
-
-
Hi, Our web application URL is static but it includes some parameters and their values are dynamic. How can I set a relaxation rule for this URL? The URL is similar to the one below. http://abc.com/aaaaaaa_reqid=1234/ccccccc_personid=22/cccccccc_companyid=255 Thanks,
-
- 5 replies
- 2.1k views
-
-
Hello, We have 2 NS 9.3 whose upgrade we keep postponing due to the app firewall issues post migration. We have a large number of sites on these Netscalers that use app firewall. While on 9.3 they work fine, on 11.1 we have lots of issues to fix... A lot of the sites that are on 9.3 just use default policies, but on 11.1 the defaults are way more restricted and require manual intervention... Has anyone gone through an upgrade/migration like this recently? Any tips? Citrix support said they have no recommended way, so pretty much upgrade and suffer. At the moment we are migrating one site at a time onto the different Netscaler and fixing issues as they arrive. But …
-
- 5 replies
- 2k views
-
-
-
- 0 replies
- 1.8k views
-
-
Hi, I am looking for how to configure appfw XML SQL Injection relaxation rules for the following block message. default APPFW APPFW_XML_SQL 25562097 0 : 10.5.13.107 994063054-PPE1 - appfw_basic_profile https://x.ca/ws/UserManagementServiceSei SQL SQL check failed for field value="..and Joint Centre [WDFAGBOY](;)" <blocked>
-
- 3 replies
- 2.1k views
-
-
Hi All, I'm facing a response code issue when a WAF violation occurs. Issue detail: - I imported an HTML Error Page into Netscaler and bound it to the App Firewall Profile. - When a violation occurs, Netscaler blocks and shows the Block page to the client, but with the response code "200 OK". - In this case, I want to change the value of the response code from 200 to 4xx. Can I do that? Thank You and Best Regards, Dat
-
- 3 replies
- 2.4k views
-
-
Hi, does anybody have a working relaxation rule for the User-Agent header field for IE/Safari ? Log entry looks like this: ...msg=SQL Keyword check failed for header User-Agent\="..like Gecko) Version/9.1 Safari/601.5.17(;)" It's also happening for IE, because of the "like" in the User-Agent. Of course "Check Request Headers" is set to True. Regards, Sven
-
- 4 replies
- 3.3k views
-
-
I have a bunch of responder policies that use StringMaps to do a 301 redirect when users try to access certain URLs. It works great, however I must perform two bindings on the StringMap to match the path plus the same item with a trailing backslash. What I would like to do is to create a rewrite policy to remove trailing backslashes. The problem is I am unable to find any documentation or forum posts that give me enough information to figure out how to do this. For a starting reference point, the following is the StringMap & Responder config that I currently have. Doing a single URL is manageable, however I have thousands, and the inability to strip the trail…
-
- 5 replies
- 5k views
-