
Netscaler migration from 9.3 to 11.1 and WAF


Sergey Lisitsyn1709156123

Question

Posted

Hello

We have 2 NS 9.3 units whose upgrade we keep postponing due to the app firewall issues post migration. We have a large number of sites on these Netscalers that use app firewall. While on 9.3 they work fine, on 11.1 we have lots of issues to fix... A lot of the sites that are on 9.3 just use default policies, but on 11.1 the defaults are way more restricted and require manual intervention...

Has anyone gone through an upgrade/migration like this recently? Any tips? Citrix support said they have no recommended way, so pretty much upgrade and suffer. At the moment we are migrating one site at a time onto a different Netscaler and fixing issues as they arise. But it's painful and time consuming...

5 answers to this question

Recommended Posts

Posted

From 9.3 to 11.1 there are a lot of security improvements, new features and much more.

I would follow the approach below if the environment is critical.

1. Upgrade secondary to 11.1

2. Failover to Secondary unit

3. Do not enable 'BLOCK' option on profile

4. Create a trusted client subnet, for instance 10.1.1.0/24, and learn all the website URLs

5. Edit the learned URLs and relax all learned URLs using wildcards.

Also 11.1 has a new signature database. You will see a lot of URLs blocked. As these URLs are environment specific there is no seamless way to migrate.

 

Thanks,

Vamsi

Posted

Thanks, Vamsi

I thought about doing it the same way, but all our sites are public facing, so we would have to allow all on all sites and rely on the site owners to do enough testing to capture all exceptions and allow them before blocking again... And all within a short window...

Looks like we just have to continue doing them 1 site at a time =(

Posted

You can create an AppFirewall policy based on FQDN and keep adding sites as soon as each site gets optimised

HTTP.REQ.HOSTNAME.EQ("WWW.XYZ.COM")

Time depends on how big the site is and how many URLs there are.

Maybe you should have a bot to probe all URLs and learn them ;)

Thanks,

Vamsi 
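The two answers above describe one workflow: keep BLOCK off, drive the site from a trusted client subnet so the profile learns its start URLs, collapse the learned URLs into wildcard relaxations, and bind a per-FQDN policy once a site is done. The script below is an added illustration, not code from the thread or from Citrix: it crawls a constructed sample page for same-host links (the "bot that probes all URLs"), generalises a constructed list of learned URLs into per-host wildcard regexes, emits a hostname policy expression in the same shape as the one quoted above, and checks that every learned URL is matched by some relaxation before BLOCK would be enabled. The anchored full-URL regex form of a startURL relaxation and the id-detection heuristic are assumptions made for the example; the generated patterns still need review before they go onto a profile.

```python
import re
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample of start URLs as a trusted-subnet test run might record them
# while the profile is in learn/log mode; not data from the thread's environment.
LEARNED_URLS = [
    "https://www.xyz.com/",
    "https://www.xyz.com/images/logo.png",
    "https://www.xyz.com/images/banner.jpg",
    "https://www.xyz.com/products/1234",
    "https://www.xyz.com/products/5678",
    "https://www.xyz.com/account/login",
    "https://shop.xyz.com/cart",
    "https://shop.xyz.com/item/42/details",
    "https://shop.xyz.com/item/43/details",
]

# Constructed page for the crawler step; the off-host links must be ignored.
SAMPLE_PAGE = """<html><body>
<a href="/products/1234">Widget</a> <a href="/products/5678">Gadget</a>
<img src="/images/logo.png"> <a href="https://shop.xyz.com/cart">Cart</a>
<a href="https://partner.example.net/page">Partner</a>
<form action="/account/login#top"><input name="u"></form>
</body></html>"""


class LinkCollector(HTMLParser):
    """Collects same-host link targets from one page: the 'bot that probes all URLs'."""

    def __init__(self, base):
        super().__init__()
        self.base, self.host, self.found = base, urlsplit(base).hostname.lower(), set()

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                absolute = urljoin(self.base, value).split("#")[0]
                host = urlsplit(absolute).hostname
                if host and host.lower() == self.host:
                    self.found.add(absolute)


def links_on_page(base, html):
    """Same-host URLs found in html; requesting them from the trusted subnet feeds learning."""
    collector = LinkCollector(base)
    collector.feed(html)
    return sorted(collector.found)


# Heuristic (assumption): numeric ids and long hex tokens are variable path segments.
VARIABLE_SEGMENT = re.compile(r"^(\d+|[0-9a-f]{16,})$", re.IGNORECASE)


def generalize(url):
    """Split a learned URL into (host, path-regex) with variable segments as [^/]+."""
    parts = urlsplit(url)
    segs = [s for s in parts.path.split("/") if s]
    pattern = "/".join("[^/]+" if VARIABLE_SEGMENT.match(s) else re.escape(s) for s in segs)
    return parts.hostname.lower(), pattern


def collapse_directory(patterns, min_files=2):
    """Once a directory has min_files distinct leaves, cover it with one leaf wildcard."""
    by_dir = defaultdict(set)
    for p in patterns:
        directory, _, leaf = p.rpartition("/")
        by_dir[directory].add(leaf)
    out = set()
    for directory, leaves in by_dir.items():
        if directory and len(leaves) >= min_files:
            out.add(directory + "/[^/]+")
        else:
            out.update(directory + "/" + leaf if directory else leaf for leaf in leaves)
    return out


def relaxation_regex(host, pattern):
    """Assumed shape of a startURL relaxation: an anchored regex over the whole URL."""
    return "^https?://" + re.escape(host) + ("/" + pattern if pattern else "/?") + "$"


def build_relaxations(urls):
    """Map each site hostname to its sorted wildcard startURL relaxations."""
    by_host = defaultdict(set)
    for u in urls:
        host, pattern = generalize(u)
        by_host[host].add(pattern)
    return {host: sorted(relaxation_regex(host, p) for p in collapse_directory(pats))
            for host, pats in by_host.items()}


def hostname_policy(host):
    """Per-site policy expression, the same shape as the one quoted in the thread."""
    return 'HTTP.REQ.HOSTNAME.EQ("%s")' % host


def uncovered(urls, relaxations):
    """Learned URLs that no relaxation matches; keep BLOCK off until this is empty."""
    compiled = {h: [re.compile(r) for r in rs] for h, rs in relaxations.items()}
    return [u for u in urls
            if not any(rx.match(u) for rx in compiled.get(urlsplit(u).hostname.lower(), []))]


if __name__ == "__main__":
    crawled = links_on_page("https://www.xyz.com/", SAMPLE_PAGE)
    relaxations = build_relaxations(LEARNED_URLS + crawled)
    for host, rules in relaxations.items():
        print(hostname_policy(host))
        for rule in rules:
            print("   ", rule)
    print("uncovered:", uncovered(LEARNED_URLS, relaxations))
```

Run it as-is and it prints one policy expression per host followed by that host's relaxations, with an empty uncovered list. Tighten `VARIABLE_SEGMENT` or raise `min_files` if the wildcards come out broader than a site needs; the `uncovered` check is the gate for re-enabling BLOCK on a profile.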

Posted

I have not tried 11.1 for a while now, but I have not had anything but problems with AppFW and Netscaler 11.x. For my AppFW customers I have gone the 9.x->10.5->12.0 track.

11.1 might be stable now for all I know, but I would recommend 12.0 58.18 and later.
