Jump to content
  • 0

Netscaler migration from 9.3 to 11.1 and WAF

Sergey Lisitsyn1709156123



We have 2 NS 9.3 that we keep postponing its upgrade due to the app firewall issues post migration. We have a large number of sites on these Netscalers that use app firewall. While on 9.3 they work fine, on 11.1 we have lots of issues to fix... A lot of the sites that are on 9.3 just use default policies but on 11.1 defaults are way more restricted and requires manual intervention...

Anyone went through the upgrade/migration like this recently? Any tips? Citrix support said they have no recommended of way, so pretty much upgrade and suffer. At the moment we are migrating one site at a time onto the different Netscaler and fixing issues as they arrive. But it's painful and time consuming...

Link to comment

5 answers to this question

Recommended Posts

From 9.3 to 11.1 there are lot of security improvements, features many more. 


I would follow below approach if the environment is critical.



1. Upgrade secondary to 11.1

2. Failover to Secondary unit

3. Do not enable 'BLOCK' option on profile

4. Create trusted client  subnet for instance ( and learn all the website URLS

5. Edit learn URL and Relax all learn URL's using wildcard. 


Also 11.1 has new signature database. You will be seeing lot of URL's blocked. As these URL's are environment specific there is no seamless way to migrate.







Link to comment


This topic is now archived and is closed to further replies.

  • Create New...