How to add an endpoint to be managed by the Web App Firewall?

[Valentin Todorov]

Hello,

 

I installed a Citrix ADC VPX virtual appliance and now want to add computers to have their traffic managed by the WAF policy. How can I do it - is it with the Citrix Gateway plug-in?

I downloaded an installed the Citrix Gateway on one of the computers, but when I try to connect I get a Logon failure (attached the image).

 

 

Valentin

[Paul Blitz]

The Citrix Gateway and the Web Application Firewall are two completely different features:

 

- Citrix Gateway is all about providing a secure connection into the corporate network (in one of many ways)

- WAF is about protecting a website against layer-7 attacks, such as SQL Injection, Cross Site Scripting etc

 

WAF doesn't actually "manage" client devices at all, it protects your website against unwanted client devices!

[Valentin Todorov]

Thanks, Paul!

 

Can you send me a link or a tutorial that shows how to do a basic setup of WAF to protect a website. I've searched a lot for a tutorial, but most of them are either way too complicated, or don't show how to add a website to be managed by WAF. I'm not actually going to use the firewall in production. Just need to have it operational for a few weeks to write an integration with its API.

I've stood up an ADC VPX instance, setup DNS, etc. and I'm trying to actually put it inline for managing a website.
 

Thanks a lot for your help!

Valentin

[Johannes Norz]

Maybe you could find some ideas on my blog.

[Paul Blitz]

AFW:

- upgrade signatures to latest

- create one or more AFW profiles, as deemed suitable

- configure AFW profiles with signatures and protections, and other settings, as required

- create suitable policies to invoke the AFW profiles

- bind the policies to the relevant vservers

 

For a small and trivial website, you might simply have one profile, bound to the vserver with a "true" policy. 

 

For a larger, more complex, site, with international access, you may need multiple profiles, to differentially handle different users (eg: you might wish to have a harsher profile for countries with known hackers), or to differently protect different parts of the site (maybe coded in very different ways)

 

Setting up an AppFW is not a trivial task, you need an understanding of the protections needed, and need to learn (either manually or using AFW learning) how the web site breaks the strict rules applied by the AFW, and create "relaxations" to allow the site to continue working. If you are very lucky, you won't need any relaxations. If you are less lucky, you could spend several days sorting things out!! There's no "one size fits all" for AFW, each config will be quite customised.