
IP to update WAF signatures


Pedro Huaroto M


Here in the admin guide it states: the default route of the NSIP is used; if a SNIP is present in the NSIP network, it can use that; otherwise it should use the NSIP to reach the current AWS destination. (Noted under the "Connecting to Amazon AWS" section.)

https://docs.citrix.com/en-us/netscaler/12/application-firewall/signatures/signature-update-in-ha-mode.html (same under 13.0 admin guide too)

A nstrace could confirm if you aren't sure.

 

If you need to, you can have a separate server download the firewall rules to an internal location and then configure the firewall to grab updates from your local "mirror" to avoid needing to allow connectivity from the ADC to the AWS location:  https://support.citrix.com/article/CTX138858


Thanks Rhonda,

 

It is strange: when the NetScaler has an IP as the default gateway to reach the Internet and can also resolve the name 's3.amazonaws.com' (but the administrator's PC does not have Internet access), doing the test signature update produces an error and the update does not work.

But when the administrator's PC (which connects to the NetScaler) has a default gateway, the signature test does work and updates.
I show images.
It is a new NetScaler and has no configuration, only NSIP, SNIP and default gateway.

Any suggestions?
Thank you

This capture is from when the update works (Update OK); no connection is seen from the NetScaler to the public IP of s3.amazonaws.com.

I have seen this a lot. I didn't actually examine this issue. But I think your conclusion is wrong: it's not the admin machine's internet access in use; instead it's the ADM itself connecting successfully. I could reproduce this, also using the command line, no GUI.

 

It's using the NSIP of course, as it's BSD. There are some exceptions about using the NSIP. I have written a blog about where AAA traffic will originate from; I guess this will also be true about all other BSD-based traffic, so also about WAF signature updates. Maybe you want to read this? https://blog.norz.at/citrix-adc-netscaler-aaa-traffic-explained/

 

Cheers

 

Johannes

-----------------------

Johannes Norz

CCI, CCE-N, CTA


On 2/23/2020 at 11:30 PM, Pedro Huaroto M said:

Thanks Rhonda,

 

It is strange: when the NetScaler has an IP as the default gateway to reach the Internet and can also resolve the name 's3.amazonaws.com' (but the administrator's PC does not have Internet access), doing the test signature update produces an error and the update does not work.

But when the administrator's PC (which connects to the NetScaler) has a default gateway, the signature test does work and updates.
I show images.
It is a new NetScaler and has no configuration, only NSIP, SNIP and default gateway.

Any suggestions?
Thank you

Hey,
So when you use the GUI to update the signatures, it will use your local PC's connection (I don't know why they made it like that, tbh), so when you don't have an internet connection it will break and throw the error message you got: "Error in accessing the URL!"

 

Take a look at this older CTX, but it's still valid: https://support.citrix.com/article/CTX207698. It's pretty easy to replicate: set your DNS server to something that won't allow you to get internet access and then try to update a signature that isn't up to date; it will trigger the "Error in accessing the URL!" as shown in this screenshot.

Now my ADC got internet access as seen here:
 

> > ping www.google.dk
PING www.google.dk (172.217.20.35): 56 data bytes
64 bytes from 172.217.20.35: icmp_seq=0 ttl=54 time=20.769 ms
and a CURL against the signature URL:

 

But when trying to update from the GUI it fails.


 

Now if you try to update it using the CLI it will work

 

> sh app signatures
1)      Url: default_signatures.xml     Name: "*Default Signatures"
        Creation Date: Fri Oct 11 14:06:49 2019
        Base Version: "34"      Size: 1153774 bytes
2)      Url: xpath_injection_patterns.xml       Name: "*Xpath Injection Patterns"
        Creation Date: Fri Oct 11 14:06:49 2019
        Base Version: "1"       Size: 2621 bytes

Total signatures Size:  0 bytes
Total Import Size:      0 bytes

> update appfw signatures "*Default Signatures"
 Done

> sh app signatures
1)      Url: default_signatures.xml     Name: "*Default Signatures"
        Creation Date: Sun Mar  1 14:43:46 2020
        Base Version: "42"      Size: 1296450 bytes
2)      Url: xpath_injection_patterns.xml       Name: "*Xpath Injection Patterns"
        Creation Date: Mon Jan 20 13:38:53 2020
        Base Version: "1"       Size: 2621 bytes

> sh version
        NetScaler NS13.0: Build 47.24.nc, Date: Jan 20 2020, 06:11:41   (64-bit)
 Done


Regards,

Mads Petersen
CTP

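The CLI output above is the only reliable record of whether an update actually happened: the "Base Version" of "*Default Signatures" moves from 34 to 42 while the XPath object stays at 1. As an added example (not code from the thread or from Citrix), here is a small parser for the `sh app signatures` output that compares a before and after capture and reports which signature objects changed version. The sample text embedded below is constructed from the two captures in the post above; the regexes assume the column layout shown there.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the two "sh app signatures" captures from the post,
# taken before and after "update appfw signatures".
BEFORE = '''1)      Url: default_signatures.xml     Name: "*Default Signatures"
        Creation Date: Fri Oct 11 14:06:49 2019
        Base Version: "34"      Size: 1153774 bytes
2)      Url: xpath_injection_patterns.xml       Name: "*Xpath Injection Patterns"
        Creation Date: Fri Oct 11 14:06:49 2019
        Base Version: "1"       Size: 2621 bytes

Total signatures Size:  0 bytes
Total Import Size:      0 bytes
'''

AFTER = '''1)      Url: default_signatures.xml     Name: "*Default Signatures"
        Creation Date: Sun Mar  1 14:43:46 2020
        Base Version: "42"      Size: 1296450 bytes
2)      Url: xpath_injection_patterns.xml       Name: "*Xpath Injection Patterns"
        Creation Date: Mon Jan 20 13:38:53 2020
        Base Version: "1"       Size: 2621 bytes
'''


@dataclass(frozen=True)
class SignatureObject:
    url: str
    name: str
    base_version: int
    size_bytes: int


# Header line of each entry: '1)  Url: <file>  Name: "<name>"' (assumed layout).
ENTRY_RE = re.compile(r'^\d+\)\s+Url:\s+(?P<url>\S+)\s+Name:\s+"(?P<name>[^"]*)"\s*$')
# Detail line carrying the version and size (assumed layout).
VERSION_RE = re.compile(r'^Base Version:\s+"(?P<ver>\d+)"\s+Size:\s+(?P<size>\d+)\s+bytes\s*$')


def parse_signatures(output: str) -> Dict[str, SignatureObject]:
    """Parse 'sh app signatures' output into a dict keyed by signature object name."""
    objects: Dict[str, SignatureObject] = {}
    url: Optional[str] = None
    name: Optional[str] = None
    for raw in output.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            url, name = m.group("url"), m.group("name")
            continue
        m = VERSION_RE.match(line)
        if m and name is not None and url is not None:
            objects[name] = SignatureObject(url, name, int(m.group("ver")), int(m.group("size")))
            url = name = None  # version line closes the current entry
    return objects


def version_changes(before: str, after: str) -> List[Tuple[str, Optional[int], int]]:
    """Return (name, old_version, new_version) for every object in the 'after' capture.

    old_version is None when the object did not exist before."""
    old = parse_signatures(before)
    new = parse_signatures(after)
    return [
        (obj.name, old[obj.name].base_version if obj.name in old else None, obj.base_version)
        for obj in new.values()
    ]


def update_succeeded(before: str, after: str, name: str = "*Default Signatures") -> bool:
    """True only if the named object is present in both captures and its version went up."""
    old = parse_signatures(before)
    new = parse_signatures(after)
    return name in old and name in new and new[name].base_version > old[name].base_version


if __name__ == "__main__":
    for entry_name, old_ver, new_ver in version_changes(BEFORE, AFTER):
        print(f"{entry_name}: {old_ver} -> {new_ver}")
    print("default signatures updated:", update_succeeded(BEFORE, AFTER))
```

Run it against two real captures (for example, `sh app signatures` pasted before and after the `update appfw signatures` command) to confirm the update took effect without depending on the GUI's "Done" message.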

On 3/1/2020 at 7:36 PM, Pedro Huaroto M said:

 

Thanks for the info. I understand that by default the NSIP goes to the internet to update the signatures; is it possible to go to the internet through a VIP to update the signatures?

Could I use an RNAT?
Thank you

 

 

No, a VIP is impossible. It might be a SNIP, if it meets several requirements. I have written a blog about authentication traffic. You may read it; there are some similarities (as authentication traffic also originates from BSD).

 

Greetings from Austria

 

Johannes Norz

CTA, CCI, CCE-N
