
Citrix WAF | allowing and restriction of signature rule ID


Question

Hi Folks,

 

I need your support to know if the below is possible for Citrix WAF:

POST requests with signature rule ID (1288, 999958 & 999960) should be allowed only against a few pages such as:

https://x.y.com/en/Careers/Pages/default.aspx
https://x.y.com/en/portfolio/Pages/default.aspx
https://x.y.com/en/_vti_bin/client.svc/ProcessQuery
https://x.y.com/en/Contact-us/Pages/default.aspx

The rest of the POST requests with signature rule ID (1288, 999958 & 999960) must be blocked.

 

Please let me know how we can achieve this.

 

Thanks in advance.

3 answers to this question

Do you still want to protect the exempted pages with other appfw protections? If so, you'll need two different appfw policies and profiles.

 

Basically, you would need to create two different appfw policies (or you can use content switching).

appfw_pol1_exemptedurls would point to an appfw profile with these signatures disabled and all other protections you need enabled.

The policy expression would be for these paths:  http.req.url.path.set_text_mode(ignorecase).eq("/en/Careers/Pages/default.aspx") || http.req.url.path.set_text_mode(ignorecase).eq("/en/portfolio/Pages/default.aspx") || etc...

NOTE: you may need to adjust whether it is exactly these pages or these pages and their related content.  

 

Bind this policy to your lb_vsrv_demo1 at priority 100.

Then create a second policy to apply to all other content that is NOT these URLs with the regular profile and all the signature enforcement.

appfw_pol2_nonexemptedurls with appfw_prof_allprotections

Using an example expression based on the above paths:  !(http.req.url.path.set_text_mode(ignorecase).eq("x") || http.req.url.path.set_text_mode(ignorecase).eq("y") || http.req.url.path.set_text_mode(ignorecase).eq("z"))

 

If you don't want to protect this content at all, then you can just do the second policy exemption only.

 

 

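The two-policy layout from the answer above, written out as NetScaler CLI. This is an added example, not configuration from the original post or from Citrix: the vserver name lb_vsrv_demo1 is taken from the answer, while the profile names, the signature object names (sig_full, sig_exempted) and the audit action names are assumptions. It narrows the exemption to POST, since that is what the question asks about, and uses a plain `true` for the second policy so that every non-exempt request is covered by the full profile. The `-logAction` option on appfw policies is assumed to be available on the release in use.

```text
# Added example, not from the original thread. lb_vsrv_demo1 comes from the answer;
# appfw_prof_exempted, appfw_prof_allprotections, sig_full, sig_exempted and the
# audit action names are assumptions.
#
# Prerequisite (not shown): two signature objects built from a copy of the default
# signatures, sig_full with everything enabled and sig_exempted with rule IDs 1288,
# 999958 and 999960 disabled (signatures editor, or edit the exported XML and re-import).

# Profiles: same protections, different signature objects
add appfw profile appfw_prof_allprotections -defaults basic
set appfw profile appfw_prof_allprotections -signatures sig_full
add appfw profile appfw_prof_exempted -defaults basic
set appfw profile appfw_prof_exempted -signatures sig_exempted

# Exempt policy: POST only, exact case-insensitive path match, no stray spaces inside the literals
add appfw policy appfw_pol1_exemptedurls "HTTP.REQ.METHOD.EQ(\"POST\") && (HTTP.REQ.URL.PATH.SET_TEXT_MODE(IGNORECASE).EQ(\"/en/Careers/Pages/default.aspx\") || HTTP.REQ.URL.PATH.SET_TEXT_MODE(IGNORECASE).EQ(\"/en/portfolio/Pages/default.aspx\") || HTTP.REQ.URL.PATH.SET_TEXT_MODE(IGNORECASE).EQ(\"/en/_vti_bin/client.svc/ProcessQuery\") || HTTP.REQ.URL.PATH.SET_TEXT_MODE(IGNORECASE).EQ(\"/en/Contact-us/Pages/default.aspx\"))" appfw_prof_exempted

# Catch-all for everything else: a plain true, not a header test the client controls
add appfw policy appfw_pol2_nonexemptedurls true appfw_prof_allprotections

# Bind both; END on pol1 so an exempt request is never also evaluated against pol2
bind lb vserver lb_vsrv_demo1 -policyName appfw_pol1_exemptedurls -priority 100 -gotoPriorityExpression END -type REQUEST
bind lb vserver lb_vsrv_demo1 -policyName appfw_pol2_nonexemptedurls -priority 110 -gotoPriorityExpression END -type REQUEST

# During testing only: one audit message per policy, so ns.log shows which policy fired
# (-logAction on appfw policies assumed available on this release)
add audit messageaction log_pol1_hit INFORMATIONAL "\"pol1 exempt hit \" + HTTP.REQ.METHOD + \" \" + HTTP.REQ.URL.PATH"
add audit messageaction log_pol2_hit INFORMATIONAL "\"pol2 full hit \" + HTTP.REQ.METHOD + \" \" + HTTP.REQ.URL.PATH"
set appfw policy appfw_pol1_exemptedurls -logAction log_pol1_hit
set appfw policy appfw_pol2_nonexemptedurls -logAction log_pol2_hit

# Confirm the binding order and priorities
show lb vserver lb_vsrv_demo1
```

After binding, send one POST to an exempt path and one to a non-exempt path and confirm that exactly one of the two audit messages appears in ns.log for each request. A GET to an exempt page should log only pol2, because the exemption is limited to POST.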

Hi Rhonda,

 

Thanks a lot for the help.

 

I am planning to make the configuration as below, please let me know if any additional changes need to be made.

 

1. I will create a WAF profile where the signature rule IDs are disabled and bind the exempted policy below with priority 100 to the load balancing server

 

appfw_pol1_exemptedurls

 

http.req.url.path.set_text_mode(ignorecase).eq("/en/Careers/Pages/default.aspx") ||
http.req.url.path.set_text_mode(ignorecase).eq("/en/portfolio/Pages/default.aspx") ||
http.req.url.path.set_text_mode(ignorecase).eq("/en/_vti_bin/client.svc/ProcessQuery") ||
http.req.url.path.set_text_mode(ignorecase).eq("/en/Contact-us/Pages/default.aspx")

 

2. I will create a secondary WAF profile and bind the policy below (with priority 110) with all the signature enforcement checks

 

appfw_pol2_nonexemptedurls

 

HTTP.REQ.HEADER("User-Agent").CONTAINS_ANY("Browser")

 

 

 


 

Be sure you set the policy GOTO to END for the first binding (pol1), so it does not look for more after the policy hit.  

Use a logaction during testing to confirm that you are only processing pol1 OR pol2 for a given request and not both.  

I would also confirm that a manipulation of the user-agent header won't leave you with no appfw protection at all. If only one policy hit is occurring, you might be able to change pol2 to a broad expression like true to apply to all other non-matched traffic.

 

There's a case where traffic could hit both policies, without the END to stop processing on the first matches.

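To check the two pitfalls raised in this reply (a request hitting both pol1 and pol2 when pol1's goto is not END, and a pol2 keyed on the User-Agent header leaving some requests with no policy at all), here is a small Python model of how bound policies are walked in priority order. It is an added example, not code from the thread or from Citrix: the policy names come from the thread, the requests are constructed, and the expression operators are reduced to simple Python tests (exact case-insensitive comparison of the path, substring match on the header). It models only which policies fire, not which profile the appliance ultimately enforces.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed model; policy names come from the thread, the sample traffic is made up.


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str]


@dataclass
class Binding:
    """One appfw policy bound to the lb vserver."""
    name: str
    rule: Callable[[Request], bool]
    priority: int
    goto_end: bool  # True models -gotoPriorityExpression END, False models NEXT


def path_eq(*literals: str) -> Callable[[Request], bool]:
    """Model of HTTP.REQ.URL.PATH.SET_TEXT_MODE(IGNORECASE).EQ(a) || EQ(b) ...: the whole
    path is compared case-insensitively against the literal exactly as typed, so a stray
    space inside the quotes (as in ".aspx ") silently breaks the match."""
    wanted = {lit.lower() for lit in literals}
    return lambda req: req.path.lower() in wanted


def post_only(rule: Callable[[Request], bool]) -> Callable[[Request], bool]:
    """HTTP.REQ.METHOD.EQ("POST") && (rule): limits the exemption to the POST requests the
    question is about, so a GET to the same page still gets the full profile."""
    return lambda req: req.method == "POST" and rule(req)


def ua_contains(word: str) -> Callable[[Request], bool]:
    """Rough stand-in for HTTP.REQ.HEADER("User-Agent").CONTAINS_ANY(<patset>); the real
    operator consults a pattern set, reduced here to a substring test (assumption)."""
    return lambda req: word.lower() in req.headers.get("User-Agent", "").lower()


def evaluate(bindings: List[Binding], req: Request) -> List[str]:
    """Walk the bindings in priority order and return the names of every policy that
    fired. A goto of END stops after the first hit; NEXT keeps going, which is how one
    request can hit both pol1 and pol2."""
    hits: List[str] = []
    for b in sorted(bindings, key=lambda x: x.priority):
        if b.rule(req):
            hits.append(b.name)
            if b.goto_end:
                break
    return hits


EXEMPT = path_eq(
    "/en/Careers/Pages/default.aspx",
    "/en/portfolio/Pages/default.aspx",
    "/en/_vti_bin/client.svc/ProcessQuery",
    "/en/Contact-us/Pages/default.aspx",
)


def proposed_bindings() -> List[Binding]:
    """Layout as first proposed: pol1 at the default goto (NEXT), pol2 keyed on User-Agent."""
    return [
        Binding("appfw_pol1_exemptedurls", EXEMPT, 100, goto_end=False),
        Binding("appfw_pol2_nonexemptedurls", ua_contains("Browser"), 110, goto_end=False),
    ]


def corrected_bindings() -> List[Binding]:
    """pol1 with GOTO END and restricted to POST, pol2 as a true catch-all."""
    return [
        Binding("appfw_pol1_exemptedurls", post_only(EXEMPT), 100, goto_end=True),
        Binding("appfw_pol2_nonexemptedurls", lambda req: True, 110, goto_end=True),
    ]


def coverage(bindings: List[Binding], requests: List[Request]) -> Dict[str, List[str]]:
    """Map 'METHOD path' to the policies it hit; during testing every entry should hold
    exactly one policy name."""
    return {f"{r.method} {r.path}": evaluate(bindings, r) for r in requests}


SAMPLE = [  # constructed traffic
    Request("POST", "/en/Careers/Pages/default.aspx", {"User-Agent": "Mozilla/5.0 Browser"}),
    Request("POST", "/en/careers/pages/DEFAULT.ASPX", {"User-Agent": "curl/8.0"}),
    Request("GET", "/en/Careers/Pages/default.aspx", {"User-Agent": "curl/8.0"}),
    Request("POST", "/en/admin/Pages/default.aspx", {"User-Agent": "python-requests/2.31"}),
]

if __name__ == "__main__":
    for label, bindings in (("proposed", proposed_bindings()), ("corrected", corrected_bindings())):
        print(label)
        for key, hits in coverage(bindings, SAMPLE).items():
            print(f"  {key}: {hits or 'NO APPFW POLICY'}")
```

Running it prints, for the proposed and the corrected layout, which policies each constructed request hit. The corrected layout yields exactly one policy per request; the proposed one shows a double hit for an exempt path sent with a browser-like User-Agent, and no policy at all for a POST to a non-exempt path sent with a non-browser User-Agent. The path_eq helper also makes the trailing-space mistake visible: a literal typed as "/en/portfolio/Pages/default.aspx " (space before the closing quote) never matches the real path.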