Application Firewall is a relatively complex feature of the Netscaler, using complex policies and profiles to identify unwanted traffic flowing to and from an organization’s extranet. Building the policies the first time is a challenging task on its own, but when it comes to duplicating and transporting the policies, well, let’s just say it’s NO picnic.
Let's take a look at how Citrix Command Center can be used to easily "create" and "transport" Application Firewall Template profiles from Development into Production without having to go deep into the cli.
First of all, if you haven’t heard of Citrix Command Center, you are definitely missing out. Citrix CC is a great tool that can alert on and track historic trends of Citrix Netscaler, Application Firewall, Access Gateway Enterprise, and Branch Repeater. It can also be used to transport commands from development to production in just a few simple steps. I’ll be posting more information about Command Center in a later blog, but for now, let me give you a little teaser by making AppFW Profiles portable.
Let’s start by creating a simple Application Firewall Profile (and Policy) Template. This template will be a starting point for all your Vservers, and it will give you practice in exporting and importing the profiles and policies using Command Center…
First, go in and create a simple AppFW policy and profile that can be re-used by all sites, i.e., no host header matching and no learned data. Call the Policy Template_Pol and the Profile Template_Prof.
Once you have your profile created and configured, save the config by clicking the little Save button at the top right.
NOTE: if you don’t save your config, the commands you entered will not be in the saved config file, so you will not be able to read them with the cat command.
Open a Secure Shell client, log in to your Netscaler and type shell to drop to FreeBSD. You can then use the CLI to grep the commands into a Template File that you can later copy out and re-use any time:
After your Template file is created, simply download the file to your computer using an SFTP client. (WinSCP does a great job here because its built-in text editor works well with Citrix Netscaler config files.) You will find this file under the "/var" directory on the Netscaler.
Next, make a copy of the file on your PC and rename it to something a little more meaningful, something like “AppFW_Website_00001”. Then open the new file, find all occurrences of “Template_” and replace them with “Website_00001”.
Now you are ready to import this new policy and profile using Citrix Command Center. Open Command Center and go to Configuration / Custom Task / Add Custom Task. Use the Import from command line option to browse to your newly created file and select Next. The Custom Task wizard will capture the contents of the file and place them in sequential commands that can be fed into the Netscaler.
NOTE: Make sure you remove any task variables at the bottom of the page. Citrix Command Center reads some of the commands and misinterprets Deny-URLs as Task Variables.
Finally, go back to the Netscaler Configuration utility and refresh the screen. You will see that you have a complete copy of the original Profile and Policy (with a new name) ready to begin learning mode on a new Web Application.
OK, now that you have the basic concepts, let’s take this one step further. Since it is relatively risky to place the App Firewall rules in learning mode while facing the public Internet, you can use Netscaler VPX to create your initial profiles and policies and build all the learned and deployed data in a development environment. Once you are finished deploying all the rules, save the configuration and perform the same steps, only this time deploy the rules to the production Netscalers and bind them to the production Vservers.