
Application Firewall

Application firewall configuration.

Configuration APIs


Use this method to define the specified web form field as confidential.
Form fields designated as confidential have the information that is provided in those fields x'd out in the audit logs.


Use this method to add a field type to the list of field types used by the field format security check.
A field type is a regular expression defining the type of data that can appear in a web form field. The Learning engine also uses the field types list to generate appropriate field type assignments for the field formats check.


Use this method to add gRPC content type. This will classify a request/response with the specified content type as gRPC


Use this method to add gRPC-web-json content type. This will classify a request/response with the specified content type as gRPC-web-json


Use this method to add gRPC-web-text content type. This will classify a request/response with the specified content type as gRPC-web-text


Use this method to add JSON content type. This will classify a request/response with the specified content type as JSON


Use this method to add multipart form content type. This will classify a request/response with the specified content type as multipart form


Use this method to create an application firewall policy.


Use this method to create a user-defined application firewall policy label.


Use this method to create an application firewall profile, which specifies how the application firewall should protect a given type of web content. (A profile is equivalent to an action in other Citrix ADC features.)


Use this method to add urlencoded form content type. This will classify a request/response with the specified content type as urlencoded form


Use this method to add XML content type. This will classify a request/response with the specified content type as XML


Use this method to create archive for the profile.


Use this method to bind policy to appfw global.


Use this method to bind policy to appfw policylabel.


Use this method to bind blockkeyword to appfw profile.


Use this method to bind bypasslist to appfw profile.


Use this method to bind cmdinjection to appfw profile.


Use this method to bind comment to appfw profile.


Use this method to bind confidfield to appfw profile.


Use this method to bind contenttype to appfw profile.


Use this method to bind cookieconsistency to appfw profile.


Use this method to bind creditcardnumber to appfw profile.


Use this method to bind crosssitescripting to appfw profile.


Use this method to bind csrftag to appfw profile.


Use this method to bind denylist to appfw profile.


Use this method to bind denyurl to appfw profile.


Use this method to bind excluderescontenttype to appfw profile.


Use this method to bind fakeaccount to appfw profile.


Use this method to bind fieldconsistency to appfw profile.


Use this method to bind fieldformat to appfw profile.


Use this method to bind fileuploadtype to appfw profile.


Use this method to bind grpcvalidation to appfw profile.


Use this method to bind isautodeployed to appfw profile.


Use this method to bind jsonblockkeyword to appfw profile.


Use this method to bind jsoncmdurl to appfw profile.


Use this method to bind jsondosurl to appfw profile.


Use this method to bind jsonsqlurl to appfw profile.


Use this method to bind jsonxssurl to appfw profile.


Use this method to bind logexpression to appfw profile.


Use this method to bind resourceid to appfw profile.


Use this method to bind restvalidation to appfw profile.


Use this method to bind ruletype to appfw profile.


Use this method to bind safeobject to appfw profile.


Use this method to bind sqlinjection to appfw profile.


Use this method to bind starturl to appfw profile.


Use this method to bind state to appfw profile.


Use this method to bind trustedlearningclients to appfw profile.


Use this method to bind xmlattachmenturl to appfw profile.


Use this method to bind xmldosurl to appfw profile.


Use this method to bind xmlsqlinjection to appfw profile.


Use this method to bind xmlvalidationurl to appfw profile.


Use this method to bind xmlwsiurl to appfw profile.


Use this method to bind xmlxss to appfw profile.


Use this method to export the archive file to the specified location.



NOTE: This method is deprecated.
Changed CLI methods for Appfw "customSettings" to "signatures"


Use this method to export appfw learnt data in csv format to the location /var/learnt_data/




Use this method to get the current settings for the specified application firewall confidential field designation.


Use this method to get the object imported by import customsettings.
NOTE: This method is deprecated.
Changed CLI methods for Appfw "customSettings" to "signatures"


Use this method to get the regular expression that defines the specified field type and its priority. If no field type is specified, displays all form field types currently configured on the Citrix ADC.


Use this method to get a list of application firewall policies that are bound to the specified bind point. If no bind point is specified, displays a list of all application firewall policies


Use this method to get all gRPC content types.


Use this method to get all grpc-web-json content types.


Use this method to get all grpc-web-text content types.


Use this method to get the specified HTML error object.


Use this method to get all JSON content types.


Use this method to get the specified JSON error object.


Use this method to get the unreviewed application firewall learning data for the specified profile and security check.


Use this method to get the current application firewall learning settings for the specified profile.


Use this method to get all multipart form content types.


Use this method to get the current settings for the specified application firewall policy.


Use this method to get the current settings for the specified application firewall policy label.


Use this method to get details of the specified application firewall profile. If no profile is specified, displays a list of all application firewall profiles on the Citrix ADC.


Use this method to get the specified gRPC schema object.


Use this method to get the current application firewall global settings.


Use this method to get the specified signatures object. If no signatures object is specified, displays all signatures objects defined on the Citrix ADC.


Use this method to get an application firewall transaction record.


Use this method to get all URLENCODED_FORM content types.


Use this method to get the specified imported WSDL file.


Use this method to get all xml content types.


Use this method to get the specified XML error object.


Use this method to get the specified XML Schema object. If no object is specified, displays all XML Schema objects on the Citrix ADC.


Use this method to import the archive file from the specified location.


Use this method to download the Application Firewall Custom Settings XML configuration to the Citrix ADC Box with the given object name.
NOTE: This method is deprecated.
Changed CLI methods for Appfw "customSettings" to "signatures"


Use this method to import the specified HTML error page to the Citrix ADC and assign it the specified name.


Use this method to import the specified JSON error page to the Citrix ADC and assign it the specified name.


Use this method to import a gRPC schema file from the specified location.


Use this method to import the specified signatures object to the Citrix ADC and assign it the specified name.


Use this method to import the specified WSDL file to the application firewall.


Use this method to import the specified XML error page to the Citrix ADC and assign it the specified name.


Use this method to import the specified XML Schema to the Citrix ADC and assign it the specified name.


Use this method to rename an application firewall policy.


Use this method to rename an application firewall policy label.


Use this method to remove all databases. Make transaction count zero


Use this method to restore configuration from archive file


Use this method to remove the archive created by the archive method.


Use this method to remove a confidential field designation.


Use this method to remove the object imported by import customsettings.
NOTE: This method is deprecated.
Changed CLI methods for Appfw "customSettings" to "signatures"


Use this method to remove an application firewall field type.


Use this method to remove gRPC content type.


Use this method to remove grpc-web-json content type.


Use this method to remove grpc-web-text content type.


Use this method to remove the specified HTML error object.


Use this method to remove JSON content type.


Use this method to remove the object imported by import jsonerrorpage.


Use this method to remove unreviewed application firewall learning data for the specified application firewall profile.


Use this method to remove multipart form content type.


Use this method to remove an application firewall policy.


Use this method to remove the specified application firewall policy label.


Use this method to remove the specified application firewall profile.


Use this method to remove the named gRPC schema object.


Use this method to remove the specified signature object from the application firewall.


Use this method to remove urlencoded form content type.


Use this method to remove the specified imported WSDL file from the application firewall.


Use this method to remove XML content type.


Use this method to remove the object imported by import xmlerrorpage.


Use this method to remove the specified XML Schema object from the application firewall.


Use this method to set any comments to preserve information about the form field designation.


Use this method to set method of specifying the form field name. Available settings function as follows:
* REGEX. Form field is a regular expression.
* NOTREGEX. Form field is a literal string.


Use this method to enable or disable the confidential field designation.


Use this method to set the PCRE-format regular expression defining the characters and length allowed for this field type.
This is a mandatory parameter.


Use this method to set the number of minutes after the threshold hit alert the learned rule will be deployed


Use this method to set minimum threshold to learn Content Type information.


Use this method to set minimum threshold in percent to learn Content Type information.


Use this method to set the number of minutes after the threshold hit alert the learned rule will be deployed


Use this method to set minimum number of application firewall sessions that the learning engine must observe to learn cookies.


Use this method to set minimum percentage of application firewall sessions that must contain a particular cookie pattern for the learning engine to learn that cookie.


Use this method to set minimum threshold to learn Credit Card information.


Use this method to set minimum threshold in percent to learn Credit Card information.


Use this method to set the number of minutes after the threshold hit alert the learned rule will be deployed


Use this method to set minimum number of application firewall sessions that the learning engine must observe to learn HTML cross-site scripting patterns.


Use this method to set minimum percentage of application firewall sessions that must contain a particular cross-site scripting pattern for the learning engine to learn that cross-site scripting pattern.


Use this method to set the number of minutes after the threshold hit alert the learned rule will be deployed


Use this method to set minimum number of application firewall sessions that the learning engine must observe to learn cross-site request forgery (CSRF) tags.


Use this method to set minimum percentage of application firewall sessions that must contain a particular CSRF tag for the learning engine to learn that CSRF tag.


Use this method to set the number of minutes after the threshold hit alert the learned rule will be deployed


Use this method to set minimum number of application firewall sessions that the learning engine must observe to learn field consistency information.


Use this method to set minimum percentage of application firewall sessions that must contain a particular field consistency pattern for the learning engine to learn that field consistency pattern.


Use this method to set the number of minutes after the threshold hit alert the learned rule will be deployed


Use this method to set minimum number of application firewall sessions that the learning engine must observe to learn field formats.


Use this method to set minimum percentage of application firewall sessions that must contain a particular web form field pattern for the learning engine to recommend a field format for that form field.


Use this method to set the number of minutes after the threshold hit alert the learned rule will be deployed


Use this method to set minimum number of application firewall sessions that the learning engine must observe to learn HTML SQL injection patterns.


Use this method to set minimum percentage of application firewall sessions that must contain a particular HTML SQL injection pattern for the learning engine to learn that HTML SQL injection pattern.


Use this method to set the number of minutes after the threshold hit alert the learned rule will be deployed


Use this method to set minimum number of application firewall sessions that the learning engine must observe to learn start URLs.


Use this method to set minimum percentage of application firewall sessions that must contain a particular start URL pattern for the learning engine to learn that start URL.


Use this method to set minimum number of application firewall sessions that the learning engine must observe to learn XML attachment patterns.


Use this method to set minimum percentage of application firewall sessions that must contain a particular XML attachment pattern for the learning engine to learn that XML attachment pattern.


Use this method to set minimum number of application firewall sessions that the learning engine must observe to learn web services interoperability (WSI) information.


Use this method to set minimum percentage of application firewall sessions that must contain a particular pattern for the learning engine to learn a web services interoperability (WSI) pattern.


Use this method to set any comments to preserve information about the policy for later reference.


Use this method to set where to log information for connections that match this policy.


Use this method to set name of the application firewall profile to use if the policy matches.


Use this method to set name of the Citrix ADC named rule, or a Citrix ADC expression, that the policy uses to determine whether to filter the connection through the application firewall with the designated profile.


Use this method to set whether HttpOnly and Secure flags are added to cookies.


Use this method to set name of the API Specification.


Use this method to set block Keyword action. Available settings function as follows:
* Block - Block connections that violate this security check.
* Log - Log violations of this security check.
* Stats - Generate statistics for this security check.
* None - Disable all actions for this security check.

CLI users: To enable one or more actions, type "set appfw profile -blockKeywordAction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -blockKeywordAction none".


Use this method to set one or more Buffer Overflow actions. Available settings function as follows:
* Block - Block connections that violate this security check.
* Log - Log violations of this security check.
* Stats - Generate statistics for this security check.
* None - Disable all actions for this security check.

CLI users: To enable one or more actions, type "set appfw profile -bufferOverflowAction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -bufferOverflowAction none".


Use this method to set maximum length, in characters, for cookies sent to your protected web sites. Requests with longer cookies are blocked.


Use this method to set maximum length, in characters, for HTTP headers in requests sent to your protected web sites. Requests with longer headers are blocked.


Use this method to set maximum length, in bytes, for query string sent to your protected web sites. Requests with longer query strings are blocked.


Use this method to set maximum length, in bytes, for the total HTTP header length in requests sent to your protected web sites. The minimum value of this and maxHeaderLen in httpProfile will be used. Requests with longer length are blocked.


Use this method to set maximum length, in characters, for URLs on your protected web sites. Requests with longer URLs are blocked.


Use this method to set whether the bypass list is enabled for the profile.


Use this method to set whether HTML entity encoding is performed for any special characters in responses sent by your protected web sites.


Use this method to set whether CEF format logs are enabled for the profile.


Use this method to set whether request headers, as well as web forms, are checked for injected SQL and cross-site scripts.


Use this method to set expression to get the client IP.


Use this method to set method injection action. Available settings function as follows:
* Block - Block connections that violate this security check.
* Log - Log violations of this security check.
* Stats - Generate statistics for this security check.
* None - Disable all actions for this security check.

CLI users: To enable one or more actions, type "set appfw profile -cmdInjectionAction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -cmdInjectionAction none".


Use this method to set whether to check for CMD injection using CMD grammar.


Use this method to set the available CMD injection types. Available settings function as follows:
* CMDSplChar - Checks for CMD special characters.
* CMDKeyword - Checks for CMD keywords.
* CMDSplCharANDKeyword - Checks for both and blocks if both are found.
* CMDSplCharORKeyword - Checks for both and blocks if either is found.
* None - Disables checking using both CMD special characters and keywords.


Use this method to set any comments about the purpose of profile, or other useful information about the profile.


Use this method to set one or more Content-type actions. Available settings function as follows:
* Block - Block connections that violate this security check.
* Learn - Use the learning engine to generate a list of exceptions to this security check.
* Log - Log violations of this security check.
* Stats - Generate statistics for this security check.
* None - Disable all actions for this security check.

CLI users: To enable one or more actions, type "set appfw profile -contentTypeaction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -contentTypeaction none".


Use this method to set one or more Cookie Consistency actions. Available settings function as follows:
* Block - Block connections that violate this security check.
* Learn - Use the learning engine to generate a list of exceptions to this security check.
* Log - Log violations of this security check.
* Stats - Generate statistics for this security check.
* None - Disable all actions for this security check.

CLI users: To enable one or more actions, type "set appfw profile -cookieConsistencyAction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -cookieConsistencyAction none".


Use this method to set type of cookie encryption. Available settings function as follows:
* None - Do not encrypt cookies.
* Decrypt Only - Decrypt encrypted cookies, but do not encrypt cookies.
* Encrypt Session Only - Encrypt session cookies, but not permanent cookies.
* Encrypt All - Encrypt all cookies.


Use this method to set one or more actions to prevent cookie hijacking. Available settings function as follows:
* Block - Block connections that violate this security check.
* Log - Log violations of this security check.
* Stats - Generate statistics for this security check.
* None - Disable all actions for this security check.
NOTE: Cookie Hijacking feature is not supported for TLSv1.3

CLI users: To enable one or more actions, type "set appfw profile -cookieHijackingAction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -cookieHijackingAction none".


Use this method to set cookie proxy setting. Available settings function as follows:
* None - Do not proxy cookies.
* Session Only - Proxy session cookies by using the Citrix ADC session ID, but do not proxy permanent cookies.


Use this method to set the cookie SameSite attribute, added to support adding the cookie SameSite attribute for all set-cookies, including appfw session cookies. Default value will be "SameSite=Lax".


Use this method to set whether the specified type of cookie transformation is performed.
Available settings function as follows:
* Encryption - Encrypt cookies.
* Proxying - Mask contents of server cookies by sending proxy cookie to users.
* Cookie flags - Flag cookies as HTTP only to prevent scripts on user's browser from accessing and possibly modifying them.
CAUTION: Make sure that this parameter is set to ON if you are configuring any cookie transformations. If it is set to OFF, no cookie transformations are performed regardless of any other settings.


Use this method to set credit card types that the application firewall should protect.


Use this method to set one or more Credit Card actions. Available settings function as follows:
* Block - Block connections that violate this security check.
* Log - Log violations of this security check.
* Stats - Generate statistics for this security check.
* None - Disable all actions for this security check.

CLI users: To enable one or more actions, type "set appfw profile -creditCardAction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -creditCardAction none".


Use this method to set the parameter value used by the block action. It represents the maximum number of credit card numbers that can appear on a web page served by your protected web sites. Pages that contain more credit card numbers are blocked.


Use this method to set whether any credit card number detected in a response is masked by replacing each digit, except the digits in the final group, with the letter "X".


Use this method to set one or more Cross-Site Scripting (XSS) actions. Available settings function as follows:
* Block - Block connections that violate this security check.
* Learn - Use the learning engine to generate a list of exceptions to this security check.
* Log - Log violations of this security check.
* Stats - Generate statistics for this security check.
* None - Disable all actions for this security check.

CLI users: To enable one or more actions, type "set appfw profile -crossSiteScriptingAction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -crossSiteScriptingAction none".


Use this method to set whether complete URLs are checked for cross-site scripts, instead of just the query portions of URLs.


Use this method to set whether cross-site scripts are transformed. This setting configures the application firewall to disable dangerous HTML instead of blocking the request.
CAUTION: Make sure that this parameter is set to ON if you are configuring any cross-site scripting transformations. If it is set to OFF, no cross-site scripting transformations are performed regardless of any other settings.


Use this method to set one or more Cross-Site Request Forgery (CSRF) Tagging actions. Available settings function as follows:
* Block - Block connections that violate this security check.
* Learn - Use the learning engine to generate a list of exceptions to this security check.
* Log - Log violations of this security check.
* Stats - Generate statistics for this security check.
* None - Disable all actions for this security check.

CLI users: To enable one or more actions, type "set appfw profile -CSRFTagAction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -CSRFTagAction none".


Use this method to set object name for custom settings.
This check is applicable to Profile Type: HTML, XML.
NOTE: This attribute is deprecated.
Changed CLI methods for Appfw "customSettings" to "signatures"


Use this method to set default character set for protected web pages. Web pages sent by your protected web sites in response to user requests are assigned this character set if the page does not already specify a character set. The character sets supported by the application firewall are:
* iso-8859-1 (English US)
* big5 (Chinese Traditional)
* gb2312 (Chinese Simplified)
* sjis (Japanese Shift-JIS)
* euc-jp (Japanese EUC-JP)
* iso-8859-9 (Turkish)
* utf-8 (Unicode)
* euc-kr (Korean)


Use this method to set maximum length, in characters, for data entered into a field that is assigned the default field type.


Use this method to set the maximum allowed occurrences of the form field name in a request.


Use this method to set minimum length, in characters, for data entered into a field that is assigned the default field type.
To disable the minimum and maximum length settings and allow data of any length to be entered into the field, set this parameter to zero (0).


Use this method to set the default field type to be applied to web form fields that do not have a field type explicitly assigned to them.


Use this method to set whether the deny list is enabled for the profile.


Use this method to set one or more Deny URL actions. Available settings function as follows:
* Block - Block connections that violate this security check.
* Log - Log violations of this security check.
* Stats - Generate statistics for this security check.
* None - Disable all actions for this security check.

NOTE: The Deny URL check takes precedence over the Start URL check. If you enable blocking for the Deny URL check, the application firewall blocks any URL that is explicitly blocked by a Deny URL, even if the same URL would otherwise be allowed by the Start URL check.

CLI users: To enable one or more actions, type "set appfw profile -denyURLaction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -denyURLaction none".


Use this method to set whether credit card numbers in the response are logged when a match is found.


Use this method to set one or more security checks. Available options are as follows:
* SQLInjection - Enable dynamic learning for SQLInjection security check.
* CrossSiteScripting - Enable dynamic learning for CrossSiteScripting security check.
* fieldFormat - Enable dynamic learning for fieldFormat security check.
* None - Disable security checks for all security checks.

CLI users: To enable dynamic learning on one or more security checks, type "set appfw profile -dynamicLearning" followed by the security checks to be enabled. To turn off dynamic learning on all security checks, type "set appfw profile -dynamicLearning none".


Use this method to set whether tagging of web form fields is enabled for use by the Form Field Consistency and CSRF Form Tagging checks.


Use this method to set the URL that the application firewall uses as the Error URL.


Use this method to set whether uploaded files are excluded from Form checks.


Use this method to set whether URLs that pass the Start URL closure check are exempt from SQL injection, cross-site script, field format and field consistency security checks at locations other than headers.


Use this method to set the fake account detection flag: ON/OFF. If set to ON, fake account detection is enabled on ADC; if set to OFF, fake account detection is disabled.


Use this method to set one or more Form Field Consistency actions. Available settings function as follows:
* Block - Block connections that violate this security check.
* Learn - Use the learning engine to generate a list of exceptions to this security check.
* Log - Log violations of this security check.
* Stats - Generate statistics for this security check.
* None - Disable all actions for this security check.

CLI users: To enable one or more actions, type "set appfw profile -fieldConsistencyaction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -fieldConsistencyAction none".


Use this method to set one or more Field Format actions. Available settings function as follows:
* Block - Block connections that violate this security check.
* Learn - Use the learning engine to generate a list of suggested web form fields and field format assignments.
* Log - Log violations of this security check.
* Stats - Generate statistics for this security check.
* None - Disable all actions for this security check.

CLI users: To enable one or more actions, type "set appfw profile -fieldFormatAction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -fieldFormatAction none".


Use this method to set whether formfield limit scan is ON or OFF.


Use this method to set Field scan limit value for HTML


Use this method to set maximum allowed number of file uploads per form-submission request. The maximum setting (65535) allows an unlimited number of uploads.


Use this method to set one or more file upload types actions. Available settings function as follows:
* Block - Block connections that violate this security check.
* Log - Log violations of this security check.
* Stats - Generate statistics for this security check.
* None - Disable all actions for this security check.

CLI users: To enable one or more actions, type "set appfw profile -fileUploadTypeAction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -fileUploadTypeAction none".


Use this method to set whether Geo-Location Logging is enabled in CEF format logs for the profile.


Use this method to set gRPC validation


Use this method to set name to assign to the HTML Error Object.
Must begin with a letter, number, or the underscore character (_), and must contain only letters, numbers, and the hyphen (-), period (.), pound (#), space ( ), at (@), equals (=), colon (:), and underscore characters. Cannot be changed after the HTML error object is added.

The following requirement applies only to the Citrix ADC CLI:
If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, "my HTML error object" or 'my HTML error object').


Use this method to set response status code associated with HTML error page. Non-empty HTML error object must be imported to the application firewall profile for the status code.


Use this method to set response status message associated with HTML error page


Use this method to set one or more infer content type payload actions. Available settings function as follows:
* Block - Block connections that have mismatch in content-type header and payload.
* Log - Log connections that have mismatch in content-type header and payload. The mismatched content-type in HTTP request header will be logged for the request.
* Stats - Generate statistics when there is mismatch in content-type header and payload.
* None - Disable all actions for this security check.

CLI users: To enable one or more actions, type "set appfw profile -inferContentTypeXMLPayloadAction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -inferContentTypeXMLPayloadAction none". Please note "none" action cannot be used with any other action type.


Use this method to configure whether the application firewall should add the SameSite attribute for set-cookies.


Use this method to set one or more InspectContentType lists.
* application/x-www-form-urlencoded
* multipart/form-data
* text/x-gwt-rpc

CLI users: To enable, type "set appfw profile -InspectContentTypes" followed by the content types to be inspected.


Use this method to inspect the request query as well as web forms for injected SQL and cross-site scripts for the following content types.


Use this method to configure the method that the application firewall uses to handle percent-encoded names and values. Available settings function as follows:
* asp_mode - Microsoft ASP format.
* secure_mode - Secure format.


Use this method to set the JSON Block Keyword action. Available settings function as follows:
* Block - Block connections that violate this security check.
* Log - Log violations of this security check.
* Stats - Generate statistics for this security check.
* None - Disable all actions for this security check.

CLI users: To enable one or more actions, type "set appfw profile -JSONBlockKeywordAction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -JSONBlockKeywordAction none".


Use this method to set one or more JSON CMD Injection actions. Available settings function as follows:
* Block - Block connections that violate this security check.
* Log - Log violations of this security check.
* Stats - Generate statistics for this security check.
* None - Disable all actions for this security check.

CLI users: To enable one or more actions, type "set appfw profile -JSONCMDInjectionAction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -JSONCMDInjectionAction none".


Use this method to set the check for CMD injection using CMD grammar in JSON.


Use this method to set the available CMD injection types:
* CMDSplChar - Checks for CMD special characters.
* CMDKeyword - Checks for CMD keywords.
* CMDSplCharANDKeyword - Checks for both and blocks if both are found.
* CMDSplCharORKeyword - Checks for both and blocks if either one is found.
* None - Disables checking using both SQL Special Char and Keyword.


Use this method to set one or more JSON Denial-of-Service (JsonDoS) actions. Available settings function as follows:
* Block - Block connections that violate this security check.
* Log - Log violations of this security check.
* Stats - Generate statistics for this security check.
* None - Disable all actions for this security check.

CLI users: To enable one or more actions, type "set appfw profile -JSONDoSAction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -JSONDoSAction none".


Use this method to set the name of the imported JSON error object to be set on the application firewall profile.

The following requirement applies only to the Citrix ADC CLI:
If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, "my JSON error object" or 'my JSON error object').


Use this method to set the response status code associated with the JSON error page. A non-empty JSON error object must be imported to the application firewall profile for the status code.


Use this method to set the response status message associated with the JSON error page.


Use this method to set whether the JSON field limit scan is ON or OFF.


Use this method to set the field scan limit value for JSON.


Use this method to set whether the JSON message limit scan is ON or OFF.


Use this method to set the message scan limit value for JSON.


Use this method to set one or more JSON SQL Injection actions. Available settings function as follows:
* Block - Block connections that violate this security check.
* Log - Log violations of this security check.
* Stats - Generate statistics for this security check.
* None - Disable all actions for this security check.

CLI users: To enable one or more actions, type "set appfw profile -JSONSQLInjectionAction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -JSONSQLInjectionAction none".


Use this method to set the check for SQL injection using SQL grammar in JSON.


Use this method to set the available SQL injection types:
* SQLSplChar - Checks for SQL special characters.
* SQLKeyword - Checks for SQL keywords.
* SQLSplCharANDKeyword - Checks for both and blocks if both are found.
* SQLSplCharORKeyword - Checks for both and blocks if either one is found.
* None - Disables checking using both SQL Special Char and Keyword.


Use this method to set one or more JSON Cross-Site Scripting actions. Available settings function as follows:
* Block - Block connections that violate this security check.
* Log - Log violations of this security check.
* Stats - Generate statistics for this security check.
* None - Disable all actions for this security check.

CLI users: To enable one or more actions, type "set appfw profile -JSONXssAction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -JSONXssAction none".


Use this method to log every profile match, regardless of the security check results.


Use this method to set whether the HTML message limit scan is ON or OFF.


Use this method to set the message scan limit value for HTML.


Use this method to enable Message Scan Limit for the following content types.


Use this method to set one or more multiple header actions. Available settings function as follows:
* Block - Block connections that have multiple headers.
* Log - Log connections that have multiple headers.
* KeepLast - Keep only the last header when multiple headers are present.

Request headers inspected:
* Accept-Encoding
* Content-Encoding
* Content-Range
* Content-Type
* Host
* Range
* Referer

CLI users: To enable one or more actions, type "set appfw profile -multipleHeaderAction" followed by the actions to be enabled.


Use this method to optimize the handling of HTTP partial requests, that is, those with Range headers.
Available settings are as follows:
* ON - Partial requests by the client result in partial requests to the backend server in most cases.
* OFF - Partial requests by the client are changed to full requests to the backend server.


Use this method to configure whether the application firewall should use percentage recursive decoding.


Use this method to set the maximum allowed HTTP post body size, in bytes. The maximum supported value is 10GB. Citrix recommends enabling the streaming option for large values of the post body limit (>20MB).


Use this method to set one or more Post Body Limit actions. Available settings function as follows:
* Block - Block connections that violate this security check. Must always be set.
* Log - Log violations of this security check.
* Stats - Generate statistics for this security check.

CLI users: To enable one or more actions, type "set appfw profile -PostBodyLimitAction block" followed by the other actions to be enabled.


Use this method to set the maximum allowed HTTP post body size, in bytes, for signature inspection for the location HTTP_POST_BODY in the signatures. Note that changes to this value could impact the CPU and latency profile.


Use this method to set the name of the imported proto file.


Use this method to enable validation of Referer headers.
Referer validation ensures that a web form that a user sends to your web site originally came from your web site, not an outside attacker.
Although this parameter is part of the Start URL check, referer validation protects against cross-site request forgery (CSRF) attacks, not Start URL attacks.


Use this method to set the default Content-Type header for requests.
A Content-Type header can contain 0-255 letters, numbers, and the hyphen (-) and underscore (_) characters.


Use this method to set the default Content-Type header for responses.
A Content-Type header can contain 0-255 letters, numbers, and the hyphen (-) and underscore (_) characters.


Use this method to set REST validation.


Use this method to set the object name of the RFC profile.


Use this method to allow ';' as a form field separator in URL queries and POST form bodies.


Use this method to set the name of the session cookie that the application firewall uses to track user sessions.
Must begin with a letter or number, and can consist of from 1 to 31 letters, numbers, and the hyphen (-) and underscore (_) symbols.

The following requirement applies only to the Citrix ADC CLI:
If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, "my cookie name" or 'my cookie name').


Use this method to perform sessionless Field Consistency Checks.


Use this method to enable sessionless URL Closure Checks.
This check is applicable to Profile Type: HTML.


Use this method to set the object name for signatures.
This check is applicable to Profile Type: HTML, XML.


Use this method to set one or more HTML SQL Injection actions. Available settings function as follows:
* Block - Block connections that violate this security check.
* Learn - Use the learning engine to generate a list of exceptions to this security check.
* Log - Log violations of this security check.
* Stats - Generate statistics for this security check.
* None - Disable all actions for this security check.

CLI users: To enable one or more actions, type "set appfw profile -SQLInjectionAction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -SQLInjectionAction none".


Use this method to check for form fields that contain SQL wild chars.


Use this method to set the check for SQL injection using SQL grammar.


Use this method to check only form fields that contain SQL special strings (characters) for injected SQL code.
Most SQL servers require a special string to activate an SQL request, so SQL code without a special string is harmless to most SQL servers.
NOTE: This attribute is deprecated.
The same functionality is added to SQLInjectionType. Set SQLInjectionType to "SQLSplCharANDKeyword" to get the same result.


Use this method to parse HTML comments and exempt them from the HTML SQL Injection check. You must specify the type of comments that the application firewall is to detect and exempt from this security check. Available settings function as follows:
* Check all - Check all content.
* ANSI - Exempt content that is part of an ANSI (Mozilla-style) comment.
* Nested - Exempt content that is part of a nested (Microsoft-style) comment.
* ANSI Nested - Exempt content that is part of any type of comment.


Use this method to specify the SQL Injection rule type: ALLOW/DENY. If the ALLOW rule type is configured, allow list rules are used; if the DENY rule type is configured, deny rules are used.


Use this method to transform injected SQL code. This setting configures the application firewall to disable SQL special strings instead of blocking the request. Since most SQL servers require a special string to activate an SQL keyword, in most cases a request that contains injected SQL code is safe if special strings are disabled.
CAUTION: Make sure that this parameter is set to ON if you are configuring any SQL injection transformations. If it is set to OFF, no SQL injection transformations are performed regardless of any other settings.


Use this method to set the available SQL injection types:
* SQLSplChar - Checks for SQL special characters.
* SQLKeyword - Checks for SQL keywords.
* SQLSplCharANDKeyword - Checks for both and blocks if both are found.
* SQLSplCharORKeyword - Checks for both and blocks if either one is found.
* None - Disables checking using both SQL Special Char and Keyword.


Use this method to set one or more Start URL actions. Available settings function as follows:
* Block - Block connections that violate this security check.
* Learn - Use the learning engine to generate a list of exceptions to this security check.
* Log - Log violations of this security check.
* Stats - Generate statistics for this security check.
* None - Disable all actions for this security check.

CLI users: To enable one or more actions, type "set appfw profile -startURLaction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -startURLaction none".


Use this method to toggle the state of Start URL Closure.


Use this method to convert content-length form submission requests (requests with content-type "application/x-www-form-urlencoded" or "multipart/form-data") to chunked requests when at least one of the following protections is enabled: Signatures, SQL injection protection, XSS protection, form field consistency protection, starturl closure, CSRF tagging, JSON SQL, JSON XSS, JSON DOS. Make sure that the backend server accepts chunked requests before enabling this option. Citrix recommends enabling this option for large request sizes (>20MB).


Use this method to strip HTML comments.
This check is applicable to Profile Type: HTML.
NOTE: This attribute is deprecated.
Replaced by a new method that provides an option to exclude comments inside