ADC CLI Commands

appfw-profile

The following operations can be performed on “appfw-profile”:

stat set archive bind add restore unset rm unbind show

stat appfw profile

Displays statistics for the specified application firewall profile. If no profile is specified, displays abbreviated statistics for all profiles.

Synopsis

stat appfw profile [] [-detail] [-fullValues] [-ntimes ] [-logFile ] [-clearstats ( basic | full )]

Arguments

name Name of the application firewall profile.

detail Specifies detailed output (including more statistics). The output can be quite voluminous. Without this argument, the output will show only a summary.

fullValues Specifies that numbers and strings should be displayed in their full form. Without this option, long strings are shortened and large numbers are abbreviated

ntimes The number of times, in intervals of seven seconds, the statistics should be displayed. Default value: 1 Minimum value: 0

logFile The name of the log file to be used as input.

clearstats Clear the statsistics / counters

Possible values: basic, full

Output

count devno stateflag

Counters

requests (reqs) HTTP/HTTPS requests sent to your protected web servers via the Application Firewall.

Request Bytes (reqBytes) Number of bytes transfered for requests

responses (resps) HTTP/HTTPS responses sent by your protected web servers via the Application Firewall.

Response Bytes (resBytes) Number of bytes transfered for responses

aborts Incomplete HTTP/HTTPS requests aborted by the client before the Application Firewall could finish processing them.

redirects (redirect) HTTP/HTTPS requests redirected by the Application Firewall to a different Web page or web server. (HTTP 302)

Long Term Ave Response Time (ms) (longAvgRespTimePP) Average backend response time in milliseconds since reboot

Recent Ave Response Time (ms) (shortAvgRespTimePP) Average backend response time in milliseconds over the last 7 seconds

start URL (startURL) Number of Start URL security check violations seen by the Application Firewall.

deny URL (denyURL) Number of Deny URL security check violations seen by the Application Firewall.

referer header (refererHdr) Number of Referer Header security check violations seen by the Application Firewall.

buffer overflow (bufovfl) Number of Buffer Overflow security check violations seen by the Application Firewall.

Post Body Limit (postBodyLimit) Number of Post Body Limit security check violations seen by the Application Firewall.

cookie consistency (cookie) Number of Cookie Consistency security check violations seen by the Application Firewall.

cookie hijacking (cookiehijack) Number of Cookie Hijacking security violations seen by the Application Firewall.

CSRF form tag (csrf_tag) Number of Cross Site Request Forgery form tag security check violations seen by the Application Firewall.

HTML Cross-site scripting (xss) Number of HTML Cross-Site Scripting security check violations seen by the Application Firewall.

HTML SQL injection (sql) Number of HTML SQL Injection security check violations seen by the Application Firewall.

field format (fieldfmt) Number of Field Format security check violations seen by the Application Firewall.

field consistency (fieldcon) Number of Field Consistency security check violations seen by the Application Firewall.

credit card (ccard) Number of Credit Card security check violations seen by the Application Firewall.

safe object (safeobj) Number of Safe Object security check violations seen by the Application Firewall.

Signature Violations (sigs) Number of Signature violations seen by the Application Firewall.

content Type (contentType) Number of Content Type security check violations seen by the Application Firewall.

JSON Denial of Service (jsondosViolations) Number of JSON Denial-of-Service security check violations seen by the Application Firewall.

JSON SQL injection (jsonsqlViolations) Number of JSON SQL Injection security check violations seen by the Application Firewall.

JSON Cross-Site Scripting (jsonxssViolations) Number of JSON Cross-Site Scripting (XSS) security check violations seen by the Application Firewall.

JSON CMD injection (jsoncmdViolations) Number of JSON Command Injection security check violations seen by the Application Firewall.

File Upload Types (fileUploadTypes) Number of Field Upload Types security check violations seen by the Application Firewall.

Infer Content Type XML Payload (inferContentType) Number of Mismatched Content-Type in request with XML Payload security check violations seen by the Application Firewall.

HTML CMD Injection (cmd) Number of HTML Command Injection security check violations seen by the Application Firewall.

XML Format (wfcViolations) Number of XML Format security check violations seen by the Application Firewall.

XML Denial of Service (XDoS) (xdosViolations) Number of XML Denial-of-Service security check violations seen by the Application Firewall.

XML Message Validation (msgvalViolations) Number of XML Message Validation security check violations seen by the Application Firewall.

Web Services Interoperability (wsIViolations) Number of Web Services Interoperability (WS-I) security check violations seen by the Application Firewall.

XML SQL Injection (xmlSqlViolations) Number of XML SQL Injection security check violations seen by the Application Firewall.

XML Cross-Site Scripting (xmlXssViolations) Number of XML Cross-Site Scripting (XSS) security check violations seen by the Application Firewall.

XML Attachment (xmlAttachmentViolations) Number of XML Attachment security check violations seen by the Application Firewall.

SOAP Fault Violations (soapflt) Number of requests returning soap:fault from the backend server

XML Generic Violations (genflt) Number of requests returning XML generic violation from the backend server

HTML SQL injection (SQL grammar) (sqlgram) Number of HTML SQL Injection security check violations (reported by SQL grammar) seen by the Application Firewall.

JSON SQL injection (SQL grammar) (jsonsqlgramViolations) Number of JSON SQL Injection security check violations (reported by SQL grammar) seen by the Application Firewall.

Total Violations (totperpr) Number of violations seen by the application firewall on per profile basis

start URL logs (startURLLog) Number of Start URL security check log messages generated by the Application Firewall.

deny URL logs (denyURLLog) Number of Deny URL security check log messages generated by the Application Firewall.

referer header logs (refererHdrLog) Number of Referer Header security check log messages generated by the Application Firewall.

buffer overflow logs (bufovflLog) Number of Buffer Overflow security check log messages generated by the Application Firewall.

Post Body Limit Logs (postBodyLimitLogs) Number of Post Body Limit security check logs seen by the Application Firewall.

cookie consistency logs (cookieLog) Number of Cookie Consistency security check log messages generated by the Application Firewall.

cookie hijacking logs (cookiehijackLog) Number of Cookie Hijacking security violation log messages generated by the Application Firewall.

CSRF form tag logs (csrf_tagLog) Number of Cross Site Request Forgery form tag security check log messages generated by the Application Firewall.

HTML XSS logs (xssLog) Number of HTML Cross-Site Scripting security check log messages generated by the Application Firewall.

HTML XSS transform logs (xssXformLog) Number of HTML Cross-Site Scripting security check transform log messages generated by the Application Firewall.

HTML SQL Injection logs (sqlLog) Number of HTML SQL Injection security check log messages generated by the Application Firewall.

HTML SQL transform logs (sqlXformLog) Number of HTML SQL Injection security check transform log messages generated by the Application Firewall.

field format logs (fieldfmtLog) Number of Field Format security check log messages generated by the Application Firewall.

field consistency logs (fieldconLog) Number of Field Consistency security check log messages generated by the Application Firewall.

credit cards (ccardLog) Number of Credit Card security check log messages generated by the Application Firewall.

credit card transform logs (ccardXformLog) Number of Credit Card security check transform log messages generated by the Application Firewall.

safe object logs (safeobjLog) Number of Safe Object security check log messages generated by the Application Firewall.

Signature logs (sigs) Number of Signature log messages generated by the Application Firewall.

content Type logs (contenttypeLog) Number of Content type security check log messages generated by the Application Firewall.

JSON Denial of Service logs (jsondosLogs) Number of JSON Denial-of-Service security check log messages generated by the Application Firewall.

JSON SQL injection logs (jsonsqlLogs) Number of JSON SQL Injection security check log messages generated by the Application Firewall.

JSON Cross-Site Scripting logs (jsonxssLogs) Number of JSON Cross-Site Scripting (XSS) security check log messages generated by the Application Firewall.

JSON CMD injection logs (jsoncmdLogs) Number of JSON Command Injection security check log messages generated by the Application Firewall.

file upload types logs (fileUploadTypesLog) Number of File Upload Types security check log messages generated by the Application Firewall.

Infer Content Type XML Payload Logs (inferContentTypeXMLPayloadLog) Number of Mismatched Content-Type in request with XML Payload security check logs seen by the Application Firewall.

HTML Command Injection logs (cmdLog) Number of HTML Command Injection security check log messages generated by the Application Firewall.

XML Format logs (wfcLogs) Number of XML Format security check log messages generated by the Application Firewall.

XML Denial of Service(XDoS) logs (xdosLogs) Number of XML Denial-of-Service security check log messages generated by the Application Firewall.

XML Message Validation logs (msgvalLogs) Number of XML Message Validation security check log messages generated by the Application Firewall.

WSI logs (wsILogs) Number of Web Services Interoperability (WS-I) security check log messages generated by the Application Firewall.

XML SQL Injection logs (xmlSqlLogs) Number of XML SQL Injection security check log messages generated by the Application Firewall.

XML XSS logs (xmlXssLogs) Number of XML Cross-Site Scripting (XSS) security check log messages generated by the Application Firewall.

XML Attachment logs (xmlAttachmentLogs) Number of XML Attachment security check log messages generated by the Application Firewall.

SOAP Fault logs (soapfltLogs) Number of requests generating soap:fault log messages

XML Generic logs (genfltLog) Number of requests generating XML Generic log messages

HTML SQL Injection logs (SQL grammar) (sqlGramLog) Number of HTML SQL Injection security check log messages (reported by SQL grammar) generated by the Application Firewall.

JSON SQL injection logs (SQL grammar) (jsonsqlGramLogs) Number of JSON SQL Injection security check log messages (reported by SQL grammar) generated by the Application Firewall.

Total log messages (totlogperpr) Number of log messages generated by the application firewall on per profile basis

HTTP Client Errors (4xx Resp) (4xxResps) Number of requests returning HTTP 4xx from the backend server

HTTP Server Errors (5xx Resp) (5xxResps) Number of requests returning HTTP 5xx from the backend server

Example

stat appfw profile

set appfw profile

Modifies the specified parameters of the specified application firewall profile.

Synopsis

set appfw profile [-startURLAction ...] [-inferContentTypeXmlPayloadAction ...] [-contentTypeAction ...] [-inspectContentTypes ...] [-startURLClosure ( ON | OFF )] [-denyURLAction ...] [-RefererHeaderCheck ] [-cookieConsistencyAction ...] [-cookieHijackingAction ...] [-cookieTransforms ( ON | OFF )] [-cookieEncryption ] [-cookieProxying ( none | sessionOnly )] [-addCookieFlags ] [-fieldConsistencyAction ...] [-CSRFtagAction ...] [-crossSiteScriptingAction ...] [-crossSiteScriptingTransformUnsafeHTML ( ON | OFF )] [-crossSiteScriptingCheckCompleteURLs ( ON | OFF )] [-SQLInjectionAction ...] [-CMDInjectionAction ...] [-CMDInjectionType ] [-SQLInjectionTransformSpecialChars ( ON | OFF )] [-SQLInjectionType ] [-SQLInjectionCheckSQLWildChars ( ON | OFF )] [-SQLInjectionGrammar ( ON | OFF )] [-fieldFormatAction ...] [-defaultFieldFormatType ] [-defaultFieldFormatMinLength ] [-defaultFieldFormatMaxLength ] [-bufferOverflowAction ...] [-bufferOverflowMaxURLLength ] [-bufferOverflowMaxHeaderLength ] [-bufferOverflowMaxCookieLength ] [-bufferOverflowMaxQueryLength ] [-bufferOverflowMaxTotalHeaderLength ] [-creditCardAction ...] [-creditCard ...] [-creditCardMaxAllowed ] [-creditCardXOut ( ON | OFF )] [-doSecureCreditCardLogging ( ON | OFF )] [-streaming ( ON | OFF )] [-trace ( ON | OFF )] [-requestContentType ] [-responseContentType ] [-JSONErrorObject ] [-JSONErrorStatusCode ] [-JSONErrorStatusMessage ] [-JSONDoSAction ...] [-JSONSQLInjectionAction ...] [-JSONSQLInjectionType ] [-JSONSQLInjectionGrammar ( ON | OFF )] [-JSONCMDInjectionAction ...] [-JSONCMDInjectionType ] [-JSONXSSAction ...] [-XMLDoSAction ...] [-XMLFormatAction ...] [-XMLSQLInjectionAction ...] [-XMLSQLInjectionType ] [-XMLSQLInjectionCheckSQLWildChars ( ON | OFF )] [-XMLSQLInjectionParseComments ] [-XMLXSSAction ...] [-XMLWSIAction ...] [-XMLAttachmentAction ...] [-XMLValidationAction ...] [-XMLErrorObject ] [-XMLErrorStatusCode ] [-XMLErrorStatusMessage ] [-signatures ] [-XMLSOAPFaultAction ...] [-useHTMLErrorObject ( ON | OFF )] [-errorURL ] [-HTMLErrorObject ] [-HTMLErrorStatusCode ] [-HTMLErrorStatusMessage ] [-logEveryPolicyHit ( ON | OFF )] [-stripHtmlComments ] [-stripXmlComments ( none | all )] [-dynamicLearning ...] [-exemptClosureURLsFromSecurityChecks ( ON | OFF )] [-defaultCharSet ] [-postBodyLimit ] [-postBodyLimitAction ...] [-postBodyLimitSignature ] [-fileUploadMaxNum ] [-canonicalizeHTMLResponse ( ON | OFF )] [-enableFormTagging ( ON | OFF )] [-sessionlessFieldConsistency ] [-sessionlessURLClosure ( ON | OFF )] [-semicolonFieldSeparator ( ON | OFF )] [-excludeFileUploadFromChecks ( ON | OFF )] [-SQLInjectionParseComments ] [-invalidPercentHandling ] [-type ...] [-checkRequestHeaders ( ON | OFF )] [-inspectQueryContentTypes ...] [-optimizePartialReqs ( ON | OFF )] [-URLDecodeRequestCookies ( ON | OFF )] [-comment ] [-percentDecodeRecursively ( ON | OFF )] [-multipleHeaderAction ...] [-rfcprofile ] [-fileUploadTypesAction ...] [-verboseLogLevel ] [-insertCookieSameSiteAttribute ( ON | OFF )] [-cookieSameSiteAttribute ] [-SQLInjectionRuleType ( ALLOW | DENY )]

Arguments

name Name of the profile that you want to modify.

startURLAction One or more Start URL actions. Available settings function as follows:

  • Block - Block connections that violate this security check.
  • Learn - Use the learning engine to generate a list of exceptions to this security check.
  • Log - Log violations of this security check.
  • Stats - Generate statistics for this security check.
  • None - Disable all actions for this security check.

CLI users: To enable one or more actions, type “set appfw profile -startURLaction” followed by the actions to be enabled. To turn off all actions, type “set appfw profile -startURLaction none”. Default value: AS_DEFAULT_DISPOSITION

inferContentTypeXmlPayloadAction One or more infer content type payload actions. Available settings function as follows:

  • Block - Block connections that have mismatch in content-type header and payload.
  • Log - Log connections that have mismatch in content-type header and payload. The mismatched content-type in HTTP request header will be logged for the request.
  • Stats - Generate statistics when there is mismatch in content-type header and payload.
  • None - Disable all actions for this security check.

CLI users: To enable one or more actions, type “set appfw profile -inferContentTypeXMLPayloadAction” followed by the actions to be enabled. To turn off all actions, type “set appfw profile -inferContentTypeXMLPayloadAction none”. Please note “none” action cannot be used with any other action type. Default value: AS_INFER_CONTENT_TYPE_XML_PAYLOAD_DEFAULT_DISPOSITION

contentTypeAction One or more Content-type actions. Available settings function as follows:

  • Block - Block connections that violate this security check.
  • Learn - Use the learning engine to generate a list of exceptions to this security check.
  • Log - Log violations of this security check.
  • Stats - Generate statistics for this security check.
  • None - Disable all actions for this security check.

CLI users: To enable one or more actions, type “set appfw profile -contentTypeaction” followed by the actions to be enabled. To turn off all actions, type “set appfw profile -contentTypeaction none”. Default value: AS_DEFAULT_CONTENT_TYPE_DISPOSITION

inspectContentTypes One or more InspectContentType lists.

  • application/x-www-form-urlencoded
  • multipart/form-data
  • text/x-gwt-rpc

CLI users: To enable, type “set appfw profile -InspectContentTypes” followed by the content types to be inspected. Default value: AS_DEFAULT_INSPECTION_CONTENT_TYPE

startURLClosure Toggle the state of Start URL Closure.

Possible values: ON, OFF Default value: OFF

denyURLAction One or more Deny URL actions. Available settings function as follows:

  • Block - Block connections that violate this security check.
  • Log - Log violations of this security check.
  • Stats - Generate statistics for this security check.
  • None - Disable all actions for this security check.

NOTE: The Deny URL check takes precedence over the Start URL check. If you enable blocking for the Deny URL check, the application firewall blocks any URL that is explicitly blocked by a Deny URL, even if the same URL would otherwise be allowed by the Start URL check.

CLI users: To enable one or more actions, type “set appfw profile -denyURLaction” followed by the actions to be enabled. To turn off all actions, type “set appfw profile -denyURLaction none”. Default value: AS_DEFAULT_DISPOSITION

RefererHeaderCheck Enable validation of Referer headers. Referer validation ensures that a web form that a user sends to your web site originally came from your web site, not an outside attacker. Although this parameter is part of the Start URL check, referer validation protects against cross-site request forgery (CSRF) attacks, not Start URL attacks.

Possible values: OFF, if_present, AlwaysExceptStartURLs, AlwaysExceptFirstRequest Default value: OFF

cookieConsistencyAction One or more Cookie Consistency actions. Available settings function as follows:

  • Block - Block connections that violate this security check.
  • Learn - Use the learning engine to generate a list of exceptions to this security check.
  • Log - Log violations of this security check.
  • Stats - Generate statistics for this security check.
  • None - Disable all actions for this security check.

CLI users: To enable one or more actions, type “set appfw profile -cookieConsistencyAction” followed by the actions to be enabled. To turn off all actions, type “set appfw profile -cookieConsistencyAction none”. Default value: none

cookieHijackingAction One or more actions to prevent cookie hijacking. Available settings function as follows:

  • Block - Block connections that violate this security check.
  • Log - Log violations of this security check.
  • Stats - Generate statistics for this security check.
  • None - Disable all actions for this security check. NOTE: Cookie Hijacking feature is not supported for TLSv1.3

CLI users: To enable one or more actions, type “set appfw profile -cookieHijackingAction” followed by the actions to be enabled. To turn off all actions, type “set appfw profile -cookieHijackingAction none”. Default value: none

cookieTransforms Perform the specified type of cookie transformation. Available settings function as follows:

  • Encryption - Encrypt cookies.
  • Proxying - Mask contents of server cookies by sending proxy cookie to users.
  • Cookie flags - Flag cookies as HTTP only to prevent scripts on user’s browser from accessing and possibly modifying them. CAUTION: Make sure that this parameter is set to ON if you are configuring any cookie transformations. If it is set to OFF, no cookie transformations are performed regardless of any other settings.

Possible values: ON, OFF

cookieEncryption Type of cookie encryption. Available settings function as follows:

  • None - Do not encrypt cookies.
  • Decrypt Only - Decrypt encrypted cookies, but do not encrypt cookies.
  • Encrypt Session Only - Encrypt session cookies, but not permanent cookies.
  • Encrypt All - Encrypt all cookies.

Possible values: none, decryptOnly, encryptSessionOnly, encryptAll Default value: none

cookieProxying Cookie proxy setting. Available settings function as follows:

  • None - Do not proxy cookies.
  • Session Only - Proxy session cookies by using the Citrix ADC session ID, but do not proxy permanent cookies.

Possible values: none, sessionOnly Default value: none

addCookieFlags Add HttpOnly and Secure flags to cookies

Possible values: none, httpOnly, secure, all Default value: none

fieldConsistencyAction One or more Form Field Consistency actions. Available settings function as follows:

  • Block - Block connections that violate this security check.
  • Learn - Use the learning engine to generate a list of exceptions to this security check.
  • Log - Log violations of this security check.
  • Stats - Generate statistics for this security check.
  • None - Disable all actions for this security check.

CLI users: To enable one or more actions, type “set appfw profile -fieldConsistencyaction” followed by the actions to be enabled. To turn off all actions, type “set appfw profile -fieldConsistencyAction none”. Default value: none

CSRFtagAction One or more Cross-Site Request Forgery (CSRF) Tagging actions. Available settings function as follows:

  • Block - Block connections that violate this security check.
  • Learn - Use the learning engine to generate a list of exceptions to this security check.
  • Log - Log violations of this security check.
  • Stats - Generate statistics for this security check.
  • None - Disable all actions for this security check.

CLI users: To enable one or more actions, type “set appfw profile -CSRFTagAction” followed by the actions to be enabled. To turn off all actions, type “set appfw profile -CSRFTagAction none”. Default value: none

crossSiteScriptingAction One or more Cross-Site Scripting (XSS) actions. Available settings function as follows:

  • Block - Block connections that violate this security check.
  • Learn - Use the learning engine to generate a list of exceptions to this security check.
  • Log - Log violations of this security check.
  • Stats - Generate statistics for this security check.
  • None - Disable all actions for this security check.

CLI users: To enable one or more actions, type “set appfw profile -crossSiteScriptingAction” followed by the actions to be enabled. To turn off all actions, type “set appfw profile -crossSiteScriptingAction none”. Default value: AS_DEFAULT_DISPOSITION

crossSiteScriptingTransformUnsafeHTML Transform cross-site scripts. This setting configures the application firewall to disable dangerous HTML instead of blocking the request. CAUTION: Make sure that this parameter is set to ON if you are configuring any cross-site scripting transformations. If it is set to OFF, no cross-site scripting transformations are performed regardless of any other settings.

Possible values: ON, OFF

crossSiteScriptingCheckCompleteURLs Check complete URLs for cross-site scripts, instead of just the query portions of URLs.

Possible values: ON, OFF

SQLInjectionAction One or more HTML SQL Injection actions. Available settings function as follows:

  • Block - Block connections that violate this security check.
  • Learn - Use the learning engine to generate a list of exceptions to this security check.
  • Log - Log violations of this security check.
  • Stats - Generate statistics for this security check.
  • None - Disable all actions for this security check.

CLI users: To enable one or more actions, type “set appfw profile -SQLInjectionAction” followed by the actions to be enabled. To turn off all actions, type “set appfw profile -SQLInjectionAction none”. Default value: AS_DEFAULT_DISPOSITION

CMDInjectionAction Command injection action. Available settings function as follows:

  • Block - Block connections that violate this security check.
  • Log - Log violations of this security check.
  • Stats - Generate statistics for this security check.
  • None - Disable all actions for this security check.

CLI users: To enable one or more actions, type “set appfw profile -cmdInjectionAction” followed by the actions to be enabled. To turn off all actions, type “set appfw profile -cmdInjectionAction none”. Default value: none

CMDInjectionType Available CMD injection types. -CMDSplChar : Checks for CMD Special Chars -CMDKeyword : Checks for CMD Keywords -CMDSplCharANDKeyword : Checks for both and blocks if both are found -CMDSplCharORKeyword : Checks for both and blocks if anyone is found

Possible values: CMDSplChar, CMDKeyword, CMDSplCharORKeyword, CMDSplCharANDKeyword Default value: CMDSplCharANDKeyword

SQLInjectionTransformSpecialChars Transform injected SQL code. This setting configures the application firewall to disable SQL special strings instead of blocking the request. Since most SQL servers require a special string to activate an SQL keyword, in most cases a request that contains injected SQL code is safe if special strings are disabled. CAUTION: Make sure that this parameter is set to ON if you are configuring any SQL injection transformations. If it is set to OFF, no SQL injection transformations are performed regardless of any other settings.

Possible values: ON, OFF

SQLInjectionType Available SQL injection types. -SQLSplChar : Checks for SQL Special Chars -SQLKeyword : Checks for SQL Keywords -SQLSplCharANDKeyword : Checks for both and blocks if both are found -SQLSplCharORKeyword : Checks for both and blocks if anyone is found -None : Disables checking using both SQL Special Char and Keyword

Possible values: SQLSplChar, SQLKeyword, SQLSplCharORKeyword, SQLSplCharANDKeyword, None

SQLInjectionCheckSQLWildChars Check for form fields that contain SQL wild chars .

Possible values: ON, OFF

SQLInjectionGrammar Check for SQL injection using SQL grammar

Possible values: ON, OFF Default value: OFF

fieldFormatAction One or more Field Format actions. Available settings function as follows:

  • Block - Block connections that violate this security check.
  • Learn - Use the learning engine to generate a list of suggested web form fields and field format assignments.
  • Log - Log violations of this security check.
  • Stats - Generate statistics for this security check.
  • None - Disable all actions for this security check.

CLI users: To enable one or more actions, type “set appfw profile -fieldFormatAction” followed by the actions to be enabled. To turn off all actions, type “set appfw profile -fieldFormatAction none”. Default value: AS_DEFAULT_DISPOSITION

defaultFieldFormatType Designate a default field type to be applied to web form fields that do not have a field type explicitly assigned to them.

defaultFieldFormatMinLength Minimum length, in characters, for data entered into a field that is assigned the default field type. To disable the minimum and maximum length settings and allow data of any length to be entered into the field, set this parameter to zero (0). Default value: 0 Minimum value: 0 Maximum value: 2147483647

defaultFieldFormatMaxLength Maximum length, in characters, for data entered into a field that is assigned the default field type. Default value: 65535 Minimum value: 1 Maximum value: 2147483647

bufferOverflowAction One or more Buffer Overflow actions. Available settings function as follows:

  • Block - Block connections that violate this security check.
  • Log - Log violations of this security check.
  • Stats - Generate statistics for this security check.
  • None - Disable all actions for this security check.

CLI users: To enable one or more actions, type “set appfw profile -bufferOverflowAction” followed by the actions to be enabled. To turn off all actions, type “set appfw profile -bufferOverflowAction none”. Default value: AS_DEFAULT_DISPOSITION

bufferOverflowMaxURLLength Maximum length, in characters, for URLs on your protected web sites. Requests with longer URLs are blocked. Default value: 1024 Minimum value: 0 Maximum value: 65535

bufferOverflowMaxHeaderLength Maximum length, in characters, for HTTP headers in requests sent to your protected web sites. Requests with longer headers are blocked. Default value: 4096 Minimum value: 0 Maximum value: 65535

bufferOverflowMaxCookieLength Maximum length, in characters, for cookies sent to your protected web sites. Requests with longer cookies are blocked. Default value: 4096 Minimum value: 0 Maximum value: 65535

bufferOverflowMaxQueryLength Maximum length, in bytes, for query string sent to your protected web sites. Requests with longer query strings are blocked. Default value: 65535 Minimum value: 0 Maximum value: 65535

bufferOverflowMaxTotalHeaderLength Maximum length, in bytes, for the total HTTP header length in requests sent to your protected web sites. The minimum value of this and maxHeaderLen in httpProfile will be used. Requests with longer length are blocked. Default value: 65535 Minimum value: 0 Maximum value: 65535

creditCardAction One or more Credit Card actions. Available settings function as follows:

  • Block - Block connections that violate this security check.
  • Log - Log violations of this security check.
  • Stats - Generate statistics for this security check.
  • None - Disable all actions for this security check.

CLI users: To enable one or more actions, type “set appfw profile -creditCardAction” followed by the actions to be enabled. To turn off all actions, type “set appfw profile -creditCardAction none”. Default value: none

creditCard Credit card types that the application firewall should protect. Default value: none

creditCardMaxAllowed This parameter value is used by the block action. It represents the maximum number of credit card numbers that can appear on a web page served by your protected web sites. Pages that contain more credit card numbers are blocked. Minimum value: 0 Maximum value: 255

creditCardXOut Mask any credit card number detected in a response by replacing each digit, except the digits in the final group, with the letter “X.”

Possible values: ON, OFF

doSecureCreditCardLogging Setting this option logs credit card numbers in the response when the match is found.

Possible values: ON, OFF

streaming Setting this option converts content-length form submission requests (requests with content-type “application/x-www-form-urlencoded” or “multipart/form-data”) to chunked requests when atleast one of the following protections : Signatures, SQL injection protection, XSS protection, form field consistency protection, starturl closure, CSRF tagging, JSON SQL, JSON XSS, JSON DOS is enabled. Please make sure that the backend server accepts chunked requests before enabling this option. Citrix recommends enabling this option for large request sizes(>20MB).

Possible values: ON, OFF

trace Toggle the state of trace

Possible values: ON, OFF

requestContentType Default Content-Type header for requests. A Content-Type header can contain 0-255 letters, numbers, and the hyphen (-) and underscore (_) characters. Default value: NS_S_AS_DEFAULT_REQUEST_CONTENT_TYPE

responseContentType Default Content-Type header for responses. A Content-Type header can contain 0-255 letters, numbers, and the hyphen (-) and underscore (_) characters. Default value: NS_S_AS_DEFAULT_RESPONSE_CONTENT_TYPE

JSONErrorObject Name to the imported JSON Error Object to be set on application firewall profile.

The following requirement applies only to the Citrix ADC CLI: If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, “my JSON error object” or ‘my JSON error object’). Default value: NS_S_AS_ERROR_OBJECT_DEFAULT

JSONErrorStatusCode Response status code associated with JSON error page Default value: 200 Minimum value: 1 Maximum value: 999

JSONErrorStatusMessage Response status message associated with JSON error page Default value: NS_S_AS_ERROR_CODE_DESCRIPTION_DEFAULT

JSONDoSAction One or more JSON Denial-of-Service (JsonDoS) actions. Available settings function as follows:

  • Block - Block connections that violate this security check.
  • Log - Log violations of this security check.
  • Stats - Generate statistics for this security check.
  • None - Disable all actions for this security check.

CLI users: To enable one or more actions, type “set appfw profile -JSONDoSAction” followed by the actions to be enabled. To turn off all actions, type “set appfw profile -JSONDoSAction none”. Default value: AS_DEFAULT_DISPOSITION

JSONSQLInjectionAction One or more JSON SQL Injection actions. Available settings function as follows:

  • Block - Block connections that violate this security check.
  • Log - Log violations of this security check.
  • Stats - Generate statistics for this security check.
  • None - Disable all actions for this security check.

CLI users: To enable one or more actions, type “set appfw profile -JSONSQLInjectionAction” followed by the actions to be enabled. To turn off all actions, type “set appfw profile -JSONSQLInjectionAction none”. Default value: AS_DEFAULT_DISPOSITION

JSONSQLInjectionType Available SQL injection types. -SQLSplChar : Checks for SQL Special Chars -SQLKeyword : Checks for SQL Keywords -SQLSplCharANDKeyword : Checks for both and blocks if both are found -SQLSplCharORKeyword : Checks for both and blocks if anyone is found, -None : Disables checking using both SQL Special Char and Keyword

Possible values: SQLSplChar, SQLKeyword, SQLSplCharORKeyword, SQLSplCharANDKeyword, None Default value: SQLSplCharANDKeyword

JSONSQLInjectionGrammar Check for SQL injection using SQL grammar in JSON

Possible values: ON, OFF Default value: OFF

JSONCMDInjectionAction One or more JSON CMD Injection actions. Available settings function as follows:

  • Block - Block connections that violate this security check.
  • Log - Log violations of this security check.
  • Stats - Generate statistics for this security check.
  • None - Disable all actions for this security check.

CLI users: To enable one or more actions, type “set appfw profile -JSONCMDInjectionAction” followed by the actions to be enabled. To turn off all actions, type “set appfw profile -JSONCMDInjectionAction none”. Default value: AS_DEFAULT_DISPOSITION

JSONCMDInjectionType Available CMD injection types. -CMDSplChar : Checks for CMD Special Chars -CMDKeyword : Checks for CMD Keywords -CMDSplCharANDKeyword : Checks for both and blocks if both are found -CMDSplCharORKeyword : Checks for both and blocks if anyone is found

Possible values: CMDSplChar, CMDKeyword, CMDSplCharORKeyword, CMDSplCharANDKeyword Default value: CMDSplCharANDKeyword

JSONXSSAction One or more JSON Cross-Site Scripting actions. Available settings function as follows:

  • Block - Block connections that violate this security check.
  • Log - Log violations of this security check.
  • Stats - Generate statistics for this security check.
  • None - Disable all actions for this security check.

CLI users: To enable one or more actions, type “set appfw profile -JSONXssAction” followed by the actions to be enabled. To turn off all actions, type “set appfw profile -JSONXssAction none”. Default value: AS_DEFAULT_DISPOSITION

XMLDoSAction One or more XML Denial-of-Service (XDoS) actions. Available settings function as follows:

  • Block - Block connections that violate this security check.
  • Learn - Use the learning engine to generate a list of exceptions to this security check.
  • Log - Log violations of this security check.
  • Stats - Generate statistics for this security check.
  • None - Disable all actions for this security check.

CLI users: To enable one or more actions, type “set appfw profile -XMLDoSAction” followed by the actions to be enabled. To turn off all actions, type “set appfw profile -XMLDoSAction none”. Default value: AS_DEFAULT_DISPOSITION

XMLFormatAction One or more XML Format actions. Available settings function as follows:

  • Block - Block connections that violate this security check.
  • Log - Log violations of this security check.
  • Stats - Generate statistics for this security check.
  • None - Disable all actions for this security check.

CLI users: To enable one or more actions, type “set appfw profile -XMLFormatAction” followed by the actions to be enabled. To turn off all actions, type “set appfw profile -XMLFormatAction none”. Default value: AS_DEFAULT_DISPOSITION

XMLSQLInjectionAction One or more XML SQL Injection actions. Available settings function as follows:

  • Block - Block connections that violate this security check.
  • Log - Log violations of this security check.
  • Stats - Generate statistics for this security check.
  • None - Disable all actions for this security check.

CLI users: To enable one or more actions, type “set appfw profile -XMLSQLInjectionAction” followed by the actions to be enabled. To turn off all actions, type “set appfw profile -XMLSQLInjectionAction none”. Default value: AS_DEFAULT_DISPOSITION

XMLSQLInjectionType Available SQL injection types. -SQLSplChar : Checks for SQL Special Chars -SQLKeyword : Checks for SQL Keywords -SQLSplCharANDKeyword : Checks for both and blocks if both are found -SQLSplCharORKeyword : Checks for both and blocks if anyone is found

Possible values: SQLSplChar, SQLKeyword, SQLSplCharORKeyword, SQLSplCharANDKeyword, None

XMLSQLInjectionCheckSQLWildChars Check for form fields that contain SQL wild chars .

Possible values: ON, OFF

XMLSQLInjectionParseComments Parse comments in XML Data and exempt those sections of the request that are from the XML SQL Injection check. You must configure the type of comments that the application firewall is to detect and exempt from this security check. Available settings function as follows:

  • Check all - Check all content.
  • ANSI - Exempt content that is part of an ANSI (Mozilla-style) comment.
  • Nested - Exempt content that is part of a nested (Microsoft-style) comment.
  • ANSI Nested - Exempt content that is part of any type of comment.

Possible values: checkall, ansi, nested, ansinested Default value: checkall

XMLXSSAction One or more XML Cross-Site Scripting actions. Available settings function as follows:

  • Block - Block connections that violate this security check.
  • Log - Log violations of this security check.
  • Stats - Generate statistics for this security check.
  • None - Disable all actions for this security check.

CLI users: To enable one or more actions, type “set appfw profile -XMLXSSAction” followed by the actions to be enabled. To turn off all actions, type “set appfw profile -XMLXSSAction none”. Default value: AS_DEFAULT_DISPOSITION

XMLWSIAction One or more Web Services Interoperability (WSI) actions. Available settings function as follows:

  • Block - Block connections that violate this security check.
  • Learn - Use the learning engine to generate a list of exceptions to this security check.
  • Log - Log violations of this security check.
  • Stats - Generate statistics for this security check.
  • None - Disable all actions for this security check.

CLI users: To enable one or more actions, type “set appfw profile -XMLWSIAction” followed by the actions to be enabled. To turn off all actions, type “set appfw profile -XMLWSIAction none”. Default value: AS_DEFAULT_DISPOSITION

XMLAttachmentAction One or more XML Attachment actions. Available settings function as follows:

  • Block - Block connections that violate this security check.
  • Learn - Use the learning engine to generate a list of exceptions to this security check.
  • Log - Log violations of this security check.
  • Stats - Generate statistics for this security check.
  • None - Disable all actions for this security check.

CLI users: To enable one or more actions, type “set appfw profile -XMLAttachmentAction” followed by the actions to be enabled. To turn off all actions, type “set appfw profile -XMLAttachmentAction none”. Default value: AS_DEFAULT_DISPOSITION

XMLValidationAction One or more XML Validation actions. Available settings function as follows:

  • Block - Block connections that violate this security check.
  • Log - Log violations of this security check.
  • Stats - Generate statistics for this security check.
  • None - Disable all actions for this security check.

CLI users: To enable one or more actions, type “set appfw profile -XMLValidationAction” followed by the actions to be enabled. To turn off all actions, type “set appfw profile -XMLValidationAction none”. Default value: AS_DEFAULT_DISPOSITION

XMLErrorObject Name to assign to the XML Error Object, which the application firewall displays when a user request is blocked. Must begin with a letter, number, or the underscore character (_), and must contain only letters, numbers, and the hyphen (-), period (.) pound (#), space ( ), at (@), equals (=), colon (:), and underscore characters. Cannot be changed after the XML error object is added.

The following requirement applies only to the Citrix ADC CLI: If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, “my XML error object” or ‘my XML error object’). Default value: NS_S_AS_ERROR_OBJECT_DEFAULT

XMLErrorStatusCode Response status code associated with XML error page Default value: 200 Minimum value: 1 Maximum value: 999

XMLErrorStatusMessage Response status message associated with XML error page Default value: NS_S_AS_ERROR_CODE_DESCRIPTION_DEFAULT

signatures Object name for signatures. This check is applicable to Profile Type: HTML, XML. Default value: NS_S_AS_CUSTOM_OBJECT_DEFAULT

XMLSOAPFaultAction One or more XML SOAP Fault Filtering actions. Available settings function as follows:

  • Block - Block connections that violate this security check.
  • Log - Log violations of this security check.
  • Stats - Generate statistics for this security check.
  • None - Disable all actions for this security check.
  • Remove - Remove all violations for this security check.

CLI users: To enable one or more actions, type “set appfw profile -XMLSOAPFaultAction” followed by the actions to be enabled. To turn off all actions, type “set appfw profile -XMLSOAPFaultAction none”. Default value: AS_DEFAULT_DISPOSITION

useHTMLErrorObject Send an imported HTML Error object to a user when a request is blocked, instead of redirecting the user to the designated Error URL.

Possible values: ON, OFF

errorURL URL that application firewall uses as the Error URL. Default value: NS_S_AS_ERROR_URL_DEFAULT

HTMLErrorObject Name to assign to the HTML Error Object. Must begin with a letter, number, or the underscore character (_), and must contain only letters, numbers, and the hyphen (-), period (.) pound (#), space ( ), at (@), equals (=), colon (:), and underscore characters. Cannot be changed after the HTML error object is added.

The following requirement applies only to the Citrix ADC CLI: If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, “my HTML error object” or ‘my HTML error object’). Default value: NS_S_AS_ERROR_OBJECT_DEFAULT

HTMLErrorStatusCode Response status code associated with HTML error page Default value: 200 Minimum value: 1 Maximum value: 999

HTMLErrorStatusMessage Response status message associated with HTML error page Default value: NS_S_AS_ERROR_CODE_DESCRIPTION_DEFAULT

logEveryPolicyHit Log every profile match, regardless of security checks results.

Possible values: ON, OFF

stripHtmlComments Strip HTML comments before forwarding a web page sent by a protected web site in response to a user request.

Possible values: none, all, exclude_script_tag

stripXmlComments Strip XML comments before forwarding a web page sent by a protected web site in response to a user request.

Possible values: none, all

dynamicLearning One or more security checks. Available options are as follows:

  • SQLInjection - Enable dynamic learning for SQLInjection security check.
  • CrossSiteScripting - Enable dynamic learning for CrossSiteScripting security check.
  • fieldFormat - Enable dynamic learning for fieldFormat security check.
  • None - Disable security checks for all security checks.

CLI users: To enable dynamic learning on one or more security checks, type “set appfw profile -dynamicLearning” followed by the security checks to be enabled. To turn off dynamic learning on all security checks, type “set appfw profile -dynamicLearning none”. Default value: AS_DYNAMIC_LEARNING_SECURITY_CHECK_DEFAULT

exemptClosureURLsFromSecurityChecks Exempt URLs that pass the Start URL closure check from SQL injection, cross-site script, field format and field consistency security checks at locations other than headers.

Possible values: ON, OFF

defaultCharSet Default character set for protected web pages. Web pages sent by your protected web sites in response to user requests are assigned this character set if the page does not already specify a character set. The character sets supported by the application firewall are:

  • iso-8859-1 (English US)
  • big5 (Chinese Traditional)
  • gb2312 (Chinese Simplified)
  • sjis (Japanese Shift-JIS)
  • euc-jp (Japanese EUC-JP)
  • iso-8859-9 (Turkish)
  • utf-8 (Unicode)
  • euc-kr (Korean) Default value: NS_S_AS_CHARSET_DEFAULT Maximum value: 31

postBodyLimit Maximum allowed HTTP post body size, in bytes. Maximum supported value is 10GB. Citrix recommends enabling streaming option for large values of post body limit (>20MB). Default value: 20000000 Minimum value: 0

postBodyLimitAction One or more Post Body Limit actions. Available settings function as follows:

  • Block - Block connections that violate this security check. Must always be set.
  • Log - Log violations of this security check.
  • Stats - Generate statistics for this security check.

CLI users: To enable one or more actions, type “set appfw profile -PostBodyLimitAction block” followed by the other actions to be enabled. Default value: AS_DEFAULT_POSTBODYLIMIT_DISPOSITION

postBodyLimitSignature Maximum allowed HTTP post body size for signature inspection for location HTTP_POST_BODY in the signatures, in bytes. Note that the changes in value could impact CPU and latency profile. Default value: 2048 Minimum value: 0

fileUploadMaxNum Maximum allowed number of file uploads per form-submission request. The maximum setting (65535) allows an unlimited number of uploads. Default value: 65535 Minimum value: 0 Maximum value: 65535

canonicalizeHTMLResponse Perform HTML entity encoding for any special characters in responses sent by your protected web sites.

Possible values: ON, OFF Default value: ON

enableFormTagging Enable tagging of web form fields for use by the Form Field Consistency and CSRF Form Tagging checks.

Possible values: ON, OFF Default value: ON

sessionlessFieldConsistency Perform sessionless Field Consistency Checks.

Possible values: OFF, ON, postOnly Default value: OFF

sessionlessURLClosure Enable session less URL Closure Checks. This check is applicable to Profile Type: HTML.

Possible values: ON, OFF Default value: OFF

semicolonFieldSeparator Allow ‘;’ as a form field separator in URL queries and POST form bodies.

Possible values: ON, OFF Default value: OFF

excludeFileUploadFromChecks Exclude uploaded files from Form checks.

Possible values: ON, OFF Default value: OFF

SQLInjectionParseComments Parse HTML comments and exempt them from the HTML SQL Injection check. You must specify the type of comments that the application firewall is to detect and exempt from this security check. Available settings function as follows:

  • Check all - Check all content.
  • ANSI - Exempt content that is part of an ANSI (Mozilla-style) comment.
  • Nested - Exempt content that is part of a nested (Microsoft-style) comment.
  • ANSI Nested - Exempt content that is part of any type of comment.

Possible values: checkall, ansi, nested, ansinested Default value: AS_DEFAULT_SQLINJECTIONPARSECOMMENTS

invalidPercentHandling Configure the method that the application firewall uses to handle percent-encoded names and values. Available settings function as follows:

  • apache_mode - Apache format.
  • asp_mode - Microsoft ASP format.
  • secure_mode - Secure format.

Possible values: apache_mode, asp_mode, secure_mode Default value: secure_mode

type Application firewall profile type, which controls which security checks and settings are applied to content that is filtered with the profile. Available settings function as follows:

  • HTML - HTML-based web sites.
  • XML - XML-based web sites and services.
  • JSON - JSON-based web sites and services.
  • HTML XML (Web 2.0) - Sites that contain both HTML and XML content, such as ATOM feeds, blogs, and RSS feeds.
  • HTML JSON - Sites that contain both HTML and JSON content.
  • XML JSON - Sites that contain both XML and JSON content.
  • HTML XML JSON - Sites that contain HTML, XML and JSON content. Default value: HTML

checkRequestHeaders Check request headers as well as web forms for injected SQL and cross-site scripts.

Possible values: ON, OFF Default value: OFF

inspectQueryContentTypes Inspect request query as well as web forms for injected SQL and cross-site scripts for following content types. Default value: AS_INSPECT_QUERY_DEFAULT

optimizePartialReqs Optimize handle of HTTP partial requests i.e. those with range headers. Available settings are as follows:

  • ON - Partial requests by the client result in partial requests to the backend server in most cases.
  • OFF - Partial requests by the client are changed to full requests to the backend server

Possible values: ON, OFF

URLDecodeRequestCookies URL Decode request cookies before subjecting them to SQL and cross-site scripting checks.

Possible values: ON, OFF Default value: OFF

comment Any comments about the purpose of profile, or other useful information about the profile.

percentDecodeRecursively Configure whether the application firewall should use percentage recursive decoding

Possible values: ON, OFF Default value: ON

multipleHeaderAction One or more multiple header actions. Available settings function as follows:

  • Block - Block connections that have multiple headers.
  • Log - Log connections that have multiple headers.
  • KeepLast - Keep only last header when multiple headers are present.

CLI users: To enable one or more actions, type “set appfw profile -multipleHeaderAction” followed by the actions to be enabled. Default value: AS_MULTIPLE_HEADER_DEFAULT_DISPOSITION

rfcprofile Object name of the rfc profile. Default value: NS_S_AS_RFC_PROFILE_DEFAULT

fileUploadTypesAction One or more file upload types actions. Available settings function as follows:

  • Block - Block connections that violate this security check.
  • Log - Log violations of this security check.
  • Stats - Generate statistics for this security check.
  • None - Disable all actions for this security check.

CLI users: To enable one or more actions, type “set appfw profile -fileUploadTypeAction” followed by the actions to be enabled. To turn off all actions, type “set appfw profile -fileUploadTypeAction none”. Default value: AS_DEFAULT_DISPOSITION

verboseLogLevel Detailed Logging Verbose Log Level.

Possible values: pattern, patternPayload, patternPayloadHeader Default value: pattern

insertCookieSameSiteAttribute Configure whether application firewall should add samesite attribute for set-cookies

Possible values: ON, OFF Default value: OFF

cookieSameSiteAttribute Cookie Samesite attribute added to support adding cookie SameSite attribute for all set-cookies including appfw session cookies. Default value will be “SameSite=Lax”.

Possible values: None, LAX, STRICT Default value: LAX

SQLInjectionRuleType Specifies SQL Injection rule type: ALLOW/DENY. If ALLOW rule type is configured then allow list rules are used, if DENY rule type is configured then deny rules are used.

Possible values: ALLOW, DENY Default value: ALLOW

archive appfw profile

Create archive for the profile.

Synopsis

archive appfw profile [-comment ]

Arguments

name Name for the profile. Must begin with a letter, number, or the underscore character (), and must contain only letters, numbers, and the hyphen (-), period (.), pound (#), space ( ), at (@), equals (=), colon (:), and underscore () characters. Cannot be changed after the profile is added.

The following requirement applies only to the Citrix ADC CLI: If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, “my profile” or ‘my profile’).

archivename Source for tar archive.

comment Any comments about the purpose of profile, or other useful information about the profile.

bind appfw profile

Binds the specified exemption (relaxation) or rule to the specified application firewall profile. NOTE: You should not attempt to bind more than one exemption or rule at a time by using this command.

Synopsis

bind appfw profile ((-startURL [-resourceId ]) | -denyURL | (-fieldConsistency [-isRegex ( REGEX | NOTREGEX )]) | (-cookieConsistency [-isRegex ( REGEX | NOTREGEX )]) | (-SQLInjection [-isRegex ( REGEX | NOTREGEX )] [-location ] [-valueType [-isValueRegex ( REGEX | NOTREGEX )]] [-RuleType ( ALLOW | DENY )]) | (-CMDInjection [-isRegex ( REGEX | NOTREGEX )] [-location ] [-valueType ( Keyword | SpecialString ) [-isValueRegex ( REGEX | NOTREGEX )]]) | (-CSRFTag ) | (-crossSiteScripting [-isRegex ( REGEX | NOTREGEX )] [-location ] [-valueType [-isValueRegex ( REGEX | NOTREGEX )]]) | (-fieldFormat [-fieldFormatMinLength ] [-fieldFormatMaxLength ] [-isRegex ( REGEX | NOTREGEX )]) | (-safeObject [-action ...]) | -trustedLearningClients <ip_addr[/prefix]|ipv6_addr[/prefix]> | -JSONSQLURL | -JSONCMDURL | -JSONXSSURL | (-JSONDoSURL [-JSONMaxContainerDepthCheck ( ON | OFF ) [-JSONMaxContainerDepth ]] [-JSONMaxDocumentLengthCheck ( ON | OFF ) [-JSONMaxDocumentLength ]] [-JSONMaxObjectKeyCountCheck ( ON | OFF ) [-JSONMaxObjectKeyCount ]] [-JSONMaxObjectKeyLengthCheck ( ON | OFF ) [-JSONMaxObjectKeyLength ]] [-JSONMaxArrayLengthCheck ( ON | OFF ) [-JSONMaxArrayLength ]] [-JSONMaxStringLengthCheck ( ON | OFF ) [-JSONMaxStringLength ]]) | (-XMLDoSURL [-XMLMaxElementDepthCheck ( ON | OFF ) [-XMLMaxElementDepth ]] [-XMLMaxElementNameLengthCheck ( ON | OFF ) [-XMLMaxElementNameLength ]] [-XMLMaxElementsCheck ( ON | OFF ) [-XMLMaxElements ]] [-XMLMaxElementChildrenCheck ( ON | OFF ) [-XMLMaxElementChildren ]] [-XMLMaxNodesCheck ( ON | OFF ) [-XMLMaxNodes ]] [-XMLMaxAttributesCheck ( ON | OFF ) [-XMLMaxAttributes ]] [-XMLMaxAttributeNameLengthCheck ( ON | OFF ) [-XMLMaxAttributeNameLength ]] [-XMLMaxAttributeValueLengthCheck ( ON | OFF ) [-XMLMaxAttributeValueLength ]] [-XMLMaxCharDATALengthCheck ( ON | OFF ) [-XMLMaxCharDATALength ]] [-XMLMaxFileSizeCheck ( ON | OFF ) [-XMLMaxFileSize ]] [-XMLMinFileSizeCheck ( ON | OFF ) [-XMLMinFileSize ]] [-XMLBlockPI ( ON | OFF )] [-XMLBlockDTD ( ON | OFF )] [-XMLBlockExternalEntities ( ON | OFF )] [-XMLMaxEntityExpansionsCheck ( ON | OFF ) [-XMLMaxEntityExpansions ]] [-XMLMaxEntityExpansionDepthCheck ( ON | OFF ) [-XMLMaxEntityExpansionDepth ]] [-XMLMaxNamespacesCheck ( ON | OFF ) [-XMLMaxNamespaces ]] [-XMLMaxNamespaceUriLengthCheck ( ON | OFF ) [-XMLMaxNamespaceUriLength ]] [-XMLSOAPArrayCheck ( ON | OFF ) [-XMLMaxSOAPArraySize ] [-XMLMaxSOAPArrayRank ]]) | (-XMLWSIURL [-XMLWSIChecks ]) | (-XMLValidationURL (-XMLRequestSchema | (-XMLWSDL [-XMLAdditionalSOAPHeaders ( ON | OFF )] [-XMLEndPointCheck ( ABSOLUTE | RELATIVE )]) | -XMLValidateSOAPEnvelope ( ON | OFF )) [-XMLResponseSchema ] [-XMLValidateResponse ( ON | OFF )]) | (-XMLAttachmentURL [-XMLMaxAttachmentSizeCheck ( ON | OFF ) [-XMLMaxAttachmentSize ]] [-XMLAttachmentContentTypeCheck ( ON | OFF ) [-XMLAttachmentContentType ]]) | (-XMLSQLInjection [-isRegex ( REGEX | NOTREGEX )] [-location ( ELEMENT | ATTRIBUTE )]) | (-XMLXSS [-isRegex ( REGEX | NOTREGEX )] [-location ( ELEMENT | ATTRIBUTE )]) | -contentType | -excludeResContentType | (-CreditCardNumber ) | (-logExpression ) | (-fileUploadType [-isRegex ( REGEX | NOTREGEX )] -fileType ...)) [-comment ] [-state ( ENABLED | DISABLED )] [-isAutoDeployed ( AUTODEPLOYED | NOTAUTODEPLOYED )]

Arguments

name Name of the profile to which to bind an exemption or rule.

startURL Add the specified URL to the start URL list. Enclose URLs in double quotes to ensure preservation of any embedded spaces or non-alphanumeric characters.

denyURL Add the specified URL to the deny URL list. Enclose URLs in double quotes to ensure preservation of any embedded spaces or non-alphanumeric characters.

fieldConsistency Exempt the specified web form field and form action URL from the form field consistency check, or exempt the specified cookie from the cookie consistency check. A form field consistency exemption (relaxation) consists of the following items:

  • Web form field name. Name of the form field to exempt from this check.
  • Form action URL. Action URL for the web form.
  • IsRegex flag. The IsRegex flag, followed by YES if the form action URL is a regular expression, or NO if it is a literal string.

formActionURL Form action URL.

isRegex Is a regular expression?

Possible values: REGEX, NOTREGEX

cookieConsistency A cookie consistency exemption (relaxation) consists of the following items:

  • Cookie name. Name of the cookie to exempt from this check.
  • IsRegex flag. The IsRegex flag, followed by YES if the cookie name is a regular expression, or NO if it is a literal string.

isRegex Is a regular expression?

Possible values: REGEX, NOTREGEX

SQLInjection Exempt the specified HTTP header, web form field and the form action URL, or cookie from the SQL injection check. An SQL injection exemption (relaxation) consists of the following items: *Item name. Name of the web form field, cookie, or HTTP header to exempt from this check.

  • Form action URL. If the item to be exempted is a web form field, the action URL for the web form.
  • IsRegex flag. The IsRegex flag, followed by YES if the name or form action URL is a regular expression, or NO if it is a literal string.
  • Location. Location that should be examined by the SQL injection check, either FORMFIELD for web form field, HEADER for HTTP header, or COOKIE for cookie.

formActionURL Form action URL for exceptions in fields, or request URL for exceptions in headers and cookies.

isRegex Is a regular expression?

Possible values: REGEX, NOTREGEX

location Location of SQL injection exception - form field, header or cookie.

Possible values: FORMFIELD, HEADER, COOKIE

valueType SQL value type. (Keyword | SpecialString | Wildchar | None

Possible values: Keyword, SpecialString, Wildchar

valueExpression SQL value expressions consistituting expressions for Keyword, SpecialString and Wildchars.

isValueRegex Is a regular expression?

Possible values: REGEX, NOTREGEX

CMDInjection Exempt the specified HTTP header, web form field and the form action URL, or cookie from the command injection check. A command injection exemption (relaxation) consists of the following items: *Item name. Name of the web form field, cookie, or HTTP header to exempt from this check.

  • Form action URL. If the item to be exempted is a web form field, the action URL for the web form.
  • IsRegex flag. The IsRegex flag, followed by YES if the name or form action URL is a regular expression, or NO if it is a literal string.
  • Location. Location that should be examined by the CMD injection check, either FORMFIELD for web form field, HEADER for HTTP header, or COOKIE for cookie.

formActionURL Form action URL for exceptions in fields, or request URL for exceptions in headers and cookies.

isRegex Is a regular expression?

Possible values: REGEX, NOTREGEX

location Location of command injection exception - form field, header or cookie.

Possible values: FORMFIELD, HEADER, COOKIE

valueType Command value type. (Keyword | SpecialString)

Possible values: Keyword, SpecialString

valueExpression CMD value expressions consistituting expressions for Keyword and SpecialString

isValueRegex Is a regular expression?

Possible values: REGEX, NOTREGEX

CSRFTag Exempt the specified form field and web form from the cross-site request forgery (CSRF tagging) check. A CSRF tagging exemption (relaxation) consists of the following items:

  • Web form field name. Regular expression that describes the web form field to exempt from this check.
  • Form action URL. The action URL for the web form.

CSRFFormActionURL CSRF form action URL.

crossSiteScripting Exempt the specified string, found in the specified HTTP header, cookie, url or web form, from the cross-site scripting check. A cross-site scripting check exemption (relaxation) consists of the following items:

  • HTML to exempt. The string to exempt from the cross-site scripting check.
  • URL. The URL to exempt.
  • IsRegex flag. The IsRegex flag, followed by YES if the URL is a regular expression, or NO if it is a literal string.
  • location. Location which should be examined by the cross-site scripting check, either FORMFIELD for web form field, HEADER for HTTP header, COOKIE for cookie, or URL for complete url

formActionURL Form action URL for exceptions in fields, or request URL for exceptions in headers, cookies or url.

isRegex Is a regular expression?

Possible values: REGEX, NOTREGEX

location Location of cross-site scripting exception - form field, header, cookie or URL.

Possible values: FORMFIELD, HEADER, COOKIE, URL

valueType XSS value type. (Tag | Attribute | Pattern)

Possible values: Tag, Attribute, Pattern

valueExpression XSS value expressions consistituting expressions for Tag, Attribute and Pattern.

isValueRegex Is a regular expression?

Possible values: REGEX, NOTREGEX

fieldFormat Impose the specified format on content returned by users in the specified web form field. A field format rule consists of the following items:

  • Form field name. The name of the form field.
  • Form action URL. The form action URL for the web form.
  • Field type. The field type (format) to enforce on the specified web form field.
  • Field format minimum length. The minimum length allowed for data in the specified field. If 0, field can be left blank.
  • Field format maximum length. The maximum length allowed for data in the specified field.
  • IsRegex flag. The IsRegex flag, followed by YES if the URL is a regular expression, or NO if it is a literal string.

formActionURL Form action URL.

fieldType Field type.

fieldFormatMinLength Field format minimum length. Default value: 0 Minimum value: 0 Maximum value: 2147483647

fieldFormatMaxLength Field format maximum length. Default value: 65535 Minimum value: 1 Maximum value: 2147483647

isRegex Is a regular expression?

Possible values: REGEX, NOTREGEX

safeObject Protect web sites from exposing sensitive private information such as social security numbers, credit card numbers, driver’s license numbers, passport numbers, and any other type of private information that can be described by a regular expression. A safe object consists of the following items:

  • Name. A name that describes the type of information that the safe object is to protect.
  • Expression. PCRE-format regular expression that describes the information to be protected.
  • Maximum match length. Maximum length of a matched string.
  • Action. “X-Out” to mask blocked information with the letter X, or “Remove” to remove the information.

expression Safe Object regular expression.

maxMatchLength Maximum match length for a Safe Object expression. Default value: 1 Minimum value: 1 Maximum value: 65535

action Safe Object action types. (BLOCK | LEARN | LOG | STATS | NONE)

trustedLearningClients Trusted host/network learning IP. This binding is appilicable to profile Type: HTML, XML.

comment Any comments about the purpose of profile, or other useful information about the profile.

state Enabled.

Possible values: ENABLED, DISABLED Default value: ENABLED

JSONSQLURL A regular expression that designates a URL on the Json SQL URL list for which SQL violations are relaxed. Enclose URLs in double quotes to ensure preservation of any embedded spaces or non-alphanumeric characters.

JSONCMDURL A regular expression that designates a URL on the Json CMD URL list for which Command injection violations are relaxed. Enclose URLs in double quotes to ensure preservation of any embedded spaces or non-alphanumeric characters.

JSONXSSURL A regular expression that designates a URL on the Json XSS URL list for which XSS violations are relaxed. Enclose URLs in double quotes to ensure preservation of any embedded spaces or non-alphanumeric characters.

JSONDoSURL The URL on which we need to enforce the specified JSON denial-of-service (JSONDoS) attack protections. An JSON DoS configuration consists of the following items:

  • URL. PCRE-format regular expression for the URL.
  • Maximum-document-length-check toggle. ON to enable this check, OFF to disable it.
  • Maximum document length. Positive integer representing the maximum length of the JSON document.
  • Maximum-container-depth-check toggle. ON to enable, OFF to disable.
  • Maximum container depth. Positive integer representing the maximum container depth of the JSON document.
  • Maximum-object-key-count-check toggle. ON to enable, OFF to disable.
  • Maximum object key count. Positive integer representing the maximum allowed number of keys in any of the JSON object.
  • Maximum-object-key-length-check toggle. ON to enable, OFF to disable.
  • Maximum object key length. Positive integer representing the maximum allowed length of key in any of the JSON object.
  • Maximum-array-value-count-check toggle. ON to enable, OFF to disable.
  • Maximum array value count. Positive integer representing the maximum allowed number of values in any of the JSON array.
  • Maximum-string-length-check toggle. ON to enable, OFF to disable.
  • Maximum string length. Positive integer representing the maximum length of string in JSON.

JSONMaxContainerDepthCheck State if JSON Max Container Depth Check is ON or OFF.

Possible values: ON, OFF Default value: OFF

JSONMaxContainerDepth Maximum allowed nesting depth of JSON document. JSON allows one to nest the containers (object and array) in any order to any depth. This check protects against documents that have excessive depth of hierarchy. Default value: 5 Minimum value: 0 Maximum value: 127

JSONMaxDocumentLengthCheck State if JSON Max Document Length Check is ON or OFF.

Possible values: ON, OFF Default value: OFF

JSONMaxDocumentLength Maximum document length of JSON document, in bytes. Default value: 20000000 Minimum value: 0 Maximum value: 2147483647

JSONMaxObjectKeyCountCheck State if JSON Max Object Key Count Check is ON or OFF.

Possible values: ON, OFF Default value: OFF

JSONMaxObjectKeyCount Maximum key count in the any of JSON object. This check protects against objects that have large number of keys. Default value: 10000 Minimum value: 0 Maximum value: 2147483647

JSONMaxObjectKeyLengthCheck State if JSON Max Object Key Length Check is ON or OFF.

Possible values: ON, OFF Default value: OFF

JSONMaxObjectKeyLength Maximum key length in the any of JSON object. This check protects against objects that have large keys. Default value: 128 Minimum value: 0 Maximum value: 2147483647

JSONMaxArrayLengthCheck State if JSON Max Array Length Check is ON or OFF.

Possible values: ON, OFF Default value: OFF

JSONMaxArrayLength Maximum array length in the any of JSON object. This check protects against arrays having large lengths. Default value: 10000 Minimum value: 0 Maximum value: 2147483647

JSONMaxStringLengthCheck State if JSON Max String Length Check is ON or OFF.

Possible values: ON, OFF Default value: OFF

JSONMaxStringLength Maximum string length in the JSON. This check protects against strings that have large length. Default value: 1000000 Minimum value: 0 Maximum value: 2147483647

XMLDoSURL Exempt the specified URL from the specified XML denial-of-service (XDoS) attack protections. An XDoS exemption (relaxation) consists of the following items:

  • URL. PCRE-format regular expression for the URL or URLs to be exempted.
  • Maximum-element-depth-check toggle. ON to enable this check, OFF to disable it.
  • Maximum-element-depth-check toggle. ON to enable, OFF to disable.
  • Maximum-element-depth-check level. Positive integer representing the maximum allowed depth of nested XML elements.
  • Maximum-element-name-length-check toggle. ON to enable, OFF to disable.
  • Maximum element name length. Positive integer representing the maximum allowed length of XML element names.
  • Maximum-number-of-elements-check toggle. ON to enable, OFF to disable.
  • Maximum number of elements. Positive integer representing the maximum allowed number of XML elements.
  • Maximum-number-of-element-children-check toggle. ON to enable, OFF to disable.
  • Maximum number of element children. Positive integer representing the maximum allowed number of XML element children.
  • Maximum-number-of-attributes-check toggle. ON to enable, OFF to disable.
  • Maximum number of attributes. Positive integer representing the maximum allowed number of XML attributes.
  • Maximum-attribute-name-length-check toggle. ON to enable, OFF to disable.
  • Maximum attribute name length. Positive integer representing the maximum allowed length of XML attribute names.
  • Maximum-attribute-value-length-check toggle. ON to enable, OFF to disable.
  • Maximum attribute value length. Positive integer representing the maximum allowed length of XML attribute values.
  • Maximum-character-data-length-check toggle. ON to enable, OFF to disable.
  • Maximum character-data length. Positive integer representing the maximum allowed length of XML character data.
  • Maximum-file-size-check toggle. ON to enable, OFF to disable.
  • Maximum file size. Positive integer representing the maximum allowed size, in bytes. of attached or uploaded files.
  • Minimum-file-size-check toggle. ON to enable, OFF to disable.
  • Minimum file size. Positive integer representing the minimum allowed size, in bytes, of attached or uploaded files.
  • Maximum-number-of-entity-expansions-check toggle. ON to enable, OFF to disable.
  • Maximum number of entity expansions. Positive integer representing the maximum allowed number of XML entity expansions.
  • Maximum-number-of XML-namespaces-check toggle. ON to enable, OFF to disable.
  • Maximum number of XML namespaces. Positive integer representing the maximum allowed number of XML namespaces.
  • Maximum-XML-namespace-URI-length-check toggle. ON to enable, OFF to disable.
  • MaximumXML-namespace URI length. Positive integer representing the maximum allowed length of XML namespace URIs.
  • Block-processing-instructions toggle. Block XML processing instructions. ON to enable, OFF to disable.
  • Block-DTD toggle. Block design type documents (DTDs). ON to enable, OFF to disable.
  • Block-external-XML-entitites toggle. ON to enable, OFF to disable.
  • Maximum-SOAP-array-check toggle. ON to enable, OFF to disable.
  • Maximum SOAP-array size. Positive integer representing the maximum allowed size of XML SOAP arrays.
  • Maximum SOAP-array rank. Positive integer representing the maximum rank (dimensions) of any single XML SOAP array.

XMLMaxElementDepthCheck State if XML Max Element Depth Check is ON or OFF.

Possible values: ON, OFF Default value: OFF

XMLMaxElementDepth Maximum nesting (depth) of XML elements. This check protects against documents that have excessive depth of hierarchy. Default value: 256 Minimum value: 1 Maximum value: 65535

XMLMaxElementNameLengthCheck State if XML Max Element Name Length Check is ON or OFF.

Possible values: ON, OFF Default value: OFF

XMLMaxElementNameLength Specify the longest name of any element (including the prefix for qualified element name) to protect against overflow attacks. Default value: 128 Minimum value: 1 Maximum value: 65535

XMLMaxElementsCheck State if XML Max Elements Check is ON or OFF.

Possible values: ON, OFF Default value: OFF

XMLMaxElements Specifying maximum number of elements protects against overflow attacks. Default value: 65535 Minimum value: 1 Maximum value: 65535

XMLMaxElementChildrenCheck State if XML Max Element Children Check is ON or OFF.

Possible values: ON, OFF Default value: OFF

XMLMaxElementChildren Specifying maximum number of children allowed per element protects against overflow attacks. Default value: 65535 Minimum value: 0 Maximum value: 65535

XMLMaxNodesCheck State if XML Max Nodes Check is ON or OFF.

Possible values: ON, OFF Default value: OFF

XMLMaxNodes Specify the maximum number of nodes. Protects against overflow attacks. Default value: 65535 Minimum value: 0 Maximum value: 65535

XMLMaxAttributesCheck State if XML Max Attributes Check is ON or OFF.

Possible values: ON, OFF Default value: OFF

XMLMaxAttributes Specify maximum number of attributes per element. Protects against overflow attacks. Default value: 256 Minimum value: 0 Maximum value: 65535

XMLMaxAttributeNameLengthCheck State if XML Max Attribute Name Length Check is ON or OFF.

Possible values: ON, OFF Default value: OFF

XMLMaxAttributeNameLength Specify the longest name of any attribute (including the prefix for qualified attribute name). Protects against overflow attacks. Default value: 128 Minimum value: 1 Maximum value: 65535

XMLMaxAttributeValueLengthCheck State if XML Max Atribute Value Length is ON or OFF.

Possible values: ON, OFF Default value: OFF

XMLMaxAttributeValueLength Specify the longest value of any attribute. Protects against overflow attacks. Default value: 2048 Minimum value: 0 Maximum value: 65535

XMLMaxCharDATALengthCheck State if XML Max CDATA Length Check is ON or OFF.

Possible values: ON, OFF Default value: OFF

XMLMaxCharDATALength Maximum size of CDATA protects against overflow attacks and large unparsed data within XML messages. Default value: 65535 Minimum value: 0 Maximum value: 1000000000

XMLMaxFileSizeCheck State if XML Max File Size Check is ON or OFF.

Possible values: ON, OFF Default value: OFF

XMLMaxFileSize Maximum size of the XML messages protects against overflow attacks. Default value: 20000000 Minimum value: 4 Maximum value: 1000000000

XMLMinFileSizeCheck State if XML Min File Size Check is ON or OFF.

Possible values: ON, OFF Default value: OFF

XMLMinFileSize Enforces minimum message size. Default value: 9 Minimum value: 4 Maximum value: 1000000000

XMLBlockPI State if XML Block PI is ON or OFF. Protects resources from denial of service attacks as SOAP messages can not have Processing Instruction (PI) in the message.

Possible values: ON, OFF Default value: OFF

XMLBlockDTD State if XML DTD is ON or OFF. Protects against recursive Document Type Declaration (DTD) entity expansion attacks. Also, SOAP messages can not have DTD in the message.

Possible values: ON, OFF Default value: OFF

XMLBlockExternalEntities State if XML Block External Entities Check is ON or OFF. Protects against XML External Entity (XXE) attacks that force applications to parse untrusted external entities (sources) in XML documents.

Possible values: ON, OFF Default value: OFF

XMLMaxEntityExpansionsCheck State if XML Max Entity Expansions Check is ON or OFF.

Possible values: ON, OFF Default value: OFF

XMLMaxEntityExpansions Specify maximum allowed number of entity expansions. Protects aganist Entity Expansion Attack. Default value: 512 Minimum value: 0 Maximum value: 1024

XMLMaxEntityExpansionDepthCheck State if XML Max Entity Expansions Depth Check is ON or OFF.

Possible values: ON, OFF Default value: OFF

XMLMaxEntityExpansionDepth Specify maximum entity expansion depth. Protects aganist Entity Expansion Attack. Default value: 8 Minimum value: 0 Maximum value: 24

XMLMaxNamespacesCheck State if XML Max Namespaces Check is ON or OFF.

Possible values: ON, OFF Default value: OFF

XMLMaxNamespaces Specify maximum number of active namespaces. Protects against overflow attacks. Default value: 16 Minimum value: 0 Maximum value: 512

XMLMaxNamespaceUriLengthCheck State if XML Max Namspace URI Length Check is ON or OFF.

Possible values: ON, OFF Default value: OFF

XMLMaxNamespaceUriLength Specify the longest URI of any XML namespace. Protects against overflow attacks. Default value: 256 Minimum value: 0 Maximum value: 65535

XMLSOAPArrayCheck State if XML SOAP Array check is ON or OFF.

Possible values: ON, OFF Default value: OFF

XMLMaxSOAPArraySize XML Max Total SOAP Array Size. Protects against SOAP Array Abuse attack. Default value: 20000000 Minimum value: 0 Maximum value: 1000000000

XMLMaxSOAPArrayRank XML Max Total SOAP Array Rank. Protects against SOAP Array Abuse attack. Default value: 16 Minimum value: 0 Maximum value: 32

XMLWSIURL Exempt the specified URL from the web services interoperability (WS-I) check. The URL is specified as a PCRE-format regular expression, which can match one or more URLs.

XMLWSIChecks Synonym for XMLWISURL, but takes a literal URL instead of a PCRE-format regular expression.

XMLValidationURL Exempt the specified URL from the XML message validation check. An XML message validation exemption (relaxation) consists of the following items:

  • URL. PCRE-format regular expression that matches the URL(s) to be exempted.
  • XML-request-schema toggle. Use the specified XML schema to validate requests. ON to enable, OFF to disable.
  • XML request schema. XML schema to use for validating requests.
  • XML-response-schema toggle. Use the specified XML schema to validate responses. ON to enable, OFF to disable.
  • XML response schema. XML schema to use for validating responses.
  • WSDL toggle. Use the specified WSDL to validate. ON to enable, OFF to disable.
  • WSDL. WSDL to use for validation.
  • SOAP-envelope toggle. Validate against the SOAP envelope. ON to enable, OFF to disable.
  • Additional-SOAP-headers toggle. Validate against the extended list of SOAP headers. ON to enable, OFF to disable.
  • XML-end-point check. ABSOLUTE to use an absolute end point, RELATIVE to use a relative end point.

XMLRequestSchema XML Schema object for request validation .

XMLResponseSchema XML Schema object for response validation .

XMLWSDL WSDL object for soap request validation .

XMLAdditionalSOAPHeaders Allow addtional soap headers.

Possible values: ON, OFF

XMLEndPointCheck Modifies the behaviour of the Request URL validation w.r.t. the Service URL. If set to ABSOLUTE, the entire request URL is validated with the entire URL mentioned in Service of the associated WSDL. eg: Service URL: http://example.org/ExampleService, Request URL: http//example.com/ExampleService would FAIL the validation. If set to RELATIVE, only the non-hostname part of the request URL is validated against the non-hostname part of the Service URL. eg: Service URL: http://example.org/ExampleService, Request URL: http//example.com/ExampleService would PASS the validation.

Possible values: ABSOLUTE, RELATIVE Default value: ABSOLUTE

XMLValidateSOAPEnvelope Validate SOAP Evelope only.

Possible values: ON, OFF

XMLValidateResponse Validate response message.

Possible values: ON, OFF

XMLAttachmentURL Exempt the specified URL from the XML attachment check. An XML attachment exemption (relaxation) consists of the following items:

  • URL. PCRE-format regular expression that matches the URL(s) to be exempted.
  • Maximum-attachment-size-check toggle. ON to enable, OFF to disable.
  • Maximum attachment size. Positive integer representing the maximum allowed size in bytes for each XML attachment.
  • Attachment-content-type-check toggle. ON to enable, OFF to disable.
  • Attachment content type. PCRE-format regular expression that specifies the list of MIME content types allowed for XML attachments.

XMLMaxAttachmentSizeCheck State if XML max attachment size check is ON or OFF. Protects against XML requests with large attachment data.

Possible values: ON, OFF Default value: OFF

XMLMaxAttachmentSize Specify maximum attachment size. Minimum value: 0 Maximum value: 1000000000

XMLAttachmentContentTypeCheck State if XML attachment content-type check is ON or OFF. Protects against XML requests with illegal attachments.

Possible values: ON, OFF Default value: OFF

XMLAttachmentContentType Specify content-type regular expression.

XMLSQLInjection Exempt the specified URL from the XML SQL injection check. An XML SQL injection exemption (relaxation) consists of the following items:

  • Name. Name to exempt, as a string or a PCRE-format regular expression.
  • ISREGEX flag. REGEX if URL is a regular expression, NOTREGEX if URL is a fixed string.
  • Location. ELEMENT if the injection is located in an XML element, ATTRIBUTE if located in an XML attribute.

isRegex Is a regular expression?

Possible values: REGEX, NOTREGEX

location Location of SQL injection exception - XML Element or Attribute. Default location is ‘ELEMENT’

Possible values: ELEMENT, ATTRIBUTE Default value: AS_XMLLOCATION_ELEMENT

XMLXSS Exempt the specified URL from the XML cross-site scripting (XSS) check. An XML cross-site scripting exemption (relaxation) consists of the following items:

  • URL. URL to exempt, as a string or a PCRE-format regular expression.
  • ISREGEX flag. REGEX if URL is a regular expression, NOTREGEX if URL is a fixed string.
  • Location. ELEMENT if the attachment is located in an XML element, ATTRIBUTE if located in an XML attribute.

isRegex Is a regular expression?

Possible values: REGEX, NOTREGEX

location Location of XSS injection exception - XML Element or Attribute. Default location is ‘ELEMENT’

Possible values: ELEMENT, ATTRIBUTE Default value: AS_XMLLOCATION_ELEMENT

contentType Add the specified content-type to the content-type list.Enclose content-type in double quotes to ensure preservation of any embedded spaces or non-alphanumeric characters.

excludeResContentType Add the specified content-type to the response content-type list that are to be excluded from inspection. Enclose content-type in double quotes to ensure preservation of any embedded spaces or non-alphanumeric characters.

CreditCardNumber Add expression to the list of object expression which are to be bypassed from safe commerce checks.

CreditCardNumberUrl The url for which the list of credit card numbers are needed to be bypassed from inspection

logExpression Bind specified logExpression to application firewall profile

expression Log expression. Maximum value: 1500

fileUploadType Protect web sites from unknown file upload types.. A file upload object consists of the following items:

  • Form field name. The name of the form field.
  • Form action URL. The form action URL for the web form.
  • File Type. Allowed file type.
  • Content Type. Request Content Type.

formActionURL FileUploadTypes action URL.

isRegex Is a regular expression?

Possible values: REGEX, NOTREGEX

fileType FileUploadTypes file types.

isAutoDeployed Is the rule auto deployed by dynamic profile ?

Possible values: AUTODEPLOYED, NOTAUTODEPLOYED

resourceId A “id” that identifies the rule.

RuleType Specifies rule type of binding

Possible values: ALLOW, DENY

add appfw profile

Creates an application firewall profile, which specifies how the application firewall should protect a given type of web content. (A profile is equivalent to an action in other Citrix ADC features.)

Synopsis

add appfw profile [-defaults ( basic | advanced )] [-startURLAction ...] [-inferContentTypeXmlPayloadAction ...] [-contentTypeAction ...] [-inspectContentTypes ...] [-startURLClosure ( ON | OFF )] [-denyURLAction ...] [-RefererHeaderCheck ] [-cookieConsistencyAction ...] [-cookieHijackingAction ...] [-cookieTransforms ( ON | OFF )] [-cookieEncryption ] [-cookieProxying ( none | sessionOnly )] [-addCookieFlags ] [-fieldConsistencyAction ...] [-CSRFtagAction ...] [-crossSiteScriptingAction ...] [-crossSiteScriptingTransformUnsafeHTML ( ON | OFF )] [-crossSiteScriptingCheckCompleteURLs ( ON | OFF )] [-SQLInjectionAction ...] [-CMDInjectionAction ...] [-CMDInjectionType ] [-SQLInjectionGrammar ( ON | OFF )] [-SQLInjectionTransformSpecialChars ( ON | OFF )] [-SQLInjectionType ] [-SQLInjectionCheckSQLWildChars ( ON | OFF )] [-fieldFormatAction ...] [-defaultFieldFormatType ] [-defaultFieldFormatMinLength ] [-defaultFieldFormatMaxLength ] [-bufferOverflowAction ...] [-bufferOverflowMaxURLLength ] [-bufferOverflowMaxHeaderLength ] [-bufferOverflowMaxCookieLength ] [-bufferOverflowMaxQueryLength ] [-bufferOverflowMaxTotalHeaderLength ] [-creditCardAction ...] [-creditCard ...] [-creditCardMaxAllowed ] [-creditCardXOut ( ON | OFF )] [-doSecureCreditCardLogging ( ON | OFF )] [-streaming ( ON | OFF )] [-trace ( ON | OFF )] [-requestContentType ] [-responseContentType ] [-JSONErrorObject ] [-JSONErrorStatusCode ] [-JSONErrorStatusMessage ] [-JSONDoSAction ...] [-JSONSQLInjectionAction ...] [-JSONSQLInjectionType ] [-JSONSQLInjectionGrammar ( ON | OFF )] [-JSONCMDInjectionAction ...] [-JSONCMDInjectionType ] [-JSONXSSAction ...] [-XMLDoSAction ...] [-XMLFormatAction ...] [-XMLSQLInjectionAction ...] [-XMLSQLInjectionType ] [-XMLSQLInjectionCheckSQLWildChars ( ON | OFF )] [-XMLSQLInjectionParseComments ] [-XMLXSSAction ...] [-XMLWSIAction ...] [-XMLAttachmentAction ...] [-XMLValidationAction ...] [-XMLErrorObject ] [-XMLErrorStatusCode ] [-XMLErrorStatusMessage ] [-signatures ] [-XMLSOAPFaultAction ...] [-useHTMLErrorObject ( ON | OFF )] [-errorURL ] [-HTMLErrorObject ] [-HTMLErrorStatusCode ] [-HTMLErrorStatusMessage ] [-logEveryPolicyHit ( ON | OFF )] [-stripHtmlComments ] [-stripXmlComments ( none | all )] [-exemptClosureURLsFromSecurityChecks ( ON | OFF )] [-defaultCharSet ] [-dynamicLearning ...] [-postBodyLimit ] [-postBodyLimitAction ...] [-postBodyLimitSignature ] [-fileUploadMaxNum ] [-canonicalizeHTMLResponse ( ON | OFF )] [-enableFormTagging ( ON | OFF )] [-sessionlessFieldConsistency ] [-sessionlessURLClosure ( ON | OFF )] [-semicolonFieldSeparator ( ON | OFF )] [-excludeFileUploadFromChecks ( ON | OFF )] [-SQLInjectionParseComments ] [-invalidPercentHandling ] [-type ...] [-checkRequestHeaders ( ON | OFF )] [-inspectQueryContentTypes ...] [-optimizePartialReqs ( ON | OFF )] [-URLDecodeRequestCookies ( ON | OFF )] [-comment ] [-percentDecodeRecursively ( ON | OFF )] [-multipleHeaderAction ...] [-rfcprofile ] [-fileUploadTypesAction ...] [-verboseLogLevel ] [-insertCookieSameSiteAttribute ( ON | OFF )] [-cookieSameSiteAttribute ] [-SQLInjectionRuleType ( ALLOW | DENY )]

Arguments

name Name for the profile. Must begin with a letter, number, or the underscore character (), and must contain only letters, numbers, and the hyphen (-), period (.), pound (#), space ( ), at (@), equals (=), colon (:), and underscore () characters. Cannot be changed after the profile is added.

The following requirement applies only to the Citrix ADC CLI: If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, “my profile” or ‘my profile’).

defaults Default configuration to apply to the profile. Basic defaults are intended for standard content that requires little further configuration, such as static web site content. Advanced defaults are intended for specialized content that requires significant specialized configuration, such as heavily scripted or dynamic content.

CLI users: When adding an application firewall profile, you can set either the defaults or the type, but not both. To set both options, create the profile by using the add appfw profile command, and then use the set appfw profile command to configure the other option.

Possible values: basic, advanced

startURLAction One or more Start URL actions. Available settings function as follows:

  • Block - Block connections that violate this security check.
  • Learn - Use the learning engine to generate a list of exceptions to this security check.
  • Log - Log violations of this security check.
  • Stats - Generate statistics for this security check.
  • None - Disable all actions for this security check.

CLI users: To enable one or more actions, type “set appfw profile -startURLaction” followed by the actions to be enabled. To turn off all actions, type “set appfw profile -startURLaction none”. Default value: AS_DEFAULT_DISPOSITION

inferContentTypeXmlPayloadAction One or more infer content type payload actions. Available settings function as follows:

  • Block - Block connections that have mismatch in content-type header and payload.
  • Log - Log connections that have mismatch in content-type header and payload. The mismatched content-type in HTTP request header will be logged for the request.
  • Stats - Generate statistics when there is mismatch in content-type header and payload.
  • None - Disable all actions for this security check.

CLI users: To enable one or more actions, type “set appfw profile -inferContentTypeXMLPayloadAction” followed by the actions to be enabled. To turn off all actions, type “set appfw profile -inferContentTypeXMLPayloadAction none”. Please note “none” action cannot be used with any other action type. Default value: AS_INFER_CONTENT_TYPE_XML_PAYLOAD_DEFAULT_DISPOSITION

contentTypeAction One or more Content-type actions. Available settings function as follows:

  • Block - Block connections that violate this security check.
  • Learn - Use the learning engine to generate a list of exceptions to this security check.
  • Log - Log violations of this security check.
  • Stats - Generate statistics for this security check.
  • None - Disable all actions for this security check.

CLI users: To enable one or more actions, type “set appfw profile -contentTypeaction” followed by the actions to be enabled. To turn off all actions, type “set appfw profile -contentTypeaction none”. Default value: AS_DEFAULT_CONTENT_TYPE_DISPOSITION

inspectContentTypes One or more InspectContentType lists.

  • application/x-www-form-urlencoded
  • multipart/form-data
  • text/x-gwt-rpc

CLI users: To enable, type “set appfw profile -InspectContentTypes” followed by the content types to be inspected. Default value: AS_DEFAULT_INSPECTION_CONTENT_TYPE

startURLClosure Toggle the state of Start URL Closure.

Possible values: ON, OFF Default value: OFF

denyURLAction One or more Deny URL actions. Available settings function as follows:

  • Block - Block connections that violate this security check.
  • Log - Log violations of this security check.
  • Stats - Generate statistics for this security check.
  • None - Disable all actions for this security check.

NOTE: The Deny URL check takes precedence over the Start URL check. If you enable blocking for the Deny URL check, the application firewall blocks any URL that is explicitly blocked by a Deny URL, even if the same URL would otherwise be allowed by the Start URL check.

CLI users: To enable one or more actions, type “set appfw profile -denyURLaction” followed by the actions to be enabled. To turn off all actions, type “set appfw profile -denyURLaction none”. Default value: AS_DEFAULT_DISPOSITION

RefererHeaderCheck Enable validation of Referer headers. Referer validation ensures that a web form that a user sends to your web site originally came from your web site, not an outside attacker. Although this parameter is part of the Start URL check, referer validation protects against cross-site request forgery (CSRF) attacks, not Start URL attacks.

Possible values: OFF, if_present, AlwaysExceptStartURLs, AlwaysExceptFirstRequest Default value: OFF

cookieConsistencyAction One or more Cookie Consistency actions. Available settings function as follows:

  • Block - Block connections that violate this security check.
  • Learn - Use the learning engine to generate a list of exceptions to this security check.
  • Log - Log violations of this security check.
  • Stats - Generate statistics for this security check.
  • None - Disable all actions for this security check.

CLI users: To enable one or more actions, type “set appfw profile -cookieConsistencyAction” followed by the actions to be enabled. To turn off all actions, type “set appfw profile -cookieConsistencyAction none”. Default value: none

cookieHijackingAction One or more actions to prevent cookie hijacking. Available settings function as follows:

  • Block - Block connections that violate this security check.
  • Log - Log violations of this security check.
  • Stats - Generate statistics for this security check.
  • None - Disable all actions for this security check. NOTE: Cookie Hijacking feature is not supported for TLSv1.3

CLI users: To enable one or more actions, type “set appfw profile -cookieHijackingAction” followed by the actions to be enabled. To turn off all actions, type “set appfw profile -cookieHijackingAction none”. Default value: none

cookieTransforms Perform the specified type of cookie transformation. Available settings function as follows:

  • Encryption - Encrypt cookies.
  • Proxying - Mask contents of server cookies by sending proxy cookie to users.
  • Cookie flags - Flag cookies as HTTP only to prevent scripts on user’s browser from accessing and possibly modifying them. CAUTION: Make sure that this parameter is set to ON if you are configuring any cookie transformations. If it is set to OFF, no cookie transformations are performed regardless of any other settings.

Possible values: ON, OFF Default value: OFF

cookieEncryption Type of cookie encryption. Available settings function as follows:

  • None - Do not encrypt cookies.
  • Decrypt Only - Decrypt encrypted cookies, but do not encrypt cookies.
  • Encrypt Session Only - Encrypt session cookies, but not permanent cookies.
  • Encrypt All - Encrypt all cookies.

Possible values: none, decryptOnly, encryptSessionOnly, encryptAll Default value: none

cookieProxying Cookie proxy setting. Available settings function as follows:

  • None - Do not proxy cookies.
  • Session Only - Proxy session cookies by using the Citrix ADC session ID, but do not proxy permanent cookies.

Possible values: none, sessionOnly Default value: none

addCookieFlags Add the specified flags to cookies. Available settings function as follows:

  • None - Do not add flags to cookies.
  • HTTP Only - Add the HTTP Only flag to cookies, which prevents scripts from accessing cookies.
  • Secure - Add Secure flag to cookies.
  • All - Add both HTTPOnly and Secure flags to cookies.

Possible values: none, httpOnly, secure, all Default value: none

fieldConsistencyAction One or more Form Field Consistency actions. Available settings function as follows:

  • Block - Block connections that violate this security check.
  • Learn - Use the learning engine to generate a list of exceptions to this security check.
  • Log - Log violations of this security check.
  • Stats - Generate statistics for this security check.
  • None - Disable all actions for this security check.

CLI users: To enable one or more actions, type “set appfw profile -fieldConsistencyaction” followed by the actions to be enabled. To turn off all actions, type “set appfw profile -fieldConsistencyAction none”. Default value: none

CSRFtagAction One or more Cross-Site Request Forgery (CSRF) Tagging actions. Available settings function as follows:

  • Block - Block connections that violate this security check.
  • Learn - Use the learning engine to generate a list of exceptions to this security check.
  • Log - Log violations of this security check.
  • Stats - Generate statistics for this security check.
  • None - Disable all actions for this security check.

CLI users: To enable one or more actions, type “set appfw profile -CSRFTagAction” followed by the actions to be enabled. To turn off all actions, type “set appfw profile -CSRFTagAction none”. Default value: none

crossSiteScriptingAction One or more Cross-Site Scripting (XSS) actions. Available settings function as follows:

  • Block - Block connections that violate this security check.
  • Learn - Use the learning engine to generate a list of exceptions to this security check.
  • Log - Log violations of this security check.
  • Stats - Generate statistics for this security check.
  • None - Disable all actions for this security check.

CLI users: To enable one or more actions, type “set appfw profile -crossSiteScriptingAction” followed by the actions to be enabled. To turn off all actions, type “set appfw profile -crossSiteScriptingAction none”. Default value: AS_DEFAULT_DISPOSITION

crossSiteScriptingTransformUnsafeHTML Transform cross-site scripts. This setting configures the application firewall to disable dangerous HTML instead of blocking the request. CAUTION: Make sure that this parameter is set to ON if you are configuring any cross-site scripting transformations. If it is set to OFF, no cross-site scripting transformations are performed regardless of any other settings.

Possible values: ON, OFF Default value: OFF

crossSiteScriptingCheckCompleteURLs Check complete URLs for cross-site scripts, instead of just the query portions of URLs.

Possible values: ON, OFF Default value: OFF

SQLInjectionAction One or more HTML SQL Injection actions. Available settings function as follows:

  • Block - Block connections that violate this security check.
  • Learn - Use the learning engine to generate a list of exceptions to this security check.
  • Log - Log violations of this security check.
  • Stats - Generate statistics for this security check.
  • None - Disable all actions for this security check.

CLI users: To enable one or more actions, type “set appfw profile -SQLInjectionAction” followed by the actions to be enabled. To turn off all actions, type “set appfw profile -SQLInjectionAction none”. Default value: AS_DEFAULT_DISPOSITION

CMDInjectionAction Command injection action. Available settings function as follows:

  • Block - Block connections that violate this security check.
  • Log - Log violations of this security check.
  • Stats - Generate statistics for this security check.
  • None - Disable all actions for this security check.

CLI users: To enable one or more actions, type “set appfw profile -cmdInjectionAction” followed by the actions to be enabled. To turn off all actions, type “set appfw profile -cmdInjectionAction none”. Default value: none

CMDInjectionType Available CMD injection types. -CMDSplChar : Checks for CMD Special Chars -CMDKeyword : Checks for CMD Keywords -CMDSplCharANDKeyword : Checks for both and blocks if both are found -CMDSplCharORKeyword : Checks for both and blocks if anyone is found

Possible values: CMDSplChar, CMDKeyword, CMDSplCharORKeyword, CMDSplCharANDKeyword Default value: CMDSplCharANDKeyword

SQLInjectionGrammar Check for SQL injection using SQL grammar

Possible values: ON, OFF Default value: OFF

SQLInjectionTransformSpecialChars Transform injected SQL code. This setting configures the application firewall to disable SQL special strings instead of blocking the request. Since most SQL servers require a special string to activate an SQL keyword, in most cases a request that contains injected SQL code is safe if special strings are disabled. CAUTION: Make sure that this parameter is set to ON if you are configuring any SQL injection transformations. If it is set to OFF, no SQL injection transformations are performed regardless of any other settings.

Possible values: ON, OFF Default value: OFF

SQLInjectionType Available SQL injection types. -SQLSplChar : Checks for SQL Special Chars -SQLKeyword : Checks for SQL Keywords -SQLSplCharANDKeyword : Checks for both and blocks if both are found -SQLSplCharORKeyword : Checks for both and blocks if anyone is found -None : Disables checking using both SQL Special Char and Keyword

Possible values: SQLSplChar, SQLKeyword, SQLSplCharORKeyword, SQLSplCharANDKeyword, None Default value: SQLSplCharANDKeyword

SQLInjectionCheckSQLWildChars Check for form fields that contain SQL wild chars .

Possible values: ON, OFF Default value: OFF

fieldFormatAction One or more Field Format actions. Available settings function as follows:

  • Block - Block connections that violate this security check.
  • Learn - Use the learning engine to generate a list of suggested web form fields and field format assignments.
  • Log - Log violations of this security check.
  • Stats - Generate statistics for this security check.
  • None - Disable all actions for this security check.

CLI users: To enable one or more actions, type “set appfw profile -fieldFormatAction” followed by the actions to be enabled. To turn off all actions, type “set appfw profile -fieldFormatAction none”. Default value: AS_DEFAULT_DISPOSITION

defaultFieldFormatType Designate a default field type to be applied to web form fields that do not have a field type explicitly assigned to them.

defaultFieldFormatMinLength Minimum length, in characters, for data entered into a field that is assigned the default field type. To disable the minimum and maximum length settings and allow data of any length to be entered into the field, set this parameter to zero (0). Default value: 0 Minimum value: 0 Maximum value: 2147483647

defaultFieldFormatMaxLength Maximum length, in characters, for data entered into a field that is assigned the default field type. Default value: 65535 Minimum value: 1 Maximum value: 2147483647

bufferOverflowAction One or more Buffer Overflow actions. Available settings function as follows:

  • Block - Block connections that violate this security check.
  • Log - Log violations of this security check.
  • Stats - Generate statistics for this security check.
  • None - Disable all actions for this security check.

CLI users: To enable one or more actions, type “set appfw profile -bufferOverflowAction” followed by the actions to be enabled. To turn off all actions, type “set appfw profile -bufferOverflowAction none”. Default value: AS_DEFAULT_DISPOSITION

bufferOverflowMaxURLLength Maximum length, in characters, for URLs on your protected web sites. Requests with longer URLs are blocked. Default value: 1024 Minimum value: 0 Maximum value: 65535

bufferOverflowMaxHeaderLength Maximum length, in characters, for HTTP headers in requests sent to your protected web sites. Requests with longer headers are blocked. Default value: 4096 Minimum value: 0 Maximum value: 65535

bufferOverflowMaxCookieLength Maximum length, in characters, for cookies sent to your protected web sites. Requests with longer cookies are blocked. Default value: 4096 Minimum value: 0 Maximum value: 65535

bufferOverflowMaxQueryLength Maximum length, in bytes, for query string sent to your protected web sites. Requests with longer query strings are blocked. Default value: 65535 Minimum value: 0 Maximum value: 65535

bufferOverflowMaxTotalHeaderLength Maximum length, in bytes, for the total HTTP header length in requests sent to your protected web sites. The minimum value of this and maxHeaderLen in httpProfile will be used. Requests with longer length are blocked. Default value: 65535 Minimum value: 0 Maximum value: 65535

creditCardAction One or more Credit Card actions. Available settings function as follows:

  • Block - Block connections that violate this security check.
  • Log - Log violations of this security check.
  • Stats - Generate statistics for this security check.
  • None - Disable all actions for this security check.

CLI users: To enable one or more actions, type “set appfw profile -creditCardAction” followed by the actions to be enabled. To turn off all actions, type “set appfw profile -creditCardAction none”. Default value: none

creditCard Credit card types that the application firewall should protect. Default value: none

creditCardMaxAllowed This parameter value is used by the block action. It represents the maximum number of credit card numbers that can appear on a web page served by your protected web sites. Pages that contain more credit card numbers are blocked. Minimum value: 0 Maximum value: 255

creditCardXOut Mask any credit card number detected in a response by replacing each digit, except the digits in the final group, with the letter “X.”

Possible values: ON, OFF Default value: OFF

doSecureCreditCardLogging Setting this option logs credit card numbers in the response when the match is found.

Possible values: ON, OFF Default value: ON

streaming Setting this option converts content-length form submission requests (requests with content-type “application/x-www-form-urlencoded” or “multipart/form-data”) to chunked requests when atleast one of the following protections : Signatures, SQL injection protection, XSS protection, form field consistency protection, starturl closure, CSRF tagging, JSON SQL, JSON XSS, JSON DOS is enabled. Please make sure that the backend server accepts chunked requests before enabling this option. Citrix recommends enabling this option for large request sizes(>20MB).

Possible values: ON, OFF Default value: OFF

trace Toggle the state of trace

Possible values: ON, OFF Default value: OFF

requestContentType Default Content-Type header for requests. A Content-Type header can contain 0-255 letters, numbers, and the hyphen (-) and underscore (_) characters. Default value: NS_S_AS_DEFAULT_REQUEST_CONTENT_TYPE

responseContentType Default Content-Type header for responses. A Content-Type header can contain 0-255 letters, numbers, and the hyphen (-) and underscore (_) characters. Default value: NS_S_AS_DEFAULT_RESPONSE_CONTENT_TYPE

JSONErrorObject Name to the imported JSON Error Object to be set on application firewall profile.

The following requirement applies only to the Citrix ADC CLI: If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, “my JSON error object” or ‘my JSON error object’). Default value: NS_S_AS_ERROR_OBJECT_DEFAULT

JSONErrorStatusCode Response status code associated with JSON error page Default value: 200 Minimum value: 1 Maximum value: 999

JSONErrorStatusMessage Response status message associated with JSON error page Default value: NS_S_AS_ERROR_CODE_DESCRIPTION_DEFAULT

JSONDoSAction One or more JSON Denial-of-Service (JsonDoS) actions. Available settings function as follows:

  • Block - Block connections that violate this security check.
  • Log - Log violations of this security check.
  • Stats - Generate statistics for this security check.
  • None - Disable all actions for this security check.

CLI users: To enable one or more actions, type “set appfw profile -JSONDoSAction” followed by the actions to be enabled. To turn off all actions, type “set appfw profile -JSONDoSAction none”. Default value: AS_DEFAULT_DISPOSITION

JSONSQLInjectionAction One or more JSON SQL Injection actions. Available settings function as follows:

  • Block - Block connections that violate this security check.
  • Log - Log violations of this security check.
  • Stats - Generate statistics for this security check.
  • None - Disable all actions for this security check.

CLI users: To enable one or more actions, type “set appfw profile -JSONSQLInjectionAction” followed by the actions to be enabled. To turn off all actions, type “set appfw profile -JSONSQLInjectionAction none”. Default value: AS_DEFAULT_DISPOSITION

JSONSQLInjectionType Available SQL injection types. -SQLSplChar : Checks for SQL Special Chars -SQLKeyword : Checks for SQL Keywords -SQLSplCharANDKeyword : Checks for both and blocks if both are found -SQLSplCharORKeyword : Checks for both and blocks if anyone is found, -None : Disables checking using both SQL Special Char and Keyword

Possible values: SQLSplChar, SQLKeyword, SQLSplCharORKeyword, SQLSplCharANDKeyword, None Default value: SQLSplCharANDKeyword

JSONSQLInjectionGrammar Check for SQL injection using SQL grammar in JSON

Possible values: ON, OFF Default value: OFF

JSONCMDInjectionAction One or more JSON CMD Injection actions. Available settings function as follows:

  • Block - Block connections that violate this security check.
  • Log - Log violations of this security check.
  • Stats - Generate statistics for this security check.
  • None - Disable all actions for this security check.

CLI users: To enable one or more actions, type “set appfw profile -JSONCMDInjectionAction” followed by the actions to be enabled. To turn off all actions, type “set appfw profile -JSONCMDInjectionAction none”. Default value: AS_DEFAULT_DISPOSITION

JSONCMDInjectionType Available CMD injection types. -CMDSplChar : Checks for CMD Special Chars -CMDKeyword : Checks for CMD Keywords -CMDSplCharANDKeyword : Checks for both and blocks if both are found -CMDSplCharORKeyword : Checks for both and blocks if anyone is found

Possible values: CMDSplChar, CMDKeyword, CMDSplCharORKeyword, CMDSplCharANDKeyword Default value: CMDSplCharANDKeyword

JSONXSSAction One or more JSON Cross-Site Scripting actions. Available settings function as follows:

  • Block - Block connections that violate this security check.
  • Log - Log violations of this security check.
  • Stats - Generate statistics for this security check.
  • None - Disable all actions for this security check.

CLI users: To enable one or more actions, type “set appfw profile -JSONXssAction” followed by the actions to be enabled. To turn off all actions, type “set appfw profile -JSONXssAction none”. Default value: AS_DEFAULT_DISPOSITION

XMLDoSAction One or more XML Denial-of-Service (XDoS) actions. Available settings function as follows:

  • Block - Block connections that violate this security check.
  • Learn - Use the learning engine to generate a list of exceptions to this security check.
  • Log - Log violations of this security check.
  • Stats - Generate statistics for this security check.
  • None - Disable all actions for this security check.

CLI users: To enable one or more actions, type “set appfw profile -XMLDoSAction” followed by the actions to be enabled. To turn off all actions, type “set appfw profile -XMLDoSAction none”. Default value: AS_DEFAULT_DISPOSITION

XMLFormatAction One or more XML Format actions. Available settings function as follows:

  • Block - Block connections that violate this security check.
  • Log - Log violations of this security check.
  • Stats - Generate statistics for this security check.
  • None - Disable all actions for this security check.

CLI users: To enable one or more actions, type “set appfw profile -XMLFormatAction” followed by the actions to be enabled. To turn off all actions, type “set appfw profile -XMLFormatAction none”. Default value: AS_DEFAULT_DISPOSITION

XMLSQLInjectionAction One or more XML SQL Injection actions. Available settings function as follows:

  • Block - Block connections that violate this security check.
  • Log - Log violations of this security check.
  • Stats - Generate statistics for this security check.
  • None - Disable all actions for this security check.

CLI users: To enable one or more actions, type “set appfw profile -XMLSQLInjectionAction” followed by the actions to be enabled. To turn off all actions, type “set appfw profile -XMLSQLInjectionAction none”. Default value: AS_DEFAULT_DISPOSITION

XMLSQLInjectionType Available SQL injection types. -SQLSplChar : Checks for SQL Special Chars -SQLKeyword : Checks for SQL Keywords -SQLSplCharANDKeyword : Checks for both and blocks if both are found -SQLSplCharORKeyword : Checks for both and blocks if anyone is found

Possible values: SQLSplChar, SQLKeyword, SQLSplCharORKeyword, SQLSplCharANDKeyword, None Default value: SQLSplCharANDKeyword

XMLSQLInjectionCheckSQLWildChars Check for form fields that contain SQL wild chars .

Possible values: ON, OFF Default value: OFF

XMLSQLInjectionParseComments Parse comments in XML Data and exempt those sections of the request that are from the XML SQL Injection check. You must configure the type of comments that the application firewall is to detect and exempt from this security check. Available settings function as follows:

  • Check all - Check all content.
  • ANSI - Exempt content that is part of an ANSI (Mozilla-style) comment.
  • Nested - Exempt content that is part of a nested (Microsoft-style) comment.
  • ANSI Nested - Exempt content that is part of any type of comment.

Possible values: checkall, ansi, nested, ansinested Default value: checkall

XMLXSSAction One or more XML Cross-Site Scripting actions. Available settings function as follows:

  • Block - Block connections that violate this security check.
  • Log - Log violations of this security check.
  • Stats - Generate statistics for this security check.
  • None - Disable all actions for this security check.

CLI users: To enable one or more actions, type “set appfw profile -XMLXSSAction” followed by the actions to be enabled. To turn off all actions, type “set appfw profile -XMLXSSAction none”. Default value: AS_DEFAULT_DISPOSITION

XMLWSIAction One or more Web Services Interoperability (WSI) actions. Available settings function as follows:

  • Block - Block connections that violate this security check.
  • Learn - Use the learning engine to generate a list of exceptions to this security check.
  • Log - Log violations of this security check.
  • Stats - Generate statistics for this security check.
  • None - Disable all actions for this security check.

CLI users: To enable one or more actions, type “set appfw profile -XMLWSIAction” followed by the actions to be enabled. To turn off all actions, type “set appfw profile -XMLWSIAction none”. Default value: AS_DEFAULT_DISPOSITION

XMLAttachmentAction One or more XML Attachment actions. Available settings function as follows:

  • Block - Block connections that violate this security check.
  • Learn - Use the learning engine to generate a list of exceptions to this security check.
  • Log - Log violations of this security check.
  • Stats - Generate statistics for this security check.
  • None - Disable all actions for this security check.

CLI users: To enable one or more actions, type “set appfw profile -XMLAttachmentAction” followed by the actions to be enabled. To turn off all actions, type “set appfw profile -XMLAttachmentAction none”. Default value: AS_DEFAULT_DISPOSITION

XMLValidationAction One or more XML Validation actions. Available settings function as follows:

  • Block - Block connections that violate this security check.
  • Log - Log violations of this security check.
  • Stats - Generate statistics for this security check.
  • None - Disable all actions for this security check.

CLI users: To enable one or more actions, type “set appfw profile -XMLValidationAction” followed by the actions to be enabled. To turn off all actions, type “set appfw profile -XMLValidationAction none”. Default value: AS_DEFAULT_DISPOSITION

XMLErrorObject Name to assign to the XML Error Object, which the application firewall displays when a user request is blocked. Must begin with a letter, number, or the underscore character (_), and must contain only letters, numbers, and the hyphen (-), period (.) pound (#), space ( ), at (@), equals (=), colon (:), and underscore characters. Cannot be changed after the XML error object is added.

The following requirement applies only to the Citrix ADC CLI: If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, “my XML error object” or ‘my XML error object’). Default value: NS_S_AS_ERROR_OBJECT_DEFAULT

XMLErrorStatusCode Response status code associated with XML error page Default value: 200 Minimum value: 1 Maximum value: 999

XMLErrorStatusMessage Response status message associated with XML error page Default value: NS_S_AS_ERROR_CODE_DESCRIPTION_DEFAULT

signatures Object name for signatures. This check is applicable to Profile Type: HTML, XML. Default value: NS_S_AS_CUSTOM_OBJECT_DEFAULT

XMLSOAPFaultAction One or more XML SOAP Fault Filtering actions. Available settings function as follows:

  • Block - Block connections that violate this security check.
  • Log - Log violations of this security check.
  • Stats - Generate statistics for this security check.
  • None - Disable all actions for this security check.
  • Remove - Remove all violations for this security check.

CLI users: To enable one or more actions, type “set appfw profile -XMLSOAPFaultAction” followed by the actions to be enabled. To turn off all actions, type “set appfw profile -XMLSOAPFaultAction none”. Default value: AS_DEFAULT_DISPOSITION

useHTMLErrorObject Send an imported HTML Error object to a user when a request is blocked, instead of redirecting the user to the designated Error URL.

Possible values: ON, OFF Default value: OFF

errorURL URL that application firewall uses as the Error URL. Default value: NS_S_AS_ERROR_URL_DEFAULT

HTMLErrorObject Name to assign to the HTML Error Object. Must begin with a letter, number, or the underscore character (_), and must contain only letters, numbers, and the hyphen (-), period (.) pound (#), space ( ), at (@), equals (=), colon (:), and underscore characters. Cannot be changed after the HTML error object is added.

The following requirement applies only to the Citrix ADC CLI: If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, “my HTML error object” or ‘my HTML error object’). Default value: NS_S_AS_ERROR_OBJECT_DEFAULT

HTMLErrorStatusCode Response status code associated with HTML error page Default value: 200 Minimum value: 1 Maximum value: 999

HTMLErrorStatusMessage Response status message associated with HTML error page Default value: NS_S_AS_ERROR_CODE_DESCRIPTION_DEFAULT

logEveryPolicyHit Log every profile match, regardless of security checks results.

Possible values: ON, OFF Default value: OFF

stripHtmlComments Strip HTML comments before forwarding a web page sent by a protected web site in response to a user request.

Possible values: none, all, exclude_script_tag Default value: none

stripXmlComments Strip XML comments before forwarding a web page sent by a protected web site in response to a user request.

Possible values: none, all Default value: none

exemptClosureURLsFromSecurityChecks Exempt URLs that pass the Start URL closure check from SQL injection, cross-site script, field format and field consistency security checks at locations other than headers.

Possible values: ON, OFF Default value: ON

defaultCharSet Default character set for protected web pages. Web pages sent by your protected web sites in response to user requests are assigned this character set if the page does not already specify a character set. The character sets supported by the application firewall are:

  • iso-8859-1 (English US)
  • big5 (Chinese Traditional)
  • gb2312 (Chinese Simplified)
  • sjis (Japanese Shift-JIS)
  • euc-jp (Japanese EUC-JP)
  • iso-8859-9 (Turkish)
  • utf-8 (Unicode)
  • euc-kr (Korean) Default value: NS_S_AS_CHARSET_DEFAULT Maximum value: 31

dynamicLearning One or more security checks. Available options are as follows:

  • SQLInjection - Enable dynamic learning for SQLInjection security check.
  • CrossSiteScripting - Enable dynamic learning for CrossSiteScripting security check.
  • fieldFormat - Enable dynamic learning for fieldFormat security check.
  • None - Disable security checks for all security checks.

CLI users: To enable dynamic learning on one or more security checks, type “set appfw profile -dynamicLearning” followed by the security checks to be enabled. To turn off dynamic learning on all security checks, type “set appfw profile -dynamicLearning none”. Default value: AS_DYNAMIC_LEARNING_SECURITY_CHECK_DEFAULT

postBodyLimit Maximum allowed HTTP post body size, in bytes. Maximum supported value is 10GB. Citrix recommends enabling streaming option for large values of post body limit (>20MB). Default value: 20000000 Minimum value: 0

postBodyLimitAction One or more Post Body Limit actions. Available settings function as follows:

  • Block - Block connections that violate this security check. Must always be set.
  • Log - Log violations of this security check.
  • Stats - Generate statistics for this security check.

CLI users: To enable one or more actions, type “set appfw profile -PostBodyLimitAction block” followed by the other actions to be enabled. Default value: AS_DEFAULT_POSTBODYLIMIT_DISPOSITION

postBodyLimitSignature Maximum allowed HTTP post body size for signature inspection for location HTTP_POST_BODY in the signatures, in bytes. Note that the changes in value could impact CPU and latency profile. Default value: 2048 Minimum value: 0

fileUploadMaxNum Maximum allowed number of file uploads per form-submission request. The maximum setting (65535) allows an unlimited number of uploads. Default value: 65535 Minimum value: 0 Maximum value: 65535

canonicalizeHTMLResponse Perform HTML entity encoding for any special characters in responses sent by your protected web sites.

Possible values: ON, OFF Default value: ON

enableFormTagging Enable tagging of web form fields for use by the Form Field Consistency and CSRF Form Tagging checks.

Possible values: ON, OFF Default value: ON

sessionlessFieldConsistency Perform sessionless Field Consistency Checks.

Possible values: OFF, ON, postOnly Default value: OFF

sessionlessURLClosure Enable session less URL Closure Checks. This check is applicable to Profile Type: HTML.

Possible values: ON, OFF Default value: OFF

semicolonFieldSeparator Allow ‘;’ as a form field separator in URL queries and POST form bodies.

Possible values: ON, OFF Default value: OFF

excludeFileUploadFromChecks Exclude uploaded files from Form checks.

Possible values: ON, OFF Default value: OFF

SQLInjectionParseComments Parse HTML comments and exempt them from the HTML SQL Injection check. You must specify the type of comments that the application firewall is to detect and exempt from this security check. Available settings function as follows:

  • Check all - Check all content.
  • ANSI - Exempt content that is part of an ANSI (Mozilla-style) comment.
  • Nested - Exempt content that is part of a nested (Microsoft-style) comment.
  • ANSI Nested - Exempt content that is part of any type of comment.

Possible values: checkall, ansi, nested, ansinested Default value: AS_DEFAULT_SQLINJECTIONPARSECOMMENTS

invalidPercentHandling Configure the method that the application firewall uses to handle percent-encoded names and values. Available settings function as follows:

  • apache_mode - Apache format.
  • asp_mode - Microsoft ASP format.
  • secure_mode - Secure format.

Possible values: apache_mode, asp_mode, secure_mode Default value: secure_mode

type Application firewall profile type, which controls which security checks and settings are applied to content that is filtered with the profile. Available settings function as follows:

  • HTML - HTML-based web sites.
  • XML - XML-based web sites and services.
  • JSON - JSON-based web sites and services.
  • HTML XML (Web 2.0) - Sites that contain both HTML and XML content, such as ATOM feeds, blogs, and RSS feeds.
  • HTML JSON - Sites that contain both HTML and JSON content.
  • XML JSON - Sites that contain both XML and JSON content.
  • HTML XML JSON - Sites that contain HTML, XML and JSON content. Default value: HTML

checkRequestHeaders Check request headers as well as web forms for injected SQL and cross-site scripts.

Possible values: ON, OFF Default value: OFF

inspectQueryContentTypes Inspect request query as well as web forms for injected SQL and cross-site scripts for following content types. Default value: AS_INSPECT_QUERY_DEFAULT

optimizePartialReqs Optimize handle of HTTP partial requests i.e. those with range headers. Available settings are as follows:

  • ON - Partial requests by the client result in partial requests to the backend server in most cases.
  • OFF - Partial requests by the client are changed to full requests to the backend server

Possible values: ON, OFF Default value: ON

URLDecodeRequestCookies URL Decode request cookies before subjecting them to SQL and cross-site scripting checks.

Possible values: ON, OFF Default value: OFF

comment Any comments about the purpose of profile, or other useful information about the profile.

percentDecodeRecursively Configure whether the application firewall should use percentage recursive decoding

Possible values: ON, OFF Default value: ON

multipleHeaderAction One or more multiple header actions. Available settings function as follows:

  • Block - Block connections that have multiple headers.
  • Log - Log connections that have multiple headers.
  • KeepLast - Keep only last header when multiple headers are present.

CLI users: To enable one or more actions, type “set appfw profile -multipleHeaderAction” followed by the actions to be enabled. Default value: AS_MULTIPLE_HEADER_DEFAULT_DISPOSITION

rfcprofile Object name of the rfc profile. Default value: NS_S_AS_RFC_PROFILE_DEFAULT

fileUploadTypesAction One or more file upload types actions. Available settings function as follows:

  • Block - Block connections that violate this security check.
  • Log - Log violations of this security check.
  • Stats - Generate statistics for this security check.
  • None - Disable all actions for this security check.

CLI users: To enable one or more actions, type “set appfw profile -fileUploadTypeAction” followed by the actions to be enabled. To turn off all actions, type “set appfw profile -fileUploadTypeAction none”. Default value: AS_DEFAULT_DISPOSITION

verboseLogLevel Detailed Logging Verbose Log Level.

Possible values: pattern, patternPayload, patternPayloadHeader Default value: pattern

insertCookieSameSiteAttribute Configure whether application firewall should add samesite attribute for set-cookies

Possible values: ON, OFF Default value: OFF

cookieSameSiteAttribute Cookie Samesite attribute added to support adding cookie SameSite attribute for all set-cookies including appfw session cookies. Default value will be “SameSite=Lax”.

Possible values: None, LAX, STRICT Default value: LAX

SQLInjectionRuleType Specifies SQL Injection rule type: ALLOW/DENY. If ALLOW rule type is configured then allow list rules are used, if DENY rule type is configured then deny rules are used.

Possible values: ALLOW, DENY Default value: ALLOW

restore appfw profile

Restore configuration from archive file

Synopsis

restore appfw profile [-relaxationRules] [-importProfileName ] [-matchUrlString ] [-replaceUrlString ] [-overwrite] [-augment]

Arguments

archivename Source for tar archive.

relaxationRules Import all appfw relaxation rules

importProfileName Name of the profile which will be created/updated to associate the relaxation rules

matchUrlString Match this action url in archived Relaxation Rules to replace.

replaceUrlString Replace matched url string with this action url string while restoring Relaxation Rules

overwrite Purge existing Relaxation Rules and replace during import

augment Augment Relaxation Rules during import

unset appfw profile

Use this command to remove appfw profile settings.Refer to the set appfw profile command for meanings of the arguments.

Synopsis

unset appfw profile [-startURLAction] [-inferContentTypeXmlPayloadAction] [-contentTypeAction] [-inspectContentTypes] [-startURLClosure] [-denyURLAction] [-RefererHeaderCheck] [-cookieConsistencyAction] [-cookieHijackingAction] [-cookieTransforms] [-cookieEncryption] [-cookieProxying] [-addCookieFlags] [-fieldConsistencyAction] [-CSRFtagAction] [-crossSiteScriptingAction] [-crossSiteScriptingTransformUnsafeHTML] [-crossSiteScriptingCheckCompleteURLs] [-SQLInjectionAction] [-CMDInjectionAction] [-CMDInjectionType] [-SQLInjectionTransformSpecialChars] [-SQLInjectionType] [-SQLInjectionCheckSQLWildChars] [-SQLInjectionGrammar] [-fieldFormatAction] [-defaultFieldFormatType] [-defaultFieldFormatMinLength] [-defaultFieldFormatMaxLength] [-bufferOverflowAction] [-bufferOverflowMaxURLLength] [-bufferOverflowMaxHeaderLength] [-bufferOverflowMaxCookieLength] [-bufferOverflowMaxQueryLength] [-bufferOverflowMaxTotalHeaderLength] [-creditCardAction] [-creditCard] [-creditCardMaxAllowed] [-creditCardXOut] [-doSecureCreditCardLogging] [-streaming] [-trace] [-requestContentType] [-responseContentType] [-JSONErrorObject] [-JSONErrorStatusCode] [-JSONErrorStatusMessage] [-JSONDoSAction] [-JSONSQLInjectionAction] [-JSONSQLInjectionType] [-JSONSQLInjectionGrammar] [-JSONCMDInjectionAction] [-JSONCMDInjectionType] [-JSONXSSAction] [-XMLDoSAction] [-XMLFormatAction] [-XMLSQLInjectionAction] [-XMLSQLInjectionType] [-XMLSQLInjectionCheckSQLWildChars] [-XMLSQLInjectionParseComments] [-XMLXSSAction] [-XMLWSIAction] [-XMLAttachmentAction] [-XMLValidationAction] [-XMLErrorObject] [-XMLErrorStatusCode] [-XMLErrorStatusMessage] [-signatures] [-XMLSOAPFaultAction] [-useHTMLErrorObject] [-errorURL] [-HTMLErrorObject] [-HTMLErrorStatusCode] [-HTMLErrorStatusMessage] [-logEveryPolicyHit] [-stripHtmlComments] [-stripXmlComments] [-dynamicLearning] [-exemptClosureURLsFromSecurityChecks] [-defaultCharSet] [-postBodyLimit] [-postBodyLimitAction] [-postBodyLimitSignature] [-fileUploadMaxNum] [-canonicalizeHTMLResponse] [-enableFormTagging] [-sessionlessFieldConsistency] [-sessionlessURLClosure] [-semicolonFieldSeparator] [-excludeFileUploadFromChecks] [-SQLInjectionParseComments] [-invalidPercentHandling] [-type] [-checkRequestHeaders] [-inspectQueryContentTypes] [-optimizePartialReqs] [-URLDecodeRequestCookies] [-comment] [-percentDecodeRecursively] [-multipleHeaderAction] [-rfcprofile] [-fileUploadTypesAction] [-verboseLogLevel] [-insertCookieSameSiteAttribute] [-cookieSameSiteAttribute] [-SQLInjectionRuleType]

rm appfw profile

Removes the specified application firewall profile.

Synopsis

rm appfw profile

Arguments

name Name of the profile.

unbind appfw profile

Unbinds the specified exemption (relaxation) or rule from the specified application firewall profile. See the bind appfw profile command for a description of the parameters.

Synopsis

unbind appfw profile (-startURL | -denyURL | (-fieldConsistency ) | -cookieConsistency | (-SQLInjection [-location ] [-valueType []] [-RuleType ( ALLOW | DENY )]) | (-CMDInjection [-location ] [-valueType ( Keyword | SpecialString ) []]) | (-CSRFTag ) | (-crossSiteScripting [-location ] [-valueType []]) | (-fieldFormat ) | -safeObject | -trustedLearningClients <ip_addr[/prefix]|ipv6_addr[/prefix]> | -JSONXSSURL | -JSONSQLURL | -JSONCMDURL | -JSONDoSURL | -XMLDoSURL | -XMLWSIURL | -XMLValidationURL | -XMLAttachmentURL | (-XMLSQLInjection [-location ( ELEMENT | ATTRIBUTE )]) | (-XMLXSS [-location ( ELEMENT | ATTRIBUTE )]) | -contentType | -excludeResContentType | (-CreditCardNumber ) | -logExpression | (-fileUploadType [-fileType ...]))

Arguments

name Name of the exemption (relaxation) or rule that you want to unbind.

startURL Start URL regular expression.

denyURL Deny URL regular expression.

fieldConsistency Form field name.

formActionURL Form action URL.

cookieConsistency Cookie name.

SQLInjection Form field, header or cookie name.

formActionURL Form action URL for exceptions in fields, or request URL for exceptions in headers and cookies.

location Location of SQL injection exception - form field, header or cookie.

Possible values: FORMFIELD, HEADER, COOKIE

valueType The web form value type.

Possible values: Keyword, SpecialString, Wildchar

valueExpression The web form value expression.

CMDInjection Form field, header or cookie name.

formActionURL Form action URL for exceptions in fields, or request URL for exceptions in headers and cookies.

location Location of command injection exception - form field, header or cookie.

Possible values: FORMFIELD, HEADER, COOKIE

valueType Type of the relaxed web form value

Possible values: Keyword, SpecialString

valueExpression The web form/header/cookie value expression.

CSRFTag CSRF Form origin URL. This binding is applicable to Profile Type: HTML.

CSRFFormActionURL CSRF form action URL.

crossSiteScripting Form field, header, cookie name or ‘.*’ for url.

formActionURL Form action URL for exceptions in fields, or request URL for exceptions in headers, cookies and url.

location Location of cross-site scripting exception - form field, header, cookie or URL.

Possible values: FORMFIELD, HEADER, COOKIE, URL

valueType The web form value type.

Possible values: Tag, Attribute, Pattern

valueExpression The web form value expression.

fieldFormat Field format name.

formActionURL Form action URL.

safeObject Safe Object name.

trustedLearningClients Trusted learning Clients IP

JSONXSSURL A regular expression that designates a URL on the Json XSS URL list for which XSS violations are relaxed. Enclose URLs in double quotes to ensure preservation of any embedded spaces or non-alphanumeric characters.

JSONSQLURL A regular expression that designates a URL on the Json SQL URL list for which SQL violations are relaxed. Enclose URLs in double quotes to ensure preservation of any embedded spaces or non-alphanumeric characters.

JSONCMDURL A regular expression that designates a URL on the Json CMD URL list for which Command injection violations are relaxed. Enclose URLs in double quotes to ensure preservation of any embedded spaces or non-alphanumeric characters.

JSONDoSURL The URL on which we need to enforce the specified JSON denial-of-service (JSONDoS) attack protections. An JSON DoS configuration consists of the following items:

  • URL. PCRE-format regular expression for the URL.
  • Maximum-document-length-check toggle. ON to enable this check, OFF to disable it.
  • Maximum document length. Positive integer representing the maximum length of the JSON document.
  • Maximum-container-depth-check toggle. ON to enable, OFF to disable.
  • Maximum container depth. Positive integer representing the maximum container depth of the JSON document.
  • Maximum-object-key-count-check toggle. ON to enable, OFF to disable.
  • Maximum object key count. Positive integer representing the maximum allowed number of keys in any of the JSON object.
  • Maximum-object-key-length-check toggle. ON to enable, OFF to disable.
  • Maximum object key length. Positive integer representing the maximum allowed length of key in any of the JSON object.
  • Maximum-array-value-count-check toggle. ON to enable, OFF to disable.
  • Maximum array value count. Positive integer representing the maximum allowed number of values in any of the JSON array.
  • Maximum-string-length-check toggle. ON to enable, OFF to disable.
  • Maximum string length. Positive integer representing the maximum length of string in JSON.

XMLDoSURL XML DoS URL regular expression.

XMLWSIURL XML WS-I URL regular expression.

XMLValidationURL XML Message URL regular expression.

XMLAttachmentURL XML Attachment URL regular expression.

XMLSQLInjection Exempt the specified URL from the XML SQL injection check. An XML SQL injection exemption (relaxation) consists of the following items:

  • Name. Name to exempt, as a string or a PCRE-format regular expression.
  • ISREGEX flag. REGEX if URL is a regular expression, NOTREGEX if URL is a fixed string.
  • Location. ELEMENT if the injection is located in an XML element, ATTRIBUTE if located in an XML attribute.

location Location of SQL injection exception - XML Element or Attribute. Default location is ‘ELEMENT’

Possible values: ELEMENT, ATTRIBUTE Default value: AS_XMLLOCATION_ELEMENT

XMLXSS Exempt the specified URL from the XML cross-site scripting (XSS) check. An XML cross-site scripting exemption (relaxation) consists of the following items:

  • URL. URL to exempt, as a string or a PCRE-format regular expression.
  • ISREGEX flag. REGEX if URL is a regular expression, NOTREGEX if URL is a fixed string.
  • Location. ELEMENT if the attachment is located in an XML element, ATTRIBUTE if located in an XML attribute.

location Location of XSS injection exception - XML Element or Attribute. Default location is ‘ELEMENT’

Possible values: ELEMENT, ATTRIBUTE Default value: AS_XMLLOCATION_ELEMENT

contentType content-type regular expression.

excludeResContentType Response content type regular expression that are to be excluded from inspection.

CreditCardNumber The object expression that is to be excluded from safe commerce check.

CreditCardNumberUrl The url for which the list of credit card numbers are needed to be bypassed from inspection

logExpression Unbind specified logExpression to application firewall profile

fileUploadType Unbind the file upload types.

formActionURL Form action URL for making File Upload Type checks..

fileType FileUploadTypes file types.

RuleType Specifies rule type of binding

Possible values: ALLOW, DENY

show appfw profile

Displays details of the specified application firewall profile. If no profile is specified, displays a list of all application firewall profiles on the Citrix ADC.

Synopsis

show appfw profile []

Arguments

name Name of the application firewall profile.

Output

stateflag type The profile type of of this Application Firewall profile. If the profile is of the HTML type, only checks relevant to HTML are applied. If the profile is of the XML type, only checks relevent to XML are applied. if the profile is of the Web 2.0 type, then both types of checks are applied.

state Enabled.

defaults Default configuration to apply to the profile. Basic defaults are intended for standard content that requires little further configuration, such as static web site content. Advanced defaults are intended for specialized content that requires significant specialized configuration, such as heavily scripted or dynamic content.

CLI users: When adding an application firewall profile, you can set either the defaults or the type, but not both. To set both options, create the profile by using the add appfw profile command, and then use the set appfw profile command to configure the other option.

useHTMLErrorObject Send an imported HTML Error object to a user when a request is blocked, instead of redirecting the user to the designated Error URL.

errorURL The error page for this profile.

HTMLErrorObject Name to assign to the HTML Error Object. Must begin with a letter, number, or the underscore character (_), and must contain only letters, numbers, and the hyphen (-), period (.) pound (#), space ( ), at (@), equals (=), colon (:), and underscore characters. Cannot be changed after the HTML error object is added.

The following requirement applies only to the Citrix ADC CLI: If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, “my HTML error object” or ‘my HTML error object’).

HTMLErrorStatusCode Response status code associated with HTML error page

HTMLErrorStatusMessage Response status message associated with HTML error page

logEveryPolicyHit Log every profile match, regardless of security checks results.

stripComments Tells the Application Firewall to strip HTML comments from responses before sending them to the user.

stripHtmlComments Tells the Application Firewall to strip HTML comments from responses before sending them to the user.

stripXmlComments Tells the Application Firewall to strip XML comments from responses before sending them to the user.

defaultCharSet The default character set. The character set that the Application Firewall uses for web pages that do not explicitly set a different character set.

postBodyLimit The maximum body size for an HTTP POST.

postBodyLimitAction One or more Post Body Limit actions. Available settings function as follows:

  • Block - Block connections that violate this security check. Must always be set.
  • Log - Log violations of this security check.
  • Stats - Generate statistics for this security check.

CLI users: To enable one or more actions, type “set appfw profile -PostBodyLimitAction block” followed by the other actions to be enabled.

dynamicLearning One or more security checks. Available options are as follows:

  • SQLInjection - Enable dynamic learning for SQLInjection security check.
  • CrossSiteScripting - Enable dynamic learning for CrossSiteScripting security check.
  • fieldFormat - Enable dynamic learning for fieldFormat security check.
  • None - Disable security checks for all security checks.

CLI users: To enable dynamic learning on one or more security checks, type “set appfw profile -dynamicLearning” followed by the security checks to be enabled. To turn off dynamic learning on all security checks, type “set appfw profile -dynamicLearning none”.

isAutoDeployed Is the rule auto deployed by dynamic profile ?

alertOnly Send SNMP alert?

postBodyLimitSignature Maximum allowed HTTP post body size for signature inspection for location HTTP_POST_BODY in the signatures, in bytes. Note that the changes in value could impact CPU and latency profile.

learning Profile level learning option that overrides the protection level learning. Available settings are as follows:

  • ON - Honor all protection level learn settings.
  • OFF - Avoids learning for this profile for all protections ignoring protection level learn setting.

fileUploadMaxNum Maximum allowed number of file uploads per form-submission request. The maximum setting (65535) allows an unlimited number of uploads.

canonicalizeHTMLResponse Tells the Application Firewall to convert any non-ASCII characters into HTML entities before sending responses to the user. This is called ‘canonicalization’ of HTML responses.

enableFormTagging Enables tagging of web forms for form field Consistency checks.

sessionlessFieldConsistency Enable session less form field consistency checks.

sessionlessURLClosure Enable session less URL closure checks.

semicolonFieldSeparator Allow ‘;’ as a form field separator in URL queries and POST form bodies.

excludeFileUploadFromChecks Excludes uploaded files from all web form checks.

SQLInjectionParseComments Canonicalizes SQL Comments in form fields.

checkRequestHeaders Check request headers as well as web forms for injected SQL and cross-site scripts.

inspectQueryContentTypes Inspect request query as well as web forms for injected SQL and cross-site scripts for following content types.

optimizePartialReqs Optimize handle of HTTP partial requests i.e. those with range headers. Available settings are as follows:

  • ON - Partial requests by the client result in partial requests to the backend server in most cases.
  • OFF - Partial requests by the client are changed to full requests to the backend server

URLDecodeRequestCookies URL Decode request cookies before subjecting them to SQL and cross-site scripting checks.

startURLAction Start URL action types. (BLOCK | LEARN | LOG | STATS | NONE)

inferContentTypeXmlPayloadAction One or more infer content type payload actions. Available settings function as follows:

  • Block - Block connections that have mismatch in content-type header and payload.
  • Log - Log connections that have mismatch in content-type header and payload. The mismatched content-type in HTTP request header will be logged for the request.
  • Stats - Generate statistics when there is mismatch in content-type header and payload.
  • None - Disable all actions for this security check.

CLI users: To enable one or more actions, type “set appfw profile -inferContentTypeXMLPayloadAction” followed by the actions to be enabled. To turn off all actions, type “set appfw profile -inferContentTypeXMLPayloadAction none”. Please note “none” action cannot be used with any other action type.

contentTypeAction Content-type action types. (BLOCK | LOG | NONE)

inspectContentTypes Inspection content types associated with this profile

startURL A regular expression that designates a URL on the Start URL list.

startURLClosure Enable Start URL closure. When enabled, this feature allows users to start their session at a designated start URL, then navigate from that start URL to any URL on a protected web site by clicking a link on another web page on that web site. Otherwise, requests to any URL that is not explicitly allowed are blocked.

denyURLAction Deny URL action types. (BLOCK | LOG | STATS | NONE)

denyURL A regular expression that designates a URL on the Deny URL list.

RefererHeaderCheck Enable validation of Referer headers. Referer validation ensures that a web form that a user sends to your web site originally came from your web site, not an outside attacker. Although this parameter is part of the Start URL check, referer validation protects against cross-site request forgery (CSRF) attacks, not Start URL attacks.

CSRFtagAction Cross-site request forgery tagging action types. (BLOCK | LEARN | LOG | STATS | NONE)

CSRFTag The web form originating URL.

CSRFFormActionURL The web form action URL.

crossSiteScriptingAction Cross-site scripting action types. (BLOCK | LEARN | LOG | STATS | NONE)

crossSiteScriptingTransformUnsafeHTML Enables transformation of unsafe HTML into safe HTML before forwarding a request to the web server.

crossSiteScriptingCheckCompleteURLs Tells the Application Firewall to check complete URLs rather than just the query portion of URLs for cross-site scripting violations.

crossSiteScripting The web form field name.

isRegex Is the web form field name a regular expression?

formActionURL The web form action URL.

exemptClosureURLsFromSecurityChecks Tells the Application Firewall to exempt closure URLs from security checks.

location Location of cross-site scripting exception - form field, header, cookie or URL.

valueType The web form value type.

valueExpression The web form value expression.

isValueRegex Is the web form field value a regular expression?

SQLInjectionAction SQL injection action types. (BLOCK | LEARN | LOG | STATS | NONE)

CMDInjectionAction CMD injection action types. (BLOCK | LOG | STATS | NONE)

SQLInjectionTransformSpecialChars Enables transformation of SQL special characters found in web forms into safe equivalents.

SQLInjectionOnlyCheckFieldsWithSQLChars Tells the Application Firewall to check form fields that contain SQL special characters only, rather than all form fields, for SQL injection violations.

SQLInjectionType Available SQL Injection types.

CMDInjectionType Available CMD Injection types.

SQLInjectionGrammar Check for SQL injection using SQL grammar

SQLInjectionCheckSQLWildChars Check for form fields that contain SQL wild chars .

SQLInjection The web form field name.

isRegex Is the web form field name a regular expression?

formActionURL The web form action URL.

invalidPercentHandling Configure the method that the application firewall uses to handle percent-encoded names and values. Available settings function as follows:

  • apache_mode - Apache format.
  • asp_mode - Microsoft ASP format.
  • secure_mode - Secure format.

location Location of SQL injection exception - form field, header or cookie.

valueType The web form value type.

valueExpression The web form value expression.

isValueRegex Is the web form field value a regular expression?

RuleType Specifies rule type of binding

CMDInjection Name of the relaxed web form field/header/cookie

isRegex Is the relaxed web form field name/header/cookie a regular expression?

formActionURL The web form action URL.

location Location of command injection exception - form field, header or cookie.

valueType Type of the relaxed web form value

valueExpression The web form/header/cookie value expression.

isValueRegex Is the web form field/header/cookie value a regular expression?

fieldConsistencyAction Form Field Consistency action types. (BLOCK | LEARN | LOG | STATS | NONE)

fieldConsistency The web form field name.

isRegex Is the web form field name a regular expression?

formActionURL The web form action URL.

cookieConsistencyAction Cookie consistency action types. (BLOCK | LEARN | LOG | STATS | NONE)

cookieHijackingAction Cookie hijacking action types. (BLOCK | LOG | STATS | NONE)

cookieConsistency The name of the cookie to be checked.

isRegex Is the cookie name a regular expression?

cookieTransforms Perform the specified type of cookie transformation. Available settings function as follows:

  • Encryption - Encrypt cookies.
  • Proxying - Mask contents of server cookies by sending proxy cookie to users.
  • Cookie flags - Flag cookies as HTTP only to prevent scripts on user’s browser from accessing and possibly modifying them. CAUTION: Make sure that this parameter is set to ON if you are configuring any cookie transformations. If it is set to OFF, no cookie transformations are performed regardless of any other settings.

cookieEncryption Type of cookie encryption. Available settings function as follows:

  • None - Do not encrypt cookies.
  • Decrypt Only - Decrypt encrypted cookies, but do not encrypt cookies.
  • Encrypt Session Only - Encrypt session cookies, but not permanent cookies.
  • Encrypt All - Encrypt all cookies.

cookieProxying Proxies server cookies using the Application Firewall session

addCookieFlags Add the specified flags to cookies. Available settings function as follows:

  • None - Do not add flags to cookies.
  • HTTP Only - Add the HTTP Only flag to cookies, which prevents scripts from accessing cookies.
  • Secure - Add Secure flag to cookies.
  • All - Add both HTTPOnly and Secure flags to cookies.

bufferOverflowAction Buffer overflow action types. (BLOCK | LOG | STATS | NONE)

bufferOverflowMaxURLLength Maximum allowed length for URLs.

bufferOverflowMaxHeaderLength Maximum allowed length for HTTP headers.

bufferOverflowMaxCookieLength Maximum allowed length for cookies.

bufferOverflowMaxQueryLength Maximum allowed length for query string.

bufferOverflowMaxTotalHeaderLength Maximum allowed length for the total HTTP header length

fieldFormatAction Field format action types. (BLOCK | LEARN | LOG | STATS | NONE)

defaultFieldFormatType Name of the default field type, the field type that the Application Firewall will assign to a form field when no specific field type is assigned to that particular form field.

defaultFieldFormatMinLength Default field type minimum length setting.

defaultFieldFormatMaxLength Default field type maximum length setting.

fieldFormat Name of the form field to which a field format will be assigned.

isRegex Is the form field name a regular expression?

formActionURL Action URL of the form field to which a field format will be assigned.

fieldType The field type you are assigning to this form field.

fieldFormatMinLength The minimum allowed length for data in this form field.

fieldFormatMaxLength The maximum allowed length for data in this form field.

creditCardAction Credit Card action types. (BLOCK | LOG | STATS | NONE)

creditCard Credit card types. (AMEX | DINERSCLUB| DISCOVER | JBC | MASTERCARD | VISA)

creditCardMaxAllowed Maximum number of times a credit card number may be seen before action is taken.

creditCardXOut X-out credit card numbers.

doSecureCreditCardLogging Setting this option logs credit card numbers in the response when the match is found.

streaming Setting this option converts content-length form submission requests (requests with content-type “application/x-www-form-urlencoded” or “multipart/form-data”) to chunked requests when atleast one of the following protections : Signatures, SQL injection protection, XSS protection, form field consistency protection, starturl closure, CSRF tagging, JSON SQL, JSON XSS, JSON DOS is enabled. Please make sure that the backend server accepts chunked requests before enabling this option. Citrix recommends enabling this option for large request sizes(>20MB).

trace Toggle the state of trace

safeObject Name of the Safe Object.

expression A regular expression that defines the Safe Object.

maxMatchLength Maximum match length for a Safe Object expression.

action Safe Object action types. (BLOCK | LOG | STATS | NONE)

requestContentType Default content-type for request messages.

responseContentType Default content-type for response messages.

XMLErrorObject URL for the xml error page

XMLErrorStatusCode Response status code associated with XML error page

XMLErrorStatusMessage Response status message associated with XML error page

signatures Signatures for the profile

XMLFormatAction XML well-formed request action types. (BLOCK | LOG | STATS | NONE)

XMLDoSAction XML DOS action types. (BLOCK | LEARN | LOG | STATS | NONE)

XMLSQLInjectionAction XML SQL Injection action types. (BLOCK | LOG | STATS | NONE)

XMLSQLInjectionOnlyCheckFieldsWithSQLChars XML flag to check only fields with SQL characters.

XMLSQLInjectionType Available XML SQL Injection types.

XMLSQLInjectionCheckSQLWildChars XML flag to check for SQL wild chars.

XMLSQLInjectionParseComments Canonicalize SQL Comments in XML data.

XMLXSSAction XML cross-site scripting action types. (BLOCK | LOG | STATS | NONE)

XMLWSIAction XML WSI action types. (BLOCK | LEARN | LOG | STATS | NONE)

XMLAttachmentAction XML attachment action types. (BLOCK | LEARN | LOG | STATS | NONE)

XMLValidationAction XML message validation action types. (BLOCK | LOG | STATS | NONE)

XMLSOAPFaultAction XML SOAP fault filtering action types. (BLOCK | LOG | STATS | REMOVE | NONE)

XMLDoSURL XML DoS URL regular expression length.

XMLWSIURL XML WS-I URL regular expression length.

XMLValidationURL XML Validation URL regular expression.

XMLAttachmentURL XML attachment URL regular expression length.

XMLSQLInjection Exempt the specified URL from the XML SQL injection check. An XML SQL injection exemption (relaxation) consists of the following items:

  • Name. Name to exempt, as a string or a PCRE-format regular expression.
  • ISREGEX flag. REGEX if URL is a regular expression, NOTREGEX if URL is a fixed string.
  • Location. ELEMENT if the injection is located in an XML element, ATTRIBUTE if located in an XML attribute.

isRegex Is the XML SQL Injection exempted field name a regular expression?

location Location of SQL injection exception - XML Element or Attribute.

XMLXSS Exempt the specified URL from the XML cross-site scripting (XSS) check. An XML cross-site scripting exemption (relaxation) consists of the following items:

  • URL. URL to exempt, as a string or a PCRE-format regular expression.
  • ISREGEX flag. REGEX if URL is a regular expression, NOTREGEX if URL is a fixed string.
  • Location. ELEMENT if the attachment is located in an XML element, ATTRIBUTE if located in an XML attribute.

isRegex Is the XML XSS exempted field name a regular expression?

location Location of XSS injection exception - XML Element or Attribute.

XMLMaxElementDepthCheck State if XML Max element depth check is ON or OFF.

XMLMaxElementDepth Maximum nesting (depth) of XML elements. This check protects against documents that have excessive hierarchy depths.

XMLMaxElementNameLengthCheck State if XML Max element name length check is ON or OFF.

XMLMaxElementNameLength Specify the longest name of any element (including the expanded namespace) to protect against overflow attacks.

XMLMaxElementsCheck State if XML Max elements check is ON or OFF.

XMLMaxElements Specify the maximum number of XML elements allowed. Protects against overflow attacks.

XMLMaxElementChildrenCheck State if XML Max element children check is ON or OFF.

XMLMaxElementChildren Specify the maximum number of children allowed per XML element. Protects against overflow attacks.

XMLMaxNodesCheck State if XML Max nodes check is ON or OFF.

XMLMaxNodes Specify the maximum number of XML nodes. Protects against overflow attacks.

XMLMaxAttributesCheck State if XML Max attributes check is ON or OFF.

XMLMaxAttributes Specify maximum number of attributes per XML element. Protects against overflow attacks.

XMLMaxAttributeNameLengthCheck State if XML Max attribute name length check is ON or OFF.

XMLMaxAttributeNameLength Specify the longest name of any XML attribute. Protects against overflow attacks.

XMLMaxAttributeValueLengthCheck State if XML Max atribute value length is ON or OFF.

XMLMaxAttributeValueLength Specify the longest value of any XML attribute. Protects against overflow attacks.

XMLMaxCharDATALengthCheck State if XML Max CDATA length check is ON or OFF.

XMLMaxCharDATALength Specify the maximum size of CDATA. Protects against overflow attacks and large quantities of unparsed data within XML messages.

XMLMaxFileSizeCheck State if XML Max file size check is ON or OFF.

XMLMaxFileSize Specify the maximum size of XML messages. Protects against overflow attacks.

XMLMinFileSizeCheck State if XML Min file size check is ON or OFF.

XMLMinFileSize Enforces minimum message size.

XMLBlockPI State if XML Block PI is ON or OFF. Protects resources from denial of service attacks as SOAP messages cannot have processing instructions (PI) in messages.

XMLBlockDTD State if XML DTD is ON or OFF. Protects against recursive Document Type Declaration (DTD) entity expansion attacks. Also, SOAP messages cannot have DTDs in messages.

XMLBlockExternalEntities State if XML Block External Entities Check is ON or OFF. Protects against XML External Entity (XXE) attacks that force applications to parse untrusted external entities (sources) in XML documents.

XMLMaxEntityExpansionsCheck State if XML Max Entity Expansions Check is ON or OFF.

XMLMaxEntityExpansions Specify maximum allowed number of entity expansions. Protects aganist Entity Expansion Attack.

XMLMaxEntityExpansionDepthCheck State if XML Max Entity Expansions Depth Check is ON or OFF.

XMLMaxEntityExpansionDepth Specify maximum entity expansion depth. Protects aganist Entity Expansion Attack.

XMLMaxNamespacesCheck State if XML Max namespaces check is ON or OFF.

XMLMaxNamespaces Specify maximum number of active namespaces. Protects against overflow attacks.

XMLMaxNamespaceUriLengthCheck State if XML Max namespace URI length check is ON or OFF.

XMLMaxNamespaceUriLength Specify the longest URI of any XML namespace. Protects against overflow attacks.

XMLSOAPArrayCheck State if XML SOAP Array check is ON or OFF.

XMLMaxSOAPArraySize XML Max Total SOAP Array Size. Protects against SOAP Array Abuse attack.

XMLMaxSOAPArrayRank XML Max Individual SOAP Array Rank. This is the dimension of the SOAP array.

XMLWSIChecks Specify a comma separated list of relevant WS-I rule IDs. (R1140, R1141)

XMLRequestSchema XML Schema object for request validation .

XMLResponseSchema XML Schema object for response validation.

XMLWSDL WSDL object for soap request validation.

XMLAdditionalSOAPHeaders Allow addtional soap headers.

XMLEndPointCheck Modifies the behaviour of the Request URL validation w.r.t. the Service URL. If set to ABSOLUTE, the entire request URL is validated with the entire URL mentioned in Service of the associated WSDL. eg: Service URL: http://example.org/ExampleService, Request URL: http//example.com/ExampleService would FAIL the validation. If set to RELAIVE, only the non-hostname part of the request URL is validated against the non-hostname part of the Service URL. eg: Service URL: http://example.org/ExampleService, Request URL: http//example.com/ExampleService would PASS the validation.

XMLValidateSOAPEnvelope Validate SOAP Evelope only.

XMLValidateResponse Validate response message.

XMLMaxAttachmentSizeCheck State if XML Max attachment size Check is ON or OFF. Protects against XML requests with large attachment data.

XMLMaxAttachmentSize Specify maximum attachment size.

XMLAttachmentContentTypeCheck State if XML attachment content-type check is ON or OFF. Protects against XML requests with illegal attachments.

XMLAttachmentContentType Specify content-type regular expression.

builtin Indicates that a profile is a built-in entity.

builtin Indicates that a profile is a built-in entity.

feature The feature to be checked while applying this config

builtinType Type of built-in profiles

trustedLearningClients Specify trusted host/network IP

contentType A regular expression that designates a content-type on the content-types list.

excludeResContentType A regular expression that represents the content type of the response that are to be excluded from inspection.

CreditCardNumber The object expression that is to be excluded from safe commerce check

CreditCardNumberUrl The url for which the list of credit card numbers are needed to be bypassed from inspection

comment Comments associated with this profile.

percentDecodeRecursively Configure whether the application firewall should use percentage recursive decoding

multipleHeaderAction One or more multiple header actions. Available settings function as follows:

  • Block - Block connections that have multiple headers.
  • Log - Log connections that have multiple headers.
  • KeepLast - Keep only last header when multiple headers are present.

CLI users: To enable one or more actions, type “set appfw profile -multipleHeaderAction” followed by the actions to be enabled.

logExpression Name of LogExpression object.

expression LogExpression to log when violation happened on appfw profile

rfcprofile Object name of the rfc profile.

JSONErrorObject Name to the imported JSON Error Object to be set on application firewall profile.

The following requirement applies only to the Citrix ADC CLI: If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, “my JSON error object” or ‘my JSON error object’).

JSONErrorStatusCode Response status code associated with JSON error page

JSONErrorStatusMessage Response status message associated with JSON error page

JSONDoSAction JSON DOS action types. (BLOCK | LOG | STATS | NONE)

JSONSQLInjectionAction JSON SQL Injection action types. (BLOCK | LOG | STATS | NONE)

JSONSQLInjectionType Available JSON SQL Injection types.

JSONSQLInjectionGrammar Check for SQL injection using SQL grammar in JSON

JSONCMDInjectionAction One or more JSON CMD Injection actions. Available settings function as follows:

  • Block - Block connections that violate this security check.
  • Log - Log violations of this security check.
  • Stats - Generate statistics for this security check.
  • None - Disable all actions for this security check.

CLI users: To enable one or more actions, type “set appfw profile -JSONCMDInjectionAction” followed by the actions to be enabled. To turn off all actions, type “set appfw profile -JSONCMDInjectionAction none”.

JSONCMDInjectionType Available CMD injection types. -CMDSplChar : Checks for CMD Special Chars -CMDKeyword : Checks for CMD Keywords -CMDSplCharANDKeyword : Checks for both and blocks if both are found -CMDSplCharORKeyword : Checks for both and blocks if anyone is found

JSONXSSAction JSON cross-site scripting action types. (BLOCK | LOG | STATS | NONE)

JSONSQLURL A regular expression that designates a URL on the Json SQL URL list for which SQL violations are relaxed. Enclose URLs in double quotes to ensure preservation of any embedded spaces or non-alphanumeric characters.

JSONCMDURL A regular expression that designates a URL on the Json CMD URL list for which Command injection violations are relaxed. Enclose URLs in double quotes to ensure preservation of any embedded spaces or non-alphanumeric characters.

JSONXSSURL A regular expression that designates a URL on the Json XSS URL list for which XSS violations are relaxed. Enclose URLs in double quotes to ensure preservation of any embedded spaces or non-alphanumeric characters.

JSONDoSURL The URL on which we need to enforce the specified JSON denial-of-service (JSONDoS) attack protections. An JSON DoS configuration consists of the following items:

  • URL. PCRE-format regular expression for the URL.
  • Maximum-document-length-check toggle. ON to enable this check, OFF to disable it.
  • Maximum document length. Positive integer representing the maximum length of the JSON document.
  • Maximum-container-depth-check toggle. ON to enable, OFF to disable.
  • Maximum container depth. Positive integer representing the maximum container depth of the JSON document.
  • Maximum-object-key-count-check toggle. ON to enable, OFF to disable.
  • Maximum object key count. Positive integer representing the maximum allowed number of keys in any of the JSON object.
  • Maximum-object-key-length-check toggle. ON to enable, OFF to disable.
  • Maximum object key length. Positive integer representing the maximum allowed length of key in any of the JSON object.
  • Maximum-array-value-count-check toggle. ON to enable, OFF to disable.
  • Maximum array value count. Positive integer representing the maximum allowed number of values in any of the JSON array.
  • Maximum-string-length-check toggle. ON to enable, OFF to disable.
  • Maximum string length. Positive integer representing the maximum length of string in JSON.

JSONMaxDocumentLengthCheck State if JSON Max document length check is ON or OFF.

JSONMaxDocumentLength Maximum document length of JSON document, in bytes.

JSONMaxContainerDepthCheck State if JSON Max depth check is ON or OFF.

JSONMaxContainerDepth Maximum allowed nesting depth of JSON document. JSON allows one to nest the containers (object and array) in any order to any depth. This check protects against documents that have excessive depth of hierarchy.

JSONMaxObjectKeyCountCheck State if JSON Max object key count check is ON or OFF.

JSONMaxObjectKeyCount Maximum key count in the any of JSON object. This check protects against objects that have large number of keys.

JSONMaxObjectKeyLengthCheck State if JSON Max object key length check is ON or OFF.

JSONMaxObjectKeyLength Maximum key length in the any of JSON object. This check protects against objects that have large keys.

JSONMaxArrayLengthCheck State if JSON Max array value count check is ON or OFF.

JSONMaxArrayLength Maximum array length in the any of JSON object. This check protects against arrays having large lengths.

JSONMaxStringLengthCheck State if JSON Max string value count check is ON or OFF.

JSONMaxStringLength Maximum string length in the JSON. This check protects against strings that have large length.

fileUploadType FileUploadTypes to allow/deny.

formActionURL FileUploadTypes action URL.

fileType FileUploadTypes file types.

fileUploadTypesAction One or more file upload types actions. Available settings function as follows:

  • Block - Block connections that violate this security check.
  • Log - Log violations of this security check.
  • Stats - Generate statistics for this security check.
  • None - Disable all actions for this security check.

CLI users: To enable one or more actions, type “set appfw profile -fileUploadTypeAction” followed by the actions to be enabled. To turn off all actions, type “set appfw profile -fileUploadTypeAction none”.

verboseLogLevel Detailed Logging Verbose Log Level.

insertCookieSameSiteAttribute Configure whether application firewall should add samesite attribute for set-cookies

cookieSameSiteAttribute Cookie Samesite attribute added to support adding cookie SameSite attribute for all set-cookies including appfw session cookies. Default value will be “SameSite=Lax”.

resourceId A “id” that identifies the rule.

SQLInjectionRuleType Specifies SQL Injection rule type: ALLOW/DENY. If ALLOW rule type is configured then allow list rules are used, if DENY rule type is configured then deny rules are used.

devno count

appfw-profile