appfw profile

The following operations can be performed on "appfw profile":

add | rm | set | unset | bind | unbind | show | stat | archive | restore

add appfw profile

Creates an application firewall profile, which specifies how the application firewall should protect a given type of web content. (A profile is equivalent to an action in other NetScaler features.)

Synopsys

add appfw profile <name> [-defaults ( basic | advanced )] [-startURLAction <startURLAction> ...] [-contentTypeAction <contentTypeAction> ...] [-inspectContentTypes <inspectContentTypes> ...] [-startURLClosure ( ON | OFF )] [-denyURLAction <denyURLAction> ...] [-RefererHeaderCheck <RefererHeaderCheck>] [-cookieConsistencyAction <cookieConsistencyAction> ...] [-cookieTransforms ( ON | OFF )] [-cookieEncryption <cookieEncryption>] [-cookieProxying ( none | sessionOnly )] [-addCookieFlags <addCookieFlags>] [-fieldConsistencyAction <fieldConsistencyAction> ...] [-CSRFtagAction <CSRFtagAction> ...] [-crossSiteScriptingAction <crossSiteScriptingAction> ...] [-crossSiteScriptingTransformUnsafeHTML ( ON | OFF )] [-crossSiteScriptingCheckCompleteURLs ( ON | OFF )] [-SQLInjectionAction <SQLInjectionAction> ...] [-SQLInjectionTransformSpecialChars ( ON | OFF )] [-SQLInjectionType <SQLInjectionType>] [-SQLInjectionCheckSQLWildChars ( ON | OFF )] [-fieldFormatAction <fieldFormatAction> ...] [-defaultFieldFormatType <string>] [-defaultFieldFormatMinLength <positive_integer>] [-defaultFieldFormatMaxLength <positive_integer>] [-bufferOverflowAction <bufferOverflowAction> ...] [-bufferOverflowMaxURLLength <positive_integer>] [-bufferOverflowMaxHeaderLength <positive_integer>] [-bufferOverflowMaxCookieLength <positive_integer>] [-creditCardAction <creditCardAction> ...] [-creditCard <creditCard> ...] [-creditCardMaxAllowed <positive_integer>] [-creditCardXOut ( ON | OFF )] [-doSecureCreditCardLogging ( ON | OFF )] [-streaming ( ON | OFF )] [-trace ( ON | OFF )] [-requestContentType <string>] [-responseContentType <string>] [-XMLDoSAction <XMLDoSAction> ...] [-XMLFormatAction <XMLFormatAction> ...] [-XMLSQLInjectionAction <XMLSQLInjectionAction> ...] [-XMLSQLInjectionType <XMLSQLInjectionType>] [-XMLSQLInjectionCheckSQLWildChars ( ON | OFF )] [-XMLSQLInjectionParseComments <XMLSQLInjectionParseComments>] [-XMLXSSAction <XMLXSSAction> ...] [-XMLWSIAction <XMLWSIAction> ...] [-XMLAttachmentAction <XMLAttachmentAction> ...] [-XMLValidationAction <XMLValidationAction> ...] [-XMLErrorObject <string>] [-signatures <string>] [-XMLSOAPFaultAction <XMLSOAPFaultAction> ...] [-useHTMLErrorObject ( ON | OFF )] [-errorURL <expression>] [-HTMLErrorObject <string>] [-logEveryPolicyHit ( ON | OFF )] [-stripHtmlComments <stripHtmlComments>] [-stripXmlComments ( none | all )] [-exemptClosureURLsFromSecurityChecks ( ON | OFF )] [-defaultCharSet <string>] [-postBodyLimit <positive_integer>] [-fileUploadMaxNum <positive_integer>] [-canonicalizeHTMLResponse ( ON | OFF )] [-enableFormTagging ( ON | OFF )] [-sessionlessFieldConsistency <sessionlessFieldConsistency>] [-sessionlessURLClosure ( ON | OFF )] [-semicolonFieldSeparator ( ON | OFF )] [-excludeFileUploadFromChecks ( ON | OFF )] [-SQLInjectionParseComments <SQLInjectionParseComments>] [-invalidPercentHandling <invalidPercentHandling>] [-type ( HTML | XML ) ...] [-checkRequestHeaders ( ON | OFF )] [-optimizePartialReqs ( ON | OFF )] [-URLDecodeRequestCookies ( ON | OFF )] [-comment <string>]

Arguments

name

Name for the profile. Must begin with a letter, number, or the underscore character (), and must contain only letters, numbers, and the hyphen (-), period (.), pound (#), space ( ), at (@), equals (=), colon (:), and underscore () characters. Cannot be changed after the profile is added.

The following requirement applies only to the NetScaler CLI:

If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, "my profile" or 'my profile').

defaults

Default configuration to apply to the profile. Basic defaults are intended for standard content that requires little further configuration, such as static web site content. Advanced defaults are intended for specialized content that requires significant specialized configuration, such as heavily scripted or dynamic content.

CLI users: When adding an application firewall profile, you can set either the defaults or the type, but not both. To set both options, create the profile by using the add appfw profile command, and then use the set appfw profile command to configure the other option.

Possible values: basic, advanced

startURLAction

One or more Start URL actions. Available settings function as follows:

• Block - Block connections that violate this security check.

• Learn - Use the learning engine to generate a list of exceptions to this security check.

• Log - Log violations of this security check.

• Stats - Generate statistics for this security check.

• None - Disable all actions for this security check.

CLI users: To enable one or more actions, type "set appfw profile -startURLaction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -startURLaction none".

Default value: AS_DEFAULT_DISPOSITION

contentTypeAction

One or more Content-type actions. Available settings function as follows:

• Block - Block connections that violate this security check.

• Log - Log violations of this security check.

• None - Disable all actions for this security check.

CLI users: To enable one or more actions, type "set appfw profile -contentTypeaction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -contentTypeaction none".

Default value: AS_DEFAULT_CONTENT_TYPE_DISPOSITION

inspectContentTypes

One or more InspectContentType lists.

• application/x-www-form-urlencoded

• multipart/form-data

• text/x-gwt-rpc

CLI users: To enable, type "set appfw profile -InspectContentTypes" followed by the content types to be inspected.

Default value: AS_DEFAULT_INSPECTION_CONTENT_TYPE

startURLClosure

Toggle the state of Start URL Closure.

Possible values: ON, OFF

Default value: OFF

denyURLAction

One or more Deny URL actions. Available settings function as follows:

• Block - Block connections that violate this security check.

• Log - Log violations of this security check.

• Stats - Generate statistics for this security check.

• None - Disable all actions for this security check.

NOTE: The Deny URL check takes precedence over the Start URL check. If you enable blocking for the Deny URL check, the application firewall blocks any URL that is explicitly blocked by a Deny URL, even if the same URL would otherwise be allowed by the Start URL check.

CLI users: To enable one or more actions, type "set appfw profile -denyURLaction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -denyURLaction none".

Default value: AS_DEFAULT_DISPOSITION

RefererHeaderCheck

Enable validation of Referer headers.

Referer validation ensures that a web form that a user sends to your web site originally came from your web site, not an outside attacker.

Although this parameter is part of the Start URL check, referer validation protects against cross-site request forgery (CSRF) attacks, not Start URL attacks.

Possible values: OFF, if_present, AlwaysExceptStartURLs, AlwaysExceptFirstRequest

Default value: OFF

cookieConsistencyAction

One or more Cookie Consistency actions. Available settings function as follows:

• Block - Block connections that violate this security check.

• Learn - Use the learning engine to generate a list of exceptions to this security check.

• Log - Log violations of this security check.

• Stats - Generate statistics for this security check.

• None - Disable all actions for this security check.

CLI users: To enable one or more actions, type "set appfw profile -cookieConsistencyAction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -cookieConsistencyAction none".

Default value: none

cookieTransforms

Perform the specified type of cookie transformation.

Available settings function as follows:

• Encryption - Encrypt cookies.

• Proxying - Mask contents of server cookies by sending proxy cookie to users.

• Cookie flags - Flag cookies as HTTP only to prevent scripts on user's browser from accessing and possibly modifying them.

CAUTION: Make sure that this parameter is set to ON if you are configuring any cookie transformations. If it is set to OFF, no cookie transformations are performed regardless of any other settings.

Possible values: ON, OFF

Default value: OFF

cookieEncryption

Type of cookie encryption. Available settings function as follows:

• None - Do not encrypt cookies.

• Decrypt Only - Decrypt encrypted cookies, but do not encrypt cookies.

• Encrypt Session Only - Encrypt session cookies, but not permanent cookies.

• Encrypt All - Encrypt all cookies.

Possible values: none, decryptOnly, encryptSessionOnly, encryptAll

Default value: none

cookieProxying

Cookie proxy setting. Available settings function as follows:

• None - Do not proxy cookies.

• Session Only - Proxy session cookies by using the NetScaler session ID, but do not proxy permanent cookies.

Possible values: none, sessionOnly

Default value: none

addCookieFlags

Add the specified flags to cookies. Available settings function as follows:

• None - Do not add flags to cookies.

• HTTP Only - Add the HTTP Only flag to cookies, which prevents scripts from accessing cookies.

• Secure - Add Secure flag to cookies.

• All - Add both HTTPOnly and Secure flags to cookies.

Possible values: none, httpOnly, secure, all

Default value: none

fieldConsistencyAction

One or more Form Field Consistency actions. Available settings function as follows:

• Block - Block connections that violate this security check.

• Learn - Use the learning engine to generate a list of exceptions to this security check.

• Log - Log violations of this security check.

• Stats - Generate statistics for this security check.

• None - Disable all actions for this security check.

CLI users: To enable one or more actions, type "set appfw profile -fieldConsistencyaction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -fieldConsistencyAction none".

Default value: none

CSRFtagAction

One or more Cross-Site Request Forgery (CSRF) Tagging actions. Available settings function as follows:

• Block - Block connections that violate this security check.

• Learn - Use the learning engine to generate a list of exceptions to this security check.

• Log - Log violations of this security check.

• Stats - Generate statistics for this security check.

• None - Disable all actions for this security check.

CLI users: To enable one or more actions, type "set appfw profile -CSRFTagAction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -CSRFTagAction none".

Default value: none

crossSiteScriptingAction

One or more Cross-Site Scripting (XSS) actions. Available settings function as follows:

• Block - Block connections that violate this security check.

• Learn - Use the learning engine to generate a list of exceptions to this security check.

• Log - Log violations of this security check.

• Stats - Generate statistics for this security check.

• None - Disable all actions for this security check.

CLI users: To enable one or more actions, type "set appfw profile -crossSiteScriptingAction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -crossSiteScriptingAction none".

Default value: AS_DEFAULT_DISPOSITION

crossSiteScriptingTransformUnsafeHTML

Transform cross-site scripts. This setting configures the application firewall to disable dangerous HTML instead of blocking the request.

CAUTION: Make sure that this parameter is set to ON if you are configuring any cross-site scripting transformations. If it is set to OFF, no cross-site scripting transformations are performed regardless of any other settings.

Possible values: ON, OFF

Default value: OFF

crossSiteScriptingCheckCompleteURLs

Check complete URLs for cross-site scripts, instead of just the query portions of URLs.

Possible values: ON, OFF

Default value: OFF

SQLInjectionAction

One or more HTML SQL Injection actions. Available settings function as follows:

• Block - Block connections that violate this security check.

• Learn - Use the learning engine to generate a list of exceptions to this security check.

• Log - Log violations of this security check.

• Stats - Generate statistics for this security check.

• None - Disable all actions for this security check.

CLI users: To enable one or more actions, type "set appfw profile -SQLInjectionAction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -SQLInjectionAction none".

Default value: AS_DEFAULT_DISPOSITION

SQLInjectionTransformSpecialChars

Transform injected SQL code. This setting configures the application firewall to disable SQL special strings instead of blocking the request. Since most SQL servers require a special string to activate an SQL keyword, in most cases a request that contains injected SQL code is safe if special strings are disabled.

CAUTION: Make sure that this parameter is set to ON if you are configuring any SQL injection transformations. If it is set to OFF, no SQL injection transformations are performed regardless of any other settings.

Possible values: ON, OFF

Default value: OFF

SQLInjectionType

Available SQL injection types.

-SQLSplChar : Checks for SQL Special Chars

-SQLKeyword : Checks for SQL Keywords

-SQLSplCharANDKeyword : Checks for both and blocks if both are found

-SQLSplCharORKeyword : Checks for both and blocks if anyone is found

Possible values: SQLSplChar, SQLKeyword, SQLSplCharORKeyword, SQLSplCharANDKeyword

Default value: SQLSplCharANDKeyword

SQLInjectionCheckSQLWildChars

Check for form fields that contain SQL wild chars .

Possible values: ON, OFF

Default value: OFF

fieldFormatAction

One or more Field Format actions. Available settings function as follows:

• Block - Block connections that violate this security check.

• Learn - Use the learning engine to generate a list of suggested web form fields and field format assignments.

• Log - Log violations of this security check.

• Stats - Generate statistics for this security check.

• None - Disable all actions for this security check.

CLI users: To enable one or more actions, type "set appfw profile -fieldFormatAction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -fieldFormatAction none".

Default value: AS_DEFAULT_DISPOSITION

defaultFieldFormatType

Designate a default field type to be applied to web form fields that do not have a field type explicitly assigned to them.

defaultFieldFormatMinLength

Minimum length, in characters, for data entered into a field that is assigned the default field type.

To disable the minimum and maximum length settings and allow data of any length to be entered into the field, set this parameter to zero (0).

Default value: 0

Minimum value: 0

Maximum value: 65535

defaultFieldFormatMaxLength

Maximum length, in characters, for data entered into a field that is assigned the default field type.

Default value: 65535

Minimum value: 1

Maximum value: 65535

bufferOverflowAction

One or more Buffer Overflow actions. Available settings function as follows:

• Block - Block connections that violate this security check.

• Log - Log violations of this security check.

• Stats - Generate statistics for this security check.

• None - Disable all actions for this security check.

CLI users: To enable one or more actions, type "set appfw profile -bufferOverflowAction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -bufferOverflowAction none".

Default value: AS_DEFAULT_DISPOSITION

bufferOverflowMaxURLLength

Maximum length, in characters, for URLs on your protected web sites. Requests with longer URLs are blocked.

Default value: 1024

Minimum value: 0

Maximum value: 65535

bufferOverflowMaxHeaderLength

Maximum length, in characters, for HTTP headers in requests sent to your protected web sites. Requests with longer headers are blocked.

Default value: 4096

Minimum value: 0

Maximum value: 65535

bufferOverflowMaxCookieLength

Maximum length, in characters, for cookies sent to your protected web sites. Requests with longer cookies are blocked.

Default value: 4096

Minimum value: 0

Maximum value: 65535

creditCardAction

One or more Credit Card actions. Available settings function as follows:

• Block - Block connections that violate this security check.

• Log - Log violations of this security check.

• Stats - Generate statistics for this security check.

• None - Disable all actions for this security check.

CLI users: To enable one or more actions, type "set appfw profile -creditCardAction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -creditCardAction none".

Default value: none

creditCard

Credit card types that the application firewall should protect.

Default value: AS_CCARD_DEFAULT_CARD_TYPE

creditCardMaxAllowed

Maximum number of credit card numbers that can appear on a web page served by your protected web sites. Pages that contain more credit card numbers are blocked

Minimum value: 0

Maximum value: 255

creditCardXOut

Mask any credit card number detected in a response by replacing each digit, except the digits in the final group, with the letter "X."

Possible values: ON, OFF

Default value: OFF

doSecureCreditCardLogging

Setting this option logs credit card numbers in the response when the match is found.

Possible values: ON, OFF

Default value: ON

streaming

Setting this option converts content-length form submission requests (requests with content-type "application/x-www-form-urlencoded" or "multipart/form-data") to chunked requests when atleast one of the following protections : SQL injection protection, XSS protection, form field consistency protection, starturl closure, CSRF tagging is enabled. Please make sure that the backend server accepts chunked requests before enabling this option.

Possible values: ON, OFF

Default value: OFF

trace

Toggle the state of trace

Possible values: ON, OFF

Default value: OFF

requestContentType

Default Content-Type header for requests.

A Content-Type header can contain 0-255 letters, numbers, and the hyphen (-) and underscore (_) characters.

Default value: NS_S_AS_DEFAULT_REQUEST_CONTENT_TYPE

responseContentType

Default Content-Type header for responses.

A Content-Type header can contain 0-255 letters, numbers, and the hyphen (-) and underscore (_) characters.

Default value: NS_S_AS_DEFAULT_RESPONSE_CONTENT_TYPE

XMLDoSAction

One or more XML Denial-of-Service (XDoS) actions. Available settings function as follows:

• Block - Block connections that violate this security check.

• Learn - Use the learning engine to generate a list of exceptions to this security check.

• Log - Log violations of this security check.

• Stats - Generate statistics for this security check.

• None - Disable all actions for this security check.

CLI users: To enable one or more actions, type "set appfw profile -XMLDoSAction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -XMLDoSAction none".

Default value: AS_DEFAULT_DISPOSITION

XMLFormatAction

One or more XML Format actions. Available settings function as follows:

• Block - Block connections that violate this security check.

• Log - Log violations of this security check.

• Stats - Generate statistics for this security check.

• None - Disable all actions for this security check.

CLI users: To enable one or more actions, type "set appfw profile -XMLFormatAction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -XMLFormatAction none".

Default value: AS_DEFAULT_DISPOSITION

XMLSQLInjectionAction

One or more XML SQL Injection actions. Available settings function as follows:

• Block - Block connections that violate this security check.

• Log - Log violations of this security check.

• Stats - Generate statistics for this security check.

• None - Disable all actions for this security check.

CLI users: To enable one or more actions, type "set appfw profile -XMLSQLInjectionAction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -XMLSQLInjectionAction none".

Default value: AS_DEFAULT_DISPOSITION

XMLSQLInjectionType

Available SQL injection types.

-SQLSplChar : Checks for SQL Special Chars

-SQLKeyword : Checks for SQL Keywords

-SQLSplCharANDKeyword : Checks for both and blocks if both are found

-SQLSplCharORKeyword : Checks for both and blocks if anyone is found

Possible values: SQLSplChar, SQLKeyword, SQLSplCharORKeyword, SQLSplCharANDKeyword

Default value: SQLSplCharANDKeyword

XMLSQLInjectionCheckSQLWildChars

Check for form fields that contain SQL wild chars .

Possible values: ON, OFF

Default value: OFF

XMLSQLInjectionParseComments

Parse comments in XML Data and exempt those sections of the request that are from the XML SQL Injection check. You must configure the type of comments that the application firewall is to detect and exempt from this security check. Available settings function as follows:

• Check all - Check all content.

• ANSI - Exempt content that is part of an ANSI (Mozilla-style) comment.

• Nested - Exempt content that is part of a nested (Microsoft-style) comment.

• ANSI Nested - Exempt content that is part of any type of comment.

Possible values: checkall, ansi, nested, ansinested

Default value: checkall

XMLXSSAction

One or more XML Cross-Site Scripting actions. Available settings function as follows:

• Block - Block connections that violate this security check.

• Log - Log violations of this security check.

• Stats - Generate statistics for this security check.

• None - Disable all actions for this security check.

CLI users: To enable one or more actions, type "set appfw profile -XMLXSSAction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -XMLXSSAction none".

Default value: AS_DEFAULT_DISPOSITION

XMLWSIAction

One or more Web Services Interoperability (WSI) actions. Available settings function as follows:

• Block - Block connections that violate this security check.

• Learn - Use the learning engine to generate a list of exceptions to this security check.

• Log - Log violations of this security check.

• Stats - Generate statistics for this security check.

• None - Disable all actions for this security check.

CLI users: To enable one or more actions, type "set appfw profile -XMLWSIAction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -XMLWSIAction none".

Default value: AS_DEFAULT_DISPOSITION

XMLAttachmentAction

One or more XML Attachment actions. Available settings function as follows:

• Block - Block connections that violate this security check.

• Learn - Use the learning engine to generate a list of exceptions to this security check.

• Log - Log violations of this security check.

• Stats - Generate statistics for this security check.

• None - Disable all actions for this security check.

CLI users: To enable one or more actions, type "set appfw profile -XMLAttachmentAction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -XMLAttachmentAction none".

Default value: AS_DEFAULT_DISPOSITION

XMLValidationAction

One or more XML Validation actions. Available settings function as follows:

• Block - Block connections that violate this security check.

• Log - Log violations of this security check.

• Stats - Generate statistics for this security check.

• None - Disable all actions for this security check.

CLI users: To enable one or more actions, type "set appfw profile -XMLValidationAction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -XMLValidationAction none".

Default value: AS_DEFAULT_DISPOSITION

XMLErrorObject

Name to assign to the XML Error Object, which the application firewall displays when a user request is blocked.

Must begin with a letter, number, or the underscore character \(_\), and must contain only letters, numbers, and the hyphen \(-\), period \(.\) pound \(\#\), space \( \), at (@), equals \(=\), colon \(:\), and underscore characters. Cannot be changed after the XML error object is added.

The following requirement applies only to the NetScaler CLI:

If the name includes one or more spaces, enclose the name in double or single quotation marks \(for example, "my XML error object" or 'my XML error object'\).

Default value: NS_S_AS_ERROR_OBJECT_DEFAULT

signatures

Object name for signatures.

This check is applicable to Profile Type: HTML, XML.

Default value: NS_S_AS_CUSTOM_OBJECT_DEFAULT

XMLSOAPFaultAction

One or more XML SOAP Fault Filtering actions. Available settings function as follows:

• Block - Block connections that violate this security check.

• Log - Log violations of this security check.

• Stats - Generate statistics for this security check.

• None - Disable all actions for this security check.

• Remove - Remove all violations for this security check.

CLI users: To enable one or more actions, type "set appfw profile -XMLSOAPFaultAction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -XMLSOAPFaultAction none".

Default value: AS_DEFAULT_DISPOSITION

useHTMLErrorObject

Send an imported HTML Error object to a user when a request is blocked, instead of redirecting the user to the designated Error URL.

Possible values: ON, OFF

Default value: OFF

errorURL

URL that application firewall uses as the Error URL.

Default value: NS_S_AS_ERROR_URL_DEFAULT

HTMLErrorObject

Name to assign to the HTML Error Object.

Must begin with a letter, number, or the underscore character \(_\), and must contain only letters, numbers, and the hyphen \(-\), period \(.\) pound \(\#\), space \( \), at (@), equals \(=\), colon \(:\), and underscore characters. Cannot be changed after the HTML error object is added.

The following requirement applies only to the NetScaler CLI:

If the name includes one or more spaces, enclose the name in double or single quotation marks \(for example, "my HTML error object" or 'my HTML error object'\).

Default value: NS_S_AS_ERROR_OBJECT_DEFAULT

logEveryPolicyHit

Log every profile match, regardless of security checks results.

Possible values: ON, OFF

Default value: OFF

stripHtmlComments

Strip HTML comments before forwarding a web page sent by a protected web site in response to a user request.

Possible values: none, all, exclude_script_tag

Default value: none

stripXmlComments

Strip XML comments before forwarding a web page sent by a protected web site in response to a user request.

Possible values: none, all

Default value: none

exemptClosureURLsFromSecurityChecks

Exempt URLs that pass the Start URL closure check from SQL injection, cross-site script, field format and field consistency security checks at locations other than headers.

Possible values: ON, OFF

Default value: ON

defaultCharSet

Default character set for protected web pages. Web pages sent by your protected web sites in response to user requests are assigned this character set if the page does not already specify a character set. The character sets supported by the application firewall are:

• iso-8859-1 (English US)

• big5 (Chinese Traditional)

• gb2312 (Chinese Simplified)

• sjis (Japanese Shift-JIS)

• euc-jp (Japanese EUC-JP)

• iso-8859-9 (Turkish)

• utf-8 (Unicode)

• euc-kr (Korean)

Default value: NS_S_AS_CHARSET_DEFAULT

Maximum value: 31

postBodyLimit

Maximum allowed HTTP post body size, in bytes.

Default value: 20000000

Minimum value: 0

Maximum value: 1000000000

fileUploadMaxNum

Maximum allowed number of file uploads per form-submission request. The maximum setting (65535) allows an unlimited number of uploads.

Default value: 65535

Minimum value: 0

Maximum value: 65535

canonicalizeHTMLResponse

Perform HTML entity encoding for any special characters in responses sent by your protected web sites.

Possible values: ON, OFF

Default value: ON

enableFormTagging

Enable tagging of web form fields for use by the Form Field Consistency and CSRF Form Tagging checks.

Possible values: ON, OFF

Default value: ON

sessionlessFieldConsistency

Perform sessionless Field Consistency Checks.

Possible values: OFF, ON, postOnly

Default value: OFF

sessionlessURLClosure

Enable session less URL Closure Checks.

This check is applicable to Profile Type: HTML.

Possible values: ON, OFF

Default value: OFF

semicolonFieldSeparator

Allow ';' as a form field separator in URL queries and POST form bodies.

Possible values: ON, OFF

Default value: OFF

excludeFileUploadFromChecks

Exclude uploaded files from Form checks.

Possible values: ON, OFF

Default value: OFF

SQLInjectionParseComments

Parse HTML comments and exempt them from the HTML SQL Injection check. You must specify the type of comments that the application firewall is to detect and exempt from this security check. Available settings function as follows:

• Check all - Check all content.

• ANSI - Exempt content that is part of an ANSI (Mozilla-style) comment.

• Nested - Exempt content that is part of a nested (Microsoft-style) comment.

• ANSI Nested - Exempt content that is part of any type of comment.

Possible values: checkall, ansi, nested, ansinested

Default value: AS_DEFAULT_SQLINJECTIONPARSECOMMENTS

invalidPercentHandling

Configure the method that the application firewall uses to handle percent-encoded names and values. Available settings function as follows:

• apache_mode - Apache format.

• asp_mode - Microsoft ASP format.

• secure_mode - Secure format.

Possible values: apache_mode, asp_mode, secure_mode

Default value: secure_mode

type

Application firewall profile type, which controls which security checks and settings are applied to content that is filtered with the profile. Available settings function as follows:

• HTML - HTML-based web sites.

• XML - XML-based web sites and services.

• HTML XML (Web 2.0) - Sites that contain both HTML and XML content, such as ATOM feeds, blogs, and RSS feeds.

Default value: HTML

checkRequestHeaders

Check request headers as well as web forms for injected SQL and cross-site scripts.

Possible values: ON, OFF

Default value: OFF

optimizePartialReqs

Optimize handle of HTTP partial requests i.e. those with range headers.

Available settings are as follows:

• ON - Partial requests by the client result in partial requests to the backend server in most cases.

• OFF - Partial requests by the client are changed to full requests to the backend server

Possible values: ON, OFF

Default value: ON

URLDecodeRequestCookies

URL Decode request cookies before subjecting them to SQL and cross-site scripting checks.

Possible values: ON, OFF

Default value: OFF

comment

Any comments about the purpose of profile, or other useful information about the profile.

rm appfw profile

Removes the specified application firewall profile.

Synopsys

rm appfw profile <name>

Arguments

name

Name of the profile.

set appfw profile

Modifies the specified parameters of the specified application firewall profile.

Synopsys

set appfw profile <name> [-startURLAction <startURLAction> ...] [-contentTypeAction <contentTypeAction> ...] [-inspectContentTypes <inspectContentTypes> ...] [-startURLClosure ( ON | OFF )] [-denyURLAction <denyURLAction> ...] [-RefererHeaderCheck <RefererHeaderCheck>] [-cookieConsistencyAction <cookieConsistencyAction> ...] [-cookieTransforms ( ON | OFF )] [-cookieEncryption <cookieEncryption>] [-cookieProxying ( none | sessionOnly )] [-addCookieFlags <addCookieFlags>] [-fieldConsistencyAction <fieldConsistencyAction> ...] [-CSRFtagAction <CSRFtagAction> ...] [-crossSiteScriptingAction <crossSiteScriptingAction> ...] [-crossSiteScriptingTransformUnsafeHTML ( ON | OFF )] [-crossSiteScriptingCheckCompleteURLs ( ON | OFF )] [-SQLInjectionAction <SQLInjectionAction> ...] [-SQLInjectionTransformSpecialChars ( ON | OFF )] [-SQLInjectionType <SQLInjectionType>] [-SQLInjectionCheckSQLWildChars ( ON | OFF )] [-fieldFormatAction <fieldFormatAction> ...] [-defaultFieldFormatType <string>] [-defaultFieldFormatMinLength <positive_integer>] [-defaultFieldFormatMaxLength <positive_integer>] [-bufferOverflowAction <bufferOverflowAction> ...] [-bufferOverflowMaxURLLength <positive_integer>] [-bufferOverflowMaxHeaderLength <positive_integer>] [-bufferOverflowMaxCookieLength <positive_integer>] [-creditCardAction <creditCardAction> ...] [-creditCard <creditCard> ...] [-creditCardMaxAllowed <positive_integer>] [-creditCardXOut ( ON | OFF )] [-doSecureCreditCardLogging ( ON | OFF )] [-streaming ( ON | OFF )] [-trace ( ON | OFF )] [-requestContentType <string>] [-responseContentType <string>] [-XMLDoSAction <XMLDoSAction> ...] [-XMLFormatAction <XMLFormatAction> ...] [-XMLSQLInjectionAction <XMLSQLInjectionAction> ...] [-XMLSQLInjectionType <XMLSQLInjectionType>] [-XMLSQLInjectionCheckSQLWildChars ( ON | OFF )] [-XMLSQLInjectionParseComments <XMLSQLInjectionParseComments>] [-XMLXSSAction <XMLXSSAction> ...] [-XMLWSIAction <XMLWSIAction> ...] [-XMLAttachmentAction <XMLAttachmentAction> ...] [-XMLValidationAction <XMLValidationAction> ...] [-XMLErrorObject <string>] [-signatures <string>] [-XMLSOAPFaultAction <XMLSOAPFaultAction> ...] [-useHTMLErrorObject ( ON | OFF )] [-errorURL <expression>] [-HTMLErrorObject <string>] [-logEveryPolicyHit ( ON | OFF )] [-stripHtmlComments <stripHtmlComments>] [-stripXmlComments ( none | all )] [-exemptClosureURLsFromSecurityChecks ( ON | OFF )] [-defaultCharSet <string>] [-postBodyLimit <positive_integer>] [-fileUploadMaxNum <positive_integer>] [-canonicalizeHTMLResponse ( ON | OFF )] [-enableFormTagging ( ON | OFF )] [-sessionlessFieldConsistency <sessionlessFieldConsistency>] [-sessionlessURLClosure ( ON | OFF )] [-semicolonFieldSeparator ( ON | OFF )] [-excludeFileUploadFromChecks ( ON | OFF )] [-SQLInjectionParseComments <SQLInjectionParseComments>] [-invalidPercentHandling <invalidPercentHandling>] [-type ( HTML | XML ) ...] [-checkRequestHeaders ( ON | OFF )] [-optimizePartialReqs ( ON | OFF )] [-URLDecodeRequestCookies ( ON | OFF )] [-comment <string>]

Arguments

name

Name of the profile that you want to modify.

startURLAction

One or more Start URL actions. Available settings function as follows:

• Block - Block connections that violate this security check.

• Learn - Use the learning engine to generate a list of exceptions to this security check.

• Log - Log violations of this security check.

• Stats - Generate statistics for this security check.

• None - Disable all actions for this security check.

CLI users: To enable one or more actions, type "set appfw profile -startURLaction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -startURLaction none".

Default value: AS_DEFAULT_DISPOSITION

contentTypeAction

One or more Content-type actions. Available settings function as follows:

• Block - Block connections that violate this security check.

• Log - Log violations of this security check.

• None - Disable all actions for this security check.

CLI users: To enable one or more actions, type "set appfw profile -contentTypeaction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -contentTypeaction none".

Default value: AS_DEFAULT_CONTENT_TYPE_DISPOSITION

inspectContentTypes

One or more InspectContentType lists.

• application/x-www-form-urlencoded

• multipart/form-data

• text/x-gwt-rpc

CLI users: To enable, type "set appfw profile -InspectContentTypes" followed by the content types to be inspected.

Default value: AS_DEFAULT_INSPECTION_CONTENT_TYPE

startURLClosure

Toggle the state of Start URL Closure.

Possible values: ON, OFF

Default value: OFF

denyURLAction

One or more Deny URL actions. Available settings function as follows:

• Block - Block connections that violate this security check.

• Log - Log violations of this security check.

• Stats - Generate statistics for this security check.

• None - Disable all actions for this security check.

NOTE: The Deny URL check takes precedence over the Start URL check. If you enable blocking for the Deny URL check, the application firewall blocks any URL that is explicitly blocked by a Deny URL, even if the same URL would otherwise be allowed by the Start URL check.

CLI users: To enable one or more actions, type "set appfw profile -denyURLaction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -denyURLaction none".

Default value: AS_DEFAULT_DISPOSITION

RefererHeaderCheck

Enable validation of Referer headers.

Referer validation ensures that a web form that a user sends to your web site originally came from your web site, not an outside attacker.

Although this parameter is part of the Start URL check, referer validation protects against cross-site request forgery (CSRF) attacks, not Start URL attacks.

Possible values: OFF, if_present, AlwaysExceptStartURLs, AlwaysExceptFirstRequest

Default value: OFF

cookieConsistencyAction

One or more Cookie Consistency actions. Available settings function as follows:

• Block - Block connections that violate this security check.

• Learn - Use the learning engine to generate a list of exceptions to this security check.

• Log - Log violations of this security check.

• Stats - Generate statistics for this security check.

• None - Disable all actions for this security check.

CLI users: To enable one or more actions, type "set appfw profile -cookieConsistencyAction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -cookieConsistencyAction none".

Default value: none

cookieTransforms

Perform the specified type of cookie transformation.

Available settings function as follows:

• Encryption - Encrypt cookies.

• Proxying - Mask contents of server cookies by sending proxy cookie to users.

• Cookie flags - Flag cookies as HTTP only to prevent scripts on user's browser from accessing and possibly modifying them.

CAUTION: Make sure that this parameter is set to ON if you are configuring any cookie transformations. If it is set to OFF, no cookie transformations are performed regardless of any other settings.

Possible values: ON, OFF

cookieEncryption

Type of cookie encryption. Available settings function as follows:

• None - Do not encrypt cookies.

• Decrypt Only - Decrypt encrypted cookies, but do not encrypt cookies.

• Encrypt Session Only - Encrypt session cookies, but not permanent cookies.

• Encrypt All - Encrypt all cookies.

Possible values: none, decryptOnly, encryptSessionOnly, encryptAll

Default value: none

cookieProxying

Cookie proxy setting. Available settings function as follows:

• None - Do not proxy cookies.

• Session Only - Proxy session cookies by using the NetScaler session ID, but do not proxy permanent cookies.

Possible values: none, sessionOnly

Default value: none

addCookieFlags

Add HttpOnly and Secure flags to cookies

Possible values: none, httpOnly, secure, all

Default value: none

fieldConsistencyAction

One or more Form Field Consistency actions. Available settings function as follows:

• Block - Block connections that violate this security check.

• Learn - Use the learning engine to generate a list of exceptions to this security check.

• Log - Log violations of this security check.

• Stats - Generate statistics for this security check.

• None - Disable all actions for this security check.

CLI users: To enable one or more actions, type "set appfw profile -fieldConsistencyaction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -fieldConsistencyAction none".

Default value: none

CSRFtagAction

One or more Cross-Site Request Forgery (CSRF) Tagging actions. Available settings function as follows:

• Block - Block connections that violate this security check.

• Learn - Use the learning engine to generate a list of exceptions to this security check.

• Log - Log violations of this security check.

• Stats - Generate statistics for this security check.

• None - Disable all actions for this security check.

CLI users: To enable one or more actions, type "set appfw profile -CSRFTagAction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -CSRFTagAction none".

Default value: none

crossSiteScriptingAction

One or more Cross-Site Scripting (XSS) actions. Available settings function as follows:

• Block - Block connections that violate this security check.

• Learn - Use the learning engine to generate a list of exceptions to this security check.

• Log - Log violations of this security check.

• Stats - Generate statistics for this security check.

• None - Disable all actions for this security check.

CLI users: To enable one or more actions, type "set appfw profile -crossSiteScriptingAction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -crossSiteScriptingAction none".

Default value: AS_DEFAULT_DISPOSITION

crossSiteScriptingTransformUnsafeHTML

Transform cross-site scripts. This setting configures the application firewall to disable dangerous HTML instead of blocking the request.

CAUTION: Make sure that this parameter is set to ON if you are configuring any cross-site scripting transformations. If it is set to OFF, no cross-site scripting transformations are performed regardless of any other settings.

Possible values: ON, OFF

crossSiteScriptingCheckCompleteURLs

Check complete URLs for cross-site scripts, instead of just the query portions of URLs.

Possible values: ON, OFF

SQLInjectionAction

One or more HTML SQL Injection actions. Available settings function as follows:

• Block - Block connections that violate this security check.

• Learn - Use the learning engine to generate a list of exceptions to this security check.

• Log - Log violations of this security check.

• Stats - Generate statistics for this security check.

• None - Disable all actions for this security check.

CLI users: To enable one or more actions, type "set appfw profile -SQLInjectionAction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -SQLInjectionAction none".

Default value: AS_DEFAULT_DISPOSITION

SQLInjectionTransformSpecialChars

Transform injected SQL code. This setting configures the application firewall to disable SQL special strings instead of blocking the request. Since most SQL servers require a special string to activate an SQL keyword, in most cases a request that contains injected SQL code is safe if special strings are disabled.

CAUTION: Make sure that this parameter is set to ON if you are configuring any SQL injection transformations. If it is set to OFF, no SQL injection transformations are performed regardless of any other settings.

Possible values: ON, OFF

SQLInjectionType

Available SQL injection types.

-SQLSplChar : Checks for SQL Special Chars

-SQLKeyword : Checks for SQL Keywords

-SQLSplCharANDKeyword : Checks for both and blocks if both are found

-SQLSplCharORKeyword : Checks for both and blocks if anyone is found

Possible values: SQLSplChar, SQLKeyword, SQLSplCharORKeyword, SQLSplCharANDKeyword

SQLInjectionCheckSQLWildChars

Check for form fields that contain SQL wild chars .

Possible values: ON, OFF

fieldFormatAction

One or more Field Format actions. Available settings function as follows:

• Block - Block connections that violate this security check.

• Learn - Use the learning engine to generate a list of suggested web form fields and field format assignments.

• Log - Log violations of this security check.

• Stats - Generate statistics for this security check.

• None - Disable all actions for this security check.

CLI users: To enable one or more actions, type "set appfw profile -fieldFormatAction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -fieldFormatAction none".

Default value: AS_DEFAULT_DISPOSITION

defaultFieldFormatType

Designate a default field type to be applied to web form fields that do not have a field type explicitly assigned to them.

defaultFieldFormatMinLength

Minimum length, in characters, for data entered into a field that is assigned the default field type.

To disable the minimum and maximum length settings and allow data of any length to be entered into the field, set this parameter to zero (0).

Default value: 0

Minimum value: 0

Maximum value: 65535

defaultFieldFormatMaxLength

Maximum length, in characters, for data entered into a field that is assigned the default field type.

Default value: 65535

Minimum value: 1

Maximum value: 65535

bufferOverflowAction

One or more Buffer Overflow actions. Available settings function as follows:

• Block - Block connections that violate this security check.

• Log - Log violations of this security check.

• Stats - Generate statistics for this security check.

• None - Disable all actions for this security check.

CLI users: To enable one or more actions, type "set appfw profile -bufferOverflowAction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -bufferOverflowAction none".

Default value: AS_DEFAULT_DISPOSITION

bufferOverflowMaxURLLength

Maximum length, in characters, for URLs on your protected web sites. Requests with longer URLs are blocked.

Default value: 1024

Minimum value: 0

Maximum value: 65535

bufferOverflowMaxHeaderLength

Maximum length, in characters, for HTTP headers in requests sent to your protected web sites. Requests with longer headers are blocked.

Default value: 4096

Minimum value: 0

Maximum value: 65535

bufferOverflowMaxCookieLength

Maximum length, in characters, for cookies sent to your protected web sites. Requests with longer cookies are blocked.

Default value: 4096

Minimum value: 0

Maximum value: 65535

creditCardAction

One or more Credit Card actions. Available settings function as follows:

• Block - Block connections that violate this security check.

• Log - Log violations of this security check.

• Stats - Generate statistics for this security check.

• None - Disable all actions for this security check.

CLI users: To enable one or more actions, type "set appfw profile -creditCardAction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -creditCardAction none".

Default value: none

creditCard

Credit card types that the application firewall should protect.

Default value: AS_CCARD_DEFAULT_CARD_TYPE

creditCardMaxAllowed

Maximum number of credit card numbers that can appear on a web page served by your protected web sites. Pages that contain more credit card numbers are blocked

Minimum value: 0

Maximum value: 255

creditCardXOut

Mask any credit card number detected in a response by replacing each digit, except the digits in the final group, with the letter "X."

Possible values: ON, OFF

doSecureCreditCardLogging

Setting this option logs credit card numbers in the response when the match is found.

Possible values: ON, OFF

streaming

Setting this option converts content-length form submission requests (requests with content-type "application/x-www-form-urlencoded" or "multipart/form-data") to chunked requests when atleast one of the following protections : SQL injection protection, XSS protection, form field consistency protection, starturl closure, CSRF tagging is enabled. Please make sure that the backend server accepts chunked requests before enabling this option.

Possible values: ON, OFF

trace

Toggle the state of trace

Possible values: ON, OFF

requestContentType

Default Content-Type header for requests.

A Content-Type header can contain 0-255 letters, numbers, and the hyphen (-) and underscore (_) characters.

Default value: NS_S_AS_DEFAULT_REQUEST_CONTENT_TYPE

responseContentType

Default Content-Type header for responses.

A Content-Type header can contain 0-255 letters, numbers, and the hyphen (-) and underscore (_) characters.

Default value: NS_S_AS_DEFAULT_RESPONSE_CONTENT_TYPE

XMLDoSAction

One or more XML Denial-of-Service (XDoS) actions. Available settings function as follows:

• Block - Block connections that violate this security check.

• Learn - Use the learning engine to generate a list of exceptions to this security check.

• Log - Log violations of this security check.

• Stats - Generate statistics for this security check.

• None - Disable all actions for this security check.

CLI users: To enable one or more actions, type "set appfw profile -XMLDoSAction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -XMLDoSAction none".

Default value: AS_DEFAULT_DISPOSITION

XMLFormatAction

One or more XML Format actions. Available settings function as follows:

• Block - Block connections that violate this security check.

• Log - Log violations of this security check.

• Stats - Generate statistics for this security check.

• None - Disable all actions for this security check.

CLI users: To enable one or more actions, type "set appfw profile -XMLFormatAction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -XMLFormatAction none".

Default value: AS_DEFAULT_DISPOSITION

XMLSQLInjectionAction

One or more XML SQL Injection actions. Available settings function as follows:

• Block - Block connections that violate this security check.

• Log - Log violations of this security check.

• Stats - Generate statistics for this security check.

• None - Disable all actions for this security check.

CLI users: To enable one or more actions, type "set appfw profile -XMLSQLInjectionAction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -XMLSQLInjectionAction none".

Default value: AS_DEFAULT_DISPOSITION

XMLSQLInjectionType

Available SQL injection types.

-SQLSplChar : Checks for SQL Special Chars

-SQLKeyword : Checks for SQL Keywords

-SQLSplCharANDKeyword : Checks for both and blocks if both are found

-SQLSplCharORKeyword : Checks for both and blocks if anyone is found

Possible values: SQLSplChar, SQLKeyword, SQLSplCharORKeyword, SQLSplCharANDKeyword

XMLSQLInjectionCheckSQLWildChars

Check for form fields that contain SQL wild chars .

Possible values: ON, OFF

XMLSQLInjectionParseComments

Parse comments in XML Data and exempt those sections of the request that are from the XML SQL Injection check. You must configure the type of comments that the application firewall is to detect and exempt from this security check. Available settings function as follows:

• Check all - Check all content.

• ANSI - Exempt content that is part of an ANSI (Mozilla-style) comment.

• Nested - Exempt content that is part of a nested (Microsoft-style) comment.

• ANSI Nested - Exempt content that is part of any type of comment.

Possible values: checkall, ansi, nested, ansinested

Default value: checkall

XMLXSSAction

One or more XML Cross-Site Scripting actions. Available settings function as follows:

• Block - Block connections that violate this security check.

• Log - Log violations of this security check.

• Stats - Generate statistics for this security check.

• None - Disable all actions for this security check.

CLI users: To enable one or more actions, type "set appfw profile -XMLXSSAction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -XMLXSSAction none".

Default value: AS_DEFAULT_DISPOSITION

XMLWSIAction

One or more Web Services Interoperability (WSI) actions. Available settings function as follows:

• Block - Block connections that violate this security check.

• Learn - Use the learning engine to generate a list of exceptions to this security check.

• Log - Log violations of this security check.

• Stats - Generate statistics for this security check.

• None - Disable all actions for this security check.

CLI users: To enable one or more actions, type "set appfw profile -XMLWSIAction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -XMLWSIAction none".

Default value: AS_DEFAULT_DISPOSITION

XMLAttachmentAction

One or more XML Attachment actions. Available settings function as follows:

• Block - Block connections that violate this security check.

• Learn - Use the learning engine to generate a list of exceptions to this security check.

• Log - Log violations of this security check.

• Stats - Generate statistics for this security check.

• None - Disable all actions for this security check.

CLI users: To enable one or more actions, type "set appfw profile -XMLAttachmentAction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -XMLAttachmentAction none".

Default value: AS_DEFAULT_DISPOSITION

XMLValidationAction

One or more XML Validation actions. Available settings function as follows:

• Block - Block connections that violate this security check.

• Log - Log violations of this security check.

• Stats - Generate statistics for this security check.

• None - Disable all actions for this security check.

CLI users: To enable one or more actions, type "set appfw profile -XMLValidationAction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -XMLValidationAction none".

Default value: AS_DEFAULT_DISPOSITION

XMLErrorObject

Name to assign to the XML Error Object, which the application firewall displays when a user request is blocked.

Must begin with a letter, number, or the underscore character \(_\), and must contain only letters, numbers, and the hyphen \(-\), period \(.\) pound \(\#\), space \( \), at (@), equals \(=\), colon \(:\), and underscore characters. Cannot be changed after the XML error object is added.

The following requirement applies only to the NetScaler CLI:

If the name includes one or more spaces, enclose the name in double or single quotation marks \(for example, "my XML error object" or 'my XML error object'\).

Default value: NS_S_AS_ERROR_OBJECT_DEFAULT

signatures

Object name for signatures.

This check is applicable to Profile Type: HTML, XML.

Default value: NS_S_AS_CUSTOM_OBJECT_DEFAULT

XMLSOAPFaultAction

One or more XML SOAP Fault Filtering actions. Available settings function as follows:

• Block - Block connections that violate this security check.

• Log - Log violations of this security check.

• Stats - Generate statistics for this security check.

• None - Disable all actions for this security check.

• Remove - Remove all violations for this security check.

CLI users: To enable one or more actions, type "set appfw profile -XMLSOAPFaultAction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -XMLSOAPFaultAction none".

Default value: AS_DEFAULT_DISPOSITION

useHTMLErrorObject

Send an imported HTML Error object to a user when a request is blocked, instead of redirecting the user to the designated Error URL.

Possible values: ON, OFF

errorURL

URL that application firewall uses as the Error URL.

Default value: NS_S_AS_ERROR_URL_DEFAULT

HTMLErrorObject

Name to assign to the HTML Error Object.

Must begin with a letter, number, or the underscore character \(_\), and must contain only letters, numbers, and the hyphen \(-\), period \(.\) pound \(\#\), space \( \), at (@), equals \(=\), colon \(:\), and underscore characters. Cannot be changed after the HTML error object is added.

The following requirement applies only to the NetScaler CLI:

If the name includes one or more spaces, enclose the name in double or single quotation marks \(for example, "my HTML error object" or 'my HTML error object'\).

Default value: NS_S_AS_ERROR_OBJECT_DEFAULT

logEveryPolicyHit

Log every profile match, regardless of security checks results.

Possible values: ON, OFF

stripHtmlComments

Strip HTML comments before forwarding a web page sent by a protected web site in response to a user request.

Possible values: none, all, exclude_script_tag

stripXmlComments

Strip XML comments before forwarding a web page sent by a protected web site in response to a user request.

Possible values: none, all

exemptClosureURLsFromSecurityChecks

Exempt URLs that pass the Start URL closure check from SQL injection, cross-site script, field format and field consistency security checks at locations other than headers.

Possible values: ON, OFF

defaultCharSet

Default character set for protected web pages. Web pages sent by your protected web sites in response to user requests are assigned this character set if the page does not already specify a character set. The character sets supported by the application firewall are:

• iso-8859-1 (English US)

• big5 (Chinese Traditional)

• gb2312 (Chinese Simplified)

• sjis (Japanese Shift-JIS)

• euc-jp (Japanese EUC-JP)

• iso-8859-9 (Turkish)

• utf-8 (Unicode)

• euc-kr (Korean)

Default value: NS_S_AS_CHARSET_DEFAULT

Maximum value: 31

postBodyLimit

Maximum allowed HTTP post body size, in bytes.

Default value: 20000000

Minimum value: 0

Maximum value: 1000000000

fileUploadMaxNum

Maximum allowed number of file uploads per form-submission request. The maximum setting (65535) allows an unlimited number of uploads.

Default value: 65535

Minimum value: 0

Maximum value: 65535

canonicalizeHTMLResponse

Perform HTML entity encoding for any special characters in responses sent by your protected web sites.

Possible values: ON, OFF

Default value: ON

enableFormTagging

Enable tagging of web form fields for use by the Form Field Consistency and CSRF Form Tagging checks.

Possible values: ON, OFF

Default value: ON

sessionlessFieldConsistency

Perform sessionless Field Consistency Checks.

Possible values: OFF, ON, postOnly

Default value: OFF

sessionlessURLClosure

Enable session less URL Closure Checks.

This check is applicable to Profile Type: HTML.

Possible values: ON, OFF

Default value: OFF

semicolonFieldSeparator

Allow ';' as a form field separator in URL queries and POST form bodies.

Possible values: ON, OFF

Default value: OFF

excludeFileUploadFromChecks

Exclude uploaded files from Form checks.

Possible values: ON, OFF

Default value: OFF

SQLInjectionParseComments

Parse HTML comments and exempt them from the HTML SQL Injection check. You must specify the type of comments that the application firewall is to detect and exempt from this security check. Available settings function as follows:

• Check all - Check all content.

• ANSI - Exempt content that is part of an ANSI (Mozilla-style) comment.

• Nested - Exempt content that is part of a nested (Microsoft-style) comment.

• ANSI Nested - Exempt content that is part of any type of comment.

Possible values: checkall, ansi, nested, ansinested

Default value: AS_DEFAULT_SQLINJECTIONPARSECOMMENTS

invalidPercentHandling

Configure the method that the application firewall uses to handle percent-encoded names and values. Available settings function as follows:

• apache_mode - Apache format.

• asp_mode - Microsoft ASP format.

• secure_mode - Secure format.

Possible values: apache_mode, asp_mode, secure_mode

Default value: secure_mode

type

Application firewall profile type, which controls which security checks and settings are applied to content that is filtered with the profile. Available settings function as follows:

• HTML - HTML-based web sites.

• XML - XML-based web sites and services.

• HTML XML (Web 2.0) - Sites that contain both HTML and XML content, such as ATOM feeds, blogs, and RSS feeds.

Default value: HTML

checkRequestHeaders

Check request headers as well as web forms for injected SQL and cross-site scripts.

Possible values: ON, OFF

Default value: OFF

optimizePartialReqs

Optimize handle of HTTP partial requests i.e. those with range headers.

Available settings are as follows:

• ON - Partial requests by the client result in partial requests to the backend server in most cases.

• OFF - Partial requests by the client are changed to full requests to the backend server

Possible values: ON, OFF

URLDecodeRequestCookies

URL Decode request cookies before subjecting them to SQL and cross-site scripting checks.

Possible values: ON, OFF

Default value: OFF

comment

Any comments about the purpose of profile, or other useful information about the profile.

unset appfw profile

Use this command to remove appfw profile settings.Refer to the set appfw profile command for meanings of the arguments.

Synopsys

unset appfw profile <name> [-startURLAction] [-contentTypeAction] [-inspectContentTypes] [-startURLClosure] [-denyURLAction] [-RefererHeaderCheck] [-cookieConsistencyAction] [-cookieTransforms] [-cookieEncryption] [-cookieProxying] [-addCookieFlags] [-fieldConsistencyAction] [-CSRFtagAction] [-crossSiteScriptingAction] [-crossSiteScriptingTransformUnsafeHTML] [-crossSiteScriptingCheckCompleteURLs] [-SQLInjectionAction] [-SQLInjectionTransformSpecialChars] [-SQLInjectionType] [-SQLInjectionCheckSQLWildChars] [-fieldFormatAction] [-defaultFieldFormatType] [-defaultFieldFormatMinLength] [-defaultFieldFormatMaxLength] [-bufferOverflowAction] [-bufferOverflowMaxURLLength] [-bufferOverflowMaxHeaderLength] [-bufferOverflowMaxCookieLength] [-creditCardAction] [-creditCard] [-creditCardMaxAllowed] [-creditCardXOut] [-doSecureCreditCardLogging] [-streaming] [-trace] [-requestContentType] [-responseContentType] [-XMLDoSAction] [-XMLFormatAction] [-XMLSQLInjectionAction] [-XMLSQLInjectionType] [-XMLSQLInjectionCheckSQLWildChars] [-XMLSQLInjectionParseComments] [-XMLXSSAction] [-XMLWSIAction] [-XMLAttachmentAction] [-XMLValidationAction] [-XMLErrorObject] [-signatures] [-XMLSOAPFaultAction] [-useHTMLErrorObject] [-errorURL] [-HTMLErrorObject] [-logEveryPolicyHit] [-stripHtmlComments] [-stripXmlComments] [-exemptClosureURLsFromSecurityChecks] [-defaultCharSet] [-postBodyLimit] [-fileUploadMaxNum] [-canonicalizeHTMLResponse] [-enableFormTagging] [-sessionlessFieldConsistency] [-sessionlessURLClosure] [-semicolonFieldSeparator] [-excludeFileUploadFromChecks] [-SQLInjectionParseComments] [-invalidPercentHandling] [-type] [-checkRequestHeaders] [-optimizePartialReqs] [-URLDecodeRequestCookies] [-comment]

bind appfw profile

Binds the specified exemption (relaxation) or rule to the specified application firewall profile. NOTE: You should not attempt to bind more than one exemption or rule at a time by using this command.

Synopsys

bind appfw profile <name> (-startURL <expression> | -denyURL <expression> | (-fieldConsistency <string> <formActionURL> [-isRegex ( REGEX | NOTREGEX )]) | (-cookieConsistency <string> [-isRegex ( REGEX | NOTREGEX )]) | (-SQLInjection <string> <formActionURL> [-isRegex ( REGEX | NOTREGEX )] [-location <location>] [-valueType <valueType> <valueExpression> [-isValueRegex ( REGEX | NOTREGEX )]]) | (-CSRFTag <expression> <CSRFFormActionURL>) | (-crossSiteScripting <string> <formActionURL> [-isRegex ( REGEX | NOTREGEX )] [-location <location>] [-valueType <valueType> <valueExpression> [-isValueRegex ( REGEX | NOTREGEX )]]) | (-fieldFormat <string> <formActionURL> <fieldType> [-fieldFormatMinLength <positive_integer>] [-fieldFormatMaxLength <positive_integer>] [-isRegex ( REGEX | NOTREGEX )]) | (-safeObject <string> <expression> <maxMatchLength> [-action <action> ...]) | -trustedLearningClients <ip_addr[/prefix]|ipv6_addr[/prefix]|*> | (-XMLDoSURL <expression> [-XMLMaxElementDepthCheck ( ON | OFF ) [-XMLMaxElementDepth <positive_integer>]] [-XMLMaxElementNameLengthCheck ( ON | OFF ) [-XMLMaxElementNameLength <positive_integer>]] [-XMLMaxElementsCheck ( ON | OFF ) [-XMLMaxElements <positive_integer>]] [-XMLMaxElementChildrenCheck ( ON | OFF ) [-XMLMaxElementChildren <positive_integer>]] [-XMLMaxAttributesCheck ( ON | OFF ) [-XMLMaxAttributes <positive_integer>]] [-XMLMaxAttributeNameLengthCheck ( ON | OFF ) [-XMLMaxAttributeNameLength <positive_integer>]] [-XMLMaxAttributeValueLengthCheck ( ON | OFF ) [-XMLMaxAttributeValueLength <positive_integer>]] [-XMLMaxCharDATALengthCheck ( ON | OFF ) [-XMLMaxCharDATALength <positive_integer>]] [-XMLMaxFileSizeCheck ( ON | OFF ) [-XMLMaxFileSize <positive_integer>]] [-XMLMinFileSizeCheck ( ON | OFF ) [-XMLMinFileSize <positive_integer>]] [-XMLBlockPI ( ON | OFF )] [-XMLBlockDTD ( ON | OFF )] [-XMLBlockExternalEntities ( ON | OFF )] [-XMLMaxEntityExpansionsCheck ( ON | OFF ) [-XMLMaxEntityExpansions <positive_integer>]] [-XMLMaxEntityExpansionDepthCheck ( ON | OFF ) [-XMLMaxEntityExpansionDepth <positive_integer>]] [-XMLMaxNamespacesCheck ( ON | OFF ) [-XMLMaxNamespaces <positive_integer>]] [-XMLMaxNamespaceUriLengthCheck ( ON | OFF ) [-XMLMaxNamespaceUriLength <positive_integer>]] [-XMLSOAPArrayCheck ( ON | OFF ) [-XMLMaxSOAPArraySize <positive_integer>] [-XMLMaxSOAPArrayRank <positive_integer>]]) | (-XMLWSIURL <expression> [-XMLWSIChecks <string>]) | (-XMLValidationURL <expression> (-XMLRequestSchema <string> | (-XMLWSDL <string> [-XMLAdditionalSOAPHeaders ( ON | OFF )] [-XMLEndPointCheck ( ABSOLUTE | RELATIVE )]) | -XMLValidateSOAPEnvelope ( ON | OFF )) [-XMLResponseSchema <string>] [-XMLValidateResponse ( ON | OFF )]) | (-XMLAttachmentURL <expression> [-XMLMaxAttachmentSizeCheck ( ON | OFF ) [-XMLMaxAttachmentSize <positive_integer>]] [-XMLAttachmentContentTypeCheck ( ON | OFF ) [-XMLAttachmentContentType <expression>]]) | (-XMLSQLInjection <string> [-isRegex ( REGEX | NOTREGEX )] [-location ( ELEMENT | ATTRIBUTE )]) | (-XMLXSS <string> [-isRegex ( REGEX | NOTREGEX )] [-location ( ELEMENT | ATTRIBUTE )]) | -contentType <expression> | -excludeResContentType <expression> | (-CreditCardNumber <expression> <CreditCardNumberUrl>)) [-comment <string>] [-state ( ENABLED | DISABLED )]

Arguments

name

Name of the profile to which to bind an exemption or rule.

startURL

Add the specified URL to the start URL list.

Enclose URLs in double quotes to ensure preservation of any embedded spaces or non-alphanumeric characters.

denyURL

Add the specified URL to the deny URL list.

Enclose URLs in double quotes to ensure preservation of any embedded spaces or non-alphanumeric characters.

fieldConsistency

Exempt the specified web form field and form action URL from the form field consistency check, or exempt the specified cookie from the cookie consistency check.

A form field consistency exemption (relaxation) consists of the following items:

• Web form field name. Name of the form field to exempt from this check.

• Form action URL. Action URL for the web form.

• IsRegex flag. The IsRegex flag, followed by YES if the form action URL is a regular expression, or NO if it is a literal string.

formActionURL

Form action URL.

isRegex

Is a regular expression?

Possible values: REGEX, NOTREGEX

cookieConsistency

A cookie consistency exemption (relaxation) consists of the following items:

• Cookie name. Name of the cookie to exempt from this check.

• IsRegex flag. The IsRegex flag, followed by YES if the cookie name is a regular expression, or NO if it is a literal string.

SQLInjection

Exempt the specified HTTP header, web form field and the form action URL, or cookie from the SQL injection check.

An SQL injection exemption (relaxation) consists of the following items:

*Item name. Name of the web form field, cookie, or HTTP header to exempt from this check.

• Form action URL. If the item to be exempted is a web form field, the action URL for the web form.

• IsRegex flag. The IsRegex flag, followed by YES if the name or form action URL is a regular expression, or NO if it is a literal string.

• Location. Location that should be examined by the SQL injection check, either FORMFIELD for web form field, HEADER for HTTP header, or COOKIE for cookie.

location

Location of XSS injection exception - XML Element or Attribute. Default location is 'ELEMENT'

Possible values: ELEMENT, ATTRIBUTE

Default value: AS_XMLLOCATION_ELEMENT

valueType

XSS value type. (Tag | Attribute | Pattern)

Possible values: Tag, Attribute, Pattern

valueExpression

XSS value expressions consistituting expressions for Tag, Attribute and Pattern.

isValueRegex

Is a regular expression?

Possible values: REGEX, NOTREGEX

CSRFTag

Exempt the specified form field and web form from the cross-site request forgery (CSRF tagging) check.

A CSRF tagging exemption (relaxation) consists of the following items:

• Web form field name. Regular expression that describes the web form field to exempt from this check.

• Form action URL. The action URL for the web form.

CSRFFormActionURL

CSRF form action URL.

crossSiteScripting

Exempt the specified string, found in the specified HTTP header, cookie, or web form, from the cross-site scripting check.

A cross-site scripting check exemption (relaxation) consists of the following items:

• HTML to exempt. The string to exempt from the cross-site scripting check.

• URL. The URL to exempt.

• IsRegex flag. The IsRegex flag, followed by YES if the URL is a regular expression, or NO if it is a literal string.

• location. Location which should be examined by the cross-site scripting check, either FORMFIELD for web form field, HEADER for HTTP header, or COOKIE for cookie.

fieldFormat

Impose the specified format on content returned by users in the specified web form field.

A field format rule consists of the following items:

• Form field name. The name of the form field.

• Form action URL. The form action URL for the web form.

• Field type. The field type (format) to enforce on the specified web form field.

• Field format minimum length. The minimum length allowed for data in the specified field. If 0, field can be left blank.

• Field format maximum length. The maximum length allowed for data in the specified field.

• IsRegex flag. The IsRegex flag, followed by YES if the URL is a regular expression, or NO if it is a literal string.

fieldType

Field type.

fieldFormatMinLength

Field format minimum length.

Default value: 0

Minimum value: 0

Maximum value: 65535

fieldFormatMaxLength

Field format maximum length.

Default value: 65535

Minimum value: 1

Maximum value: 65535

safeObject

Protect web sites from exposing sensitive private information such as social security numbers, credit card numbers, driver's license numbers, passport numbers, and any other type of private information that can be described by a regular expression.

A safe object consists of the following items:

• Name. A name that describes the type of information that the safe object is to protect.

• Expression. PCRE-format regular expression that describes the information to be protected.

• Maximum match length. Maximum length of a matched string.

• Action. "X-Out" to mask blocked information with the letter X, or "Remove" to remove the information.

expression

Safe Object regular expression.

maxMatchLength

Maximum match length for a Safe Object expression.

Default value: 1

Minimum value: 1

Maximum value: 65535

action

Safe Object action types. (BLOCK | LEARN | LOG | STATS | NONE)

trustedLearningClients

Trusted host/network learning IP.

This binding is appilicable to profile Type: HTML, XML.

comment

Any comments about the purpose of profile, or other useful information about the profile.

state

Enabled.

Possible values: ENABLED, DISABLED

Default value: ENABLED

XMLDoSURL

Exempt the specified URL from the specified XML denial-of-service (XDoS) attack protections.

An XDoS exemption (relaxation) consists of the following items:

• URL. PCRE-format regular expression for the URL or URLs to be exempted.

• Maximum-element-depth-check toggle. ON to enable this check, OFF to disable it.

• Maximum-element-depth-check toggle. ON to enable, OFF to disable.

• Maximum-element-depth-check level. Positive integer representing the maximum allowed depth of nested XML elements.

• Maximum-element-name-length-check toggle. ON to enable, OFF to disable.

• Maximum element name length. Positive integer representing the maximum allowed length of XML element names.

• Maximum-number-of-elements-check toggle. ON to enable, OFF to disable.

• Maximum number of elements. Positive integer representing the maximum allowed number of XML elements.

• Maximum-number-of-element-children-check toggle. ON to enable, OFF to disable.

• Maximum number of element children. Positive integer representing the maximum allowed number of XML element children.

• Maximum-number-of-attributes-check toggle. ON to enable, OFF to disable.

• Maximum number of attributes. Positive integer representing the maximum allowed number of XML attributes.

• Maximum-attribute-name-length-check toggle. ON to enable, OFF to disable.

• Maximum attribute name length. Positive integer representing the maximum allowed length of XML attribute names.

• Maximum-attribute-value-length-check toggle. ON to enable, OFF to disable.

• Maximum attribute value length. Positive integer representing the maximum allowed length of XML attribute values.

• Maximum-character-data-length-check toggle. ON to enable, OFF to disable.

• Maximum character-data length. Positive integer representing the maximum allowed length of XML character data.

• Maximum-file-size-check toggle. ON to enable, OFF to disable.

• Maximum file size. Positive integer representing the maximum allowed size, in bytes. of attached or uploaded files.

• Minimum-file-size-check toggle. ON to enable, OFF to disable.

• Minimum file size. Positive integer representing the minimum allowed size, in bytes, of attached or uploaded files.

• Maximum-number-of-entity-expansions-check toggle. ON to enable, OFF to disable.

• Maximum number of entity expansions. Positive integer representing the maximum allowed number of XML entity expansions.

• Maximum-number-of XML-namespaces-check toggle. ON to enable, OFF to disable.

• Maximum number of XML namespaces. Positive integer representing the maximum allowed number of XML namespaces.

• Maximum-XML-namespace-URI-length-check toggle. ON to enable, OFF to disable.

• MaximumXML-namespace URI length. Positive integer representing the maximum allowed length of XML namespace URIs.

• Block-processing-instructions toggle. Block XML processing instructions. ON to enable, OFF to disable.

• Block-DTD toggle. Block design type documents (DTDs). ON to enable, OFF to disable.

• Block-external-XML-entitites toggle. ON to enable, OFF to disable.

• Maximum-SOAP-array-check toggle. ON to enable, OFF to disable.

• Maximum SOAP-array size. Positive integer representing the maximum allowed size of XML SOAP arrays.

• Maximum SOAP-array rank. Positive integer representing the maximum rank (dimensions) of any single XML SOAP array.

XMLMaxElementDepthCheck

State if XML Max Element Depth Check is ON or OFF.

Possible values: ON, OFF

Default value: OFF

XMLMaxElementDepth

Maximum nesting (depth) of XML elements. This check protects against documents that have excessive depth of hierarchy.

Default value: 256

Minimum value: 1

Maximum value: 65535

XMLMaxElementNameLengthCheck

State if XML Max Element Name Length Check is ON or OFF.

Possible values: ON, OFF

Default value: OFF

XMLMaxElementNameLength

Specify the longest name of any element (including the prefix for qualified element name) to protect against overflow attacks.

Default value: 128

Minimum value: 1

Maximum value: 65535

XMLMaxElementsCheck

State if XML Max Elements Check is ON or OFF.

Possible values: ON, OFF

Default value: OFF

XMLMaxElements

Specifying maximum number of elements protects against overflow attacks.

Default value: 65535

Minimum value: 1

Maximum value: 65535

XMLMaxElementChildrenCheck

State if XML Max Element Children Check is ON or OFF.

Possible values: ON, OFF

Default value: OFF

XMLMaxElementChildren

Specifying maximum number of children allowed per element protects against overflow attacks.

Default value: 65535

Minimum value: 0

Maximum value: 65535

XMLMaxAttributesCheck

State if XML Max Attributes Check is ON or OFF.

Possible values: ON, OFF

Default value: OFF

XMLMaxAttributes

Specify maximum number of attributes per element. Protects against overflow attacks.

Default value: 256

Minimum value: 0

Maximum value: 65535

XMLMaxAttributeNameLengthCheck

State if XML Max Attribute Name Length Check is ON or OFF.

Possible values: ON, OFF

Default value: OFF

XMLMaxAttributeNameLength

Specify the longest name of any attribute (including the prefix for qualified attribute name). Protects against overflow attacks.

Default value: 128

Minimum value: 1

Maximum value: 65535

XMLMaxAttributeValueLengthCheck

State if XML Max Atribute Value Length is ON or OFF.

Possible values: ON, OFF

Default value: OFF

XMLMaxAttributeValueLength

Specify the longest value of any attribute. Protects against overflow attacks.

Default value: 2048

Minimum value: 0

Maximum value: 65535

XMLMaxCharDATALengthCheck

State if XML Max CDATA Length Check is ON or OFF.

Possible values: ON, OFF

Default value: OFF

XMLMaxCharDATALength

Maximum size of CDATA protects against overflow attacks and large unparsed data within XML messages.

Default value: 65535

Minimum value: 0

Maximum value: 1000000000

XMLMaxFileSizeCheck

State if XML Max File Size Check is ON or OFF.

Possible values: ON, OFF

Default value: OFF

XMLMaxFileSize

Maximum size of the XML messages protects against overflow attacks.

Default value: 20000000

Minimum value: 4

Maximum value: 1000000000

XMLMinFileSizeCheck

State if XML Min File Size Check is ON or OFF.

Possible values: ON, OFF

Default value: OFF

XMLMinFileSize

Enforces minimum message size.

Default value: 9

Minimum value: 4

Maximum value: 1000000000

XMLBlockPI

State if XML Block PI is ON or OFF. Protects resources from denial of service attacks as SOAP messages can not have Processing Instruction (PI) in the message.

Possible values: ON, OFF

Default value: OFF

XMLBlockDTD

State if XML DTD is ON or OFF. Protects against recursive Document Type Declaration (DTD) entity expansion attacks. Also, SOAP messages can not have DTD in the message.

Possible values: ON, OFF

Default value: OFF

XMLBlockExternalEntities

State if XML Block External Entities Check is ON or OFF. Protects against XML External Entity (XXE) attacks that force applications to parse untrusted external entities (sources) in XML documents.

Possible values: ON, OFF

Default value: OFF

XMLMaxEntityExpansionsCheck

State if XML Max Entity Expansions Check is ON or OFF.

Possible values: ON, OFF

Default value: OFF

XMLMaxEntityExpansions

Specify maximum allowed number of entity expansions. Protects aganist Entity Expansion Attack.

Default value: 512

Minimum value: 0

Maximum value: 1024

XMLMaxEntityExpansionDepthCheck

State if XML Max Entity Expansions Depth Check is ON or OFF.

Possible values: ON, OFF

Default value: OFF

XMLMaxEntityExpansionDepth

Specify maximum entity expansion depth. Protects aganist Entity Expansion Attack.

Default value: 8

Minimum value: 0

Maximum value: 24

XMLMaxNamespacesCheck

State if XML Max Namespaces Check is ON or OFF.

Possible values: ON, OFF

Default value: OFF

XMLMaxNamespaces

Specify maximum number of active namespaces. Protects against overflow attacks.

Default value: 16

Minimum value: 0

Maximum value: 512

XMLMaxNamespaceUriLengthCheck

State if XML Max Namspace URI Length Check is ON or OFF.

Possible values: ON, OFF

Default value: OFF

XMLMaxNamespaceUriLength

Specify the longest URI of any XML namespace. Protects against overflow attacks.

Default value: 256

Minimum value: 0

Maximum value: 65535

XMLSOAPArrayCheck

State if XML SOAP Array check is ON or OFF.

Possible values: ON, OFF

Default value: OFF

XMLMaxSOAPArraySize

XML Max Total SOAP Array Size. Protects against SOAP Array Abuse attack.

Default value: 20000000

Minimum value: 0

Maximum value: 1000000000

XMLMaxSOAPArrayRank

XML Max Total SOAP Array Rank. Protects against SOAP Array Abuse attack.

Default value: 16

Minimum value: 0

Maximum value: 32

XMLWSIURL

Exempt the specified URL from the web services interoperability (WS-I) check. The URL is specified as a PCRE-format regular expression, which can match one or more URLs.

XMLWSIChecks

Synonym for XMLWISURL, but takes a literal URL instead of a PCRE-format regular expression.

XMLValidationURL

Exempt the specified URL from the XML message validation check.

An XML message validation exemption (relaxation) consists of the following items:

• URL. PCRE-format regular expression that matches the URL(s) to be exempted.

• XML-request-schema toggle. Use the specified XML schema to validate requests. ON to enable, OFF to disable.

• XML request schema. XML schema to use for validating requests.

• XML-response-schema toggle. Use the specified XML schema to validate responses. ON to enable, OFF to disable.

• XML response schema. XML schema to use for validating responses.

• WSDL toggle. Use the specified WSDL to validate. ON to enable, OFF to disable.

• WSDL. WSDL to use for validation.

• SOAP-envelope toggle. Validate against the SOAP envelope. ON to enable, OFF to disable.

• Additional-SOAP-headers toggle. Validate against the extended list of SOAP headers. ON to enable, OFF to disable.

• XML-end-point check. ABSOLUTE to use an absolute end point, RELATIVE to use a relative end point.

XMLRequestSchema

XML Schema object for request validation .

XMLResponseSchema

XML Schema object for response validation .

XMLWSDL

WSDL object for soap request validation .

XMLAdditionalSOAPHeaders

Allow addtional soap headers.

Possible values: ON, OFF

XMLEndPointCheck

Modifies the behaviour of the Request URL validation w.r.t. the Service URL.

If set to ABSOLUTE, the entire request URL is validated with the entire URL mentioned in Service of the associated WSDL.

    eg: Service URL: http://example.org/ExampleService, Request URL: http//example.com/ExampleService would FAIL the validation.

If set to RELATIVE, only the non-hostname part of the request URL is validated against the non-hostname part of the Service URL.

    eg: Service URL: http://example.org/ExampleService, Request URL: http//example.com/ExampleService would PASS the validation.

Possible values: ABSOLUTE, RELATIVE

Default value: ABSOLUTE

XMLValidateSOAPEnvelope

Validate SOAP Evelope only.

Possible values: ON, OFF

XMLValidateResponse

Validate response message.

Possible values: ON, OFF

XMLAttachmentURL

Exempt the specified URL from the XML attachment check.

An XML attachment exemption (relaxation) consists of the following items:

• URL. PCRE-format regular expression that matches the URL(s) to be exempted.

• Maximum-attachment-size-check toggle. ON to enable, OFF to disable.

• Maximum attachment size. Positive integer representing the maximum allowed size in bytes for each XML attachment.

• Attachment-content-type-check toggle. ON to enable, OFF to disable.

• Attachment content type. PCRE-format regular expression that specifies the list of MIME content types allowed for XML attachments.

XMLMaxAttachmentSizeCheck

State if XML max attachment size check is ON or OFF. Protects against XML requests with large attachment data.

Possible values: ON, OFF

Default value: OFF

XMLMaxAttachmentSize

Specify maximum attachment size.

Minimum value: 0

Maximum value: 1000000000

XMLAttachmentContentTypeCheck

State if XML attachment content-type check is ON or OFF. Protects against XML requests with illegal attachments.

Possible values: ON, OFF

Default value: OFF

XMLAttachmentContentType

Specify content-type regular expression.

XMLSQLInjection

Exempt the specified URL from the XML SQL injection check.

An XML SQL injection exemption (relaxation) consists of the following items:

• URL. URL to exempt, as a string or a PCRE-format regular expression.

• ISREGEX flag. REGEX if URL is a regular expression, NOTREGEX if URL is a fixed string.

• Location. ELEMENT if the injection is located in an XML element, ATTRIBUTE if located in an XML attribute.

XMLXSS

Exempt the specified URL from the XML cross-site scripting (XSS) check.

An XML cross-site scripting exemption (relaxation) consists of the following items:

• URL. URL to exempt, as a string or a PCRE-format regular expression.

• ISREGEX flag. REGEX if URL is a regular expression, NOTREGEX if URL is a fixed string.

• Location. ELEMENT if the attachment is located in an XML element, ATTRIBUTE if located in an XML attribute.

contentType

Add the specified content-type to the content-type list.Enclose content-type in double quotes to ensure preservation of any embedded spaces or non-alphanumeric characters.

excludeResContentType

Add the specified content-type to the response content-type list that are to be excluded from inspection. Enclose content-type in double quotes to ensure preservation

of any embedded spaces or non-alphanumeric characters.

CreditCardNumber

Add expression to the list of object expression which are to be bypassed from safe commerce checks.

CreditCardNumberUrl

The url for which the list of credit card numbers are needed to be bypassed from inspection

unbind appfw profile

Unbinds the specified exemption (relaxation) or rule from the specified application firewall profile. See the bind appfw profile command for a description of the parameters.

Synopsys

unbind appfw profile <name> (-startURL <expression> | -denyURL <expression> | (-fieldConsistency <string> <formActionURL>) | -cookieConsistency <string> | (-SQLInjection <string> <formActionURL> [-location <location>] [-valueType <valueType> [<valueExpression>]]) | (-CSRFTag <string> <CSRFFormActionURL>) | (-crossSiteScripting <string> <formActionURL> [-location <location>] [-valueType <valueType> [<valueExpression>]]) | (-fieldFormat <string> <formActionURL>) | -safeObject <string> | -trustedLearningClients <ip_addr[/prefix]|ipv6_addr[/prefix]|*> | -XMLDoSURL <expression> | -XMLWSIURL <expression> | -XMLValidationURL <expression> | -XMLAttachmentURL <expression> | (-XMLSQLInjection <string> [-location ( ELEMENT | ATTRIBUTE )]) | (-XMLXSS <string> [-location ( ELEMENT | ATTRIBUTE )]) | -contentType <expression> | -excludeResContentType <expression> | (-CreditCardNumber <expression> <CreditCardNumberUrl>))

Arguments

name

Name of the exemption (relaxation) or rule that you want to unbind.

startURL

Start URL regular expression.

denyURL

Deny URL regular expression.

fieldConsistency

Form field name.

formActionURL

Form action URL.

cookieConsistency

Cookie name.

SQLInjection

Form field, header or cookie name.

location

Location of XSS injection exception - XML Element or Attribute. Default location is 'ELEMENT'

Possible values: ELEMENT, ATTRIBUTE

Default value: AS_XMLLOCATION_ELEMENT

valueType

The web form value type.

Possible values: Tag, Attribute, Pattern

valueExpression

The web form value expression.

CSRFTag

CSRF Form origin URL.

This binding is applicable to Profile Type: HTML.

CSRFFormActionURL

CSRF form action URL.

crossSiteScripting

Form field, header or cookie name.

fieldFormat

Field format name.

safeObject

Safe Object name.

trustedLearningClients

Trusted learning Clients IP

XMLDoSURL

XML DoS URL regular expression.

XMLWSIURL

XML WS-I URL regular expression.

XMLValidationURL

XML Message URL regular expression.

XMLAttachmentURL

XML Attachment URL regular expression.

XMLSQLInjection

Exempt the specified URL from the XML SQL injection check.

An XML SQL injection exemption (relaxation) consists of the following items:

• URL. URL to exempt, as a string or a PCRE-format regular expression.

• ISREGEX flag. REGEX if URL is a regular expression, NOTREGEX if URL is a fixed string.

• Location. ELEMENT if the injection is located in an XML element, ATTRIBUTE if located in an XML attribute.

XMLXSS

Exempt the specified URL from the XML cross-site scripting (XSS) check.

An XML cross-site scripting exemption (relaxation) consists of the following items:

• URL. URL to exempt, as a string or a PCRE-format regular expression.

• ISREGEX flag. REGEX if URL is a regular expression, NOTREGEX if URL is a fixed string.

• Location. ELEMENT if the attachment is located in an XML element, ATTRIBUTE if located in an XML attribute.

contentType

content-type regular expression.

excludeResContentType

Response content type regular expression that are to be excluded from inspection.

CreditCardNumber

The object expression that is to be excluded from safe commerce check.

CreditCardNumberUrl

The url for which the list of credit card numbers are needed to be bypassed from inspection

show appfw profile

Displays details of the specified application firewall profile. If no profile is specified, displays a list of all application firewall profiles on the NetScaler appliance.

Synopsys

show appfw profile [<name>]

Arguments

name

Name of the application firewall profile.

Outputs

stateflag

type

The profile type of of this Application Firewall profile. If the profile is of the HTML type, only checks relevant to HTML are applied. If the profile is of the XML type, only checks relevent to XML are applied. if the profile is of the Web 2.0 type, then both types of checks are applied.

defaults

Default configuration to apply to the profile. Basic defaults are intended for standard content that requires little further configuration, such as static web site content. Advanced defaults are intended for specialized content that requires significant specialized configuration, such as heavily scripted or dynamic content.

CLI users: When adding an application firewall profile, you can set either the defaults or the type, but not both. To set both options, create the profile by using the add appfw profile command, and then use the set appfw profile command to configure the other option.

useHTMLErrorObject

Send an imported HTML Error object to a user when a request is blocked, instead of redirecting the user to the designated Error URL.

errorURL

The error page for this profile.

HTMLErrorObject

Name to assign to the HTML Error Object.

Must begin with a letter, number, or the underscore character \(_\), and must contain only letters, numbers, and the hyphen \(-\), period \(.\) pound \(\#\), space \( \), at (@), equals \(=\), colon \(:\), and underscore characters. Cannot be changed after the HTML error object is added.

The following requirement applies only to the NetScaler CLI:

If the name includes one or more spaces, enclose the name in double or single quotation marks \(for example, "my HTML error object" or 'my HTML error object'\).

logEveryPolicyHit

Log every profile match, regardless of security checks results.

stripComments

Tells the Application Firewall to strip HTML comments from responses before sending them to the user.

stripHtmlComments

Tells the Application Firewall to strip HTML comments from responses before sending them to the user.

stripXmlComments

Tells the Application Firewall to strip XML comments from responses before sending them to the user.

defaultCharSet

The default character set. The character set that the Application Firewall uses for web pages that do not explicitly set a different character set.

postBodyLimit

The maximum body size for an HTTP POST.

fileUploadMaxNum

Maximum allowed number of file uploads per form-submission request. The maximum setting (65535) allows an unlimited number of uploads.

canonicalizeHTMLResponse

Tells the Application Firewall to convert any non-ASCII characters into HTML entities before sending responses to the user. This is called 'canonicalization' of HTML responses.

enableFormTagging

Enables tagging of web forms for form field Consistency checks.

sessionlessFieldConsistency

Enable session less form field consistency checks.

sessionlessURLClosure

Enable session less URL closure checks.

semicolonFieldSeparator

Allow ';' as a form field separator in URL queries and POST form bodies.

excludeFileUploadFromChecks

Excludes uploaded files from all web form checks.

SQLInjectionParseComments

Canonicalizes SQL Comments in form fields.

checkRequestHeaders

Check request headers as well as web forms for injected SQL and cross-site scripts.

optimizePartialReqs

Optimize handle of HTTP partial requests i.e. those with range headers.

Available settings are as follows:

• ON - Partial requests by the client result in partial requests to the backend server in most cases.

• OFF - Partial requests by the client are changed to full requests to the backend server

URLDecodeRequestCookies

URL Decode request cookies before subjecting them to SQL and cross-site scripting checks.

comment

Comments associated with this profile.

startURLAction

Start URL action types. (BLOCK | LEARN | LOG | STATS | NONE)

contentTypeAction

Content-type action types. (BLOCK | LOG | NONE)

inspectContentTypes

Inspection content types associated with this profile

startURL

A regular expression that designates a URL on the Start URL list.

startURLClosure

Enable Start URL closure. When enabled, this feature allows users to start their session at a designated start URL, then navigate from that start URL to any URL on a protected web site by clicking a link on another web page on that web site. Otherwise, requests to any URL that is not explicitly allowed are blocked.

denyURLAction

Deny URL action types. (BLOCK | LOG | STATS | NONE)

denyURL

A regular expression that designates a URL on the Deny URL list.

RefererHeaderCheck

Enable validation of Referer headers.

Referer validation ensures that a web form that a user sends to your web site originally came from your web site, not an outside attacker.

Although this parameter is part of the Start URL check, referer validation protects against cross-site request forgery (CSRF) attacks, not Start URL attacks.

CSRFtagAction

Cross-site request forgery tagging action types. (BLOCK | LEARN | LOG | STATS | NONE)

CSRFTag

The web form originating URL.

CSRFFormActionURL

The web form action URL.

crossSiteScriptingAction

Cross-site scripting action types. (BLOCK | LEARN | LOG | STATS | NONE)

crossSiteScriptingTransformUnsafeHTML

Enables transformation of unsafe HTML into safe HTML before forwarding a request to the web server.

crossSiteScriptingCheckCompleteURLs

Tells the Application Firewall to check complete URLs rather than just the query portion of URLs for cross-site scripting violations.

crossSiteScripting

The web form field name.

isRegex

Is the XML XSS exempted field name a regular expression?

formActionURL

Action URL of the form field to which a field format will be assigned.

exemptClosureURLsFromSecurityChecks

Tells the Application Firewall to exempt closure URLs from security checks.

location

Location of XSS injection exception - XML Element or Attribute.

valueType

The web form value type.

valueExpression

The web form value expression.

isValueRegex

Is the web form field value a regular expression?

SQLInjectionAction

SQL injection action types. (BLOCK | LEARN | LOG | STATS | NONE)

SQLInjectionTransformSpecialChars

Enables transformation of SQL special characters found in web forms into safe equivalents.

SQLInjectionOnlyCheckFieldsWithSQLChars

Tells the Application Firewall to check form fields that contain SQL special characters only, rather than all form fields, for SQL injection violations.

SQLInjectionType

Available SQL Injection types.

SQLInjectionCheckSQLWildChars

Check for form fields that contain SQL wild chars .

SQLInjection

The web form field name.

invalidPercentHandling

Configure the method that the application firewall uses to handle percent-encoded names and values. Available settings function as follows:

• apache_mode - Apache format.

• asp_mode - Microsoft ASP format.

• secure_mode - Secure format.

fieldConsistencyAction

Form Field Consistency action types. (BLOCK | LEARN | LOG | STATS | NONE)

fieldConsistency

The web form field name.

cookieConsistencyAction

Cookie consistency action types. (BLOCK | LEARN | LOG | STATS | NONE)

cookieConsistency

The name of the cookie to be checked.

cookieTransforms

Perform the specified type of cookie transformation.

Available settings function as follows:

• Encryption - Encrypt cookies.

• Proxying - Mask contents of server cookies by sending proxy cookie to users.

• Cookie flags - Flag cookies as HTTP only to prevent scripts on user's browser from accessing and possibly modifying them.

CAUTION: Make sure that this parameter is set to ON if you are configuring any cookie transformations. If it is set to OFF, no cookie transformations are performed regardless of any other settings.

cookieEncryption

Type of cookie encryption. Available settings function as follows:

• None - Do not encrypt cookies.

• Decrypt Only - Decrypt encrypted cookies, but do not encrypt cookies.

• Encrypt Session Only - Encrypt session cookies, but not permanent cookies.

• Encrypt All - Encrypt all cookies.

cookieProxying

Proxies server cookies using the Application Firewall session

addCookieFlags

Add the specified flags to cookies. Available settings function as follows:

• None - Do not add flags to cookies.

• HTTP Only - Add the HTTP Only flag to cookies, which prevents scripts from accessing cookies.

• Secure - Add Secure flag to cookies.

• All - Add both HTTPOnly and Secure flags to cookies.

bufferOverflowAction

Buffer overflow action types. (BLOCK | LOG | STATS | NONE)

bufferOverflowMaxURLLength

Maximum allowed length for URLs.

bufferOverflowMaxHeaderLength

Maximum allowed length for HTTP headers.

bufferOverflowMaxCookieLength

Maximum allowed length for cookies.

fieldFormatAction

Field format action types. (BLOCK | LEARN | LOG | STATS | NONE)

defaultFieldFormatType

Name of the default field type, the field type that the Application Firewall will assign to a form field when no specific field type is assigned to that particular form field.

defaultFieldFormatMinLength

Default field type minimum length setting.

defaultFieldFormatMaxLength

Default field type maximum length setting.

fieldFormat

Name of the form field to which a field format will be assigned.

fieldType

The field type you are assigning to this form field.

fieldFormatMinLength

The minimum allowed length for data in this form field.

fieldFormatMaxLength

The maximum allowed length for data in this form field.

creditCardAction

Credit Card action types. (BLOCK | LOG | STATS | NONE)

creditCard

Credit card types. (AMEX | DINERSCLUB| DISCOVER | JBC | MASTERCARD | VISA)

creditCardMaxAllowed

Maximum number of times a credit card number may be seen before action is taken.

creditCardXOut

X-out credit card numbers.

doSecureCreditCardLogging

Setting this option logs credit card numbers in the response when the match is found.

streaming

Setting this option converts content-length form submission requests (requests with content-type "application/x-www-form-urlencoded" or "multipart/form-data") to chunked requests when atleast one of the following protections : SQL injection protection, XSS protection, form field consistency protection, starturl closure, CSRF tagging is enabled. Please make sure that the backend server accepts chunked requests before enabling this option.

trace

Toggle the state of trace

safeObject

Name of the Safe Object.

expression

A regular expression that defines the Safe Object.

maxMatchLength

Maximum match length for a Safe Object expression.

action

Safe Object action types. (BLOCK | LOG | STATS | NONE)

requestContentType

Default content-type for request messages.

responseContentType

Default content-type for response messages.

XMLErrorObject

URL for the xml error page

signatures

Signatures for the profile

XMLFormatAction

XML well-formed request action types. (BLOCK | LOG | STATS | NONE)

XMLDoSAction

XML DOS action types. (BLOCK | LEARN | LOG | STATS | NONE)

XMLSQLInjectionAction

XML SQL Injection action types. (BLOCK | LOG | STATS | NONE)

XMLSQLInjectionOnlyCheckFieldsWithSQLChars

XML flag to check only fields with SQL characters.

XMLSQLInjectionType

Available XML SQL Injection types.

XMLSQLInjectionCheckSQLWildChars

XML flag to check for SQL wild chars.

XMLSQLInjectionParseComments

Canonicalize SQL Comments in XML data.

XMLXSSAction

XML cross-site scripting action types. (BLOCK | LOG | STATS | NONE)

XMLWSIAction

XML WSI action types. (BLOCK | LEARN | LOG | STATS | NONE)

XMLAttachmentAction

XML attachment action types. (BLOCK | LEARN | LOG | STATS | NONE)

XMLValidationAction

XML message validation action types. (BLOCK | LOG | STATS | NONE)

XMLSOAPFaultAction

XML SOAP fault filtering action types. (BLOCK | LOG | STATS | REMOVE | NONE)

XMLDoSURL

XML DoS URL regular expression length.

XMLWSIURL

XML WS-I URL regular expression length.

XMLValidationURL

XML Validation URL regular expression.

XMLAttachmentURL

XML attachment URL regular expression length.

XMLSQLInjection

Exempt the specified URL from the XML SQL injection check.

An XML SQL injection exemption (relaxation) consists of the following items:

• URL. URL to exempt, as a string or a PCRE-format regular expression.

• ISREGEX flag. REGEX if URL is a regular expression, NOTREGEX if URL is a fixed string.

• Location. ELEMENT if the injection is located in an XML element, ATTRIBUTE if located in an XML attribute.

XMLXSS

Exempt the specified URL from the XML cross-site scripting (XSS) check.

An XML cross-site scripting exemption (relaxation) consists of the following items:

• URL. URL to exempt, as a string or a PCRE-format regular expression.

• ISREGEX flag. REGEX if URL is a regular expression, NOTREGEX if URL is a fixed string.

• Location. ELEMENT if the attachment is located in an XML element, ATTRIBUTE if located in an XML attribute.

state

Enabled.

XMLMaxElementDepthCheck

State if XML Max element depth check is ON or OFF.

XMLMaxElementDepth

Maximum nesting (depth) of XML elements. This check protects against documents that have excessive hierarchy depths.

XMLMaxElementNameLengthCheck

State if XML Max element name length check is ON or OFF.

XMLMaxElementNameLength

Specify the longest name of any element (including the expanded namespace) to protect against overflow attacks.

XMLMaxElementsCheck

State if XML Max elements check is ON or OFF.

XMLMaxElements

Specify the maximum number of XML elements allowed. Protects against overflow attacks.

XMLMaxElementChildrenCheck

State if XML Max element children check is ON or OFF.

XMLMaxElementChildren

Specify the maximum number of children allowed per XML element. Protects against overflow attacks.

XMLMaxNodesCheck

State if XML Max nodes check is ON or OFF.

XMLMaxNodes

Specify the maximum number of XML nodes. Protects against overflow attacks.

XMLMaxAttributesCheck

State if XML Max attributes check is ON or OFF.

XMLMaxAttributes

Specify maximum number of attributes per XML element. Protects against overflow attacks.

XMLMaxAttributeNameLengthCheck

State if XML Max attribute name length check is ON or OFF.

XMLMaxAttributeNameLength

Specify the longest name of any XML attribute. Protects against overflow attacks.

XMLMaxAttributeValueLengthCheck

State if XML Max atribute value length is ON or OFF.

XMLMaxAttributeValueLength

Specify the longest value of any XML attribute. Protects against overflow attacks.

XMLMaxCharDATALengthCheck

State if XML Max CDATA length check is ON or OFF.

XMLMaxCharDATALength

Specify the maximum size of CDATA. Protects against overflow attacks and large quantities of unparsed data within XML messages.

XMLMaxFileSizeCheck

State if XML Max file size check is ON or OFF.

XMLMaxFileSize

Specify the maximum size of XML messages. Protects against overflow attacks.

XMLMinFileSizeCheck

State if XML Min file size check is ON or OFF.

XMLMinFileSize

Enforces minimum message size.

XMLBlockPI

State if XML Block PI is ON or OFF. Protects resources from denial of service attacks as SOAP messages cannot have processing instructions (PI) in messages.

XMLBlockDTD

State if XML DTD is ON or OFF. Protects against recursive Document Type Declaration (DTD) entity expansion attacks. Also, SOAP messages cannot have DTDs in messages.

XMLBlockExternalEntities

State if XML Block External Entities Check is ON or OFF. Protects against XML External Entity (XXE) attacks that force applications to parse untrusted external entities (sources) in XML documents.

XMLMaxEntityExpansionsCheck

State if XML Max Entity Expansions Check is ON or OFF.

XMLMaxEntityExpansions

Specify maximum allowed number of entity expansions. Protects aganist Entity Expansion Attack.

XMLMaxEntityExpansionDepthCheck

State if XML Max Entity Expansions Depth Check is ON or OFF.

XMLMaxEntityExpansionDepth

Specify maximum entity expansion depth. Protects aganist Entity Expansion Attack.

XMLMaxNamespacesCheck

State if XML Max namespaces check is ON or OFF.

XMLMaxNamespaces

Specify maximum number of active namespaces. Protects against overflow attacks.

XMLMaxNamespaceUriLengthCheck

State if XML Max namespace URI length check is ON or OFF.

XMLMaxNamespaceUriLength

Specify the longest URI of any XML namespace. Protects against overflow attacks.

XMLSOAPArrayCheck

State if XML SOAP Array check is ON or OFF.

XMLMaxSOAPArraySize

XML Max Total SOAP Array Size. Protects against SOAP Array Abuse attack.

XMLMaxSOAPArrayRank

XML Max Individual SOAP Array Rank. This is the dimension of the SOAP array.

XMLWSIChecks

Specify a comma separated list of relevant WS-I rule IDs. (R1140, R1141)

XMLRequestSchema

XML Schema object for request validation .

XMLResponseSchema

XML Schema object for response validation.

XMLWSDL

WSDL object for soap request validation.

XMLAdditionalSOAPHeaders

Allow addtional soap headers.

XMLEndPointCheck

Modifies the behaviour of the Request URL validation w.r.t. the Service URL.

If set to ABSOLUTE, the entire request URL is validated with the entire URL mentioned in Service of the associated WSDL.

    eg: Service URL: http://example.org/ExampleService, Request URL: http//example.com/ExampleService would FAIL the validation.

If set to RELAIVE, only the non-hostname part of the request URL is validated against the non-hostname part of the Service URL.

    eg: Service URL: http://example.org/ExampleService, Request URL: http//example.com/ExampleService would PASS the validation.

XMLValidateSOAPEnvelope

Validate SOAP Evelope only.

XMLValidateResponse

Validate response message.

XMLMaxAttachmentSizeCheck

State if XML Max attachment size Check is ON or OFF. Protects against XML requests with large attachment data.

XMLMaxAttachmentSize

Specify maximum attachment size.

XMLAttachmentContentTypeCheck

State if XML attachment content-type check is ON or OFF. Protects against XML requests with illegal attachments.

XMLAttachmentContentType

Specify content-type regular expression.

builtin

Indicates that a profile is a built-in entity.

builtinType

Type of built-in profiles

trustedLearningClients

Specify trusted host/network IP

contentType

A regular expression that designates a content-type on the content-types list.

excludeResContentType

A regular expression that represents the content type of the response that are to be excluded from inspection.

CreditCardNumber

The object expression that is to be excluded from safe commerce check

CreditCardNumberUrl

The url for which the list of credit card numbers are needed to be bypassed from inspection

devno

count

stat appfw profile

Displays statistics for the specified application firewall profile. If no profile is specified, displays abbreviated statistics for all profiles.

Synopsys

stat appfw profile [<name>] [-detail] [-fullValues] [-ntimes <positive_integer>] [-logFile <input_filename>] [-clearstats ( basic | full )]

Arguments

name

Name of the application firewall profile.

detail

Specifies detailed output (including more statistics). The output can be quite voluminous. Without this argument, the output will show only a summary.

fullValues

Specifies that numbers and strings should be displayed in their full form. Without this option, long strings are shortened and large numbers are abbreviated

ntimes

The number of times, in intervals of seven seconds, the statistics should be displayed.

Default value: 1

Minimum value: 0

logFile

The name of the log file to be used as input.

clearstats

Clear the statsistics / counters

Possible values: basic, full

Outputs

count

devno

stateflag

Outputs

requests (reqs)

HTTP/HTTPS requests sent to your protected web servers via the Application Firewall.

Request Bytes (reqBytes)

Number of bytes transfered for requests

responses (resps)

HTTP/HTTPS responses sent by your protected web servers via the Application Firewall.

Response Bytes (resBytes)

Number of bytes transfered for responses

aborts

Incomplete HTTP/HTTPS requests aborted by the client before the Application Firewall could finish processing them.

redirects (redirect)

HTTP/HTTPS requests redirected by the Application Firewall to a different Web page or web server. (HTTP 302)

Long Term Ave Response Time (ms) (longAvgRespTimePP)

Average backend response time in milliseconds since reboot

Recent Ave Response Time (ms) (shortAvgRespTimePP)

Average backend response time in milliseconds over the last 7 seconds

start URL (startURL)

Number of Start URL security check violations seen by the Application Firewall.

deny URL (denyURL)

Number of Deny URL security check violations seen by the Application Firewall.

referer header (refererHdr)

Number of Referer Header security check violations seen by the Application Firewall.

buffer overflow (bufovfl)

Number of Buffer Overflow security check violations seen by the Application Firewall.

cookie consistency (cookie)

Number of Cookie Consistency security check violations seen by the Application Firewall.

CSRF form tag (csrf_tag)

Number of Cross Site Request Forgery form tag security check violations seen by the Application Firewall.

HTML Cross-site scripting (xss)

Number of HTML Cross-Site Scripting security check violations seen by the Application Firewall.

HTML SQL injection (sql)

Number of HTML SQL Injection security check violations seen by the Application Firewall.

field format (fieldfmt)

Number of Field Format security check violations seen by the Application Firewall.

field consistency (fieldcon)

Number of Field Consistency security check violations seen by the Application Firewall.

credit card (ccard)

Number of Credit Card security check violations seen by the Application Firewall.

safe object (safeobj)

Number of Safe Object security check violations seen by the Application Firewall.

Signature Violations (sigs)

Number of Signature violations seen by the Application Firewall.

content Type (contentType)

Number of Content Type security check violations seen by the Application Firewall.

XML Format (wfcViolations)

Number of XML Format security check violations seen by the Application Firewall.

XML Denial of Service (XDoS) (xdosViolations)

Number of XML Denial-of-Service security check violations seen by the Application Firewall.

XML Message Validation (msgvalViolations)

Number of XML Message Validation security check violations seen by the Application Firewall.

Web Services Interoperability (wsIViolations)

Number of Web Services Interoperability (WS-I) security check violations seen by the Application Firewall.

XML SQL Injection (xmlSqlViolations)

Number of XML SQL Injection security check violations seen by the Application Firewall.

XML Cross-Site Scripting (xmlXssViolations)

Number of XML Cross-Site Scripting (XSS) security check violations seen by the Application Firewall.

XML Attachment (xmlAttachmentViolations)

Number of XML Attachment security check violations seen by the Application Firewall.

SOAP Fault Violations (soapflt)

Number of requests returning soap:fault from the backend server

XML Generic Violations (genflt)

Number of requests returning XML generic violation from the backend server

Total Violations (totperpr)

Number of violations seen by the application firewall on per profile basis

start URL logs (startURLLog)

Number of Start URL security check log messages generated by the Application Firewall.

deny URL logs (denyURLLog)

Number of Deny URL security check log messages generated by the Application Firewall.

referer header logs (refererHdrLog)

Number of Referer Header security check log messages generated by the Application Firewall.

buffer overflow logs (bufovflLog)

Number of Buffer Overflow security check log messages generated by the Application Firewall.

cookie consistency logs (cookieLog)

Number of Cookie Consistency security check log messages generated by the Application Firewall.

CSRF form tag logs (csrf_tagLog)

Number of Cross Site Request Forgery form tag security check log messages generated by the Application Firewall.

HTML XSS logs (xssLog)

Number of HTML Cross-Site Scripting security check log messages generated by the Application Firewall.

HTML XSS transform logs (xssXformLog)

Number of HTML Cross-Site Scripting security check transform log messages generated by the Application Firewall.

HTML SQL Injection logs (sqlLog)

Number of HTML SQL Injection security check log messages generated by the Application Firewall.

HTML SQL transform logs (sqlXformLog)

Number of HTML SQL Injection security check transform log messages generated by the Application Firewall.

field format logs (fieldfmtLog)

Number of Field Format security check log messages generated by the Application Firewall.

field consistency logs (fieldconLog)

Number of Field Consistency security check log messages generated by the Application Firewall.

credit cards (ccardLog)

Number of Credit Card security check log messages generated by the Application Firewall.

credit card transform logs (ccardXformLog)

Number of Credit Card security check transform log messages generated by the Application Firewall.

safe object logs (safeobjLog)

Number of Safe Object security check log messages generated by the Application Firewall.

Signature logs (sigs)

Number of Signature log messages generated by the Application Firewall.

content Type logs (contenttypeLog)

Number of Content type security check log messages generated by the Application Firewall.

XML Format logs (wfcLogs)

Number of XML Format security check log messages generated by the Application Firewall.

XML Denial of Service(XDoS) logs (xdosLogs)

Number of XML Denial-of-Service security check log messages generated by the Application Firewall.

XML Message Validation logs (msgvalLogs)

Number of XML Message Validation security check log messages generated by the Application Firewall.

WSI logs (wsILogs)

Number of Web Services Interoperability (WS-I) security check log messages generated by the Application Firewall.

XML SQL Injection logs (xmlSqlLogs)

Number of XML SQL Injection security check log messages generated by the Application Firewall.

XML XSS logs (xmlXssLogs)

Number of XML Cross-Site Scripting (XSS) security check log messages generated by the Application Firewall.

XML Attachment logs (xmlAttachmentLogs)

Number of XML Attachment security check log messages generated by the Application Firewall.

SOAP Fault logs (soapfltLogs)

Number of requests generating soap:fault log messages

XML Generic logs (genfltLog)

Number of requests generating XML Generic log messages

Total log messages (totlogperpr)

Number of log messages generated by the application firewall on per profile basis

HTTP Client Errors (4xx Resp) (4xxResps)

Number of requests returning HTTP 4xx from the backend server

HTTP Server Errors (5xx Resp) (5xxResps)

Number of requests returning HTTP 5xx from the backend server

Example

stat appfw profile

Related Commands

• stat appfw
• stat appfw policy
• stat appfw policylabel

archive appfw profile

Create archive for the profile.

Synopsys

archive appfw profile <name> <archivename> [-comment <string>]

Arguments

name

Name for the profile. Must begin with a letter, number, or the underscore character (), and must contain only letters, numbers, and the hyphen (-), period (.), pound (#), space ( ), at (@), equals (=), colon (:), and underscore () characters. Cannot be changed after the profile is added.

The following requirement applies only to the NetScaler CLI:

If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, "my profile" or 'my profile').

archivename

Source for tar archive.

comment

Any comments about the purpose of profile, or other useful information about the profile.

Related Commands

• export appfw archive
• import appfw archive

restore appfw profile

Restore configuration from archive file

Synopsys

restore appfw profile <archivename>

Arguments

archivename

Source for tar archive.

Related Commands

• export appfw archive
• import appfw archive