appfw profile
The following operations can be performed on "appfw profile":
add | rm | set | unset | bind | unbind | show | stat | archive | restore
add appfw profile
Creates an application firewall profile, which specifies how the application firewall should protect a given type of web content. (A profile is equivalent to an action in other NetScaler features.)
Synopsis
add appfw profile <name> [-defaults ( basic | advanced )] [-startURLAction <startURLAction> ...] [-contentTypeAction <contentTypeAction> ...] [-inspectContentTypes <inspectContentTypes> ...] [-startURLClosure ( ON | OFF )] [-denyURLAction <denyURLAction> ...] [-RefererHeaderCheck <RefererHeaderCheck>] [-cookieConsistencyAction <cookieConsistencyAction> ...] [-cookieTransforms ( ON | OFF )] [-cookieEncryption <cookieEncryption>] [-cookieProxying ( none | sessionOnly )] [-addCookieFlags <addCookieFlags>] [-fieldConsistencyAction <fieldConsistencyAction> ...] [-CSRFtagAction <CSRFtagAction> ...] [-crossSiteScriptingAction <crossSiteScriptingAction> ...] [-crossSiteScriptingTransformUnsafeHTML ( ON | OFF )] [-crossSiteScriptingCheckCompleteURLs ( ON | OFF )] [-SQLInjectionAction <SQLInjectionAction> ...] [-SQLInjectionTransformSpecialChars ( ON | OFF )] [-SQLInjectionType <SQLInjectionType>] [-SQLInjectionCheckSQLWildChars ( ON | OFF )] [-fieldFormatAction <fieldFormatAction> ...] [-defaultFieldFormatType <string>] [-defaultFieldFormatMinLength <positive_integer>] [-defaultFieldFormatMaxLength <positive_integer>] [-bufferOverflowAction <bufferOverflowAction> ...] [-bufferOverflowMaxURLLength <positive_integer>] [-bufferOverflowMaxHeaderLength <positive_integer>] [-bufferOverflowMaxCookieLength <positive_integer>] [-creditCardAction <creditCardAction> ...] [-creditCard <creditCard> ...] [-creditCardMaxAllowed <positive_integer>] [-creditCardXOut ( ON | OFF )] [-doSecureCreditCardLogging ( ON | OFF )] [-streaming ( ON | OFF )] [-trace ( ON | OFF )] [-requestContentType <string>] [-responseContentType <string>] [-XMLDoSAction <XMLDoSAction> ...] [-XMLFormatAction <XMLFormatAction> ...] [-XMLSQLInjectionAction <XMLSQLInjectionAction> ...] [-XMLSQLInjectionType <XMLSQLInjectionType>] [-XMLSQLInjectionCheckSQLWildChars ( ON | OFF )] [-XMLSQLInjectionParseComments <XMLSQLInjectionParseComments>] [-XMLXSSAction <XMLXSSAction> ...] [-XMLWSIAction <XMLWSIAction> ...] 
[-XMLAttachmentAction <XMLAttachmentAction> ...] [-XMLValidationAction <XMLValidationAction> ...] [-XMLErrorObject <string>] [-signatures <string>] [-XMLSOAPFaultAction <XMLSOAPFaultAction> ...] [-useHTMLErrorObject ( ON | OFF )] [-errorURL <expression>] [-HTMLErrorObject <string>] [-logEveryPolicyHit ( ON | OFF )] [-stripHtmlComments <stripHtmlComments>] [-stripXmlComments ( none | all )] [-exemptClosureURLsFromSecurityChecks ( ON | OFF )] [-defaultCharSet <string>] [-postBodyLimit <positive_integer>] [-fileUploadMaxNum <positive_integer>] [-canonicalizeHTMLResponse ( ON | OFF )] [-enableFormTagging ( ON | OFF )] [-sessionlessFieldConsistency <sessionlessFieldConsistency>] [-sessionlessURLClosure ( ON | OFF )] [-semicolonFieldSeparator ( ON | OFF )] [-excludeFileUploadFromChecks ( ON | OFF )] [-SQLInjectionParseComments <SQLInjectionParseComments>] [-invalidPercentHandling <invalidPercentHandling>] [-type ( HTML | XML ) ...] [-checkRequestHeaders ( ON | OFF )] [-optimizePartialReqs ( ON | OFF )] [-URLDecodeRequestCookies ( ON | OFF )] [-comment <string>]
Arguments
name
Name for the profile. Must begin with a letter, number, or the underscore character (_), and must contain only letters, numbers, and the hyphen (-), period (.), pound (#), space ( ), at (@), equals (=), colon (:), and underscore (_) characters. Cannot be changed after the profile is added.
The following requirement applies only to the NetScaler CLI:
If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, "my profile" or 'my profile').
defaults
Default configuration to apply to the profile. Basic defaults are intended for standard content that requires little further configuration, such as static web site content. Advanced defaults are intended for specialized content that requires significant specialized configuration, such as heavily scripted or dynamic content.
CLI users: When adding an application firewall profile, you can set either the defaults or the type, but not both. To set both options, create the profile by using the add appfw profile command, and then use the set appfw profile command to configure the other option.
Possible values: basic, advanced
startURLAction
One or more Start URL actions. Available settings function as follows:
- Block - Block connections that violate this security check.
- Learn - Use the learning engine to generate a list of exceptions to this security check.
- Log - Log violations of this security check.
- Stats - Generate statistics for this security check.
- None - Disable all actions for this security check.
CLI users: To enable one or more actions, type "set appfw profile -startURLaction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -startURLaction none".
Default value: AS_DEFAULT_DISPOSITION
contentTypeAction
One or more Content-type actions. Available settings function as follows:
- Block - Block connections that violate this security check.
- Log - Log violations of this security check.
- None - Disable all actions for this security check.
CLI users: To enable one or more actions, type "set appfw profile -contentTypeaction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -contentTypeaction none".
Default value: AS_DEFAULT_CONTENT_TYPE_DISPOSITION
inspectContentTypes
One or more InspectContentType lists.
- application/x-www-form-urlencoded
- multipart/form-data
- text/x-gwt-rpc
CLI users: To enable, type "set appfw profile -InspectContentTypes" followed by the content types to be inspected.
Default value: AS_DEFAULT_INSPECTION_CONTENT_TYPE
startURLClosure
Toggle the state of Start URL Closure.
Possible values: ON, OFF
Default value: OFF
denyURLAction
One or more Deny URL actions. Available settings function as follows:
- Block - Block connections that violate this security check.
- Log - Log violations of this security check.
- Stats - Generate statistics for this security check.
- None - Disable all actions for this security check.
NOTE: The Deny URL check takes precedence over the Start URL check. If you enable blocking for the Deny URL check, the application firewall blocks any URL that is explicitly blocked by a Deny URL, even if the same URL would otherwise be allowed by the Start URL check.
CLI users: To enable one or more actions, type "set appfw profile -denyURLaction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -denyURLaction none".
Default value: AS_DEFAULT_DISPOSITION
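The precedence rule in the NOTE above, modelled as an added Python example (not NetScaler code): the Deny URL check is evaluated first and, when its action includes block, overrides a Start URL allow. The URL patterns and action sets are constructed for the demonstration.

```python
import re

# Added example modelling the precedence rule stated in the NOTE above: the Deny
# URL check is evaluated first and, when its action includes block, wins even for
# a URL the Start URL list would allow. This is not NetScaler code; the URL
# patterns below are constructed for the demonstration.

START_URLS = [r"^/$", r"^/products/", r"^/admin/"]        # allowed (relaxation) patterns
DENY_URLS = [r"^/admin/backup", r"\.bak$"]                 # explicitly denied patterns


def _matches(patterns, url):
    return any(re.search(p, url) for p in patterns)


def evaluate_url(url, start_url_action, deny_url_action,
                 start_urls=START_URLS, deny_urls=DENY_URLS):
    """Return (verdict, events).

    verdict is "block" or "allow". events lists, in evaluation order, each check
    that detected a violation and whether it blocked ("block") or only
    logged/counted it ("violation-only"). An action set of {"none"} (or an empty
    set) disables that check entirely.
    """
    events = []
    deny_on = set(deny_url_action) - {"none"}
    start_on = set(start_url_action) - {"none"}

    # 1. Deny URL: an explicit deny beats any Start URL allow.
    if deny_on and _matches(deny_urls, url):
        blocked = "block" in deny_on
        events.append(("denyURL", "block" if blocked else "violation-only"))
        if blocked:
            return "block", events

    # 2. Start URL: anything not on the allow list is a violation.
    if start_on and not _matches(start_urls, url):
        blocked = "block" in start_on
        events.append(("startURL", "block" if blocked else "violation-only"))
        if blocked:
            return "block", events

    return "allow", events


if __name__ == "__main__":
    both = {"block", "log", "stats"}
    for url in ("/products/42", "/admin/backup.zip", "/cgi-bin/test"):
        print(url, evaluate_url(url, both, both))
```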
RefererHeaderCheck
Enable validation of Referer headers.
Referer validation ensures that a web form that a user sends to your web site originally came from your web site, not an outside attacker.
Although this parameter is part of the Start URL check, referer validation protects against cross-site request forgery (CSRF) attacks, not Start URL attacks.
Possible values: OFF, if_present, AlwaysExceptStartURLs, AlwaysExceptFirstRequest
Default value: OFF
cookieConsistencyAction
One or more Cookie Consistency actions. Available settings function as follows:
- Block - Block connections that violate this security check.
- Learn - Use the learning engine to generate a list of exceptions to this security check.
- Log - Log violations of this security check.
- Stats - Generate statistics for this security check.
- None - Disable all actions for this security check.
CLI users: To enable one or more actions, type "set appfw profile -cookieConsistencyAction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -cookieConsistencyAction none".
Default value: none
cookieTransforms
Perform the specified type of cookie transformation.
Available settings function as follows:
- Encryption - Encrypt cookies.
- Proxying - Mask the contents of server cookies by sending a proxy cookie to users.
- Cookie flags - Flag cookies as HTTP only to prevent scripts on the user's browser from accessing and possibly modifying them.
CAUTION: Make sure that this parameter is set to ON if you are configuring any cookie transformations. If it is set to OFF, no cookie transformations are performed regardless of any other settings.
Possible values: ON, OFF
Default value: OFF
cookieEncryption
Type of cookie encryption. Available settings function as follows:
- None - Do not encrypt cookies.
- Decrypt Only - Decrypt encrypted cookies, but do not encrypt cookies.
- Encrypt Session Only - Encrypt session cookies, but not permanent cookies.
- Encrypt All - Encrypt all cookies.
Possible values: none, decryptOnly, encryptSessionOnly, encryptAll
Default value: none
cookieProxying
Cookie proxy setting. Available settings function as follows:
- None - Do not proxy cookies.
- Session Only - Proxy session cookies by using the NetScaler session ID, but do not proxy permanent cookies.
Possible values: none, sessionOnly
Default value: none
addCookieFlags
Add the specified flags to cookies. Available settings function as follows:
- None - Do not add flags to cookies.
- HTTP Only - Add the HTTP Only flag to cookies, which prevents scripts from accessing cookies.
- Secure - Add the Secure flag to cookies.
- All - Add both the HTTPOnly and Secure flags to cookies.
Possible values: none, httpOnly, secure, all
Default value: none
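How addCookieFlags is gated by cookieTransforms (the CAUTION under cookieTransforms), as an added Python example that is not NetScaler code: with cookieTransforms OFF every Set-Cookie header passes through unchanged; with it ON the requested flags are appended without duplicating ones already present. The header values are constructed.

```python
# Added example modelling how addCookieFlags is gated by cookieTransforms (see the
# CAUTION under cookieTransforms): with cookieTransforms OFF no Set-Cookie header
# is changed, whatever addCookieFlags is set to. Not NetScaler code; the header
# values are constructed for the demonstration.

FLAGS_FOR_SETTING = {
    "none": (),
    "httpOnly": ("HttpOnly",),
    "secure": ("Secure",),
    "all": ("HttpOnly", "Secure"),
}


def apply_cookie_flags(set_cookie: str, cookie_transforms: str, flags_setting: str) -> str:
    """Return the Set-Cookie value the client receives for one header.

    cookie_transforms is "ON" or "OFF"; flags_setting is one of the four
    addCookieFlags values. Flags already present are not duplicated.
    """
    if cookie_transforms.upper() != "ON":
        return set_cookie                       # transforms disabled: pass through untouched
    parts = [p.strip() for p in set_cookie.split(";") if p.strip()]
    present = {p.split("=", 1)[0].lower() for p in parts[1:]}   # attribute names
    for flag in FLAGS_FOR_SETTING[flags_setting]:
        if flag.lower() not in present:
            parts.append(flag)
    return "; ".join(parts)


def rewrite_response_headers(headers, cookie_transforms, flags_setting):
    """Rewrite every Set-Cookie header in a list of (name, value) pairs."""
    return [(name, apply_cookie_flags(value, cookie_transforms, flags_setting))
            if name.lower() == "set-cookie" else (name, value)
            for name, value in headers]


if __name__ == "__main__":
    headers = [("Content-Type", "text/html"), ("Set-Cookie", "sid=abc123; Path=/"),
               ("Set-Cookie", "pref=dark; Path=/; Secure")]
    for ct in ("OFF", "ON"):
        print(ct, rewrite_response_headers(headers, ct, "all"))
```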
fieldConsistencyAction
One or more Form Field Consistency actions. Available settings function as follows:
- Block - Block connections that violate this security check.
- Learn - Use the learning engine to generate a list of exceptions to this security check.
- Log - Log violations of this security check.
- Stats - Generate statistics for this security check.
- None - Disable all actions for this security check.
CLI users: To enable one or more actions, type "set appfw profile -fieldConsistencyaction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -fieldConsistencyAction none".
Default value: none
CSRFtagAction
One or more Cross-Site Request Forgery (CSRF) Tagging actions. Available settings function as follows:
- Block - Block connections that violate this security check.
- Learn - Use the learning engine to generate a list of exceptions to this security check.
- Log - Log violations of this security check.
- Stats - Generate statistics for this security check.
- None - Disable all actions for this security check.
CLI users: To enable one or more actions, type "set appfw profile -CSRFTagAction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -CSRFTagAction none".
Default value: none
crossSiteScriptingAction
One or more Cross-Site Scripting (XSS) actions. Available settings function as follows:
- Block - Block connections that violate this security check.
- Learn - Use the learning engine to generate a list of exceptions to this security check.
- Log - Log violations of this security check.
- Stats - Generate statistics for this security check.
- None - Disable all actions for this security check.
CLI users: To enable one or more actions, type "set appfw profile -crossSiteScriptingAction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -crossSiteScriptingAction none".
Default value: AS_DEFAULT_DISPOSITION
crossSiteScriptingTransformUnsafeHTML
Transform cross-site scripts. This setting configures the application firewall to disable dangerous HTML instead of blocking the request.
CAUTION: Make sure that this parameter is set to ON if you are configuring any cross-site scripting transformations. If it is set to OFF, no cross-site scripting transformations are performed regardless of any other settings.
Possible values: ON, OFF
Default value: OFF
crossSiteScriptingCheckCompleteURLs
Check complete URLs for cross-site scripts, instead of just the query portions of URLs.
Possible values: ON, OFF
Default value: OFF
SQLInjectionAction
One or more HTML SQL Injection actions. Available settings function as follows:
- Block - Block connections that violate this security check.
- Learn - Use the learning engine to generate a list of exceptions to this security check.
- Log - Log violations of this security check.
- Stats - Generate statistics for this security check.
- None - Disable all actions for this security check.
CLI users: To enable one or more actions, type "set appfw profile -SQLInjectionAction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -SQLInjectionAction none".
Default value: AS_DEFAULT_DISPOSITION
SQLInjectionTransformSpecialChars
Transform injected SQL code. This setting configures the application firewall to disable SQL special strings instead of blocking the request. Since most SQL servers require a special string to activate an SQL keyword, in most cases a request that contains injected SQL code is safe if special strings are disabled.
CAUTION: Make sure that this parameter is set to ON if you are configuring any SQL injection transformations. If it is set to OFF, no SQL injection transformations are performed regardless of any other settings.
Possible values: ON, OFF
Default value: OFF
SQLInjectionType
Available SQL injection types.
- SQLSplChar - Checks for SQL special characters.
- SQLKeyword - Checks for SQL keywords.
- SQLSplCharANDKeyword - Checks for both, and blocks if both are found.
- SQLSplCharORKeyword - Checks for both, and blocks if either is found.
Possible values: SQLSplChar, SQLKeyword, SQLSplCharORKeyword, SQLSplCharANDKeyword
Default value: SQLSplCharANDKeyword
SQLInjectionCheckSQLWildChars
Check for form fields that contain SQL wildcard characters.
Possible values: ON, OFF
Default value: OFF
fieldFormatAction
One or more Field Format actions. Available settings function as follows:
- Block - Block connections that violate this security check.
- Learn - Use the learning engine to generate a list of suggested web form fields and field format assignments.
- Log - Log violations of this security check.
- Stats - Generate statistics for this security check.
- None - Disable all actions for this security check.
CLI users: To enable one or more actions, type "set appfw profile -fieldFormatAction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -fieldFormatAction none".
Default value: AS_DEFAULT_DISPOSITION
defaultFieldFormatType
Designate a default field type to be applied to web form fields that do not have a field type explicitly assigned to them.
defaultFieldFormatMinLength
Minimum length, in characters, for data entered into a field that is assigned the default field type.
To disable the minimum and maximum length settings and allow data of any length to be entered into the field, set this parameter to zero (0).
Default value: 0
Minimum value: 0
Maximum value: 65535
defaultFieldFormatMaxLength
Maximum length, in characters, for data entered into a field that is assigned the default field type.
Default value: 65535
Minimum value: 1
Maximum value: 65535
bufferOverflowAction
One or more Buffer Overflow actions. Available settings function as follows:
- Block - Block connections that violate this security check.
- Log - Log violations of this security check.
- Stats - Generate statistics for this security check.
- None - Disable all actions for this security check.
CLI users: To enable one or more actions, type "set appfw profile -bufferOverflowAction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -bufferOverflowAction none".
Default value: AS_DEFAULT_DISPOSITION
bufferOverflowMaxURLLength
Maximum length, in characters, for URLs on your protected web sites. Requests with longer URLs are blocked.
Default value: 1024
Minimum value: 0
Maximum value: 65535
bufferOverflowMaxHeaderLength
Maximum length, in characters, for HTTP headers in requests sent to your protected web sites. Requests with longer headers are blocked.
Default value: 4096
Minimum value: 0
Maximum value: 65535
bufferOverflowMaxCookieLength
Maximum length, in characters, for cookies sent to your protected web sites. Requests with longer cookies are blocked.
Default value: 4096
Minimum value: 0
Maximum value: 65535
creditCardAction
One or more Credit Card actions. Available settings function as follows:
- Block - Block connections that violate this security check.
- Log - Log violations of this security check.
- Stats - Generate statistics for this security check.
- None - Disable all actions for this security check.
CLI users: To enable one or more actions, type "set appfw profile -creditCardAction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -creditCardAction none".
Default value: none
creditCard
Credit card types that the application firewall should protect.
Default value: AS_CCARD_DEFAULT_CARD_TYPE
creditCardMaxAllowed
Maximum number of credit card numbers that can appear on a web page served by your protected web sites. Pages that contain more credit card numbers are blocked.
Minimum value: 0
Maximum value: 255
creditCardXOut
Mask any credit card number detected in a response by replacing each digit, except the digits in the final group, with the letter "X."
Possible values: ON, OFF
Default value: OFF
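creditCardMaxAllowed and creditCardXOut applied to a response body, as an added Python example (not NetScaler code). The candidate regex and Luhn check are this example's own way of recognising card numbers, since the page does not describe the product's matching logic; the response text is constructed.

```python
import re

# Added example modelling creditCardMaxAllowed and creditCardXOut on a response
# body. Not NetScaler code: the candidate pattern and the Luhn check are this
# example's own way of recognising card numbers (the page does not describe the
# product's matching logic), and the response text is constructed.

# 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum; filters out most digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str):
    """Return the regex matches whose digits pass the Luhn check."""
    hits = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(m)
    return hits


def x_out(number_text: str) -> str:
    """Mask every digit except those in the final group with "X", keeping separators.

    For a number written without separators the last four digits are treated as
    the final group; the page does not define the group size, so that is an
    assumption of this example.
    """
    pieces = re.split(r"([ -])", number_text)      # digit groups sit at even indexes
    if len(pieces) == 1:
        return "X" * (len(number_text) - 4) + number_text[-4:]
    for i in range(0, len(pieces) - 1, 2):         # every digit group but the last
        pieces[i] = "X" * len(pieces[i])
    return "".join(pieces)


def inspect_response(body: str, max_allowed: int, x_out_enabled: bool, action: set):
    """Apply the Credit Card check to a response body.

    Returns (verdict, body_out, count). The page is blocked when more than
    max_allowed card numbers are present and the action set contains "block";
    otherwise it is allowed, with numbers masked when x_out_enabled is True.
    """
    hits = find_card_numbers(body)
    count = len(hits)
    if count > max_allowed and "block" in action:
        return "block", None, count
    if not (x_out_enabled and hits):
        return "allow", body, count
    out, pos = [], 0
    for m in hits:
        out.append(body[pos:m.start()])
        out.append(x_out(m.group()))
        pos = m.end()
    out.append(body[pos:])
    return "allow", "".join(out), count


# Constructed response: one order number that merely looks like a card (fails Luhn)
# and two well-known test card numbers.
SAMPLE_RESPONSE = (
    "<p>Thanks, your order 1234 5678 9012 3456 has shipped.</p>\n"
    "<p>Billed to card 4111 1111 1111 1111 (Visa) and 5500000000000004 (MC).</p>\n"
)

if __name__ == "__main__":
    print(inspect_response(SAMPLE_RESPONSE, 1, True, {"block", "log"}))
    print(inspect_response(SAMPLE_RESPONSE, 5, True, {"block", "log"})[1])
```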
doSecureCreditCardLogging
Setting this option logs the credit card numbers in the response when a match is found.
Possible values: ON, OFF
Default value: ON
streaming
Setting this option converts content-length form submission requests (requests with content-type "application/x-www-form-urlencoded" or "multipart/form-data") to chunked requests when at least one of the following protections is enabled: SQL injection protection, XSS protection, form field consistency protection, Start URL closure, or CSRF tagging. Make sure that the backend server accepts chunked requests before enabling this option.
Possible values: ON, OFF
Default value: OFF
trace
Toggle the state of trace.
Possible values: ON, OFF
Default value: OFF
requestContentType
Default Content-Type header for requests.
A Content-Type header can contain 0-255 letters, numbers, and the hyphen (-) and underscore (_) characters.
Default value: NS_S_AS_DEFAULT_REQUEST_CONTENT_TYPE
responseContentType
Default Content-Type header for responses.
A Content-Type header can contain 0-255 letters, numbers, and the hyphen (-) and underscore (_) characters.
Default value: NS_S_AS_DEFAULT_RESPONSE_CONTENT_TYPE
XMLDoSAction
One or more XML Denial-of-Service (XDoS) actions. Available settings function as follows:
- Block - Block connections that violate this security check.
- Learn - Use the learning engine to generate a list of exceptions to this security check.
- Log - Log violations of this security check.
- Stats - Generate statistics for this security check.
- None - Disable all actions for this security check.
CLI users: To enable one or more actions, type "set appfw profile -XMLDoSAction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -XMLDoSAction none".
Default value: AS_DEFAULT_DISPOSITION
XMLFormatAction
One or more XML Format actions. Available settings function as follows:
- Block - Block connections that violate this security check.
- Log - Log violations of this security check.
- Stats - Generate statistics for this security check.
- None - Disable all actions for this security check.
CLI users: To enable one or more actions, type "set appfw profile -XMLFormatAction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -XMLFormatAction none".
Default value: AS_DEFAULT_DISPOSITION
XMLSQLInjectionAction
One or more XML SQL Injection actions. Available settings function as follows:
- Block - Block connections that violate this security check.
- Log - Log violations of this security check.
- Stats - Generate statistics for this security check.
- None - Disable all actions for this security check.
CLI users: To enable one or more actions, type "set appfw profile -XMLSQLInjectionAction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -XMLSQLInjectionAction none".
Default value: AS_DEFAULT_DISPOSITION
XMLSQLInjectionType
Available SQL injection types.
- SQLSplChar - Checks for SQL special characters.
- SQLKeyword - Checks for SQL keywords.
- SQLSplCharANDKeyword - Checks for both, and blocks if both are found.
- SQLSplCharORKeyword - Checks for both, and blocks if either is found.
Possible values: SQLSplChar, SQLKeyword, SQLSplCharORKeyword, SQLSplCharANDKeyword
Default value: SQLSplCharANDKeyword
XMLSQLInjectionCheckSQLWildChars
Check for form fields that contain SQL wildcard characters.
Possible values: ON, OFF
Default value: OFF
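The four injection types shared by SQLInjectionType and XMLSQLInjectionType, together with the wildcard-character option, modelled as an added Python example (not NetScaler code). The special strings, keywords and wildcard characters are an assumed illustrative subset, not the product's lists, and treating wildcards as satisfying the special-character condition is this example's assumption.

```python
import re

# Added example modelling the four SQLInjectionType / XMLSQLInjectionType modes and
# the SQLInjectionCheckSQLWildChars option. This is not NetScaler code; the special
# strings, keywords and wildcard characters below are a small illustrative subset
# constructed for the example, not the product's actual lists.

SQL_SPECIAL_STRINGS = ("'", '"', ";", "--", "/*", "*/")
SQL_KEYWORDS = ("select", "union", "insert", "update", "delete", "drop",
                "from", "where", "or", "and")
SQL_WILD_CHARS = ("%", "_")   # assumed wildcard set for this example

# Keywords must appear as whole words so that "for" or "Oracle" do not match "or".
KEYWORD_RE = re.compile(r"\b(?:" + "|".join(SQL_KEYWORDS) + r")\b", re.IGNORECASE)


def has_special_string(value: str) -> bool:
    return any(tok in value for tok in SQL_SPECIAL_STRINGS)


def has_keyword(value: str) -> bool:
    return KEYWORD_RE.search(value) is not None


def has_wild_char(value: str) -> bool:
    return any(c in value for c in SQL_WILD_CHARS)


def is_violation(value: str, injection_type: str, check_wild_chars: bool = False) -> bool:
    """Decide whether one field value violates the SQL injection check.

    injection_type is one of the four values listed on the page. With
    check_wild_chars=True (SQLInjectionCheckSQLWildChars ON) wildcard characters
    are treated as satisfying the special-character condition; that mapping is
    an assumption of this example.
    """
    special = has_special_string(value) or (check_wild_chars and has_wild_char(value))
    keyword = has_keyword(value)
    if injection_type == "SQLSplChar":
        return special
    if injection_type == "SQLKeyword":
        return keyword
    if injection_type == "SQLSplCharANDKeyword":   # the default: both must be present
        return special and keyword
    if injection_type == "SQLSplCharORKeyword":    # stricter: either one is enough
        return special or keyword
    raise ValueError(f"unknown SQLInjectionType: {injection_type}")


def evaluate_form(fields: dict, injection_type: str, action: set,
                  check_wild_chars: bool = False):
    """Apply the check to every form field.

    Returns (verdict, violating_field_names). The request is blocked only when
    the check's action set contains "block"; with log/stats only, violations
    are reported but the request is allowed, matching the action semantics above.
    """
    violating = [name for name, value in fields.items()
                 if is_violation(value, injection_type, check_wild_chars)]
    if violating and "block" in action:
        return "block", violating
    return "allow", violating


if __name__ == "__main__":
    # Constructed form submission: a legitimate apostrophe beside an injection attempt.
    form = {"surname": "O'Brien", "search": "' or 1=1 --", "note": "select a book"}
    for mode in ("SQLSplChar", "SQLKeyword", "SQLSplCharANDKeyword", "SQLSplCharORKeyword"):
        print(mode, evaluate_form(form, mode, {"block", "log"}))
```

The surname field shows why the AND mode is the default: an apostrophe alone does not trigger it, whereas the OR mode would block the legitimate value.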
XMLSQLInjectionParseComments
Parse comments in XML data and exempt the commented sections of the request from the XML SQL Injection check. You must configure the type of comments that the application firewall is to detect and exempt from this security check. Available settings function as follows:
- Check all - Check all content.
- ANSI - Exempt content that is part of an ANSI (Mozilla-style) comment.
- Nested - Exempt content that is part of a nested (Microsoft-style) comment.
- ANSI Nested - Exempt content that is part of any type of comment.
Possible values: checkall, ansi, nested, ansinested
Default value: checkall
XMLXSSAction
One or more XML Cross-Site Scripting actions. Available settings function as follows:
- Block - Block connections that violate this security check.
- Log - Log violations of this security check.
- Stats - Generate statistics for this security check.
- None - Disable all actions for this security check.
CLI users: To enable one or more actions, type "set appfw profile -XMLXSSAction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -XMLXSSAction none".
Default value: AS_DEFAULT_DISPOSITION
XMLWSIAction
One or more Web Services Interoperability (WSI) actions. Available settings function as follows:
- Block - Block connections that violate this security check.
- Learn - Use the learning engine to generate a list of exceptions to this security check.
- Log - Log violations of this security check.
- Stats - Generate statistics for this security check.
- None - Disable all actions for this security check.
CLI users: To enable one or more actions, type "set appfw profile -XMLWSIAction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -XMLWSIAction none".
Default value: AS_DEFAULT_DISPOSITION
XMLAttachmentAction
One or more XML Attachment actions. Available settings function as follows:
- Block - Block connections that violate this security check.
- Learn - Use the learning engine to generate a list of exceptions to this security check.
- Log - Log violations of this security check.
- Stats - Generate statistics for this security check.
- None - Disable all actions for this security check.
CLI users: To enable one or more actions, type "set appfw profile -XMLAttachmentAction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -XMLAttachmentAction none".
Default value: AS_DEFAULT_DISPOSITION
XMLValidationAction
One or more XML Validation actions. Available settings function as follows:
- Block - Block connections that violate this security check.
- Log - Log violations of this security check.
- Stats - Generate statistics for this security check.
- None - Disable all actions for this security check.
CLI users: To enable one or more actions, type "set appfw profile -XMLValidationAction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -XMLValidationAction none".
Default value: AS_DEFAULT_DISPOSITION
XMLErrorObject
Name to assign to the XML Error Object, which the application firewall displays when a user request is blocked.
Must begin with a letter, number, or the underscore character (_), and must contain only letters, numbers, and the hyphen (-), period (.), pound (#), space ( ), at (@), equals (=), colon (:), and underscore characters. Cannot be changed after the XML error object is added.
The following requirement applies only to the NetScaler CLI:
If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, "my XML error object" or 'my XML error object').
Default value: NS_S_AS_ERROR_OBJECT_DEFAULT
signatures
Object name for signatures.
This check is applicable to Profile Type: HTML, XML.
Default value: NS_S_AS_CUSTOM_OBJECT_DEFAULT
XMLSOAPFaultAction
One or more XML SOAP Fault Filtering actions. Available settings function as follows:
- Block - Block connections that violate this security check.
- Log - Log violations of this security check.
- Stats - Generate statistics for this security check.
- None - Disable all actions for this security check.
- Remove - Remove all violations for this security check.
CLI users: To enable one or more actions, type "set appfw profile -XMLSOAPFaultAction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -XMLSOAPFaultAction none".
Default value: AS_DEFAULT_DISPOSITION
useHTMLErrorObject
Send an imported HTML Error object to a user when a request is blocked, instead of redirecting the user to the designated Error URL.
Possible values: ON, OFF
Default value: OFF
errorURL
URL that the application firewall uses as the Error URL.
Default value: NS_S_AS_ERROR_URL_DEFAULT
HTMLErrorObject
Name to assign to the HTML Error Object.
Must begin with a letter, number, or the underscore character (_), and must contain only letters, numbers, and the hyphen (-), period (.), pound (#), space ( ), at (@), equals (=), colon (:), and underscore characters. Cannot be changed after the HTML error object is added.
The following requirement applies only to the NetScaler CLI:
If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, "my HTML error object" or 'my HTML error object').
Default value: NS_S_AS_ERROR_OBJECT_DEFAULT
logEveryPolicyHit
Log every profile match, regardless of security check results.
Possible values: ON, OFF
Default value: OFF
stripHtmlComments
Strip HTML comments before forwarding a web page sent by a protected web site in response to a user request.
Possible values: none, all, exclude_script_tag
Default value: none
stripXmlComments
Strip XML comments before forwarding a web page sent by a protected web site in response to a user request.
Possible values: none, all
Default value: none
exemptClosureURLsFromSecurityChecks
Exempt URLs that pass the Start URL closure check from SQL injection, cross-site script, field format and field consistency security checks at locations other than headers.
Possible values: ON, OFF
Default value: ON
defaultCharSet
Default character set for protected web pages. Web pages sent by your protected web sites in response to user requests are assigned this character set if the page does not already specify a character set. The character sets supported by the application firewall are:
- iso-8859-1 (English US)
- big5 (Chinese Traditional)
- gb2312 (Chinese Simplified)
- sjis (Japanese Shift-JIS)
- euc-jp (Japanese EUC-JP)
- iso-8859-9 (Turkish)
- utf-8 (Unicode)
- euc-kr (Korean)
Default value: NS_S_AS_CHARSET_DEFAULT
Maximum value: 31
postBodyLimit
Maximum allowed HTTP post body size, in bytes.
Default value: 20000000
Minimum value: 0
Maximum value: 1000000000
fileUploadMaxNum
Maximum allowed number of file uploads per form-submission request. The maximum setting (65535) allows an unlimited number of uploads.
Default value: 65535
Minimum value: 0
Maximum value: 65535
canonicalizeHTMLResponse
Perform HTML entity encoding for any special characters in responses sent by your protected web sites.
Possible values: ON, OFF
Default value: ON
enableFormTagging
Enable tagging of web form fields for use by the Form Field Consistency and CSRF Form Tagging checks.
Possible values: ON, OFF
Default value: ON
sessionlessFieldConsistency
Perform sessionless Field Consistency Checks.
Possible values: OFF, ON, postOnly
Default value: OFF
sessionlessURLClosure
Enable sessionless URL Closure checks.
This check is applicable to Profile Type: HTML.
Possible values: ON, OFF
Default value: OFF
semicolonFieldSeparator
Allow ';' as a form field separator in URL queries and POST form bodies.
Possible values: ON, OFF
Default value: OFF
excludeFileUploadFromChecks
Exclude uploaded files from Form checks.
Possible values: ON, OFF
Default value: OFF
SQLInjectionParseComments
Parse HTML comments and exempt them from the HTML SQL Injection check. You must specify the type of comments that the application firewall is to detect and exempt from this security check. Available settings function as follows:
- Check all - Check all content.
- ANSI - Exempt content that is part of an ANSI (Mozilla-style) comment.
- Nested - Exempt content that is part of a nested (Microsoft-style) comment.
- ANSI Nested - Exempt content that is part of any type of comment.
Possible values: checkall, ansi, nested, ansinested
Default value: AS_DEFAULT_SQLINJECTIONPARSECOMMENTS
invalidPercentHandling
Configure the method that the application firewall uses to handle percent-encoded names and values. Available settings function as follows:
- apache_mode - Apache format.
- asp_mode - Microsoft ASP format.
- secure_mode - Secure format.
Possible values: apache_mode, asp_mode, secure_mode
Default value: secure_mode
type
Application firewall profile type, which controls which security checks and settings are applied to content that is filtered with the profile. Available settings function as follows:
- HTML - HTML-based web sites.
- XML - XML-based web sites and services.
- HTML XML (Web 2.0) - Sites that contain both HTML and XML content, such as ATOM feeds, blogs, and RSS feeds.
Default value: HTML
checkRequestHeaders
Check request headers as well as web forms for injected SQL and cross-site scripts.
Possible values: ON, OFF
Default value: OFF
optimizePartialReqs
Optimize handling of HTTP partial requests, i.e., those with Range headers.
Available settings are as follows:
- ON - Partial requests by the client result in partial requests to the backend server in most cases.
- OFF - Partial requests by the client are changed to full requests to the backend server.
Possible values: ON, OFF
Default value: ON
URLDecodeRequestCookies
URL Decode request cookies before subjecting them to SQL and cross-site scripting checks.
Possible values: ON, OFF
Default value: OFF
comment
Any comments about the purpose of the profile, or other useful information about the profile.
rm appfw profile
Removes the specified application firewall profile.
Synopsis
rm appfw profile <name>
Arguments
name
Name of the profile.
set appfw profile
Modifies the specified parameters of the specified application firewall profile.
Synopsis
set appfw profile <name> [-startURLAction <startURLAction> ...] [-contentTypeAction <contentTypeAction> ...] [-inspectContentTypes <inspectContentTypes> ...] [-startURLClosure ( ON | OFF )] [-denyURLAction <denyURLAction> ...] [-RefererHeaderCheck <RefererHeaderCheck>] [-cookieConsistencyAction <cookieConsistencyAction> ...] [-cookieTransforms ( ON | OFF )] [-cookieEncryption <cookieEncryption>] [-cookieProxying ( none | sessionOnly )] [-addCookieFlags <addCookieFlags>] [-fieldConsistencyAction <fieldConsistencyAction> ...] [-CSRFtagAction <CSRFtagAction> ...] [-crossSiteScriptingAction <crossSiteScriptingAction> ...] [-crossSiteScriptingTransformUnsafeHTML ( ON | OFF )] [-crossSiteScriptingCheckCompleteURLs ( ON | OFF )] [-SQLInjectionAction <SQLInjectionAction> ...] [-SQLInjectionTransformSpecialChars ( ON | OFF )] [-SQLInjectionType <SQLInjectionType>] [-SQLInjectionCheckSQLWildChars ( ON | OFF )] [-fieldFormatAction <fieldFormatAction> ...] [-defaultFieldFormatType <string>] [-defaultFieldFormatMinLength <positive_integer>] [-defaultFieldFormatMaxLength <positive_integer>] [-bufferOverflowAction <bufferOverflowAction> ...] [-bufferOverflowMaxURLLength <positive_integer>] [-bufferOverflowMaxHeaderLength <positive_integer>] [-bufferOverflowMaxCookieLength <positive_integer>] [-creditCardAction <creditCardAction> ...] [-creditCard <creditCard> ...] [-creditCardMaxAllowed <positive_integer>] [-creditCardXOut ( ON | OFF )] [-doSecureCreditCardLogging ( ON | OFF )] [-streaming ( ON | OFF )] [-trace ( ON | OFF )] [-requestContentType <string>] [-responseContentType <string>] [-XMLDoSAction <XMLDoSAction> ...] [-XMLFormatAction <XMLFormatAction> ...] [-XMLSQLInjectionAction <XMLSQLInjectionAction> ...] [-XMLSQLInjectionType <XMLSQLInjectionType>] [-XMLSQLInjectionCheckSQLWildChars ( ON | OFF )] [-XMLSQLInjectionParseComments <XMLSQLInjectionParseComments>] [-XMLXSSAction <XMLXSSAction> ...] [-XMLWSIAction <XMLWSIAction> ...] 
[-XMLAttachmentAction <XMLAttachmentAction> ...] [-XMLValidationAction <XMLValidationAction> ...] [-XMLErrorObject <string>] [-signatures <string>] [-XMLSOAPFaultAction <XMLSOAPFaultAction> ...] [-useHTMLErrorObject ( ON | OFF )] [-errorURL <expression>] [-HTMLErrorObject <string>] [-logEveryPolicyHit ( ON | OFF )] [-stripHtmlComments <stripHtmlComments>] [-stripXmlComments ( none | all )] [-exemptClosureURLsFromSecurityChecks ( ON | OFF )] [-defaultCharSet <string>] [-postBodyLimit <positive_integer>] [-fileUploadMaxNum <positive_integer>] [-canonicalizeHTMLResponse ( ON | OFF )] [-enableFormTagging ( ON | OFF )] [-sessionlessFieldConsistency <sessionlessFieldConsistency>] [-sessionlessURLClosure ( ON | OFF )] [-semicolonFieldSeparator ( ON | OFF )] [-excludeFileUploadFromChecks ( ON | OFF )] [-SQLInjectionParseComments <SQLInjectionParseComments>] [-invalidPercentHandling <invalidPercentHandling>] [-type ( HTML | XML ) ...] [-checkRequestHeaders ( ON | OFF )] [-optimizePartialReqs ( ON | OFF )] [-URLDecodeRequestCookies ( ON | OFF )] [-comment <string>]
Arguments¶
name
Name of the profile that you want to modify.
startURLAction
One or more Start URL actions. Available settings function as follows:
- Block - Block connections that violate this security check.
- Learn - Use the learning engine to generate a list of exceptions to this security check.
- Log - Log violations of this security check.
- Stats - Generate statistics for this security check.
- None - Disable all actions for this security check.
CLI users: To enable one or more actions, type "set appfw profile -startURLaction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -startURLaction none".
Default value: AS_DEFAULT_DISPOSITION
contentTypeAction
One or more Content-type actions. Available settings function as follows:
- Block - Block connections that violate this security check.
- Log - Log violations of this security check.
- None - Disable all actions for this security check.
CLI users: To enable one or more actions, type "set appfw profile -contentTypeaction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -contentTypeaction none".
Default value: AS_DEFAULT_CONTENT_TYPE_DISPOSITION
inspectContentTypes
One or more InspectContentType lists.
- application/x-www-form-urlencoded
- multipart/form-data
- text/x-gwt-rpc
CLI users: To enable, type "set appfw profile -InspectContentTypes" followed by the content types to be inspected.
Default value: AS_DEFAULT_INSPECTION_CONTENT_TYPE
startURLClosure
Toggle the state of Start URL Closure.
Possible values: ON, OFF
Default value: OFF
denyURLAction
One or more Deny URL actions. Available settings function as follows:
- Block - Block connections that violate this security check.
- Log - Log violations of this security check.
- Stats - Generate statistics for this security check.
- None - Disable all actions for this security check.
NOTE: The Deny URL check takes precedence over the Start URL check. If you enable blocking for the Deny URL check, the application firewall blocks any URL that is explicitly blocked by a Deny URL, even if the same URL would otherwise be allowed by the Start URL check.
CLI users: To enable one or more actions, type "set appfw profile -denyURLaction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -denyURLaction none".
Default value: AS_DEFAULT_DISPOSITION
RefererHeaderCheck
Enable validation of Referer headers.
Referer validation ensures that a web form that a user sends to your web site originally came from your web site, not an outside attacker.
Although this parameter is part of the Start URL check, referer validation protects against cross-site request forgery (CSRF) attacks, not Start URL attacks.
Possible values: OFF, if_present, AlwaysExceptStartURLs, AlwaysExceptFirstRequest
Default value: OFF
cookieConsistencyAction
One or more Cookie Consistency actions. Available settings function as follows:
- Block - Block connections that violate this security check.
- Learn - Use the learning engine to generate a list of exceptions to this security check.
- Log - Log violations of this security check.
- Stats - Generate statistics for this security check.
- None - Disable all actions for this security check.
CLI users: To enable one or more actions, type "set appfw profile -cookieConsistencyAction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -cookieConsistencyAction none".
Default value: none
cookieTransforms
Perform the specified type of cookie transformation.
Available settings function as follows:
- Encryption - Encrypt cookies.
- Proxying - Mask the contents of server cookies by sending a proxy cookie to users.
- Cookie flags - Flag cookies as HttpOnly to prevent scripts in the user's browser from accessing and possibly modifying them.
CAUTION: Make sure that this parameter is set to ON if you are configuring any cookie transformations. If it is set to OFF, no cookie transformations are performed regardless of any other settings.
Possible values: ON, OFF
cookieEncryption
Type of cookie encryption. Available settings function as follows:
- None - Do not encrypt cookies.
- Decrypt Only - Decrypt encrypted cookies, but do not encrypt cookies.
- Encrypt Session Only - Encrypt session cookies, but not permanent cookies.
- Encrypt All - Encrypt all cookies.
Possible values: none, decryptOnly, encryptSessionOnly, encryptAll
Default value: none
cookieProxying
Cookie proxy setting. Available settings function as follows:
- None - Do not proxy cookies.
- Session Only - Proxy session cookies by using the NetScaler session ID, but do not proxy permanent cookies.
Possible values: none, sessionOnly
Default value: none
addCookieFlags
Add HttpOnly and Secure flags to cookies.
Possible values: none, httpOnly, secure, all
Default value: none
fieldConsistencyAction
One or more Form Field Consistency actions. Available settings function as follows:
- Block - Block connections that violate this security check.
- Learn - Use the learning engine to generate a list of exceptions to this security check.
- Log - Log violations of this security check.
- Stats - Generate statistics for this security check.
- None - Disable all actions for this security check.
CLI users: To enable one or more actions, type "set appfw profile -fieldConsistencyaction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -fieldConsistencyAction none".
Default value: none
CSRFtagAction
One or more Cross-Site Request Forgery (CSRF) Tagging actions. Available settings function as follows:
- Block - Block connections that violate this security check.
- Learn - Use the learning engine to generate a list of exceptions to this security check.
- Log - Log violations of this security check.
- Stats - Generate statistics for this security check.
- None - Disable all actions for this security check.
CLI users: To enable one or more actions, type "set appfw profile -CSRFTagAction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -CSRFTagAction none".
Default value: none
crossSiteScriptingAction
One or more Cross-Site Scripting (XSS) actions. Available settings function as follows:
- Block - Block connections that violate this security check.
- Learn - Use the learning engine to generate a list of exceptions to this security check.
- Log - Log violations of this security check.
- Stats - Generate statistics for this security check.
- None - Disable all actions for this security check.
CLI users: To enable one or more actions, type "set appfw profile -crossSiteScriptingAction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -crossSiteScriptingAction none".
Default value: AS_DEFAULT_DISPOSITION
crossSiteScriptingTransformUnsafeHTML
Transform cross-site scripts. This setting configures the application firewall to disable dangerous HTML instead of blocking the request.
CAUTION: Make sure that this parameter is set to ON if you are configuring any cross-site scripting transformations. If it is set to OFF, no cross-site scripting transformations are performed regardless of any other settings.
Possible values: ON, OFF
crossSiteScriptingCheckCompleteURLs
Check complete URLs for cross-site scripts, instead of just the query portions of URLs.
Possible values: ON, OFF
SQLInjectionAction
One or more HTML SQL Injection actions. Available settings function as follows:
- Block - Block connections that violate this security check.
- Learn - Use the learning engine to generate a list of exceptions to this security check.
- Log - Log violations of this security check.
- Stats - Generate statistics for this security check.
- None - Disable all actions for this security check.
CLI users: To enable one or more actions, type "set appfw profile -SQLInjectionAction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -SQLInjectionAction none".
Default value: AS_DEFAULT_DISPOSITION
SQLInjectionTransformSpecialChars
Transform injected SQL code. This setting configures the application firewall to disable SQL special strings instead of blocking the request. Since most SQL servers require a special string to activate an SQL keyword, in most cases a request that contains injected SQL code is safe if special strings are disabled.
CAUTION: Make sure that this parameter is set to ON if you are configuring any SQL injection transformations. If it is set to OFF, no SQL injection transformations are performed regardless of any other settings.
Possible values: ON, OFF
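As an added example that is not part of the NetScaler documentation, the following CLI session shows the master-toggle caveat stated under cookieTransforms, crossSiteScriptingTransformUnsafeHTML and SQLInjectionTransformSpecialChars: the first group of commands configures transformations without turning the gating parameters ON, so nothing is actually transformed; the second group is the corrected form. The profile name pr_webshop is a constructed placeholder, and lines beginning with # are annotations rather than CLI input.

```nscli
# Weak: the administrator intends to transform (not block) unsafe cookies, HTML and SQL,
# so the actions are set to log and stats only. But cookieTransforms,
# crossSiteScriptingTransformUnsafeHTML and SQLInjectionTransformSpecialChars are
# still OFF, so offending requests and cookies pass through unmodified and are merely logged.
> set appfw profile pr_webshop -cookieEncryption encryptAll -addCookieFlags all
> set appfw profile pr_webshop -crossSiteScriptingAction log stats
> set appfw profile pr_webshop -SQLInjectionAction log stats -SQLInjectionType SQLSplCharANDKeyword

# Corrected: each gating parameter is turned ON together with the transformation it controls.
> set appfw profile pr_webshop -cookieTransforms ON -cookieEncryption encryptAll -cookieProxying sessionOnly -addCookieFlags all
> set appfw profile pr_webshop -crossSiteScriptingAction log stats -crossSiteScriptingTransformUnsafeHTML ON -crossSiteScriptingCheckCompleteURLs ON
> set appfw profile pr_webshop -SQLInjectionAction log stats -SQLInjectionTransformSpecialChars ON -SQLInjectionType SQLSplCharANDKeyword -SQLInjectionCheckSQLWildChars ON

# Verify the effective profile settings before relying on them.
> show appfw profile pr_webshop
```

If a check is meant to block rather than transform, keep block in its action list; the transform parameters only matter for requests that are not blocked.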
SQLInjectionType
Available SQL injection types.
- SQLSplChar - Checks for SQL special characters.
- SQLKeyword - Checks for SQL keywords.
- SQLSplCharANDKeyword - Checks for both and blocks only if both are found.
- SQLSplCharORKeyword - Checks for both and blocks if either is found.
Possible values: SQLSplChar, SQLKeyword, SQLSplCharORKeyword, SQLSplCharANDKeyword
SQLInjectionCheckSQLWildChars
Check for form fields that contain SQL wildcard characters.
Possible values: ON, OFF
fieldFormatAction
One or more Field Format actions. Available settings function as follows:
- Block - Block connections that violate this security check.
- Learn - Use the learning engine to generate a list of suggested web form fields and field format assignments.
- Log - Log violations of this security check.
- Stats - Generate statistics for this security check.
- None - Disable all actions for this security check.
CLI users: To enable one or more actions, type "set appfw profile -fieldFormatAction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -fieldFormatAction none".
Default value: AS_DEFAULT_DISPOSITION
defaultFieldFormatType
Designate a default field type to be applied to web form fields that do not have a field type explicitly assigned to them.
defaultFieldFormatMinLength
Minimum length, in characters, for data entered into a field that is assigned the default field type.
To disable the minimum and maximum length settings and allow data of any length to be entered into the field, set this parameter to zero (0).
Default value: 0
Minimum value: 0
Maximum value: 65535
defaultFieldFormatMaxLength
Maximum length, in characters, for data entered into a field that is assigned the default field type.
Default value: 65535
Minimum value: 1
Maximum value: 65535
bufferOverflowAction
One or more Buffer Overflow actions. Available settings function as follows:
- Block - Block connections that violate this security check.
- Log - Log violations of this security check.
- Stats - Generate statistics for this security check.
- None - Disable all actions for this security check.
CLI users: To enable one or more actions, type "set appfw profile -bufferOverflowAction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -bufferOverflowAction none".
Default value: AS_DEFAULT_DISPOSITION
bufferOverflowMaxURLLength
Maximum length, in characters, for URLs on your protected web sites. Requests with longer URLs are blocked.
Default value: 1024
Minimum value: 0
Maximum value: 65535
bufferOverflowMaxHeaderLength
Maximum length, in characters, for HTTP headers in requests sent to your protected web sites. Requests with longer headers are blocked.
Default value: 4096
Minimum value: 0
Maximum value: 65535
bufferOverflowMaxCookieLength
Maximum length, in characters, for cookies sent to your protected web sites. Requests with longer cookies are blocked.
Default value: 4096
Minimum value: 0
Maximum value: 65535
creditCardAction
One or more Credit Card actions. Available settings function as follows:
- Block - Block connections that violate this security check.
- Log - Log violations of this security check.
- Stats - Generate statistics for this security check.
- None - Disable all actions for this security check.
CLI users: To enable one or more actions, type "set appfw profile -creditCardAction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -creditCardAction none".
Default value: none
creditCard
Credit card types that the application firewall should protect.
Default value: AS_CCARD_DEFAULT_CARD_TYPE
creditCardMaxAllowed
Maximum number of credit card numbers that can appear on a web page served by your protected web sites. Pages that contain more credit card numbers are blocked.
Minimum value: 0
Maximum value: 255
creditCardXOut
Mask any credit card number detected in a response by replacing each digit, except the digits in the final group, with the letter "X."
Possible values: ON, OFF
doSecureCreditCardLogging
Setting this option logs credit card numbers found in the response when a match is found.
Possible values: ON, OFF
streaming
Setting this option converts content-length form submission requests (requests with content-type "application/x-www-form-urlencoded" or "multipart/form-data") to chunked requests when at least one of the following protections is enabled: SQL injection protection, XSS protection, form field consistency protection, Start URL closure, or CSRF tagging. Make sure that the backend server accepts chunked requests before enabling this option.
Possible values: ON, OFF
trace
Toggle the state of trace.
Possible values: ON, OFF
requestContentType
Default Content-Type header for requests.
A Content-Type header can contain 0-255 letters, numbers, and the hyphen (-) and underscore (_) characters.
Default value: NS_S_AS_DEFAULT_REQUEST_CONTENT_TYPE
responseContentType
Default Content-Type header for responses.
A Content-Type header can contain 0-255 letters, numbers, and the hyphen (-) and underscore (_) characters.
Default value: NS_S_AS_DEFAULT_RESPONSE_CONTENT_TYPE
XMLDoSAction
One or more XML Denial-of-Service (XDoS) actions. Available settings function as follows:
- Block - Block connections that violate this security check.
- Learn - Use the learning engine to generate a list of exceptions to this security check.
- Log - Log violations of this security check.
- Stats - Generate statistics for this security check.
- None - Disable all actions for this security check.
CLI users: To enable one or more actions, type "set appfw profile -XMLDoSAction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -XMLDoSAction none".
Default value: AS_DEFAULT_DISPOSITION
XMLFormatAction
One or more XML Format actions. Available settings function as follows:
- Block - Block connections that violate this security check.
- Log - Log violations of this security check.
- Stats - Generate statistics for this security check.
- None - Disable all actions for this security check.
CLI users: To enable one or more actions, type "set appfw profile -XMLFormatAction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -XMLFormatAction none".
Default value: AS_DEFAULT_DISPOSITION
XMLSQLInjectionAction
One or more XML SQL Injection actions. Available settings function as follows:
- Block - Block connections that violate this security check.
- Log - Log violations of this security check.
- Stats - Generate statistics for this security check.
- None - Disable all actions for this security check.
CLI users: To enable one or more actions, type "set appfw profile -XMLSQLInjectionAction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -XMLSQLInjectionAction none".
Default value: AS_DEFAULT_DISPOSITION
XMLSQLInjectionType
Available SQL injection types.
- SQLSplChar - Checks for SQL special characters.
- SQLKeyword - Checks for SQL keywords.
- SQLSplCharANDKeyword - Checks for both and blocks only if both are found.
- SQLSplCharORKeyword - Checks for both and blocks if either is found.
Possible values: SQLSplChar, SQLKeyword, SQLSplCharORKeyword, SQLSplCharANDKeyword
XMLSQLInjectionCheckSQLWildChars
Check for form fields that contain SQL wildcard characters.
Possible values: ON, OFF
XMLSQLInjectionParseComments
Parse comments in XML data and exempt the commented sections of the request from the XML SQL Injection check. You must configure the type of comments that the application firewall is to detect and exempt from this security check. Available settings function as follows:
- Check all - Check all content.
- ANSI - Exempt content that is part of an ANSI (Mozilla-style) comment.
- Nested - Exempt content that is part of a nested (Microsoft-style) comment.
- ANSI Nested - Exempt content that is part of any type of comment.
Possible values: checkall, ansi, nested, ansinested
Default value: checkall
XMLXSSAction
One or more XML Cross-Site Scripting actions. Available settings function as follows:
- Block - Block connections that violate this security check.
- Log - Log violations of this security check.
- Stats - Generate statistics for this security check.
- None - Disable all actions for this security check.
CLI users: To enable one or more actions, type "set appfw profile -XMLXSSAction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -XMLXSSAction none".
Default value: AS_DEFAULT_DISPOSITION
XMLWSIAction
One or more Web Services Interoperability (WSI) actions. Available settings function as follows:
- Block - Block connections that violate this security check.
- Learn - Use the learning engine to generate a list of exceptions to this security check.
- Log - Log violations of this security check.
- Stats - Generate statistics for this security check.
- None - Disable all actions for this security check.
CLI users: To enable one or more actions, type "set appfw profile -XMLWSIAction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -XMLWSIAction none".
Default value: AS_DEFAULT_DISPOSITION
XMLAttachmentAction
One or more XML Attachment actions. Available settings function as follows:
- Block - Block connections that violate this security check.
- Learn - Use the learning engine to generate a list of exceptions to this security check.
- Log - Log violations of this security check.
- Stats - Generate statistics for this security check.
- None - Disable all actions for this security check.
CLI users: To enable one or more actions, type "set appfw profile -XMLAttachmentAction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -XMLAttachmentAction none".
Default value: AS_DEFAULT_DISPOSITION
XMLValidationAction
One or more XML Validation actions. Available settings function as follows:
- Block - Block connections that violate this security check.
- Log - Log violations of this security check.
- Stats - Generate statistics for this security check.
- None - Disable all actions for this security check.
CLI users: To enable one or more actions, type "set appfw profile -XMLValidationAction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -XMLValidationAction none".
Default value: AS_DEFAULT_DISPOSITION
XMLErrorObject
Name to assign to the XML Error Object, which the application firewall displays when a user request is blocked.
Must begin with a letter, number, or the underscore character (_), and must contain only letters, numbers, and the hyphen (-), period (.), pound (#), space ( ), at (@), equals (=), colon (:), and underscore characters. Cannot be changed after the XML error object is added.
The following requirement applies only to the NetScaler CLI:
If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, "my XML error object" or 'my XML error object').
Default value: NS_S_AS_ERROR_OBJECT_DEFAULT
signatures
Object name for signatures.
This check is applicable to Profile Type: HTML, XML.
Default value: NS_S_AS_CUSTOM_OBJECT_DEFAULT
XMLSOAPFaultAction
One or more XML SOAP Fault Filtering actions. Available settings function as follows:
- Block - Block connections that violate this security check.
- Log - Log violations of this security check.
- Stats - Generate statistics for this security check.
- None - Disable all actions for this security check.
- Remove - Remove all violations for this security check.
CLI users: To enable one or more actions, type "set appfw profile -XMLSOAPFaultAction" followed by the actions to be enabled. To turn off all actions, type "set appfw profile -XMLSOAPFaultAction none".
Default value: AS_DEFAULT_DISPOSITION
useHTMLErrorObject
Send an imported HTML Error object to a user when a request is blocked, instead of redirecting the user to the designated Error URL.
Possible values: ON, OFF
errorURL
URL that application firewall uses as the Error URL.
Default value: NS_S_AS_ERROR_URL_DEFAULT
HTMLErrorObject
Name to assign to the HTML Error Object.
Must begin with a letter, number, or the underscore character (_), and must contain only letters, numbers, and the hyphen (-), period (.), pound (#), space ( ), at (@), equals (=), colon (:), and underscore characters. Cannot be changed after the HTML error object is added.
The following requirement applies only to the NetScaler CLI:
If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, "my HTML error object" or 'my HTML error object').
Default value: NS_S_AS_ERROR_OBJECT_DEFAULT
logEveryPolicyHit
Log every profile match, regardless of security check results.
Possible values: ON, OFF
stripHtmlComments
Strip HTML comments before forwarding a web page sent by a protected web site in response to a user request.
Possible values: none, all, exclude_script_tag
stripXmlComments
Strip XML comments before forwarding a web page sent by a protected web site in response to a user request.
Possible values: none, all
exemptClosureURLsFromSecurityChecks
Exempt URLs that pass the Start URL closure check from the SQL injection, cross-site scripting, field format and field consistency security checks at locations other than headers.
Possible values: ON, OFF
defaultCharSet
Default character set for protected web pages. Web pages sent by your protected web sites in response to user requests are assigned this character set if the page does not already specify a character set. The character sets supported by the application firewall are:
- iso-8859-1 (English US)
- big5 (Chinese Traditional)
- gb2312 (Chinese Simplified)
- sjis (Japanese Shift-JIS)
- euc-jp (Japanese EUC-JP)
- iso-8859-9 (Turkish)
- utf-8 (Unicode)
- euc-kr (Korean)
Default value: NS_S_AS_CHARSET_DEFAULT
Maximum value: 31
postBodyLimit
Maximum allowed HTTP post body size, in bytes.
Default value: 20000000
Minimum value: 0
Maximum value: 1000000000
fileUploadMaxNum
Maximum allowed number of file uploads per form-submission request. The maximum setting (65535) allows an unlimited number of uploads.
Default value: 65535
Minimum value: 0
Maximum value: 65535
canonicalizeHTMLResponse
Perform HTML entity encoding for any special characters in responses sent by your protected web sites.
Possible values: ON, OFF
Default value: ON
enableFormTagging
Enable tagging of web form fields for use by the Form Field Consistency and CSRF Form Tagging checks.
Possible values: ON, OFF
Default value: ON
sessionlessFieldConsistency
Perform sessionless Field Consistency Checks.
Possible values: OFF, ON, postOnly
Default value: OFF
sessionlessURLClosure
Enable sessionless URL Closure Checks.
This check is applicable to Profile Type: HTML.
Possible values: ON, OFF
Default value: OFF
semicolonFieldSeparator
Allow ';' as a form field separator in URL queries and POST form bodies.
Possible values: ON, OFF
Default value: OFF
excludeFileUploadFromChecks
Exclude uploaded files from Form checks.
Possible values: ON, OFF
Default value: OFF
SQLInjectionParseComments
Parse HTML comments and exempt them from the HTML SQL Injection check. You must specify the type of comments that the application firewall is to detect and exempt from this security check. Available settings function as follows:
- Check all - Check all content.
- ANSI - Exempt content that is part of an ANSI (Mozilla-style) comment.
- Nested - Exempt content that is part of a nested (Microsoft-style) comment.
- ANSI Nested - Exempt content that is part of any type of comment.
Possible values: checkall, ansi, nested, ansinested
Default value: AS_DEFAULT_SQLINJECTIONPARSECOMMENTS
invalidPercentHandling
Configure the method that the application firewall uses to handle percent-encoded names and values. Available settings function as follows:
- apache_mode - Apache format.
- asp_mode - Microsoft ASP format.
- secure_mode - Secure format.
Possible values: apache_mode, asp_mode, secure_mode
Default value: secure_mode
type
Application firewall profile type, which controls which security checks and settings are applied to content that is filtered with the profile. Available settings function as follows:
- HTML - HTML-based web sites.
- XML - XML-based web sites and services.
- HTML XML (Web 2.0) - Sites that contain both HTML and XML content, such as ATOM feeds, blogs, and RSS feeds.
Default value: HTML
checkRequestHeaders
Check request headers as well as web forms for injected SQL and cross-site scripts.
Possible values: ON, OFF
Default value: OFF
optimizePartialReqs
Optimize handling of HTTP partial requests, i.e. those with Range headers.
Available settings are as follows:
- ON - Partial requests by the client result in partial requests to the backend server in most cases.
- OFF - Partial requests by the client are changed to full requests to the backend server.
Possible values: ON, OFF
URLDecodeRequestCookies
URL Decode request cookies before subjecting them to SQL and cross-site scripting checks.
Possible values: ON, OFF
Default value: OFF
comment
Any comments about the purpose of profile, or other useful information about the profile.
unset appfw profile¶
Use this command to remove appfw profile settings. Refer to the set appfw profile command for the meanings of the arguments.
Synopsys¶
unset appfw profile <name> [-startURLAction] [-contentTypeAction] [-inspectContentTypes] [-startURLClosure] [-denyURLAction] [-RefererHeaderCheck] [-cookieConsistencyAction] [-cookieTransforms] [-cookieEncryption] [-cookieProxying] [-addCookieFlags] [-fieldConsistencyAction] [-CSRFtagAction] [-crossSiteScriptingAction] [-crossSiteScriptingTransformUnsafeHTML] [-crossSiteScriptingCheckCompleteURLs] [-SQLInjectionAction] [-SQLInjectionTransformSpecialChars] [-SQLInjectionType] [-SQLInjectionCheckSQLWildChars] [-fieldFormatAction] [-defaultFieldFormatType] [-defaultFieldFormatMinLength] [-defaultFieldFormatMaxLength] [-bufferOverflowAction] [-bufferOverflowMaxURLLength] [-bufferOverflowMaxHeaderLength] [-bufferOverflowMaxCookieLength] [-creditCardAction] [-creditCard] [-creditCardMaxAllowed] [-creditCardXOut] [-doSecureCreditCardLogging] [-streaming] [-trace] [-requestContentType] [-responseContentType] [-XMLDoSAction] [-XMLFormatAction] [-XMLSQLInjectionAction] [-XMLSQLInjectionType] [-XMLSQLInjectionCheckSQLWildChars] [-XMLSQLInjectionParseComments] [-XMLXSSAction] [-XMLWSIAction] [-XMLAttachmentAction] [-XMLValidationAction] [-XMLErrorObject] [-signatures] [-XMLSOAPFaultAction] [-useHTMLErrorObject] [-errorURL] [-HTMLErrorObject] [-logEveryPolicyHit] [-stripHtmlComments] [-stripXmlComments] [-exemptClosureURLsFromSecurityChecks] [-defaultCharSet] [-postBodyLimit] [-fileUploadMaxNum] [-canonicalizeHTMLResponse] [-enableFormTagging] [-sessionlessFieldConsistency] [-sessionlessURLClosure] [-semicolonFieldSeparator] [-excludeFileUploadFromChecks] [-SQLInjectionParseComments] [-invalidPercentHandling] [-type] [-checkRequestHeaders] [-optimizePartialReqs] [-URLDecodeRequestCookies] [-comment]
bind appfw profile¶
Binds the specified exemption (relaxation) or rule to the specified application firewall profile. NOTE: You should not attempt to bind more than one exemption or rule at a time by using this command.
Synopsys¶
bind appfw profile <name> (-startURL <expression> | -denyURL <expression> | (-fieldConsistency <string> <formActionURL> [-isRegex ( REGEX | NOTREGEX )]) | (-cookieConsistency <string> [-isRegex ( REGEX | NOTREGEX )]) | (-SQLInjection <string> <formActionURL> [-isRegex ( REGEX | NOTREGEX )] [-location <location>] [-valueType <valueType> <valueExpression> [-isValueRegex ( REGEX | NOTREGEX )]]) | (-CSRFTag <expression> <CSRFFormActionURL>) | (-crossSiteScripting <string> <formActionURL> [-isRegex ( REGEX | NOTREGEX )] [-location <location>] [-valueType <valueType> <valueExpression> [-isValueRegex ( REGEX | NOTREGEX )]]) | (-fieldFormat <string> <formActionURL> <fieldType> [-fieldFormatMinLength <positive_integer>] [-fieldFormatMaxLength <positive_integer>] [-isRegex ( REGEX | NOTREGEX )]) | (-safeObject <string> <expression> <maxMatchLength> [-action <action> ...]) | -trustedLearningClients <ip_addr[/prefix]|ipv6_addr[/prefix]|*> | (-XMLDoSURL <expression> [-XMLMaxElementDepthCheck ( ON | OFF ) [-XMLMaxElementDepth <positive_integer>]] [-XMLMaxElementNameLengthCheck ( ON | OFF ) [-XMLMaxElementNameLength <positive_integer>]] [-XMLMaxElementsCheck ( ON | OFF ) [-XMLMaxElements <positive_integer>]] [-XMLMaxElementChildrenCheck ( ON | OFF ) [-XMLMaxElementChildren <positive_integer>]] [-XMLMaxAttributesCheck ( ON | OFF ) [-XMLMaxAttributes <positive_integer>]] [-XMLMaxAttributeNameLengthCheck ( ON | OFF ) [-XMLMaxAttributeNameLength <positive_integer>]] [-XMLMaxAttributeValueLengthCheck ( ON | OFF ) [-XMLMaxAttributeValueLength <positive_integer>]] [-XMLMaxCharDATALengthCheck ( ON | OFF ) [-XMLMaxCharDATALength <positive_integer>]] [-XMLMaxFileSizeCheck ( ON | OFF ) [-XMLMaxFileSize <positive_integer>]] [-XMLMinFileSizeCheck ( ON | OFF ) [-XMLMinFileSize <positive_integer>]] [-XMLBlockPI ( ON | OFF )] [-XMLBlockDTD ( ON | OFF )] [-XMLBlockExternalEntities ( ON | OFF )] [-XMLMaxEntityExpansionsCheck ( ON | OFF ) [-XMLMaxEntityExpansions <positive_integer>]] 
[-XMLMaxEntityExpansionDepthCheck ( ON | OFF ) [-XMLMaxEntityExpansionDepth <positive_integer>]] [-XMLMaxNamespacesCheck ( ON | OFF ) [-XMLMaxNamespaces <positive_integer>]] [-XMLMaxNamespaceUriLengthCheck ( ON | OFF ) [-XMLMaxNamespaceUriLength <positive_integer>]] [-XMLSOAPArrayCheck ( ON | OFF ) [-XMLMaxSOAPArraySize <positive_integer>] [-XMLMaxSOAPArrayRank <positive_integer>]]) | (-XMLWSIURL <expression> [-XMLWSIChecks <string>]) | (-XMLValidationURL <expression> (-XMLRequestSchema <string> | (-XMLWSDL <string> [-XMLAdditionalSOAPHeaders ( ON | OFF )] [-XMLEndPointCheck ( ABSOLUTE | RELATIVE )]) | -XMLValidateSOAPEnvelope ( ON | OFF )) [-XMLResponseSchema <string>] [-XMLValidateResponse ( ON | OFF )]) | (-XMLAttachmentURL <expression> [-XMLMaxAttachmentSizeCheck ( ON | OFF ) [-XMLMaxAttachmentSize <positive_integer>]] [-XMLAttachmentContentTypeCheck ( ON | OFF ) [-XMLAttachmentContentType <expression>]]) | (-XMLSQLInjection <string> [-isRegex ( REGEX | NOTREGEX )] [-location ( ELEMENT | ATTRIBUTE )]) | (-XMLXSS <string> [-isRegex ( REGEX | NOTREGEX )] [-location ( ELEMENT | ATTRIBUTE )]) | -contentType <expression> | -excludeResContentType <expression> | (-CreditCardNumber <expression> <CreditCardNumberUrl>)) [-comment <string>] [-state ( ENABLED | DISABLED )]
Arguments¶
name
Name of the profile to which to bind an exemption or rule.
startURL
Add the specified URL to the start URL list.
Enclose URLs in double quotes to ensure preservation of any embedded spaces or non-alphanumeric characters.
denyURL
Add the specified URL to the deny URL list.
Enclose URLs in double quotes to ensure preservation of any embedded spaces or non-alphanumeric characters.
fieldConsistency
Exempt the specified web form field and form action URL from the form field consistency check, or exempt the specified cookie from the cookie consistency check.
A form field consistency exemption (relaxation) consists of the following items:
- Web form field name. Name of the form field to exempt from this check.
- Form action URL. Action URL for the web form.
- IsRegex flag. The IsRegex flag, followed by YES if the form action URL is a regular expression, or NO if it is a literal string.
formActionURL
Form action URL.
isRegex
Is a regular expression?
Possible values: REGEX, NOTREGEX
cookieConsistency
A cookie consistency exemption (relaxation) consists of the following items:
- Cookie name. Name of the cookie to exempt from this check.
- IsRegex flag. The IsRegex flag, followed by YES if the cookie name is a regular expression, or NO if it is a literal string.
SQLInjection
Exempt the specified HTTP header, web form field and the form action URL, or cookie from the SQL injection check.
An SQL injection exemption (relaxation) consists of the following items:
- Item name. Name of the web form field, cookie, or HTTP header to exempt from this check.
- Form action URL. If the item to be exempted is a web form field, the action URL for the web form.
- IsRegex flag. The IsRegex flag, followed by YES if the name or form action URL is a regular expression, or NO if it is a literal string.
- Location. Location that should be examined by the SQL injection check, either FORMFIELD for web form field, HEADER for HTTP header, or COOKIE for cookie.
location
Location of XSS injection exception - XML Element or Attribute. Default location is 'ELEMENT'.
Possible values: ELEMENT, ATTRIBUTE
Default value: AS_XMLLOCATION_ELEMENT
valueType
XSS value type. (Tag | Attribute | Pattern)
Possible values: Tag, Attribute, Pattern
valueExpression
XSS value expressions constituting expressions for Tag, Attribute and Pattern.
isValueRegex
Is a regular expression?
Possible values: REGEX, NOTREGEX
CSRFTag
Exempt the specified form field and web form from the cross-site request forgery (CSRF tagging) check.
A CSRF tagging exemption (relaxation) consists of the following items:
- Web form field name. Regular expression that describes the web form field to exempt from this check.
- Form action URL. The action URL for the web form.
CSRFFormActionURL
CSRF form action URL.
crossSiteScripting
Exempt the specified string, found in the specified HTTP header, cookie, or web form, from the cross-site scripting check.
A cross-site scripting check exemption (relaxation) consists of the following items:
- HTML to exempt. The string to exempt from the cross-site scripting check.
- URL. The URL to exempt.
- IsRegex flag. The IsRegex flag, followed by YES if the URL is a regular expression, or NO if it is a literal string.
- Location. Location that should be examined by the cross-site scripting check, either FORMFIELD for web form field, HEADER for HTTP header, or COOKIE for cookie.
fieldFormat
Impose the specified format on content returned by users in the specified web form field.
A field format rule consists of the following items:
- Form field name. The name of the form field.
- Form action URL. The form action URL for the web form.
- Field type. The field type (format) to enforce on the specified web form field.
- Field format minimum length. The minimum length allowed for data in the specified field. If 0, the field can be left blank.
- Field format maximum length. The maximum length allowed for data in the specified field.
- IsRegex flag. The IsRegex flag, followed by YES if the URL is a regular expression, or NO if it is a literal string.
fieldType
Field type.
fieldFormatMinLength
Field format minimum length.
Default value: 0
Minimum value: 0
Maximum value: 65535
fieldFormatMaxLength
Field format maximum length.
Default value: 65535
Minimum value: 1
Maximum value: 65535
safeObject
Protect web sites from exposing sensitive private information such as social security numbers, credit card numbers, driver's license numbers, passport numbers, and any other type of private information that can be described by a regular expression.
A safe object consists of the following items:
- Name. A name that describes the type of information that the safe object is to protect.
- Expression. PCRE-format regular expression that describes the information to be protected.
- Maximum match length. Maximum length of a matched string.
- Action. "X-Out" to mask blocked information with the letter X, or "Remove" to remove the information.
expression
Safe Object regular expression.
maxMatchLength
Maximum match length for a Safe Object expression.
Default value: 1
Minimum value: 1
Maximum value: 65535
action
Safe Object action types. (BLOCK | LEARN | LOG | STATS | NONE)
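The X-Out and Remove actions described for a safe object, as an added example that is not NetScaler code: a Python rewrite pass that applies a list of safe-object rules (name, pattern, maximum match length, action) to a response body. The rules and the response fragment are constructed, and the treatment of a match longer than the maximum match length (left untouched) is an assumption.

```python
import re
from dataclasses import dataclass


@dataclass
class SafeObject:
    name: str               # what the rule protects, e.g. "SSN"
    expression: str         # PCRE-format pattern; Python's re dialect suffices here
    max_match_length: int   # longest match the rule will act on
    action: str             # "X-Out" masks with X, "Remove" deletes (as the page describes)


def apply_safe_objects(body: str, rules: list) -> tuple:
    """Rewrite a response body; return (new body, names of rules that fired).

    Assumption (not stated on the page): a match longer than max_match_length
    is left untouched rather than partially masked.
    """
    fired = []
    for rule in rules:
        def rewrite(m, rule=rule):
            text = m.group(0)
            if len(text) > rule.max_match_length:
                return text
            fired.append(rule.name)
            if rule.action == "X-Out":
                return "X" * len(text)
            if rule.action == "Remove":
                return ""
            raise ValueError(f"unknown safe object action {rule.action!r}")
        body = re.sub(rule.expression, rewrite, body)
    return body, fired


# Constructed rules and a constructed response fragment for demonstration.
RULES = [
    SafeObject("SSN", r"\b\d{3}-\d{2}-\d{4}\b", 11, "X-Out"),
    SafeObject("CARD", r"\b\d{13,16}\b", 16, "Remove"),
]
SAMPLE_BODY = "ssn=123-45-6789 card=4111111111111111 id=12345"
```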
trustedLearningClients
Trusted host/network learning IP.
This binding is applicable to profile Type: HTML, XML.
comment
Any comments about the purpose of profile, or other useful information about the profile.
state
Enabled.
Possible values: ENABLED, DISABLED
Default value: ENABLED
XMLDoSURL
Exempt the specified URL from the specified XML denial-of-service (XDoS) attack protections.
An XDoS exemption (relaxation) consists of the following items:
- URL. PCRE-format regular expression for the URL or URLs to be exempted.
- Maximum-element-depth-check toggle. ON to enable this check, OFF to disable it.
- Maximum-element-depth-check level. Positive integer representing the maximum allowed depth of nested XML elements.
- Maximum-element-name-length-check toggle. ON to enable, OFF to disable.
- Maximum element name length. Positive integer representing the maximum allowed length of XML element names.
- Maximum-number-of-elements-check toggle. ON to enable, OFF to disable.
- Maximum number of elements. Positive integer representing the maximum allowed number of XML elements.
- Maximum-number-of-element-children-check toggle. ON to enable, OFF to disable.
- Maximum number of element children. Positive integer representing the maximum allowed number of XML element children.
- Maximum-number-of-attributes-check toggle. ON to enable, OFF to disable.
- Maximum number of attributes. Positive integer representing the maximum allowed number of XML attributes.
- Maximum-attribute-name-length-check toggle. ON to enable, OFF to disable.
- Maximum attribute name length. Positive integer representing the maximum allowed length of XML attribute names.
- Maximum-attribute-value-length-check toggle. ON to enable, OFF to disable.
- Maximum attribute value length. Positive integer representing the maximum allowed length of XML attribute values.
- Maximum-character-data-length-check toggle. ON to enable, OFF to disable.
- Maximum character-data length. Positive integer representing the maximum allowed length of XML character data.
- Maximum-file-size-check toggle. ON to enable, OFF to disable.
- Maximum file size. Positive integer representing the maximum allowed size, in bytes, of attached or uploaded files.
- Minimum-file-size-check toggle. ON to enable, OFF to disable.
- Minimum file size. Positive integer representing the minimum allowed size, in bytes, of attached or uploaded files.
- Maximum-number-of-entity-expansions-check toggle. ON to enable, OFF to disable.
- Maximum number of entity expansions. Positive integer representing the maximum allowed number of XML entity expansions.
- Maximum-number-of-XML-namespaces-check toggle. ON to enable, OFF to disable.
- Maximum number of XML namespaces. Positive integer representing the maximum allowed number of XML namespaces.
- Maximum-XML-namespace-URI-length-check toggle. ON to enable, OFF to disable.
- Maximum XML-namespace URI length. Positive integer representing the maximum allowed length of XML namespace URIs.
- Block-processing-instructions toggle. Block XML processing instructions. ON to enable, OFF to disable.
- Block-DTD toggle. Block document type declarations (DTDs). ON to enable, OFF to disable.
- Block-external-XML-entities toggle. ON to enable, OFF to disable.
- Maximum-SOAP-array-check toggle. ON to enable, OFF to disable.
- Maximum SOAP-array size. Positive integer representing the maximum allowed size of XML SOAP arrays.
- Maximum SOAP-array rank. Positive integer representing the maximum rank (dimensions) of any single XML SOAP array.
XMLMaxElementDepthCheck
State if XML Max Element Depth Check is ON or OFF.
Possible values: ON, OFF
Default value: OFF
XMLMaxElementDepth
Maximum nesting (depth) of XML elements. This check protects against documents that have excessive depth of hierarchy.
Default value: 256
Minimum value: 1
Maximum value: 65535
XMLMaxElementNameLengthCheck
State if XML Max Element Name Length Check is ON or OFF.
Possible values: ON, OFF
Default value: OFF
XMLMaxElementNameLength
Specify the longest name of any element (including the prefix for qualified element name) to protect against overflow attacks.
Default value: 128
Minimum value: 1
Maximum value: 65535
XMLMaxElementsCheck
State if XML Max Elements Check is ON or OFF.
Possible values: ON, OFF
Default value: OFF
XMLMaxElements
Specifying maximum number of elements protects against overflow attacks.
Default value: 65535
Minimum value: 1
Maximum value: 65535
XMLMaxElementChildrenCheck
State if XML Max Element Children Check is ON or OFF.
Possible values: ON, OFF
Default value: OFF
XMLMaxElementChildren
Specifying maximum number of children allowed per element protects against overflow attacks.
Default value: 65535
Minimum value: 0
Maximum value: 65535
XMLMaxAttributesCheck
State if XML Max Attributes Check is ON or OFF.
Possible values: ON, OFF
Default value: OFF
XMLMaxAttributes
Specify maximum number of attributes per element. Protects against overflow attacks.
Default value: 256
Minimum value: 0
Maximum value: 65535
XMLMaxAttributeNameLengthCheck
State if XML Max Attribute Name Length Check is ON or OFF.
Possible values: ON, OFF
Default value: OFF
XMLMaxAttributeNameLength
Specify the longest name of any attribute (including the prefix for qualified attribute name). Protects against overflow attacks.
Default value: 128
Minimum value: 1
Maximum value: 65535
XMLMaxAttributeValueLengthCheck
State if XML Max Attribute Value Length Check is ON or OFF.
Possible values: ON, OFF
Default value: OFF
XMLMaxAttributeValueLength
Specify the longest value of any attribute. Protects against overflow attacks.
Default value: 2048
Minimum value: 0
Maximum value: 65535
XMLMaxCharDATALengthCheck
State if XML Max CDATA Length Check is ON or OFF.
Possible values: ON, OFF
Default value: OFF
XMLMaxCharDATALength
Maximum size of CDATA protects against overflow attacks and large unparsed data within XML messages.
Default value: 65535
Minimum value: 0
Maximum value: 1000000000
XMLMaxFileSizeCheck
State if XML Max File Size Check is ON or OFF.
Possible values: ON, OFF
Default value: OFF
XMLMaxFileSize
Maximum size of the XML messages protects against overflow attacks.
Default value: 20000000
Minimum value: 4
Maximum value: 1000000000
XMLMinFileSizeCheck
State if XML Min File Size Check is ON or OFF.
Possible values: ON, OFF
Default value: OFF
XMLMinFileSize
Enforces minimum message size.
Default value: 9
Minimum value: 4
Maximum value: 1000000000
XMLBlockPI
State if XML Block PI is ON or OFF. Protects resources from denial-of-service attacks, as SOAP messages cannot contain a Processing Instruction (PI).
Possible values: ON, OFF
Default value: OFF
XMLBlockDTD
State if XML Block DTD is ON or OFF. Protects against recursive Document Type Declaration (DTD) entity expansion attacks. Also, SOAP messages cannot contain a DTD.
Possible values: ON, OFF
Default value: OFF
XMLBlockExternalEntities
State if XML Block External Entities Check is ON or OFF. Protects against XML External Entity (XXE) attacks that force applications to parse untrusted external entities (sources) in XML documents.
Possible values: ON, OFF
Default value: OFF
XMLMaxEntityExpansionsCheck
State if XML Max Entity Expansions Check is ON or OFF.
Possible values: ON, OFF
Default value: OFF
XMLMaxEntityExpansions
Specify the maximum allowed number of entity expansions. Protects against entity expansion attacks.
Default value: 512
Minimum value: 0
Maximum value: 1024
XMLMaxEntityExpansionDepthCheck
State if XML Max Entity Expansions Depth Check is ON or OFF.
Possible values: ON, OFF
Default value: OFF
XMLMaxEntityExpansionDepth
Specify the maximum entity expansion depth. Protects against entity expansion attacks.
Default value: 8
Minimum value: 0
Maximum value: 24
XMLMaxNamespacesCheck
State if XML Max Namespaces Check is ON or OFF.
Possible values: ON, OFF
Default value: OFF
XMLMaxNamespaces
Specify maximum number of active namespaces. Protects against overflow attacks.
Default value: 16
Minimum value: 0
Maximum value: 512
XMLMaxNamespaceUriLengthCheck
State if XML Max Namespace URI Length Check is ON or OFF.
Possible values: ON, OFF
Default value: OFF
XMLMaxNamespaceUriLength
Specify the longest URI of any XML namespace. Protects against overflow attacks.
Default value: 256
Minimum value: 0
Maximum value: 65535
XMLSOAPArrayCheck
State if XML SOAP Array check is ON or OFF.
Possible values: ON, OFF
Default value: OFF
XMLMaxSOAPArraySize
XML Max Total SOAP Array Size. Protects against SOAP Array Abuse attack.
Default value: 20000000
Minimum value: 0
Maximum value: 1000000000
XMLMaxSOAPArrayRank
XML Max Total SOAP Array Rank. Protects against SOAP Array Abuse attack.
Default value: 16
Minimum value: 0
Maximum value: 32
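The structural XMLDoSURL limits above, as an added example that is not NetScaler code: a Python checker that applies them with the page's documented default values to a document using the standard-library expat parser and returns the name of the first check that fails. Name-length, entity-expansion and SOAP-array limits are not modelled; the check names and default numbers are the page's, while the code and the sample documents in the test are constructed.

```python
import xml.parsers.expat
from dataclasses import dataclass


@dataclass
class XdosLimits:
    # Defaults as documented for the XMLDoSURL binding on this page;
    # the three block toggles are OFF by default there as well.
    max_element_depth: int = 256
    max_elements: int = 65535
    max_element_children: int = 65535
    max_attributes: int = 256
    max_attribute_value_length: int = 2048
    max_char_data_length: int = 65535
    max_file_size: int = 20000000
    min_file_size: int = 9
    max_namespaces: int = 16
    max_namespace_uri_length: int = 256
    block_pi: bool = False
    block_dtd: bool = False
    block_external_entities: bool = False


class _Violation(Exception):
    """Carries the name of the first check that failed."""


def check_xml(data: bytes, limits: XdosLimits = XdosLimits()) -> str:
    """Return "OK", or the name of the first XDoS check the document fails."""
    if len(data) > limits.max_file_size:
        return "XMLMaxFileSize"
    if len(data) < limits.min_file_size:
        return "XMLMinFileSize"
    # No namespace processing: xmlns declarations arrive as plain attributes.
    p = xml.parsers.expat.ParserCreate()
    depth = elements = text_len = 0
    children = []   # child count of each open element
    ns_stack = []   # namespaces declared by each open element

    def fail(name):
        raise _Violation(name)

    def start(name, attrs):
        nonlocal depth, elements, text_len
        depth, elements, text_len = depth + 1, elements + 1, 0
        if depth > limits.max_element_depth:
            fail("XMLMaxElementDepth")
        if elements > limits.max_elements:
            fail("XMLMaxElements")
        if children:
            children[-1] += 1
            if children[-1] > limits.max_element_children:
                fail("XMLMaxElementChildren")
        children.append(0)
        declared = regular = 0
        for aname, value in attrs.items():
            if aname == "xmlns" or aname.startswith("xmlns:"):
                declared += 1
                if sum(ns_stack) + declared > limits.max_namespaces:
                    fail("XMLMaxNamespaces")
                if len(value) > limits.max_namespace_uri_length:
                    fail("XMLMaxNamespaceUriLength")
                continue
            regular += 1
            if regular > limits.max_attributes:
                fail("XMLMaxAttributes")
            if len(value) > limits.max_attribute_value_length:
                fail("XMLMaxAttributeValueLength")
        ns_stack.append(declared)

    def end(name):
        nonlocal depth, text_len
        depth, text_len = depth - 1, 0
        children.pop()
        ns_stack.pop()

    def chars(text):
        nonlocal text_len
        text_len += len(text)   # expat may deliver one text node in chunks
        if text_len > limits.max_char_data_length:
            fail("XMLMaxCharDATALength")

    p.StartElementHandler = start
    p.EndElementHandler = end
    p.CharacterDataHandler = chars
    if limits.block_pi:
        p.ProcessingInstructionHandler = lambda target, body: fail("XMLBlockPI")
    if limits.block_dtd:
        p.StartDoctypeDeclHandler = lambda *args: fail("XMLBlockDTD")
    if limits.block_external_entities:
        p.ExternalEntityRefHandler = lambda *args: fail("XMLBlockExternalEntities")
    try:
        p.Parse(data, True)
    except _Violation as v:
        return v.args[0]
    except xml.parsers.expat.ExpatError:
        return "XMLFormat"   # not well-formed: the page's separate XMLFormatAction check
    return "OK"
```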
XMLWSIURL
Exempt the specified URL from the web services interoperability (WS-I) check. The URL is specified as a PCRE-format regular expression, which can match one or more URLs.
XMLWSIChecks
Synonym for XMLWSIURL, but takes a literal URL instead of a PCRE-format regular expression.
XMLValidationURL
Exempt the specified URL from the XML message validation check.
An XML message validation exemption (relaxation) consists of the following items:
- URL. PCRE-format regular expression that matches the URL(s) to be exempted.
- XML-request-schema toggle. Use the specified XML schema to validate requests. ON to enable, OFF to disable.
- XML request schema. XML schema to use for validating requests.
- XML-response-schema toggle. Use the specified XML schema to validate responses. ON to enable, OFF to disable.
- XML response schema. XML schema to use for validating responses.
- WSDL toggle. Use the specified WSDL to validate. ON to enable, OFF to disable.
- WSDL. WSDL to use for validation.
- SOAP-envelope toggle. Validate against the SOAP envelope. ON to enable, OFF to disable.
- Additional-SOAP-headers toggle. Validate against the extended list of SOAP headers. ON to enable, OFF to disable.
- XML-end-point check. ABSOLUTE to use an absolute end point, RELATIVE to use a relative end point.
XMLRequestSchema
XML Schema object for request validation.
XMLResponseSchema
XML Schema object for response validation.
XMLWSDL
WSDL object for SOAP request validation.
XMLAdditionalSOAPHeaders
Allow additional SOAP headers.
Possible values: ON, OFF
XMLEndPointCheck
Modifies the behaviour of the request URL validation with respect to the Service URL.
If set to ABSOLUTE, the entire request URL is validated against the entire URL given in the Service of the associated WSDL.
e.g. Service URL: http://example.org/ExampleService, Request URL: http://example.com/ExampleService would FAIL the validation.
If set to RELATIVE, only the non-hostname part of the request URL is validated against the non-hostname part of the Service URL.
e.g. Service URL: http://example.org/ExampleService, Request URL: http://example.com/ExampleService would PASS the validation.
Possible values: ABSOLUTE, RELATIVE
Default value: ABSOLUTE
XMLValidateSOAPEnvelope
Validate SOAP Envelope only.
Possible values: ON, OFF
XMLValidateResponse
Validate response message.
Possible values: ON, OFF
XMLAttachmentURL
Exempt the specified URL from the XML attachment check.
An XML attachment exemption (relaxation) consists of the following items:
- URL. PCRE-format regular expression that matches the URL(s) to be exempted.
- Maximum-attachment-size-check toggle. ON to enable, OFF to disable.
- Maximum attachment size. Positive integer representing the maximum allowed size in bytes for each XML attachment.
- Attachment-content-type-check toggle. ON to enable, OFF to disable.
- Attachment content type. PCRE-format regular expression that specifies the list of MIME content types allowed for XML attachments.
XMLMaxAttachmentSizeCheck
State if XML max attachment size check is ON or OFF. Protects against XML requests with large attachment data.
Possible values: ON, OFF
Default value: OFF
XMLMaxAttachmentSize
Specify maximum attachment size.
Minimum value: 0
Maximum value: 1000000000
XMLAttachmentContentTypeCheck
State if XML attachment content-type check is ON or OFF. Protects against XML requests with illegal attachments.
Possible values: ON, OFF
Default value: OFF
XMLAttachmentContentType
Specify content-type regular expression.
XMLSQLInjection
Exempt the specified URL from the XML SQL injection check.
An XML SQL injection exemption (relaxation) consists of the following items:
- URL. URL to exempt, as a string or a PCRE-format regular expression.
- ISREGEX flag. REGEX if URL is a regular expression, NOTREGEX if URL is a fixed string.
- Location. ELEMENT if the injection is located in an XML element, ATTRIBUTE if located in an XML attribute.
XMLXSS
Exempt the specified URL from the XML cross-site scripting (XSS) check.
An XML cross-site scripting exemption (relaxation) consists of the following items:
- URL. URL to exempt, as a string or a PCRE-format regular expression.
- ISREGEX flag. REGEX if URL is a regular expression, NOTREGEX if URL is a fixed string.
- Location. ELEMENT if the injection is located in an XML element, ATTRIBUTE if located in an XML attribute.
contentType
Add the specified content-type to the content-type list. Enclose the content-type in double quotes to ensure preservation of any embedded spaces or non-alphanumeric characters.
excludeResContentType
Add the specified content-type to the list of response content-types that are to be excluded from inspection. Enclose the content-type in double quotes to ensure preservation of any embedded spaces or non-alphanumeric characters.
CreditCardNumber
Add an expression to the list of object expressions that are to be exempted from the safe commerce checks.
CreditCardNumberUrl
The URL for which credit card numbers are to be exempted from inspection.
unbind appfw profile¶
Unbinds the specified exemption (relaxation) or rule from the specified application firewall profile. See the bind appfw profile command for a description of the parameters.
Synopsys¶
unbind appfw profile <name> (-startURL <expression> | -denyURL <expression> | (-fieldConsistency <string> <formActionURL>) | -cookieConsistency <string> | (-SQLInjection <string> <formActionURL> [-location <location>] [-valueType <valueType> [<valueExpression>]]) | (-CSRFTag <string> <CSRFFormActionURL>) | (-crossSiteScripting <string> <formActionURL> [-location <location>] [-valueType <valueType> [<valueExpression>]]) | (-fieldFormat <string> <formActionURL>) | -safeObject <string> | -trustedLearningClients <ip_addr[/prefix]|ipv6_addr[/prefix]|*> | -XMLDoSURL <expression> | -XMLWSIURL <expression> | -XMLValidationURL <expression> | -XMLAttachmentURL <expression> | (-XMLSQLInjection <string> [-location ( ELEMENT | ATTRIBUTE )]) | (-XMLXSS <string> [-location ( ELEMENT | ATTRIBUTE )]) | -contentType <expression> | -excludeResContentType <expression> | (-CreditCardNumber <expression> <CreditCardNumberUrl>))
Arguments¶
name
Name of the exemption (relaxation) or rule that you want to unbind.
startURL
Start URL regular expression.
denyURL
Deny URL regular expression.
fieldConsistency
Form field name.
formActionURL
Form action URL.
cookieConsistency
Cookie name.
SQLInjection
Form field, header or cookie name.
location
Location of XSS injection exception - XML Element or Attribute. Default location is 'ELEMENT'.
Possible values: ELEMENT, ATTRIBUTE
Default value: AS_XMLLOCATION_ELEMENT
valueType
The web form value type.
Possible values: Tag, Attribute, Pattern
valueExpression
The web form value expression.
CSRFTag
CSRF Form origin URL.
This binding is applicable to Profile Type: HTML.
CSRFFormActionURL
CSRF form action URL.
crossSiteScripting
Form field, header or cookie name.
fieldFormat
Field format name.
safeObject
Safe Object name.
trustedLearningClients
Trusted learning clients IP address.
XMLDoSURL
XML DoS URL regular expression.
XMLWSIURL
XML WS-I URL regular expression.
XMLValidationURL
XML Message URL regular expression.
XMLAttachmentURL
XML Attachment URL regular expression.
XMLSQLInjection
Exempt the specified URL from the XML SQL injection check.
An XML SQL injection exemption (relaxation) consists of the following items:
- URL. URL to exempt, as a string or a PCRE-format regular expression.
- ISREGEX flag. REGEX if URL is a regular expression, NOTREGEX if URL is a fixed string.
- Location. ELEMENT if the injection is located in an XML element, ATTRIBUTE if located in an XML attribute.
XMLXSS
Exempt the specified URL from the XML cross-site scripting (XSS) check.
An XML cross-site scripting exemption (relaxation) consists of the following items:
- URL. URL to exempt, as a string or a PCRE-format regular expression.
- ISREGEX flag. REGEX if URL is a regular expression, NOTREGEX if URL is a fixed string.
- Location. ELEMENT if the injection is located in an XML element, ATTRIBUTE if located in an XML attribute.
contentType
Content-type regular expression.
excludeResContentType
Response content-type regular expression for responses that are to be excluded from inspection.
CreditCardNumber
The object expression that is to be excluded from safe commerce check.
CreditCardNumberUrl
The URL for which credit card numbers are to be exempted from inspection.
show appfw profile¶
Displays details of the specified application firewall profile. If no profile is specified, displays a list of all application firewall profiles on the NetScaler appliance.
Synopsys¶
show appfw profile [<name>]
Arguments¶
name
Name of the application firewall profile.
Outputs¶
stateflag
type
The profile type of this Application Firewall profile. If the profile is of the HTML type, only checks relevant to HTML are applied. If the profile is of the XML type, only checks relevant to XML are applied. If the profile is of the Web 2.0 type, both types of checks are applied.
defaults
Default configuration to apply to the profile. Basic defaults are intended for standard content that requires little further configuration, such as static web site content. Advanced defaults are intended for specialized content that requires significant specialized configuration, such as heavily scripted or dynamic content.
CLI users: When adding an application firewall profile, you can set either the defaults or the type, but not both. To set both options, create the profile by using the add appfw profile command, and then use the set appfw profile command to configure the other option.
useHTMLErrorObject
Send an imported HTML Error object to a user when a request is blocked, instead of redirecting the user to the designated Error URL.
errorURL
The error page for this profile.
HTMLErrorObject
Name to assign to the HTML Error Object.
Must begin with a letter, number, or the underscore character (_), and must contain only letters, numbers, and the hyphen (-), period (.), pound (#), space ( ), at (@), equals (=), colon (:), and underscore characters. Cannot be changed after the HTML error object is added.
The following requirement applies only to the NetScaler CLI:
If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, "my HTML error object" or 'my HTML error object').
logEveryPolicyHit
Log every profile match, regardless of security checks results.
stripComments
Tells the Application Firewall to strip HTML comments from responses before sending them to the user.
stripHtmlComments
Tells the Application Firewall to strip HTML comments from responses before sending them to the user.
stripXmlComments
Tells the Application Firewall to strip XML comments from responses before sending them to the user.
defaultCharSet
The default character set. The character set that the Application Firewall uses for web pages that do not explicitly set a different character set.
postBodyLimit
The maximum body size for an HTTP POST.
fileUploadMaxNum
Maximum allowed number of file uploads per form-submission request. The maximum setting (65535) allows an unlimited number of uploads.
canonicalizeHTMLResponse
Tells the Application Firewall to convert any non-ASCII characters into HTML entities before sending responses to the user. This is called 'canonicalization' of HTML responses.
enableFormTagging
Enables tagging of web forms for form field Consistency checks.
sessionlessFieldConsistency
Enable sessionless form field consistency checks.
sessionlessURLClosure
Enable sessionless URL closure checks.
semicolonFieldSeparator
Allow ';' as a form field separator in URL queries and POST form bodies.
excludeFileUploadFromChecks
Excludes uploaded files from all web form checks.
SQLInjectionParseComments
Canonicalizes SQL Comments in form fields.
checkRequestHeaders
Check request headers as well as web forms for injected SQL and cross-site scripts.
optimizePartialReqs
Optimize handling of HTTP partial requests, i.e., those with Range headers.
Available settings are as follows:
- ON - Partial requests by the client result in partial requests to the backend server in most cases.
- OFF - Partial requests by the client are changed to full requests to the backend server.
URLDecodeRequestCookies
URL Decode request cookies before subjecting them to SQL and cross-site scripting checks.
comment
Comments associated with this profile.
startURLAction
Start URL action types. (BLOCK | LEARN | LOG | STATS | NONE)
contentTypeAction
Content-type action types. (BLOCK | LOG | NONE)
inspectContentTypes
Inspection content types associated with this profile.
startURL
A regular expression that designates a URL on the Start URL list.
startURLClosure
Enable Start URL closure. When enabled, this feature allows users to start their session at a designated start URL, then navigate from that start URL to any URL on a protected web site by clicking a link on another web page on that web site. Otherwise, requests to any URL that is not explicitly allowed are blocked.
denyURLAction
Deny URL action types. (BLOCK | LOG | STATS | NONE)
denyURL
A regular expression that designates a URL on the Deny URL list.
RefererHeaderCheck
Enable validation of Referer headers.
Referer validation ensures that a web form that a user sends to your web site originally came from your web site, not an outside attacker.
Although this parameter is part of the Start URL check, referer validation protects against cross-site request forgery (CSRF) attacks, not Start URL attacks.
CSRFtagAction
Cross-site request forgery tagging action types. (BLOCK | LEARN | LOG | STATS | NONE)
CSRFTag
The web form originating URL.
CSRFFormActionURL
The web form action URL.
crossSiteScriptingAction
Cross-site scripting action types. (BLOCK | LEARN | LOG | STATS | NONE)
crossSiteScriptingTransformUnsafeHTML
Enables transformation of unsafe HTML into safe HTML before forwarding a request to the web server.
crossSiteScriptingCheckCompleteURLs
Tells the Application Firewall to check complete URLs rather than just the query portion of URLs for cross-site scripting violations.
crossSiteScripting
The web form field name.
isRegex
Is the XML XSS exempted field name a regular expression?
formActionURL
Action URL of the form field to which a field format will be assigned.
exemptClosureURLsFromSecurityChecks
Tells the Application Firewall to exempt closure URLs from security checks.
location
Location of XSS injection exception - XML Element or Attribute.
valueType
The web form value type.
valueExpression
The web form value expression.
isValueRegex
Is the web form field value a regular expression?
SQLInjectionAction
SQL injection action types. (BLOCK | LEARN | LOG | STATS | NONE)
SQLInjectionTransformSpecialChars
Enables transformation of SQL special characters found in web forms into safe equivalents.
SQLInjectionOnlyCheckFieldsWithSQLChars
Tells the Application Firewall to check form fields that contain SQL special characters only, rather than all form fields, for SQL injection violations.
SQLInjectionType
Available SQL Injection types.
SQLInjectionCheckSQLWildChars
Check for form fields that contain SQL wildcard characters.
SQLInjection
The web form field name.
invalidPercentHandling
Configure the method that the application firewall uses to handle percent-encoded names and values. Available settings function as follows:
- apache_mode - Apache format.
- asp_mode - Microsoft ASP format.
- secure_mode - Secure format.
fieldConsistencyAction
Form Field Consistency action types. (BLOCK | LEARN | LOG | STATS | NONE)
fieldConsistency
The web form field name.
cookieConsistencyAction
Cookie consistency action types. (BLOCK | LEARN | LOG | STATS | NONE)
cookieConsistency
The name of the cookie to be checked.
cookieTransforms
Perform the specified type of cookie transformation.
Available settings function as follows:
- Encryption - Encrypt cookies.
- Proxying - Mask contents of server cookies by sending proxy cookie to users.
- Cookie flags - Flag cookies as HTTP only to prevent scripts on user's browser from accessing and possibly modifying them.
CAUTION: Make sure that this parameter is set to ON if you are configuring any cookie transformations. If it is set to OFF, no cookie transformations are performed regardless of any other settings.
cookieEncryption
Type of cookie encryption. Available settings function as follows:
- None - Do not encrypt cookies.
- Decrypt Only - Decrypt encrypted cookies, but do not encrypt cookies.
- Encrypt Session Only - Encrypt session cookies, but not permanent cookies.
- Encrypt All - Encrypt all cookies.
cookieProxying
Proxies server cookies using the Application Firewall session.
addCookieFlags
Add the specified flags to cookies. Available settings function as follows:
- None - Do not add flags to cookies.
- HTTP Only - Add the HTTP Only flag to cookies, which prevents scripts from accessing cookies.
- Secure - Add Secure flag to cookies.
- All - Add both HTTPOnly and Secure flags to cookies.
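The addCookieFlags settings listed above, as an added example that is not NetScaler code: a Python rewrite of Set-Cookie response headers that appends only the flags not already present, keyed by the page's setting labels. The response headers are constructed.

```python
# The page's addCookieFlags labels mapped to the Set-Cookie attributes they add.
FLAG_SETS = {
    "None": (),
    "HTTP Only": ("HttpOnly",),
    "Secure": ("Secure",),
    "All": ("HttpOnly", "Secure"),
}


def add_cookie_flags(set_cookie: str, mode: str) -> str:
    """Return one Set-Cookie header value with the flags for `mode` ensured.

    Existing attributes are kept in order; a flag that is already present
    (in any letter case) is not duplicated.
    """
    parts = [p.strip() for p in set_cookie.split(";") if p.strip()]
    present = {p.lower() for p in parts[1:]}   # parts[0] is name=value
    for flag in FLAG_SETS[mode]:
        if flag.lower() not in present:
            parts.append(flag)
    return "; ".join(parts)


def harden_response_headers(headers: list, mode: str) -> list:
    """Apply add_cookie_flags to every Set-Cookie header; leave others as-is."""
    return [
        (name, add_cookie_flags(value, mode) if name.lower() == "set-cookie" else value)
        for name, value in headers
    ]


# Constructed response headers from a hypothetical backend.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sid=abc123; Path=/"),
    ("Set-Cookie", "pref=dark; Path=/; Secure"),
]
```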
bufferOverflowAction
Buffer overflow action types. (BLOCK | LOG | STATS | NONE)
bufferOverflowMaxURLLength
Maximum allowed length for URLs.
bufferOverflowMaxHeaderLength
Maximum allowed length for HTTP headers.
bufferOverflowMaxCookieLength
Maximum allowed length for cookies.
fieldFormatAction
Field format action types. (BLOCK | LEARN | LOG | STATS | NONE)
defaultFieldFormatType
Name of the default field type, the field type that the Application Firewall will assign to a form field when no specific field type is assigned to that particular form field.
defaultFieldFormatMinLength
Default field type minimum length setting.
defaultFieldFormatMaxLength
Default field type maximum length setting.
fieldFormat
Name of the form field to which a field format will be assigned.
fieldType
The field type you are assigning to this form field.
fieldFormatMinLength
The minimum allowed length for data in this form field.
fieldFormatMaxLength
The maximum allowed length for data in this form field.
creditCardAction
Credit Card action types. (BLOCK | LOG | STATS | NONE)
creditCard
Credit card types. (AMEX | DINERSCLUB | DISCOVER | JCB | MASTERCARD | VISA)
creditCardMaxAllowed
Maximum number of times a credit card number may be seen before action is taken.
creditCardXOut
X-out credit card numbers.
doSecureCreditCardLogging
Setting this option logs credit card numbers in the response when the match is found.
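The credit card check above, creditCardMaxAllowed and creditCardXOut together, as an added example rather than NetScaler's own matcher. It assumes simplified prefix/length rules per brand (keyed by the creditCard values listed above) plus a Luhn checksum to weed out order and phone numbers that merely look like card numbers, and a constructed masking rule that keeps the last four digits. The sample response body is constructed.

```python
import re

# Brand patterns keyed by the creditCard values listed above. The prefix/length
# rules are a constructed simplification for illustration, not NetScaler's own matcher.
CARD_PATTERNS = {
    "VISA": re.compile(r"4[0-9]{12}(?:[0-9]{3})?"),
    "MASTERCARD": re.compile(r"5[1-5][0-9]{14}"),
    "AMEX": re.compile(r"3[47][0-9]{13}"),
    "DISCOVER": re.compile(r"6(?:011|5[0-9]{2})[0-9]{12}"),
    "DINERSCLUB": re.compile(r"3(?:0[0-5]|[68][0-9])[0-9]{11}"),
    "JCB": re.compile(r"(?:2131|1800|35[0-9]{3})[0-9]{11}"),
}

# 13 to 19 digits, optionally separated by single spaces or hyphens,
# and not embedded in a longer run of digits.
CANDIDATE = re.compile(r"(?<![0-9])[0-9](?:[ -]?[0-9]){12,18}(?![0-9])")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out most numbers that only look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(digits: str, brands):
    """Return the brand whose pattern matches and whose Luhn check passes, else None."""
    for brand in brands:
        if CARD_PATTERNS[brand].fullmatch(digits) and luhn_ok(digits):
            return brand
    return None


def mask(raw: str) -> str:
    """X-out all but the last four digits, keeping separators (constructed masking rule)."""
    to_mask = sum(ch.isdigit() for ch in raw) - 4
    out = []
    for ch in raw:
        if ch.isdigit() and to_mask > 0:
            out.append("x")
            to_mask -= 1
        else:
            out.append(ch)
    return "".join(out)


def inspect_response(body: str, brands=tuple(CARD_PATTERNS),
                     max_allowed: int = 0, xout: bool = True) -> dict:
    """Scan a response body the way the credit card check does.

    Returns how many card numbers were found and their brands, whether the count
    exceeds max_allowed (the point at which the configured creditCardAction would
    fire), and the body with numbers X-ed out when xout is on.
    """
    found = []

    def replace(match):
        raw = match.group(0)
        brand = classify(re.sub(r"[ -]", "", raw), brands)
        if brand is None:
            return raw
        found.append(brand)
        return mask(raw) if xout else raw

    new_body = CANDIDATE.sub(replace, body)
    return {"count": len(found), "brands": found,
            "violation": len(found) > max_allowed, "body": new_body}


# Constructed sample response body (the third number fails the Luhn check).
SAMPLE_BODY = (
    "Order 1001 paid with 4111 1111 1111 1111\n"
    "Order 1002 paid with 5500-0000-0000-0004\n"
    "Shipment 4111111111111112 (not a valid card number)\n"
)
```

Running inspect_response(SAMPLE_BODY) finds the Visa and Mastercard numbers, leaves the Luhn-invalid shipment number alone, and reports a violation because creditCardMaxAllowed defaults to 0 here; raising max_allowed to 2 keeps the X-out but clears the violation.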
streaming
Setting this option converts content-length form submission requests (requests with content-type "application/x-www-form-urlencoded" or "multipart/form-data") to chunked requests when at least one of the following protections is enabled: SQL injection protection, XSS protection, form field consistency protection, start URL closure, or CSRF tagging. Make sure that the backend server accepts chunked requests before enabling this option.
trace
Toggle the state of trace
safeObject
Name of the Safe Object.
expression
A regular expression that defines the Safe Object.
maxMatchLength
Maximum match length for a Safe Object expression.
action
Safe Object action types. (BLOCK | LOG | STATS | NONE)
requestContentType
Default content-type for request messages.
responseContentType
Default content-type for response messages.
XMLErrorObject
URL for the xml error page
signatures
Signatures for the profile
XMLFormatAction
XML well-formed request action types. (BLOCK | LOG | STATS | NONE)
XMLDoSAction
XML DOS action types. (BLOCK | LEARN | LOG | STATS | NONE)
XMLSQLInjectionAction
XML SQL Injection action types. (BLOCK | LOG | STATS | NONE)
XMLSQLInjectionOnlyCheckFieldsWithSQLChars
XML flag to check only fields with SQL characters.
XMLSQLInjectionType
Available XML SQL Injection types.
XMLSQLInjectionCheckSQLWildChars
XML flag to check for SQL wild chars.
XMLSQLInjectionParseComments
Canonicalize SQL Comments in XML data.
XMLXSSAction
XML cross-site scripting action types. (BLOCK | LOG | STATS | NONE)
XMLWSIAction
XML WSI action types. (BLOCK | LEARN | LOG | STATS | NONE)
XMLAttachmentAction
XML attachment action types. (BLOCK | LEARN | LOG | STATS | NONE)
XMLValidationAction
XML message validation action types. (BLOCK | LOG | STATS | NONE)
XMLSOAPFaultAction
XML SOAP fault filtering action types. (BLOCK | LOG | STATS | REMOVE | NONE)
XMLDoSURL
XML DoS URL regular expression length.
XMLWSIURL
XML WS-I URL regular expression length.
XMLValidationURL
XML Validation URL regular expression.
XMLAttachmentURL
XML attachment URL regular expression length.
XMLSQLInjection
Exempt the specified URL from the XML SQL injection check.
An XML SQL injection exemption (relaxation) consists of the following items:
- URL. URL to exempt, as a string or a PCRE-format regular expression.
- ISREGEX flag. REGEX if URL is a regular expression, NOTREGEX if URL is a fixed string.
- Location. ELEMENT if the injection is located in an XML element, ATTRIBUTE if located in an XML attribute.
XMLXSS
Exempt the specified URL from the XML cross-site scripting (XSS) check.
An XML cross-site scripting exemption (relaxation) consists of the following items:
- URL. URL to exempt, as a string or a PCRE-format regular expression.
- ISREGEX flag. REGEX if URL is a regular expression, NOTREGEX if URL is a fixed string.
- Location. ELEMENT if the attachment is located in an XML element, ATTRIBUTE if located in an XML attribute.
state
Enabled.
XMLMaxElementDepthCheck
State if XML Max element depth check is ON or OFF.
XMLMaxElementDepth
Maximum nesting (depth) of XML elements. This check protects against documents that have excessive hierarchy depths.
XMLMaxElementNameLengthCheck
State if XML Max element name length check is ON or OFF.
XMLMaxElementNameLength
Specify the longest name of any element (including the expanded namespace) to protect against overflow attacks.
XMLMaxElementsCheck
State if XML Max elements check is ON or OFF.
XMLMaxElements
Specify the maximum number of XML elements allowed. Protects against overflow attacks.
XMLMaxElementChildrenCheck
State if XML Max element children check is ON or OFF.
XMLMaxElementChildren
Specify the maximum number of children allowed per XML element. Protects against overflow attacks.
XMLMaxNodesCheck
State if XML Max nodes check is ON or OFF.
XMLMaxNodes
Specify the maximum number of XML nodes. Protects against overflow attacks.
XMLMaxAttributesCheck
State if XML Max attributes check is ON or OFF.
XMLMaxAttributes
Specify maximum number of attributes per XML element. Protects against overflow attacks.
XMLMaxAttributeNameLengthCheck
State if XML Max attribute name length check is ON or OFF.
XMLMaxAttributeNameLength
Specify the longest name of any XML attribute. Protects against overflow attacks.
XMLMaxAttributeValueLengthCheck
State if XML Max attribute value length check is ON or OFF.
XMLMaxAttributeValueLength
Specify the longest value of any XML attribute. Protects against overflow attacks.
XMLMaxCharDATALengthCheck
State if XML Max CDATA length check is ON or OFF.
XMLMaxCharDATALength
Specify the maximum size of CDATA. Protects against overflow attacks and large quantities of unparsed data within XML messages.
XMLMaxFileSizeCheck
State if XML Max file size check is ON or OFF.
XMLMaxFileSize
Specify the maximum size of XML messages. Protects against overflow attacks.
XMLMinFileSizeCheck
State if XML Min file size check is ON or OFF.
XMLMinFileSize
Enforces minimum message size.
XMLBlockPI
State if XML Block PI is ON or OFF. Protects resources from denial of service attacks as SOAP messages cannot have processing instructions (PI) in messages.
XMLBlockDTD
State if XML DTD is ON or OFF. Protects against recursive Document Type Declaration (DTD) entity expansion attacks. Also, SOAP messages cannot have DTDs in messages.
XMLBlockExternalEntities
State if XML Block External Entities Check is ON or OFF. Protects against XML External Entity (XXE) attacks that force applications to parse untrusted external entities (sources) in XML documents.
XMLMaxEntityExpansionsCheck
State if XML Max Entity Expansions Check is ON or OFF.
XMLMaxEntityExpansions
Specify maximum allowed number of entity expansions. Protects against Entity Expansion Attack.
XMLMaxEntityExpansionDepthCheck
State if XML Max Entity Expansions Depth Check is ON or OFF.
XMLMaxEntityExpansionDepth
Specify maximum entity expansion depth. Protects against Entity Expansion Attack.
XMLMaxNamespacesCheck
State if XML Max namespaces check is ON or OFF.
XMLMaxNamespaces
Specify maximum number of active namespaces. Protects against overflow attacks.
XMLMaxNamespaceUriLengthCheck
State if XML Max namespace URI length check is ON or OFF.
XMLMaxNamespaceUriLength
Specify the longest URI of any XML namespace. Protects against overflow attacks.
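The XML DoS limits described above, from XMLMaxElementDepth through XMLBlockExternalEntities and XMLMaxNamespaceUriLength, are all properties a streaming parser can enforce before any application code sees the document. The following is an added example of that, not NetScaler code: a checker built on Python's expat binding whose policy keys are named after the page's parameters (the numeric values are illustrative, not the appliance defaults). It stops at the first violation and returns the name of the check that fired, and also reports a malformed document as an "XMLFormat" result, which is the separate XMLFormatAction check.

```python
import xml.parsers.expat

# Constructed policy: the keys mirror the appfw profile parameters described above;
# the numeric values are illustrative, not the appliance defaults.
DEFAULT_POLICY = {
    "XMLMaxElementDepth": 256,
    "XMLMaxElementNameLength": 128,
    "XMLMaxElements": 65535,
    "XMLMaxElementChildren": 65535,
    "XMLMaxAttributes": 256,
    "XMLMaxAttributeNameLength": 128,
    "XMLMaxAttributeValueLength": 2048,
    "XMLMaxCharDATALength": 65535,
    "XMLMaxFileSize": 20_000_000,
    "XMLBlockPI": True,
    "XMLBlockDTD": True,
    "XMLBlockExternalEntities": True,
}


class XMLDoSViolation(Exception):
    """Raised from a parser callback; the message is the name of the violated check."""


class XMLDoSChecker:
    """Streams one document through expat and enforces the limits in `policy`."""

    def __init__(self, policy=None):
        self.policy = dict(DEFAULT_POLICY, **(policy or {}))
        self.depth = 0          # current nesting depth
        self.elements = 0       # total elements seen so far
        self.children = []      # child count of each currently open element
        self.text_len = 0       # length of the current character-data run

    def _fail(self, check):
        raise XMLDoSViolation(check)

    def _start(self, name, attrs):
        p = self.policy
        self.depth += 1
        self.elements += 1
        if self.depth > p["XMLMaxElementDepth"]:
            self._fail("XMLMaxElementDepth")
        if self.elements > p["XMLMaxElements"]:
            self._fail("XMLMaxElements")
        # With namespace processing on, `name` is "<namespace URI> <local name>",
        # so this length check covers the expanded namespace, as the page describes.
        if len(name) > p["XMLMaxElementNameLength"]:
            self._fail("XMLMaxElementNameLength")
        if self.children:
            self.children[-1] += 1
            if self.children[-1] > p["XMLMaxElementChildren"]:
                self._fail("XMLMaxElementChildren")
        self.children.append(0)
        if len(attrs) > p["XMLMaxAttributes"]:
            self._fail("XMLMaxAttributes")
        for aname, avalue in attrs.items():
            if len(aname) > p["XMLMaxAttributeNameLength"]:
                self._fail("XMLMaxAttributeNameLength")
            if len(avalue) > p["XMLMaxAttributeValueLength"]:
                self._fail("XMLMaxAttributeValueLength")
        self.text_len = 0

    def _end(self, name):
        self.depth -= 1
        self.children.pop()
        self.text_len = 0

    def _chars(self, data):
        self.text_len += len(data)
        if self.text_len > self.policy["XMLMaxCharDATALength"]:
            self._fail("XMLMaxCharDATALength")

    def _pi(self, target, data):
        if self.policy["XMLBlockPI"]:
            self._fail("XMLBlockPI")

    def _doctype(self, name, sysid, pubid, has_internal_subset):
        # Rejecting the DTD up front also forecloses entity-expansion attacks.
        if self.policy["XMLBlockDTD"]:
            self._fail("XMLBlockDTD")

    def _entity_decl(self, name, is_param, value, base, sysid, pubid, notation):
        # An entity declared with a system or public id is external (the XXE vector).
        if self.policy["XMLBlockExternalEntities"] and (sysid or pubid):
            self._fail("XMLBlockExternalEntities")

    def check(self, document: bytes) -> str:
        """Return "OK", "XMLFormat" for a malformed document, or the violated check's name."""
        if len(document) > self.policy["XMLMaxFileSize"]:
            return "XMLMaxFileSize"
        parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")
        parser.buffer_text = True
        parser.StartElementHandler = self._start
        parser.EndElementHandler = self._end
        parser.CharacterDataHandler = self._chars
        parser.ProcessingInstructionHandler = self._pi
        parser.StartDoctypeDeclHandler = self._doctype
        parser.EntityDeclHandler = self._entity_decl
        try:
            parser.Parse(document, True)
        except XMLDoSViolation as violation:
            return str(violation)
        except xml.parsers.expat.ExpatError:
            return "XMLFormat"
        return "OK"


def check_xml(document: bytes, **policy) -> str:
    """One fresh checker per document, since every counter is per message."""
    return XMLDoSChecker(policy).check(document)
```

Because the DTD is rejected at the DOCTYPE declaration, an entity bomb never reaches the expansion stage; the external-entity check only matters when XMLBlockDTD is turned off, which is the configuration the test below exercises.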
XMLSOAPArrayCheck
State if XML SOAP Array check is ON or OFF.
XMLMaxSOAPArraySize
XML Max Total SOAP Array Size. Protects against SOAP Array Abuse attack.
XMLMaxSOAPArrayRank
XML Max Individual SOAP Array Rank. This is the dimension of the SOAP array.
XMLWSIChecks
Specify a comma separated list of relevant WS-I rule IDs. (R1140, R1141)
XMLRequestSchema
XML Schema object for request validation.
XMLResponseSchema
XML Schema object for response validation.
XMLWSDL
WSDL object for soap request validation.
XMLAdditionalSOAPHeaders
Allow additional SOAP headers.
XMLEndPointCheck
Modifies the behaviour of the Request URL validation with respect to the Service URL.
If set to ABSOLUTE, the entire request URL is validated against the entire URL given in the Service element of the associated WSDL.
e.g. Service URL: http://example.org/ExampleService, Request URL: http://example.com/ExampleService would FAIL the validation.
If set to RELATIVE, only the non-hostname part of the request URL is validated against the non-hostname part of the Service URL.
e.g. Service URL: http://example.org/ExampleService, Request URL: http://example.com/ExampleService would PASS the validation.
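The two XMLEndPointCheck modes, carried through on the page's own example URLs, as an added example (not NetScaler's implementation). It assumes that scheme and host are compared case-insensitively, as RFC 3986 allows, and that the path and query string are what "the non-hostname part" means.

```python
from urllib.parse import urlsplit


def _pieces(url: str):
    """Split a URL into the parts the two modes compare.

    Scheme and host are lower-cased (assumption: compared case-insensitively);
    an empty path is treated as "/".
    """
    u = urlsplit(url)
    return u.scheme.lower(), u.netloc.lower(), (u.path or "/"), u.query


def endpoint_check(service_url: str, request_url: str, mode: str = "ABSOLUTE") -> bool:
    """Return True when the request URL passes validation against the WSDL Service URL.

    ABSOLUTE compares scheme, host, path and query; RELATIVE ignores scheme and
    host and compares only the non-hostname part (path and query).
    """
    s_scheme, s_host, s_path, s_query = _pieces(service_url)
    r_scheme, r_host, r_path, r_query = _pieces(request_url)
    if mode == "ABSOLUTE":
        return (s_scheme, s_host, s_path, s_query) == (r_scheme, r_host, r_path, r_query)
    if mode == "RELATIVE":
        return (s_path, s_query) == (r_path, r_query)
    raise ValueError(f"unknown XMLEndPointCheck mode: {mode}")


# The page's own example: same path, different host.
SERVICE_URL = "http://example.org/ExampleService"
REQUEST_URL = "http://example.com/ExampleService"
```

RELATIVE is the mode to use when the WSDL was generated on an internal hostname but the service is published through the appliance under a public one; ABSOLUTE additionally pins the scheme and host the client must use.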
XMLValidateSOAPEnvelope
Validate SOAP Envelope only.
XMLValidateResponse
Validate response message.
XMLMaxAttachmentSizeCheck
State if XML Max attachment size Check is ON or OFF. Protects against XML requests with large attachment data.
XMLMaxAttachmentSize
Specify maximum attachment size.
XMLAttachmentContentTypeCheck
State if XML attachment content-type check is ON or OFF. Protects against XML requests with illegal attachments.
XMLAttachmentContentType
Specify content-type regular expression.
builtin
Indicates that a profile is a built-in entity.
builtinType
Type of built-in profiles
trustedLearningClients
Specify trusted host/network IP
contentType
A regular expression that designates a content-type on the content-types list.
excludeResContentType
A regular expression that represents the content type of the response that are to be excluded from inspection.
CreditCardNumber
The object expression that is to be excluded from safe commerce check
CreditCardNumberUrl
The url for which the list of credit card numbers are needed to be bypassed from inspection
devno
count
stat appfw profile¶
Displays statistics for the specified application firewall profile. If no profile is specified, displays abbreviated statistics for all profiles.
Synopsys¶
stat appfw profile [<name>] [-detail] [-fullValues] [-ntimes <positive_integer>] [-logFile <input_filename>] [-clearstats ( basic | full )]
Arguments¶
name
Name of the application firewall profile.
detail
Specifies detailed output (including more statistics). The output can be quite voluminous. Without this argument, the output will show only a summary.
fullValues
Specifies that numbers and strings should be displayed in their full form. Without this option, long strings are shortened and large numbers are abbreviated.
ntimes
The number of times, in intervals of seven seconds, the statistics should be displayed.
Default value: 1
Minimum value: 0
logFile
The name of the log file to be used as input.
clearstats
Clear the statistics / counters
Possible values: basic, full
Outputs¶
count
devno
stateflag
requests (reqs)
HTTP/HTTPS requests sent to your protected web servers via the Application Firewall.
Request Bytes (reqBytes)
Number of bytes transferred for requests
responses (resps)
HTTP/HTTPS responses sent by your protected web servers via the Application Firewall.
Response Bytes (resBytes)
Number of bytes transferred for responses
aborts
Incomplete HTTP/HTTPS requests aborted by the client before the Application Firewall could finish processing them.
redirects (redirect)
HTTP/HTTPS requests redirected by the Application Firewall to a different Web page or web server. (HTTP 302)
Long Term Ave Response Time (ms) (longAvgRespTimePP)
Average backend response time in milliseconds since reboot
Recent Ave Response Time (ms) (shortAvgRespTimePP)
Average backend response time in milliseconds over the last 7 seconds
start URL (startURL)
Number of Start URL security check violations seen by the Application Firewall.
deny URL (denyURL)
Number of Deny URL security check violations seen by the Application Firewall.
referer header (refererHdr)
Number of Referer Header security check violations seen by the Application Firewall.
buffer overflow (bufovfl)
Number of Buffer Overflow security check violations seen by the Application Firewall.
cookie consistency (cookie)
Number of Cookie Consistency security check violations seen by the Application Firewall.
CSRF form tag (csrf_tag)
Number of Cross Site Request Forgery form tag security check violations seen by the Application Firewall.
HTML Cross-site scripting (xss)
Number of HTML Cross-Site Scripting security check violations seen by the Application Firewall.
HTML SQL injection (sql)
Number of HTML SQL Injection security check violations seen by the Application Firewall.
field format (fieldfmt)
Number of Field Format security check violations seen by the Application Firewall.
field consistency (fieldcon)
Number of Field Consistency security check violations seen by the Application Firewall.
credit card (ccard)
Number of Credit Card security check violations seen by the Application Firewall.
safe object (safeobj)
Number of Safe Object security check violations seen by the Application Firewall.
Signature Violations (sigs)
Number of Signature violations seen by the Application Firewall.
content Type (contentType)
Number of Content Type security check violations seen by the Application Firewall.
XML Format (wfcViolations)
Number of XML Format security check violations seen by the Application Firewall.
XML Denial of Service (XDoS) (xdosViolations)
Number of XML Denial-of-Service security check violations seen by the Application Firewall.
XML Message Validation (msgvalViolations)
Number of XML Message Validation security check violations seen by the Application Firewall.
Web Services Interoperability (wsIViolations)
Number of Web Services Interoperability (WS-I) security check violations seen by the Application Firewall.
XML SQL Injection (xmlSqlViolations)
Number of XML SQL Injection security check violations seen by the Application Firewall.
XML Cross-Site Scripting (xmlXssViolations)
Number of XML Cross-Site Scripting (XSS) security check violations seen by the Application Firewall.
XML Attachment (xmlAttachmentViolations)
Number of XML Attachment security check violations seen by the Application Firewall.
SOAP Fault Violations (soapflt)
Number of requests returning soap:fault from the backend server
XML Generic Violations (genflt)
Number of requests returning XML generic violation from the backend server
Total Violations (totperpr)
Number of violations seen by the application firewall on per profile basis
start URL logs (startURLLog)
Number of Start URL security check log messages generated by the Application Firewall.
deny URL logs (denyURLLog)
Number of Deny URL security check log messages generated by the Application Firewall.
referer header logs (refererHdrLog)
Number of Referer Header security check log messages generated by the Application Firewall.
buffer overflow logs (bufovflLog)
Number of Buffer Overflow security check log messages generated by the Application Firewall.
cookie consistency logs (cookieLog)
Number of Cookie Consistency security check log messages generated by the Application Firewall.
CSRF form tag logs (csrf_tagLog)
Number of Cross Site Request Forgery form tag security check log messages generated by the Application Firewall.
HTML XSS logs (xssLog)
Number of HTML Cross-Site Scripting security check log messages generated by the Application Firewall.
HTML XSS transform logs (xssXformLog)
Number of HTML Cross-Site Scripting security check transform log messages generated by the Application Firewall.
HTML SQL Injection logs (sqlLog)
Number of HTML SQL Injection security check log messages generated by the Application Firewall.
HTML SQL transform logs (sqlXformLog)
Number of HTML SQL Injection security check transform log messages generated by the Application Firewall.
field format logs (fieldfmtLog)
Number of Field Format security check log messages generated by the Application Firewall.
field consistency logs (fieldconLog)
Number of Field Consistency security check log messages generated by the Application Firewall.
credit cards (ccardLog)
Number of Credit Card security check log messages generated by the Application Firewall.
credit card transform logs (ccardXformLog)
Number of Credit Card security check transform log messages generated by the Application Firewall.
safe object logs (safeobjLog)
Number of Safe Object security check log messages generated by the Application Firewall.
Signature logs (sigs)
Number of Signature log messages generated by the Application Firewall.
content Type logs (contenttypeLog)
Number of Content type security check log messages generated by the Application Firewall.
XML Format logs (wfcLogs)
Number of XML Format security check log messages generated by the Application Firewall.
XML Denial of Service(XDoS) logs (xdosLogs)
Number of XML Denial-of-Service security check log messages generated by the Application Firewall.
XML Message Validation logs (msgvalLogs)
Number of XML Message Validation security check log messages generated by the Application Firewall.
WSI logs (wsILogs)
Number of Web Services Interoperability (WS-I) security check log messages generated by the Application Firewall.
XML SQL Injection logs (xmlSqlLogs)
Number of XML SQL Injection security check log messages generated by the Application Firewall.
XML XSS logs (xmlXssLogs)
Number of XML Cross-Site Scripting (XSS) security check log messages generated by the Application Firewall.
XML Attachment logs (xmlAttachmentLogs)
Number of XML Attachment security check log messages generated by the Application Firewall.
SOAP Fault logs (soapfltLogs)
Number of requests generating soap:fault log messages
XML Generic logs (genfltLog)
Number of requests generating XML Generic log messages
Total log messages (totlogperpr)
Number of log messages generated by the application firewall on per profile basis
HTTP Client Errors (4xx Resp) (4xxResps)
Number of requests returning HTTP 4xx from the backend server
HTTP Server Errors (5xx Resp) (5xxResps)
Number of requests returning HTTP 5xx from the backend server
Example¶
stat appfw profile
Related Commands¶
archive appfw profile¶
Create archive for the profile.
Synopsys¶
archive appfw profile <name> <archivename> [-comment <string>]
Arguments¶
name
Name for the profile. Must begin with a letter, number, or the underscore character (_), and must contain only letters, numbers, and the hyphen (-), period (.), pound (#), space ( ), at (@), equals (=), colon (:), and underscore (_) characters. Cannot be changed after the profile is added.
The following requirement applies only to the NetScaler CLI:
If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, "my profile" or 'my profile').
archivename
Source for tar archive.
comment
Any comments about the purpose of profile, or other useful information about the profile.
Related Commands¶
restore appfw profile¶
Restore configuration from archive file
Synopsys¶
restore appfw profile <archivename>
Arguments¶
archivename
Source for tar archive.