Citrix Systems Network Router 9.2 User Manual

Citrix NetScaler Policy Configuration and Reference Guide
To protect Web pages with cross-site scripting by using the configuration utility
1. In the navigation pane, expand Application Firewall, and then click Profiles.
2. In the details view, click Add.
3. In the Create Application Firewall Profile dialog box, create a Web Application profile with advanced defaults and name it pr_xssokay. Click Create, and then click Close.
4. In the details view, click the profile, click Open, and in the Configure Web Application Profile dialog box, configure the pr_xssokay profile as shown below.
   Start URL Check: Clear all actions.
   Cookie Consistency Check: Disable blocking.
   Form Field Consistency Check: Disable blocking.
   Cross-Site Scripting Check: Disable blocking.
   This should prevent blocking of legitimate requests involving Web pages with cross-site scripting that you know are nonetheless safe.
5. Click Policies, and then click Add.
6. In the Create Application Firewall Policy dialog box, create a policy that detects connections to your scripted Web pages and applies the pr_xssokay profile:
   Policy name: pol_xssokay
   Associated profile: pr_xssokay
   Policy expression: "REQ.HTTP.HEADER URL CONTAINS ^\.pl\?$ || REQ.HTTP.HEADER URL CONTAINS ^\.js$"
7. Globally bind your new policy to put it into effect.
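Because pol_xssokay turns off blocking for every request it matches, it is worth checking which URLs actually fall under it before binding it globally. The following is an added example, not part of the Citrix guide: it assumes the expression is meant to match Perl scripts called with a query string and URLs ending in .js, and it does not reproduce NetScaler's own expression evaluation. The log lines and the KNOWN_SAFE list are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Assumed reading of the pol_xssokay expression: a .pl script called with a
# query string, or a URL that ends in .js. Not NetScaler's own evaluator.
RELAXED = re.compile(r"\.pl\?|\.js$")

# Hypothetical allowlist: scripted pages the administrator has reviewed.
KNOWN_SAFE = {"/cgi-bin/search.pl", "/static/menu.js"}

# Request line inside a common-log-format entry.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed access-log lines, not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Mar/2010:10:00:01 +0000] "GET /cgi-bin/search.pl?q=router HTTP/1.1" 200 512
192.0.2.11 - - [01/Mar/2010:10:00:02 +0000] "GET /static/menu.js HTTP/1.1" 200 2048
192.0.2.12 - - [01/Mar/2010:10:00:03 +0000] "POST /cgi-bin/feedback.pl?id=7 HTTP/1.1" 200 90
192.0.2.13 - - [01/Mar/2010:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 4096
192.0.2.14 - - [01/Mar/2010:10:00:05 +0000] "GET /cgi-bin/search.pl HTTP/1.1" 200 300
"""

def relaxed_paths(log_text):
    """Count requests per path that would be handled by the relaxed profile."""
    hits = Counter()
    for line in log_text.splitlines():
        m = REQUEST.search(line)
        if m and RELAXED.search(m.group(1)):
            hits[urlsplit(m.group(1)).path] += 1
    return hits

def unreviewed(log_text, known_safe=KNOWN_SAFE):
    """Paths covered by the relaxed profile that are not on the reviewed list."""
    return sorted(p for p in relaxed_paths(log_text) if p not in known_safe)

if __name__ == "__main__":
    for path, count in sorted(relaxed_paths(SAMPLE_LOG).items()):
        state = "reviewed" if path in KNOWN_SAFE else "NOT REVIEWED"
        print(f"{count:3d}  {path}  {state}")
```

Any path reported as not reviewed would lose cross-site scripting blocking once the policy is bound, so either review that page or narrow the policy expression.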
DNS Policy to Drop Packets from Specific IPs
The following example describes how to create a DNS action and DNS policy 
that detects connections from unwanted IPs or networks, such as those used in a 
DDoS attack, and drops all packets from those locations. The example shows 
networks within the IANA-reserved IP block 192.168.0.0/16. A hostile 
network will normally be on publicly routable IPs.