Importing/exporting Citrix NetScaler Application Firewall profiles


Usually, we create profiles in a test environment. After thorough testing, they have to be copied to the production and the DR site.

Requirements:

Attention: test, production and DR site have to run exactly the same version, or the import will fail. The user performing the import has to be able to use the shell (so the account has to be equivalent to nsroot).

Exporting a profile

A profile can be exported at any time.

This can be done from the command line as well:
archive appfw profile <profile_name> <name of the tgz-file>
archive appfw profile waf_prof_myprof waf_prof_myprof.tgz

The exported profile can be found at /var/archive/appfw/.

Importing a profile

Go to Security -> Citrix Web App Firewall -> Profiles. Select the exported archive (the .tgz file created in the export step).


The import takes a little while even after this progress bar reaches 100%, because the bar only reflects the file upload.

I would suggest watching the logs during the import. This is the output in /var/log/ns.log while the archive was imported:
root@Innsbruck# tail -F -n 0 /var/log/ns.log
Apr 10 07:40:16 192.168.229.10 04/10/2023:07:40:16 GMT Innsbruck 0-PPE-0 : default CLI CMD_EXECUTED 214 0 : User nsroot - Remote_ip 192.168.229.1 - Command "sftp-server" - Status "Success"
Apr 10 07:40:16 192.168.229.10 04/10/2023:07:40:16 GMT Innsbruck 0-PPE-0 : default CLI CMD_EXECUTED 215 0 : User nsroot - Remote_ip 127.0.0.1 - Command "shell" - Status "Success"
Apr 10 07:40:21 192.168.229.10 04/10/2023:07:40:21 GMT Innsbruck 0-PPE-0 : default GUI CMD_EXECUTED 216 0 : User nsroot - Remote_ip 192.168.229.1 - Command "import appfw archive local:appfw_prof.tgz _arch_1681112421522" - Status "Success"
Apr 10 07:40:24 192.168.229.10 04/10/2023:07:40:24 GMT Innsbruck 0-PPE-0 : default GUI CMD_EXECUTED 277 0 : User nsroot - Remote_ip 192.168.229.1 - Command "restore appfw profile _arch_1681112421522" - Status "Success"
Apr 10 07:40:25 192.168.229.10 04/10/2023:07:40:25 GMT Innsbruck 0-PPE-0 : default CLI CMD_EXECUTED 278 0 : User nsroot - Remote_ip 192.168.229.1 - Command "sftp-server" - Status "Success"
Apr 10 07:40:25 192.168.229.10 04/10/2023:07:40:25 GMT Innsbruck 0-PPE-0 : default GUI CMD_EXECUTED 279 0 : User nsroot - Remote_ip 192.168.229.1 - Command "show appfw profile" - Status "Success"
Apr 10 07:40:25 Innsbruck remove: get_object_usage:1419... .
Apr 10 07:40:25 Innsbruck remove: get_object_usage:1437... .
Apr 10 07:40:25 Innsbruck remove: get_object_usage:1510... .
Apr 10 07:40:25 Innsbruck remove: get_object_usage:1519... .
Apr 10 07:40:25 192.168.229.10 04/10/2023:07:40:25 GMT Innsbruck 0-PPE-0 : default GUI CMD_EXECUTED 280 0 : User nsroot - Remote_ip 192.168.229.1 - Command "rm appfw archive _arch_1681112421522" - Status "Success"
Apr 10 07:40:25 192.168.229.10 04/10/2023:07:40:25 GMT Innsbruck 0-PPE-0 : default GUI CMD_EXECUTED 281 0 : User nsroot - Remote_ip 192.168.229.1 - Command "show appfw policy" - Status "Success"
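As the log shows, a GUI import is really three commands sharing one archive id (import appfw archive, restore appfw profile, rm appfw archive). The following script is an added example, not code from the post or from Citrix: it reads a copy of ns.log and reports whether every import reached the rm step with Status "Success". The sample log it writes is a constructed copy of the lines above.

```shell
#!/bin/sh
# Added example, not code from the original post: confirm from ns.log that a GUI
# import ran to completion. In the log above an import appears as three commands
# sharing one archive id, "import appfw archive ... <id>", "restore appfw profile
# <id>" and "rm appfw archive <id>"; the progress bar only covers the upload.
# The sample log written below is a constructed copy of those lines.
set -eu

# audit_import LOGFILE: print "<id> complete" when all three steps logged
# Status "Success", otherwise "<id> incomplete"; exit status 1 if any is incomplete.
audit_import() {
    awk '
        /CMD_EXECUTED/ {
            match($0, /Command "[^"]*"/); cmd = substr($0, RSTART + 9, RLENGTH - 10)
            match($0, /Status "[^"]*"/);  st  = substr($0, RSTART + 8, RLENGTH - 9)
            if (cmd ~ /^import appfw archive /)       step = 1
            else if (cmd ~ /^restore appfw profile /) step = 2
            else if (cmd ~ /^rm appfw archive /)      step = 4
            else next
            n = split(cmd, w, " "); id = w[n]; ids[id] = 1
            if (st == "Success") seen[id] += step; else bad[id] = 1
        }
        END {
            rc = 0
            for (id in ids) {
                if (seen[id] == 7 && !(id in bad)) print id, "complete"
                else { print id, "incomplete"; rc = 1 }
            }
            exit rc
        }' "$1"
}

# make_sample_log FILE: write the constructed log lines (copied from the post).
make_sample_log() {
    cat > "$1" <<'EOF'
Apr 10 07:40:21 192.168.229.10 04/10/2023:07:40:21 GMT Innsbruck 0-PPE-0 : default GUI CMD_EXECUTED 216 0 : User nsroot - Remote_ip 192.168.229.1 - Command "import appfw archive local:appfw_prof.tgz _arch_1681112421522" - Status "Success"
Apr 10 07:40:24 192.168.229.10 04/10/2023:07:40:24 GMT Innsbruck 0-PPE-0 : default GUI CMD_EXECUTED 277 0 : User nsroot - Remote_ip 192.168.229.1 - Command "restore appfw profile _arch_1681112421522" - Status "Success"
Apr 10 07:40:25 192.168.229.10 04/10/2023:07:40:25 GMT Innsbruck 0-PPE-0 : default GUI CMD_EXECUTED 279 0 : User nsroot - Remote_ip 192.168.229.1 - Command "show appfw profile" - Status "Success"
Apr 10 07:40:25 192.168.229.10 04/10/2023:07:40:25 GMT Innsbruck 0-PPE-0 : default GUI CMD_EXECUTED 280 0 : User nsroot - Remote_ip 192.168.229.1 - Command "rm appfw archive _arch_1681112421522" - Status "Success"
EOF
}

demo=$(mktemp -d)
make_sample_log "$demo/ns.log"
audit_import "$demo/ns.log"
```

Run it against a copy of /var/log/ns.log taken after the GUI reports 100%; an "incomplete" line means the restore or cleanup step has not been logged as successful yet.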

Content of the file

The exported file is a .tgz file. You can edit tar.gz files easily using the Linux file manager. From Windows (if you really want to use Windows) you can view or edit its content with tools like 7-Zip.

The archive contains four files and a folder (containing subfolders and files).

The four files

  • autodprules.txt (autoupdate rules)
  • relaxation_rules.txt (all your relaxation rules; this can be a huge file)
  • showcmds.txt (all commands that are executed during the import)
  • version (something like NetScaler NS13.1: Build 37.38.nc, Date: Nov 23 2022, 04:42:36 (64-bit))

The folder

The folder is called /var/download, so its content comes from NetScaler’s /var directory.

  • /var/download/custom/ (contains the signature definitions)
  • /var/download/htmlerrorurl (contains HTML error objects used with this profile)
  • /var/download/wsdl/ (imported wsdl files)
  • /var/download/xmlerrorurl/ (imported XML error object)
  • /var/download/xmlschema/ (imported XML schema files)
  • /var/download/mapping-custom (information about signature files)
  • /var/download/mapping-htmlerrorpage (information about HTML error pages)

Non-supported methods

Attention: this is not supported. There is absolutely no guarantee! (That is why I have called this section non-supported.)

Unlike most other objects, WAF profiles and error pages cannot be renamed. It is, however, possible to export a profile and rename the objects inside the exported archive.

Renaming the profile

Renaming the profile is the easy case: search and replace all references to the profile name in relaxation_rules.txt and showcmds.txt.

Renaming the signature definition

The signature definition can be found in /var/download/custom/. Rename the definition file there. Next, change the references to this file in /var/download/mapping-custom. Don’t forget to update the reference to these signatures in showcmds.txt as well!

Renaming HTML error objects

Follow the guideline for renaming the profile above.
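The renaming steps above (profile name in relaxation_rules.txt and showcmds.txt; signature file in var/download/custom plus its references in mapping-custom and showcmds.txt) as one script. This is an added example, not code from the post or from Citrix; it assumes GNU tar and sed on a Linux admin host, that the signature file is stored under its object name, and the line formats of the constructed sample archive are invented here.

```shell
#!/bin/sh
# Added example, not code from the original post: automate the manual renaming
# steps above on an exported appfw archive. Assumptions (constructed, not taken
# from a real export): GNU tar and sed on a Linux admin host; the signature file
# under var/download/custom/ is stored under its object name; the line formats of
# relaxation_rules.txt, showcmds.txt and mapping-custom are invented here.
set -eu

# Accept only plain object names so a name cannot alter the sed expressions.
check_name() {
    case "$1" in ''|*[!A-Za-z0-9_-]*) echo "bad object name: $1" >&2; return 1 ;; esac
}

# rename_archive OLD_PROFILE NEW_PROFILE OLD_SIG NEW_SIG IN.tgz OUT.tgz
rename_archive() {
    for n in "$1" "$2" "$3" "$4"; do check_name "$n"; done
    work=$(mktemp -d)
    tar -xzf "$5" -C "$work"
    # Profile: replace every whole-word reference in both rule files.
    sed -i "s/\\b$1\\b/$2/g" "$work/relaxation_rules.txt" "$work/showcmds.txt"
    # Signatures: rename the definition file, then its references in mapping-custom and showcmds.txt.
    mv "$work/var/download/custom/$3" "$work/var/download/custom/$4"
    sed -i "s/\\b$3\\b/$4/g" "$work/var/download/mapping-custom" "$work/showcmds.txt"
    tar -czf "$6" -C "$work" .
    rm -rf "$work"
}

# count_refs NAME ARCHIVE.tgz: number of lines in the archive's files mentioning NAME.
count_refs() {
    tar -xzOf "$2" | grep -c -- "$1" || true
}

# Build a small constructed archive in the layout the post describes.
make_sample_archive() {
    src=$(mktemp -d)
    mkdir -p "$src/var/download/custom"
    printf '%s\n' 'bind appfw profile waf_prof_myprof -startURL "^https://www\.example\.com/$"' > "$src/relaxation_rules.txt"
    printf '%s\n' 'add appfw profile waf_prof_myprof -startURLAction block' \
        'set appfw profile waf_prof_myprof -signatures sig_myprof' > "$src/showcmds.txt"
    printf '%s\n' '<SignaturesFile/>' > "$src/var/download/custom/sig_myprof"
    printf '%s\n' 'sig_myprof /var/download/custom/sig_myprof' > "$src/var/download/mapping-custom"
    : > "$src/autodprules.txt"; printf '%s\n' 'NetScaler NS13.1: Build 37.38.nc' > "$src/version"
    tar -czf "$1" -C "$src" .
    rm -rf "$src"
}

demo=$(mktemp -d)
make_sample_archive "$demo/waf_prof_myprof.tgz"
rename_archive waf_prof_myprof waf_prof_prod sig_myprof sig_prod "$demo/waf_prof_myprof.tgz" "$demo/waf_prof_prod.tgz"
echo "old profile references left: $(count_refs waf_prof_myprof "$demo/waf_prof_prod.tgz")"
```

Check the rewritten archive with count_refs before importing it: any remaining reference to the old profile or signature name means a file outside the ones listed above still mentions it.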


About the author

Johannes Norz

Johannes Norz is a Citrix Certified Citrix Technology Advocate (CTA), Citrix Certified Instructor (CCI) and Citrix Certified Expert on Application Delivery and Security (CCE-AppDS).

He frequently works for Citrix international Consulting Services and several education centres all around the globe.

Johannes lives in Austria. He was born in Innsbruck, a small city (150,000 inhabitants) in the middle of the most beautiful Austrian mountains (https://www.youtube.com/watch?v=UvdF145Lf2I).
