Citrix NetScaler is an ADC (Application Delivery Controller) that provides flexible delivery services for traditional, containerized and microservice applications from your data center or any cloud. When it operates at layer 4 and above, NetScaler can perform load balancing, content switching and rewriting, and can act as an application layer firewall. It can inspect HTTP traffic and make firewall decisions based on how an application expects its inputs.
This document provides information about the NetScaler connector, which facilitates automated interactions with a NetScaler server using FortiSOAR™ playbooks. Add the NetScaler connector as a step in FortiSOAR™ playbooks and perform automated operations, such as creating a responder action and policy, retrieving the policy details of the application firewall, and updating the application firewall policy.
Connector Version: 1.0.0
Compatibility with FortiSOAR™ Versions: 4.9.0.0-708 and later
Compatibility with Citrix NetScaler VPX (1000) Versions: NS12.0 51.24.nc and later
For the procedure to install a connector, click here.
For the procedure to configure a connector, click here.
In FortiSOAR™, on the Connectors page, select the NetScaler connector and click Configure to configure the following parameters:
Parameter | Description |
---|---|
Hostname | IP address or FQDN of the Citrix NetScaler server to which you will connect and perform automated operations. |
Username | Username to access the Citrix NetScaler server. |
Password | Password to access the Citrix NetScaler server. |
Protocol | Protocol that will be used to communicate. Choose either http or https. |
Verify SSL | Specifies whether the SSL certificate for the server is to be verified or not. By default, this option is set as True. |
The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:
Function | Description | Annotation and Category |
---|---|---|
Get App FW Policy | Retrieves details of the application firewall policy such as the rule of the policy, the profile name and the priority of the policy. | get_policy Investigation |
Update Application Firewall Policy Expression | Updates an existing application firewall policy. | update_policy Containment |
Create Responder Action | Creates a responder action, whose default action type is Respond with HTML Page (Import From URL). Use this type of action to send an imported HTML page as the response. You must create a responder policy after you create a responder action. | |
Create Responder Policy | Creates a responder policy that is based on a rule, which consists of one or more expressions. The rule is associated with an action, which is performed if the request matches the rule. To put a responder policy into effect, you must bind it either globally, so that it applies to all the traffic that flows through NetScaler, or to a specific virtual server. | create_policy Containment |
Create IP Reputation Policy | Creates an IP Reputation policy that is based on a rule, which consists of one or more expressions. To put an IP reputation policy into effect, you must bind it either globally, so that it applies to all the traffic that flows through NetScaler, or to a specific virtual server. | create_policy Containment |
Parameter | Description |
---|---|
Policy Name | Name of the application firewall policy whose policy details you want to retrieve. |
The JSON output contains the details of the policy based on the specified policy name. The JSON output contains an appfwpolicy key that you can use in subsequent queries to update a policy rule.
Parameter | Description |
---|---|
Policy Name | Name of the application firewall policy whose policy you want to update. |
Replace or Append | You can choose to update the application firewall policy using either of the following options: Add to Existing: This will update the existing policy. Replace Existing: This will replace the existing policy. |
Expression | Name of the NetScaler named rule, or a NetScaler default syntax expression, that the policy uses to determine whether to filter the connection through the application firewall. Sample input if you use option 1 (Add to Existing): {{vars.steps.Get_Application_Firewall_Policy_Details.data.appfwpolicy[0].rule}} && {{vars.new_expression}} Sample input if you use option 2 (Replace Existing): {{vars.new_expression}} |
The JSON output generates the message, errorcode, and severity keys. If the errorcode is 0, then the policy has been updated successfully.
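The two sample inputs above, worked through in Python as an added example (not part of the connector or the original page): it builds the Expression value from an alert indicator, validates the indicator before it is placed into the expression, and checks errorcode on the result. The function names, the constructed sample outputs and the choice of CLIENT.IP.SRC.EQ as the new expression are assumptions of this example.

```python
import ipaddress

MODES = ("Add to Existing", "Replace Existing")

# Constructed sample of the Get App FW Policy output (only the keys used here).
SAMPLE_GET_OUTPUT = {"appfwpolicy": [{
    "name": "example_appfw_policy",
    "rule": 'HTTP.REQ.URL.CONTAINS("/admin") || HTTP.REQ.URL.CONTAINS("/login")',
}]}
# Constructed sample of the update output, with the three keys the page names.
SAMPLE_UPDATE_OUTPUT = {"message": "Done", "errorcode": 0, "severity": "NONE"}


def source_ip_expr(indicator):
    """Build CLIENT.IP.SRC.EQ(<ip>) from an indicator that must parse as IPv4."""
    addr = ipaddress.ip_address(indicator.strip())  # ValueError on anything else
    if addr.version != 4:
        raise ValueError("this example handles IPv4 indicators only")
    return f"CLIENT.IP.SRC.EQ({addr})"


def url_contains_expr(fragment):
    """Build HTTP.REQ.URL.CONTAINS("<fragment>"), refusing text that could
    terminate the string literal and append extra expression logic."""
    if not fragment or not fragment.isprintable() or any(c in fragment for c in '"\\'):
        raise ValueError(f"unsafe URL fragment: {fragment!r}")
    return f'HTTP.REQ.URL.CONTAINS("{fragment}")'


def compose_rule(get_policy_output, new_expression, mode):
    """Return the value for the Expression parameter of the update operation."""
    if mode not in MODES:
        raise ValueError(f"unknown mode: {mode!r}")
    if mode == "Replace Existing":
        return new_expression
    existing = get_policy_output["appfwpolicy"][0]["rule"]
    # Parenthesise both sides so the combined rule does not depend on how
    # && and || in the existing rule are grouped.
    return f"({existing}) && ({new_expression})"


def update_succeeded(update_output):
    """The page's success criterion: errorcode is 0."""
    return update_output.get("errorcode") == 0


if __name__ == "__main__":
    expr = source_ip_expr("203.0.113.7")  # documentation-range address
    print(compose_rule(SAMPLE_GET_OUTPUT, expr, "Add to Existing"))
    print(update_succeeded(SAMPLE_UPDATE_OUTPUT))
```

Appending with && narrows the rule to requests that match both the existing rule and the new expression, so confirm that this is the intended effect before choosing Add to Existing over Replace Existing.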
Parameter | Description |
---|---|
Action Name | Name of the responder action. |
Type | Type of the responder action. By default, this is set to Respond with HTML Page (Import From URL). In this case, the uploaded HTML page object specified as the target is sent as the response to the request. |
Import HTML Page Name | Name that you want to assign to the HTML page object in the NetScaler appliance. |
URL | Specify the URL that will be used in the response if the policy is hit. |
Response Status Code | Code of the HTTP response status. Default value for the Respond with HTML Page (Import From URL) action type is 200. |
Reason Phrase (Expression) | Expression that specifies the reason phrase of the HTTP response. The reason phrase might be a string literal with quotes or a PI expression. For example: "Invalid URL: " + HTTP.REQ.URL |
The JSON output generates the action_name and status keys. You can use the action_name key in subsequent queries to create a responder action.
Parameter | Description |
---|---|
Policy Name | Name of the responder policy that you want to create. |
Expression | Expression that the policy uses to determine whether to respond to a specific request. For example: HTTP.REQ.URL.CONTAINS("xyz") |
Action | Name of the responder action that will be performed if the request matches this responder policy. Actions can either be customized actions or built-in actions. Some of the built-in actions that you can use are: NOOP - Sends the request to the protected server instead of responding to it. RESET - Resets the client connection by closing it. The client program, such as a browser, will handle this and might inform the user. The client can then resend the request. DROP - Drops the request without sending a response to the user. |
The JSON output generates the policy_name and status keys. You can use the policy_name key in subsequent queries to create a responder policy.
Parameter | Description |
---|---|
Policy Name | Name of the IP Reputation policy that you want to create. |
Expression | Expression that the policy uses, which will be one of the following expressions: CLIENT.IP.SRC.IPREP_IS_MALICIOUS: This expression evaluates to TRUE if the client is to be included in the malicious IP list. CLIENT.IP.SRC.IPREP_THREAT_CATEGORY(Category): This expression evaluates to TRUE if the client IP is a malicious IP and it is present in the specified threat category. |
IP Reputation Threat Category | Applicable only for the CLIENT.IP.SRC.IPREP_THREAT_CATEGORY(Category) expression and it specifies the threat categories. Available threat categories are: Spam Sources, Windows Exploits, Botnets, Scanners, DOS, Reputation, Phishing, Proxy, Network, Cloud_Providers, Mobile_Threats |
Action | Name of the responder action that will be performed if the request matches this responder policy. Actions can either be customized actions or built-in actions. Some of the built-in actions that you can use are: NOOP - Sends the request to the protected server instead of responding to it. RESET - Resets the client connection by closing it. The client program, such as a browser, will handle this and might inform the user. The client can then resend the request. DROP - Drops the request without sending a response to the user. |
The JSON output generates the policy_name and status keys. You can use the policy_name key in subsequent queries to create an IP reputation policy.
The Sample - Citrix NetScaler VPX - 1.0.0 playbook collection comes bundled with the Citrix NetScaler VPX connector. This playbook contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Citrix NetScaler VPX connector.
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.