About the connector
Citrix NetScaler is an ADC (Application Delivery Controller) that provides flexible delivery services for traditional, containerized and microservice applications from your data center or any cloud. NetScaler, when it operates at layer 4+, can perform load balancing, content switching and rewriting, as well as act as an application layer firewall. It can inspect http traffic and make smart firewall type choices based on how an application expects inputs and so forth.
This document provides information about the NetScaler connector, which facilitates automated interactions, with a NetScaler server using FortiSOAR™ playbooks. Add the NetScaler connector as a step in FortiSOAR™ playbooks and perform automated operations, such as creating responder action and policy, retrieving the policy details of the application firewall, and updating the application firewall policy.
Version information
Connector Version: 1.0.0
Compatibility with FortiSOAR™ Versions: 4.9.0.0-708 and later
Compatibility with Citrix NetScaler VPX (1000) Versions: NS12.0 51.24.nc and later
Installing the connector
For the procedure to install a connector, click here.
Prerequisites to configuring the connector
- You must have the URL of the NetScaler server to which you will connect and perform the automated operations and credentials to access that server.
- To access the FortiSOAR™ UI, ensure that port 443 is open through the firewall for the FortiSOAR™ instance.
- You must enable the IP reputation, application firewall, and responder features of Citrix NetScaler VPX.
Configuring the connector
For the procedure to configure a connector, click here.
Configuration parameters
In FortiSOAR™, on the Connectors page, select the NetScaler connector and click Configure to configure the following parameters:
| Parameter |
Description |
| Hostname |
IP address or FQDN of the Citrix NetScaler server to which you will connect and perform automated operations. |
| Username |
Username to access the Citrix NetScaler server. |
| Password |
Password to access the Citrix NetScaler server. |
| Protocol |
Protocol that will be used to communicate, choose either http and https. |
| Verify SSL |
Specifies whether the SSL certificate for the server is to be verified or not.
By default, this option is set as True. |
Actions supported by the connector
The following automated operations can be included in playbooks and you can also use the annotations to access operations from FortiSOAR™ release 4.10.0 onwards:
| Function |
Description |
Annotation and Category |
| Get App FW Policy |
Retrieves details of the application firewall policy such as the rule of the policy, the profile name and the priority of the policy. |
get_policy
Investigation |
| Update Application Firewall Policy Expression |
Updates an existing application firewall policy. |
update_policy
Containment |
| Create Responder Action |
Creates a responder action, whose default action type is Respond with HTML Page (Import From URL). Use this type of action to send an imported HTML page as the response. You must create a responder policy after you create a responder action. |
|
| Create Responder Policy |
Creates a responder policy that is based on a rule, which consists of one or more expressions. The rule is associated with an action, which is performed if the request matches the rule. To put a responder policy into effect, you must bind it either globally, so that it applies to all the traffic that flows through NetScaler, or to a specific virtual server. |
create_policy
Containment |
| Create IP Reputation Policy |
Creates an IP Reputation policy that is based on a rule, which consists of one or more expressions. To put an IP reputation policy into effect, you must bind it either globally, so that it applies to all the traffic that flows through NetScaler, or to a specific virtual server. |
create_policy
Containment |
operation: Get App FW Policy
Input parameters
| Parameter |
Description |
| Policy Name |
Name of the application firewall policy whose policy details you want to retrieve. |
Output
The JSON output contains the details of the policy based on the specified policy name. The JSON output contains an appfwpolicy key that you can use in subsequent queries to update a policy rule.
Following image displays a sample output:
operation: Update Application Firewall Policy Expression
Input parameters
| Parameter |
Description |
| Policy Name |
Name of the application firewall policy whose policy you want to update. |
| Replace or Append |
You can choose to update the application firewall policy using either of the following options:
Add to Existing: This will update the existing policy.
Replace Existing: This will replace the existing policy. |
| Expression |
Name of the NetScaler named rule, or a NetScaler default syntax expression, that the policy uses to determine whether to filter the connection through the application firewall.
Sample input if you use option 1 (Add to Existing)
{{vars.steps.Get_Application_Firewall_Policy_Details.data.appfwpolicy[0].rule}} &&{{vars.new_expression}}
Sample input if you use option 2 (Replace Existing)
{{vars.new_expression} |
Output
The JSON output generates the message, errorcode, and severity keys. If the errorcode is 0 then the policy has been updated successfully.
Following image displays a sample output:
operation: Create Responder Action
Input parameters
| Parameter |
Description |
| Action Name |
Name of the responder action. |
| Type |
Type of the responder action.
By default, this is set to Respond with HTML Page (Import From URL). In this case, the response to the request is with the uploaded HTML page object specified as the target. |
| Import HTML Page Name |
Name that you want to assign to the HTML page object in the NetScaler appliance. |
| URL |
Specify the URL that will be used in the response if the policy is hit. |
| Response Status Code |
Code of the HTTP response status.
Default value for the Respond with HTML Page (Import From URL) action type is 200. |
| Reason Phrase (Expression) |
Expression that specifies the reason phrase of the HTTP response. The reason phrase might be a string literal with quotes or a PI expression. For example: "Invalid URL: " + HTTP.REQ.URL. |
Output
The JSON output generates the action_name and status keys. You can use the action_name key in subsequent queries to create a responder action.
Following image displays a sample output:
operation: Create Responder Policy
Input parameters
| Parameter |
Description |
| Policy Name |
Name of the responder policy that you want to create. |
| Expression |
Expression that the policy uses to determine whether to respond to a specific request.
For example: HTTP.REQ.URL.CONTAINS("xyz"). |
| Action |
Name of the responder action that will be performed if the request matches this responder policy. Actions can either be customized actions or built-in actions. Some of the built-in actions that you can use are:
NOOP - Sends the request to the protected server instead of responding to it.
RESET - Resets the client connection by closing it. The client program, such as a browser, will handle this and might inform the user. The client can then resend the request.
DROP - Drops the request without sending a response to the user. |
Output
The JSON output generates the policy_name and status keys. You can use the policy_name key in subsequent queries to create a responder policy.
Following image displays a sample output:
operation: Create IP Reputation Policy
Input parameters
| Parameter |
Description |
| Policy Name |
Name of the IP Reputation policy that you want to create. |
| Expression |
Expression that the policy uses, which will be one of the following expressions:
CLIENT.IP.SRC.IPREP_IS_MALICIOUS: This expression evaluates to TRUE if the client is to be included in the malicious IP list.
CLIENT.IP.SRC.IPREP_THREAT_CATEGORY(Category): This expression evaluates to TRUE if the client IP is a malicious IP and it is present in the specified threat category. |
| IP Reputation Threat Category |
Applicable only for the CLIENT.IP.SRC.IPREP_THREAT_CATEGORY(Category) expression and it specifies the threat categories. Available threat categories are:
Spam Sources
Windows Exploits
Botnets
Scanners
DOS
Reputation
Phishing
Proxy
Network
Cloud_Providers
Mobile_Threats |
| Action |
Name of the responder action that will be performed if the request matches this responder policy.
Actions can either be customized actions or built-in actions. Some of the built-in actions that you can use are:
NOOP - Sends the request to the protected server instead of responding to it.
RESET - Resets the client connection by closing it. The client program, such as a browser, will handle this and might inform the user. The client can then resend the request.
DROP - Drops the request without sending a response to the user. |
Output
The JSON output generates the policy_name and status keys. You can use the policy_name key in subsequent queries to create an IP reputation policy.
Following image displays a sample output:
Included playbooks
The Sample - Citrix NetScaler VPX - 1.0.0 playbook collection comes bundled with the Citrix NetScaler VPX connector. This playbook contains steps using which you can perform all supported actions. You can see the bundled playbooks in the Automation > Playbooks section in FortiSOAR™ after importing the Citrix NetScaler VPX connector.
- Create IP Reputation Policy
- Create Responder Action and Policy
- Get and Update Application Firewall Policy
Note: If you are planning to use any of the sample playbooks in your environment, ensure that you clone those playbooks and move them to a different collection since the sample playbook collection gets deleted during connector upgrade and delete.
