The Signature Auto Update functionality in Application Firewall allows the user to get the latest signatures to protect against the new vulnerabilities, thereby providing better protection without the need for ongoing manual intervention to get the latest updates.
The signatures are auto updated on an hourly basis thereby eliminating the need to constantly check for the availability of the most recent update. If you enable Signature Auto Update, then the NetScaler appliance connects to the server hosting the signatures to check if a newer version is available.
The latest Application Firewall signatures are hosted on Amazon which is configured as the default Signature URL to check for latest update.
However, the user has an option to download these signature mapping files to their internal server. User can then configure a different Signature URL path to download the signature mapping files from a local server. For the auto update feature to work, you might need to configure the DNS server to access the external site.
Updating the Signatures
All the user defined signature objects which are created using the appfw default signature object have a version greater than zero. If you enable Signature Auto Update, then all the signatures are updated automatically.
If the user has imported signatures with external format such as Cenzic or Qualys, then the signatures are imported with the version as zero. Similarly, if the user has created a signature object using the blank template, then it is created as a zero version signature. These signatures are not automatically updated, because the user might not be interested in the overhead of managing the default signatures that is not used.
However, Application Firewall also allows the user the flexibility to select these signatures and manually update them to add the default signature rules to the existing rules. After the signatures are manually updated, the version changes and then the signatures will also get auto updated along with the other signatures.
Configuring Signature Auto Update Feature
To configure Signature Auto Update feature, run the following commands from the command line interface:
set appfw settings SignatureAutoUpdate on
set appfw settings SignatureUrl https://s3.amazonaws.com/NSAppFwSignatures/SignaturesMapping.xml
To configure Signature Auto Update feature from the Configuration Utility, complete the following procedure:
Expand the Security node.
Expand the ApplicationFirewall node.
Select the Signatures node.
Select Auto Update Settings from Action.
Enable the Signatures Auto Update option.
You can specify a customized path for Signature Update URL, if required. Click Reset to reset to the default s3.amazonaws.com server.
Updating the Signatures Manually
To manually update a zero version signature or any other user defined signature, you must first get the latest update for the default signatures and then use this for updating the target user defined signature.
Run the following commands from the command line interface to update a signature file:
update appfw signatures “*Default Signatures”
update appfw signatures cenzic –mergedefault
Note: “*Default Signatures” is case sensitive. Cenzic in the preceding command is the name of the signature file that is updated.
Importing Default Signatures Without Internet Access
It is recommended to configure a proxy server to point to Amazon Web Services (AWS) server to get the latest update. However, if the NetScaler appliance does not have an internet connection to the external sites, then the user can store the updated signature files on a local server. The appliance can then download the signatures from the local server. In this scenario, the user must constantly check the Amazon site to get the latest updates. You can download and verify the signature file against the corresponding sha1 file which were created by using the Citrix public key to protect against tampering.
To copy the Signatures files to a local server, complete the following procedure:
To mirror the hosted web server, create a local directory such as <MySignatures> on a local server.
Open the AWS site.
Copy the SignaturesMapping.xml file to the <MySignatures> folder.
If you open the SignaturesMapping.xml file, you can see all the xml files for signatures and their corresponding sha1 files for different supported versions. One such pair is highlighted in the following screen shot:
- Create a sub-directory <sigs> in the <MySignatures> folder.
Copy all pairs of the *.xml files listed in the <file> tags and the *.xml.sha1 files listed in the corresponding <sha1> tags of the SignaturesMapping.xml file to the <sigs> folder. The following are few sample files that is copied to the <sigs> folder:
Note: You can give any name to the <MySignatures> folder and it can be in any location but the sub-directory <sigs> must be a sub-directory in the <MySignatures> folder where the mapping file is copied. In addition, ensure that as shown in the SignaturesMapping.xml, the sub-directory name <sigs> must have the exact name and is case sensitive. All Signature files and their corresponding sha1 files should be copied under this <sigs> directory.
After mirroring the contents from the hosted Amazon web server to the local server, change the path to the new local web server to set it as the SignatureUrl for auto update. For example, run the following command from the command line interface of the appliance:
>set appfw settings SignatureUrl https://myserver.example.net/MySignatures/SignaturesMapping.xml
The update operation can take several minutes, depending on the number of signatures to be updated. Allow sufficient time for the update operation to complete.
1. Please add the URL ‘https://myserver.example.net‘ to ‘/netscaler/ns_gui/admin_ui/php/application/controllers/common/utils.php’ so that Content Security Policy (CSP) security will not bock the URL access. Please note that these settings won’t persist in case of an upgrade. The user has to add it again after the upgrade.
$configuration_view_connect_src = “connect-src ‘self’ https://app.pendo.iohttps://s3.amazonaws.comhttps://myserver.example.net;“;
2. User need to configure the webserver ‘https://myserver.example.net‘ such that it will respond following CORS headers for https://myserver.example.net/MySignatures/SignaturesMapping.xml
Guidelines When Updating Signatures
Following guidelines are used when updating signatures:
The signatures are updated when the Signature update URL has a signature object which has the same or newer version.
Each Signature Rule is associated with a rule ID and version number. For example: <SignatureRule version=”16″ …>
Signature Rule from the incoming Signatures file with the same ID and version number as the existing one is ignored even if it has different patterns or log string.
Signature Rule with a new ID is added. All the actions and enabled flag are used from the new file.
Note: You might still need to review the updated signatures periodically to enable these newly added rules and change other action settings as per the requirements of the application.
Rules with the same ID but with a newer version number replaces the existing one. All the actions and enabled flag from the existing rule is preserved.
When you update the application firewall signatures from the NetScaler command line, you must first update the default signatures, and then issue additional update commands to update each custom signatures file that is based on the default signatures. If you do not update the default signatures first, a version mismatch error prevents updating of the custom signatures files.
The following applies to merging a third-party signature object with a user-defined signature object with Native rules and user-added rules: