kaiAsmOne
commented
1 week ago I have been trying to reverse engineer how Netscaler handles signatures.
To me there seems to be a discrepancy between the Nitro API Documentation and actual features
Nitro documentation indicates the abillity to enable / disable individual signatures based on Category and Signature ID
Documentation:
https://developer-docs.netscaler.com/en-us/adc-nitro-api/13-1/configuration/appfw/appfwsignatures vs the actual features available on how to manage WAF Signatures.
My claim on this discrepancy is confirmed by two approaches.
1: Capture Network Traffic when modifying signatures using Netscaler Diag Capture traffic 2: The yaml file found locally on Netscaler /var/netscaler/nitro/nitro-oas/config/appfw/appfwsignatures.yaml
To my understanding there are only to viable approaches to handle signatures:
1: /nitro/v1/config/appfwsignatures?action=update
This only supports fetching new signatures from the https://s3.amazonaws.com/NSAppFwSignatures/SignaturesMapping.xml
2: /nitro/v1/config/appfwsignatures?action=Import
This only supports importing a new signature file. If you packet capture the result of a simple task as enable/disable a single signature rule the HTTP data shows that the entire signature file is edited at clientside and a new signtature file is then uploaded to the Netscler
The result of these limitations is that managing signatures on a Netscaler means you will have to locally on your own machine or on your DevOps Agent / runner-image within a pipeline edit the Signature .xml file and upload it to the Netscler after editing the XML file manually using awk or similar tools.
This approach does not align very well with a dynamic DevOps Architecture.
Please tell me i am wrong and show me how you can using terraform. Alternative two show me how this can be done using REST API ( i have been trying with postman) direcly to the Netscaler.
Using 1: Nitro Documentatiion on appfwsignatures 2: Terraforms citrixadc_appfwsignatures 3: Packet Captures
All indicates the NiTRO API Documentation and Terraform Documentation for citrixadc_appfwsignatures are not really achievable
Terraform Core Version
1.5.7
citrixadc Provider Version
1.40.1
Operating system
macOS
Affected Resource(s)
citrixadc_appfwsignatures
Equivalent NetScaler CLI Command
N/A
Expected Behavior
I am trying to modify the signature behaviour for an existing signature object in an already existing signature file ( as in GUI: Security / Citrix Web Application Firewall / Signatures/ modifying already existing waf_sig_app.company.com).
Netscaler have to provide the following functionallity if not the Signatures in WAF Engine is useless when
1: You cannot on an entire Signature category ( set enabled = (enabled | disabled) ) && ( set action = (none | block | log | stats))
2: You cannot on a individual Signature / Rules to ( set enabled = (enabled | disabled) ) && ( set action = (none | block | log | stats))
2: You cannot set a list of Signature Entries / Rules to ( set enabled = (enabled | disabled) ) && ( set action = (none | block | log | stats))
I have written terraform module for citrixadc_appfwsignatures as follows:
resource "citrixadc_appfwsignatures" "app_waf_signatures" { name = "wafsig${var.waf_profilename}" merge = var.waf_signature_merge == "" ? null : var.waf_signature_merge overwrite = var.waf_signature_overwrite == "" ? null : var.waf_signature_overwrite src = var.waf_signature_location == "" ? null : var.waf_signature_location preservedefactions = var.waf_signature_preservedefaction == "" ? null : var.waf_signature_preservedefaction autoenablenewsignatures = var.waf_signature_autoenablenewsignatures == "" ? null : var.waf_signature_autoenablenewsignatures ruleid = var.waf_signature_ruleid == "" ? null : var.waf_signature_ruleid category = var.waf_signature_category == "" ? null : var.waf_signature_category enabled = var.waf_signature_enabled == "" ? null : var.waf_signature_enabled action = var.waf_signature_action == "" ? null : var.waf_signature_action
}
I call this module from my Netscaler as follows:
module "netscaler-adc-waf-signatures-myapp_company_com" { source = "../modules/CitrixADC-Appfw-Signatures" waf_profilename = var.myapp_company_com_applicationname waf_signature_merge = true waf_signature_overwrite = true waf_signature_location = "local:wafsig${var.myapp_company_com_applicationname}" waf_signature_action = ["log", "stats"] waf_signature_enabled = "ON" waf_signature_ruleid = ["998418", "998419","998420","998420","998421","998422","998423","998424","998425","998426"] depends_on = [module.netscaler-adc-waf-myapp_company_com , module.app_myapp_company_com] }
Actual Behavior
│ Error: [ERROR] nitro-go: Failed to apply action on resource of type appfwsignatures, action=Import err=failed: 599 Netscaler specific error ({ "errorcode": 3197, "message": "Importing the resource failed", "severity": "ERROR" }) │ │ with module.netscaler-adc-waf-signatures-myapp_company_com.citrixadc_appfwsignatures.app_waf_signatures, │ on ../modules/CitrixADC-Appfw-Signatures/main.tf line 2, in resource "citrixadc_appfwsignatures" "app_waf_signatures": │ 2: resource "citrixadc_appfwsignatures" "app_waf_signatures" { │ ╵
Relevant Error/Panic Output Snippet