appfwprofile
Configuration for application firewall profile resource.
Properties
Name | Data Type | Permissions | Description |
---|---|---|---|
name | | Read-write | Name for the profile. Must begin with a letter, number, or the underscore character (_), and must contain only letters, numbers, and the hyphen (-), period (.), pound (#), space ( ), at (@), equals (=), colon (:), and underscore (_) characters. Cannot be changed after the profile is added. The following requirement applies only to the Citrix ADC CLI: If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, “my profile” or ‘my profile’). Minimum length = 1 |
defaults | | Read-write | Default configuration to apply to the profile. Basic defaults are intended for standard content that requires little further configuration, such as static web site content. Advanced defaults are intended for specialized content that requires significant specialized configuration, such as heavily scripted or dynamic content. CLI users: When adding an application firewall profile, you can set either the defaults or the type, but not both. To set both options, create the profile by using the add appfw profile command, and then use the set appfw profile command to configure the other option. Possible values = basic, advanced |
starturlaction | <String[]> | Read-write | One or more Start URL actions. Available settings function as follows |
infercontenttypexmlpayloadaction | <String[]> | Read-write | One or more infer content type payload actions. Available settings function as follows |
contenttypeaction | <String[]> | Read-write | One or more Content-type actions. Available settings function as follows |
inspectcontenttypes | <String[]> | Read-write | One or more InspectContentType lists: application/x-www-form-urlencoded, multipart/form-data, text/x-gwt-rpc. CLI users: To enable, type “set appfw profile -InspectContentTypes” followed by the content types to be inspected. Possible values = none, application/x-www-form-urlencoded, multipart/form-data, text/x-gwt-rpc |
starturlclosure | | Read-write | Toggle the state of Start URL Closure. Default value: OFF. Possible values = ON, OFF |
denyurlaction | <String[]> | Read-write | One or more Deny URL actions. Available settings function as follows |
refererheadercheck | | Read-write | Enable validation of Referer headers. Referer validation ensures that a web form that a user sends to your web site originally came from your web site, not an outside attacker. Although this parameter is part of the Start URL check, referer validation protects against cross-site request forgery (CSRF) attacks, not Start URL attacks. Default value: OFF. Possible values = OFF, if_present, AlwaysExceptStartURLs, AlwaysExceptFirstRequest |
cookieconsistencyaction | <String[]> | Read-write | One or more Cookie Consistency actions. Available settings function as follows |
cookiehijackingaction | <String[]> | Read-write | One or more actions to prevent cookie hijacking. Available settings function as follows |
cookietransforms | | Read-write | Perform the specified type of cookie transformation. Available settings function as follows |
cookieencryption | | Read-write | Type of cookie encryption. Available settings function as follows |
cookieproxying | | Read-write | Cookie proxy setting. Available settings function as follows |
addcookieflags | | Read-write | Add the specified flags to cookies. Available settings function as follows |
fieldconsistencyaction | <String[]> | Read-write | One or more Form Field Consistency actions. Available settings function as follows |
csrftagaction | <String[]> | Read-write | One or more Cross-Site Request Forgery (CSRF) Tagging actions. Available settings function as follows |
crosssitescriptingaction | <String[]> | Read-write | One or more Cross-Site Scripting (XSS) actions. Available settings function as follows |
crosssitescriptingtransformunsafehtml | | Read-write | Transform cross-site scripts. This setting configures the application firewall to disable dangerous HTML instead of blocking the request. CAUTION: Make sure that this parameter is set to ON if you are configuring any cross-site scripting transformations. If it is set to OFF, no cross-site scripting transformations are performed regardless of any other settings. Default value: OFF. Possible values = ON, OFF |
crosssitescriptingcheckcompleteurls | | Read-write | Check complete URLs for cross-site scripts, instead of just the query portions of URLs. Default value: OFF. Possible values = ON, OFF |
sqlinjectionaction | <String[]> | Read-write | One or more HTML SQL Injection actions. Available settings function as follows |
cmdinjectionaction | <String[]> | Read-write | Command injection action. Available settings function as follows |
cmdinjectiontype | | Read-write | Available CMD injection types. CMDSplChar: checks for CMD special characters. CMDKeyword: checks for CMD keywords. CMDSplCharANDKeyword: checks for both and blocks if both are found. CMDSplCharORKeyword: checks for both and blocks if either is found. Default value: CMDSplCharANDKeyword. Possible values = CMDSplChar, CMDKeyword, CMDSplCharORKeyword, CMDSplCharANDKeyword |
sqlinjectiontransformspecialchars | | Read-write | Transform injected SQL code. This setting configures the application firewall to disable SQL special strings instead of blocking the request. Since most SQL servers require a special string to activate an SQL keyword, in most cases a request that contains injected SQL code is safe if special strings are disabled. CAUTION: Make sure that this parameter is set to ON if you are configuring any SQL injection transformations. If it is set to OFF, no SQL injection transformations are performed regardless of any other settings. Default value: OFF. Possible values = ON, OFF |
sqlinjectiononlycheckfieldswithsqlchars | | Read-write | Check only form fields that contain SQL special strings (characters) for injected SQL code. Most SQL servers require a special string to activate an SQL request, so SQL code without a special string is harmless to most SQL servers. Default value: ON. Possible values = ON, OFF |
sqlinjectiontype | | Read-write | Available SQL injection types. SQLSplChar: checks for SQL special characters. SQLKeyword: checks for SQL keywords. SQLSplCharANDKeyword: checks for both and blocks if both are found. SQLSplCharORKeyword: checks for both and blocks if either is found. Default value: SQLSplCharANDKeyword. Possible values = SQLSplChar, SQLKeyword, SQLSplCharORKeyword, SQLSplCharANDKeyword |
sqlinjectionchecksqlwildchars | | Read-write | Check for form fields that contain SQL wildcard characters. Default value: OFF. Possible values = ON, OFF |
fieldformataction | <String[]> | Read-write | One or more Field Format actions. Available settings function as follows |
defaultfieldformattype | | Read-write | Designate a default field type to be applied to web form fields that do not have a field type explicitly assigned to them. Minimum length = 1 |
defaultfieldformatminlength | | Read-write | Minimum length, in characters, for data entered into a field that is assigned the default field type. To disable the minimum and maximum length settings and allow data of any length to be entered into the field, set this parameter to zero (0). Default value: 0. Minimum value = 0. Maximum value = 2147483647 |
defaultfieldformatmaxlength | | Read-write | Maximum length, in characters, for data entered into a field that is assigned the default field type. Default value: 65535. Minimum value = 1. Maximum value = 2147483647 |
bufferoverflowaction | <String[]> | Read-write | One or more Buffer Overflow actions. Available settings function as follows |
bufferoverflowmaxurllength | | Read-write | Maximum length, in characters, for URLs on your protected web sites. Requests with longer URLs are blocked. Default value: 1024. Minimum value = 0. Maximum value = 65535 |
bufferoverflowmaxheaderlength | | Read-write | Maximum length, in characters, for HTTP headers in requests sent to your protected web sites. Requests with longer headers are blocked. Default value: 4096. Minimum value = 0. Maximum value = 65535 |
bufferoverflowmaxcookielength | | Read-write | Maximum length, in characters, for cookies sent to your protected web sites. Requests with longer cookies are blocked. Default value: 4096. Minimum value = 0. Maximum value = 65535 |
bufferoverflowmaxquerylength | | Read-write | Maximum length, in bytes, for query strings sent to your protected web sites. Requests with longer query strings are blocked. Default value: 1024. Minimum value = 0. Maximum value = 65535 |
bufferoverflowmaxtotalheaderlength | | Read-write | Maximum length, in bytes, for the total HTTP header length in requests sent to your protected web sites. The lower of this value and maxHeaderLen in httpProfile is used. Requests with a longer total header length are blocked. Default value: 24820. Minimum value = 0. Maximum value = 65535 |
creditcardaction | <String[]> | Read-write | One or more Credit Card actions. Available settings function as follows |
creditcard | <String[]> | Read-write | Credit card types that the application firewall should protect. Default value: none. Possible values = none, visa, mastercard, discover, amex, jcb, dinersclub |
creditcardmaxallowed | | Read-write | This parameter value is used by the block action. It represents the maximum number of credit card numbers that can appear on a web page served by your protected web sites. Pages that contain more credit card numbers are blocked. Minimum value = 0. Maximum value = 255 |
creditcardxout | | Read-write | Mask any credit card number detected in a response by replacing each digit, except the digits in the final group, with the letter “X”. Default value: OFF. Possible values = ON, OFF |
dosecurecreditcardlogging | | Read-write | Setting this option logs credit card numbers in the response when the match is found. Default value: ON. Possible values = ON, OFF |
streaming | | Read-write | Setting this option converts content-length form submission requests (requests with content-type “application/x-www-form-urlencoded” or “multipart/form-data”) to chunked requests when at least one of the following protections is enabled: SQL injection protection, XSS protection, form field consistency protection, Start URL closure, CSRF tagging. Make sure that the backend server accepts chunked requests before enabling this option. Default value: OFF. Possible values = ON, OFF |
trace | | Read-write | Toggle the state of trace. Default value: OFF. Possible values = ON, OFF |
requestcontenttype | | Read-write | Default Content-Type header for requests. A Content-Type header can contain 0-255 letters, numbers, and the hyphen (-) and underscore (_) characters. Minimum length = 1. Maximum length = 255 |
responsecontenttype | | Read-write | Default Content-Type header for responses. A Content-Type header can contain 0-255 letters, numbers, and the hyphen (-) and underscore (_) characters. Minimum length = 1. Maximum length = 255 |
jsonerrorobject | | Read-write | Name of the imported JSON Error Object to be set on the application firewall profile. The following requirement applies only to the Citrix ADC CLI: If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, “my JSON error object” or ‘my JSON error object’). Minimum length = 1 |
jsondosaction | <String[]> | Read-write | One or more JSON Denial-of-Service (JsonDoS) actions. Available settings function as follows |
jsonsqlinjectionaction | <String[]> | Read-write | One or more JSON SQL Injection actions. Available settings function as follows |
jsonsqlinjectiontype | | Read-write | Available SQL injection types. SQLSplChar: checks for SQL special characters. SQLKeyword: checks for SQL keywords. SQLSplCharANDKeyword: checks for both and blocks if both are found. SQLSplCharORKeyword: checks for both and blocks if either is found. Default value: SQLSplCharANDKeyword. Possible values = SQLSplChar, SQLKeyword, SQLSplCharORKeyword, SQLSplCharANDKeyword |
jsonxssaction | <String[]> | Read-write | One or more JSON Cross-Site Scripting actions. Available settings function as follows |
xmldosaction | <String[]> | Read-write | One or more XML Denial-of-Service (XDoS) actions. Available settings function as follows |
xmlformataction | <String[]> | Read-write | One or more XML Format actions. Available settings function as follows |
xmlsqlinjectionaction | <String[]> | Read-write | One or more XML SQL Injection actions. Available settings function as follows |
xmlsqlinjectiononlycheckfieldswithsqlchars | | Read-write | Check only form fields that contain SQL special characters, which most SQL servers require before accepting an SQL command, for injected SQL. Default value: ON. Possible values = ON, OFF |
xmlsqlinjectiontype | | Read-write | Available SQL injection types. SQLSplChar: checks for SQL special characters. SQLKeyword: checks for SQL keywords. SQLSplCharANDKeyword: checks for both and blocks if both are found. SQLSplCharORKeyword: checks for both and blocks if either is found. Default value: SQLSplCharANDKeyword. Possible values = SQLSplChar, SQLKeyword, SQLSplCharORKeyword, SQLSplCharANDKeyword |
xmlsqlinjectionchecksqlwildchars | | Read-write | Check for form fields that contain SQL wildcard characters. Default value: OFF. Possible values = ON, OFF |
xmlsqlinjectionparsecomments | | Read-write | Parse comments in XML data and exempt those sections of the request that are comments from the XML SQL Injection check. You must configure the type of comments that the application firewall is to detect and exempt from this security check. Available settings function as follows |
xmlxssaction | <String[]> | Read-write | One or more XML Cross-Site Scripting actions. Available settings function as follows |
xmlwsiaction | <String[]> | Read-write | One or more Web Services Interoperability (WSI) actions. Available settings function as follows |
xmlattachmentaction | <String[]> | Read-write | One or more XML Attachment actions. Available settings function as follows |
xmlvalidationaction | <String[]> | Read-write | One or more XML Validation actions. Available settings function as follows |
xmlerrorobject | | Read-write | Name to assign to the XML Error Object, which the application firewall displays when a user request is blocked. Must begin with a letter, number, or the underscore character (_), and must contain only letters, numbers, and the hyphen (-), period (.), pound (#), space ( ), at (@), equals (=), colon (:), and underscore (_) characters. Cannot be changed after the XML error object is added. The following requirement applies only to the Citrix ADC CLI: If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, “my XML error object” or ‘my XML error object’). Minimum length = 1 |
customsettings | | Read-write | Object name for custom settings. This check is applicable to Profile Type: HTML, XML. Minimum length = 1 |
signatures | | Read-write | Object name for signatures. This check is applicable to Profile Type: HTML, XML. Minimum length = 1 |
xmlsoapfaultaction | <String[]> | Read-write | One or more XML SOAP Fault Filtering actions. Available settings function as follows |
usehtmlerrorobject | | Read-write | Send an imported HTML Error object to a user when a request is blocked, instead of redirecting the user to the designated Error URL. Default value: OFF. Possible values = ON, OFF |
errorurl | | Read-write | URL that the application firewall uses as the Error URL. Minimum length = 1 |
htmlerrorobject | | Read-write | Name to assign to the HTML Error Object. Must begin with a letter, number, or the underscore character (_), and must contain only letters, numbers, and the hyphen (-), period (.), pound (#), space ( ), at (@), equals (=), colon (:), and underscore (_) characters. Cannot be changed after the HTML error object is added. The following requirement applies only to the Citrix ADC CLI: If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, “my HTML error object” or ‘my HTML error object’). Minimum length = 1 |
logeverypolicyhit | | Read-write | Log every profile match, regardless of security check results. Default value: OFF. Possible values = ON, OFF |
stripcomments | | Read-write | Strip HTML comments. This check is applicable to Profile Type: HTML. Default value: OFF. Possible values = ON, OFF |
striphtmlcomments | | Read-write | Strip HTML comments before forwarding a web page sent by a protected web site in response to a user request. Default value: none. Possible values = none, all, exclude_script_tag |
stripxmlcomments | | Read-write | Strip XML comments before forwarding a web page sent by a protected web site in response to a user request. Default value: none. Possible values = none, all |
exemptclosureurlsfromsecuritychecks | | Read-write | Exempt URLs that pass the Start URL closure check from SQL injection, cross-site script, field format and field consistency security checks at locations other than headers. Default value: ON. Possible values = ON, OFF |
defaultcharset | | Read-write | Default character set for protected web pages. Web pages sent by your protected web sites in response to user requests are assigned this character set if the page does not already specify a character set. The character sets supported by the application firewall are |
dynamiclearning | <String[]> | Read-write | One or more security checks. Available options are as follows |
postbodylimit | | Read-write | Maximum allowed HTTP post body size, in bytes. Maximum supported value is 10GB. Default value: 20000000 |
postbodylimitaction | <String[]> | Read-write | One or more Post Body Limit actions. Available settings function as follows |
postbodylimitsignature | | Read-write | Maximum allowed HTTP post body size, in bytes, for signature inspection for location HTTP_POST_BODY in the signatures. Note that changes to this value could impact the CPU and latency profile. Default value: 2048 |
fileuploadmaxnum | | Read-write | Maximum allowed number of file uploads per form-submission request. The maximum setting (65535) allows an unlimited number of uploads. Default value: 65535. Minimum value = 0. Maximum value = 65535 |
canonicalizehtmlresponse | | Read-write | Perform HTML entity encoding for any special characters in responses sent by your protected web sites. Default value: ON. Possible values = ON, OFF |
enableformtagging | | Read-write | Enable tagging of web form fields for use by the Form Field Consistency and CSRF Form Tagging checks. Default value: ON. Possible values = ON, OFF |
sessionlessfieldconsistency | | Read-write | Perform sessionless Field Consistency Checks. Default value: OFF. Possible values = OFF, ON, postOnly |
sessionlessurlclosure | | Read-write | Enable sessionless URL Closure Checks. This check is applicable to Profile Type: HTML. Default value: OFF. Possible values = ON, OFF |
semicolonfieldseparator | | Read-write | Allow ‘;’ as a form field separator in URL queries and POST form bodies. Default value: OFF. Possible values = ON, OFF |
excludefileuploadfromchecks | | Read-write | Exclude uploaded files from Form checks. Default value: OFF. Possible values = ON, OFF |
sqlinjectionparsecomments | | Read-write | Parse HTML comments and exempt them from the HTML SQL Injection check. You must specify the type of comments that the application firewall is to detect and exempt from this security check. Available settings function as follows |
invalidpercenthandling | | Read-write | Configure the method that the application firewall uses to handle percent-encoded names and values. Available settings function as follows |
type | <String[]> | Read-write | Application firewall profile type, which controls which security checks and settings are applied to content that is filtered with the profile. Available settings function as follows |
checkrequestheaders | | Read-write | Check request headers as well as web forms for injected SQL and cross-site scripts. Default value: OFF. Possible values = ON, OFF |
inspectquerycontenttypes | <String[]> | Read-write | Inspect the request query as well as web forms for injected SQL and cross-site scripts for the following content types. Possible values = HTML, XML, JSON, OTHER |
optimizepartialreqs | | Read-write | Optimize handling of HTTP partial requests, i.e. those with range headers. Available settings are as follows |
urldecoderequestcookies | | Read-write | URL-decode request cookies before subjecting them to SQL and cross-site scripting checks. Default value: OFF. Possible values = ON, OFF |
comment | | Read-write | Any comments about the purpose of the profile, or other useful information about the profile. |
percentdecoderecursively | | Read-write | Configure whether the application firewall should use percentage recursive decoding. Default value: ON. Possible values = ON, OFF |
multipleheaderaction | <String[]> | Read-write | One or more multiple header actions. Available settings function as follows |
rfcprofile | | Read-write | Object name of the RFC profile. Minimum length = 1 |
fileuploadtypesaction | <String[]> | Read-write | One or more file upload types actions. Available settings function as follows |
verboseloglevel | | Read-write | Detailed Logging Verbose Log Level. Default value: pattern. Possible values = pattern, patternPayload, patternPayloadHeader |
archivename | | Read-write | Source for tar archive. Minimum length = 1. Maximum length = 31 |
relaxationrules | | Read-write | Import all appfw relaxation rules. |
importprofilename | | Read-write | Name of the profile which will be created/updated to associate the relaxation rules. Maximum length = 31 |
matchurlstring | | Read-write | Match this action URL in archived Relaxation Rules to replace. Maximum length = 2047 |
replaceurlstring | | Read-write | Replace the matched URL string with this action URL string while restoring Relaxation Rules. Maximum length = 2047 |
overwrite | | Read-write | Purge existing Relaxation Rules and replace during import. |
augment | | Read-write | Augment Relaxation Rules during import. |
state | | Read-only | Enabled. Possible values = ENABLED, DISABLED |
learning | | Read-only | Profile level learning option that overrides the protection level learning. Available settings are as follows |
csrftag | | Read-only | The web form originating URL. |
builtin | | Read-only | Indicates that a profile is a built-in entity. |
__count | | Read-only | count parameter |
Operations
- ADD
- DELETE
- UPDATE
- UNSET
- GET (ALL)
- GET
- COUNT
- RESTORE
Some options that you can use for each operation:
- Getting warnings in response: NITRO allows you to get warnings in an operation by specifying the 'warning' query parameter as 'yes'. For example, to get warnings while connecting to the NetScaler appliance, the URL is as follows:
  http://<netscaler-ip-address>/nitro/v1/config/login?warning=yes
  If any, the warnings are displayed in the response payload with the HTTP code '209 X-NITRO-WARNING'.
- Authenticated access for individual NITRO operations: NITRO allows you to log on to the NetScaler appliance to perform individual operations. You can use this option instead of creating a NITRO session (using the login object) and then using that session to perform all operations.
  To do this, you must specify the username and password in the request header of the NITRO request as follows:
  X-NITRO-USER: <username>
  X-NITRO-PASS: <password>
  Note: In such cases, make sure that the request header does not include the following:
  Cookie:NITRO_AUTH_TOKEN=<tokenvalue>

Note: Mandatory parameters are marked in red and placeholder content is marked in green
add
URL: http://<netscaler-ip-address>/nitro/v1/config/appfwprofile
HTTP Method: POST
Request Headers:
Cookie:NITRO_AUTH_TOKEN=<tokenvalue>
Content-Type:application/json
Request Payload:
{"appfwprofile":{
<b>"name":<String_value>,</b>
"defaults":<String_value>,
"starturlaction":<String[]_value>,
"infercontenttypexmlpayloadaction":<String[]_value>,
"contenttypeaction":<String[]_value>,
"inspectcontenttypes":<String[]_value>,
"starturlclosure":<String_value>,
"denyurlaction":<String[]_value>,
"refererheadercheck":<String_value>,
"cookieconsistencyaction":<String[]_value>,
"cookiehijackingaction":<String[]_value>,
"cookietransforms":<String_value>,
"cookieencryption":<String_value>,
"cookieproxying":<String_value>,
"addcookieflags":<String_value>,
"fieldconsistencyaction":<String[]_value>,
"csrftagaction":<String[]_value>,
"crosssitescriptingaction":<String[]_value>,
"crosssitescriptingtransformunsafehtml":<String_value>,
"crosssitescriptingcheckcompleteurls":<String_value>,
"sqlinjectionaction":<String[]_value>,
"cmdinjectionaction":<String[]_value>,
"cmdinjectiontype":<String_value>,
"sqlinjectiontransformspecialchars":<String_value>,
"sqlinjectiononlycheckfieldswithsqlchars":<String_value>,
"sqlinjectiontype":<String_value>,
"sqlinjectionchecksqlwildchars":<String_value>,
"fieldformataction":<String[]_value>,
"defaultfieldformattype":<String_value>,
"defaultfieldformatminlength":<Double_value>,
"defaultfieldformatmaxlength":<Double_value>,
"bufferoverflowaction":<String[]_value>,
"bufferoverflowmaxurllength":<Double_value>,
"bufferoverflowmaxheaderlength":<Double_value>,
"bufferoverflowmaxcookielength":<Double_value>,
"bufferoverflowmaxquerylength":<Double_value>,
"bufferoverflowmaxtotalheaderlength":<Double_value>,
"creditcardaction":<String[]_value>,
"creditcard":<String[]_value>,
"creditcardmaxallowed":<Double_value>,
"creditcardxout":<String_value>,
"dosecurecreditcardlogging":<String_value>,
"streaming":<String_value>,
"trace":<String_value>,
"requestcontenttype":<String_value>,
"responsecontenttype":<String_value>,
"jsonerrorobject":<String_value>,
"jsondosaction":<String[]_value>,
"jsonsqlinjectionaction":<String[]_value>,
"jsonsqlinjectiontype":<String_value>,
"jsonxssaction":<String[]_value>,
"xmldosaction":<String[]_value>,
"xmlformataction":<String[]_value>,
"xmlsqlinjectionaction":<String[]_value>,
"xmlsqlinjectiononlycheckfieldswithsqlchars":<String_value>,
"xmlsqlinjectiontype":<String_value>,
"xmlsqlinjectionchecksqlwildchars":<String_value>,
"xmlsqlinjectionparsecomments":<String_value>,
"xmlxssaction":<String[]_value>,
"xmlwsiaction":<String[]_value>,
"xmlattachmentaction":<String[]_value>,
"xmlvalidationaction":<String[]_value>,
"xmlerrorobject":<String_value>,
"customsettings":<String_value>,
"signatures":<String_value>,
"xmlsoapfaultaction":<String[]_value>,
"usehtmlerrorobject":<String_value>,
"errorurl":<String_value>,
"htmlerrorobject":<String_value>,
"logeverypolicyhit":<String_value>,
"stripcomments":<String_value>,
"striphtmlcomments":<String_value>,
"stripxmlcomments":<String_value>,
"exemptclosureurlsfromsecuritychecks":<String_value>,
"defaultcharset":<String_value>,
"dynamiclearning":<String[]_value>,
"postbodylimit":<Double_value>,
"postbodylimitaction":<String[]_value>,
"postbodylimitsignature":<Double_value>,
"fileuploadmaxnum":<Double_value>,
"canonicalizehtmlresponse":<String_value>,
"enableformtagging":<String_value>,
"sessionlessfieldconsistency":<String_value>,
"sessionlessurlclosure":<String_value>,
"semicolonfieldseparator":<String_value>,
"excludefileuploadfromchecks":<String_value>,
"sqlinjectionparsecomments":<String_value>,
"invalidpercenthandling":<String_value>,
"type":<String[]_value>,
"checkrequestheaders":<String_value>,
"inspectquerycontenttypes":<String[]_value>,
"optimizepartialreqs":<String_value>,
"urldecoderequestcookies":<String_value>,
"comment":<String_value>,
"percentdecoderecursively":<String_value>,
"multipleheaderaction":<String[]_value>,
"rfcprofile":<String_value>,
"fileuploadtypesaction":<String[]_value>,
"verboseloglevel":<String_value>
}}
Response:
HTTP Status Code on Success: 201 Created
HTTP Status Code on Failure: 4xx <string> (for general HTTP errors) or 5xx <string> (for NetScaler-specific errors). The response payload provides details of the error
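As an added example (not part of the Citrix documentation), the Python code below checks an appfwprofile payload against a subset of the constraints in the Properties table and builds, without sending, the ADD request with either the session cookie or the X-NITRO-USER/X-NITRO-PASS headers, never both. The function names, the sample profile, the host name used when calling it, and the use of https:// in place of the page's http:// are assumptions of this example.

```python
import json
import re

# Subset of the constraints in the Properties table above (not the full schema).
NAME_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.#@=: -]*")
ON_OFF = {"ON", "OFF"}
ENUMS = {
    "defaults": {"basic", "advanced"},
    "refererheadercheck": {"OFF", "if_present", "AlwaysExceptStartURLs",
                           "AlwaysExceptFirstRequest"},
    "cmdinjectiontype": {"CMDSplChar", "CMDKeyword", "CMDSplCharORKeyword",
                         "CMDSplCharANDKeyword"},
    "sqlinjectiontype": {"SQLSplChar", "SQLKeyword", "SQLSplCharORKeyword",
                         "SQLSplCharANDKeyword"},
    "starturlclosure": ON_OFF, "creditcardxout": ON_OFF, "streaming": ON_OFF,
}
LIST_ENUMS = {
    "inspectcontenttypes": {"none", "application/x-www-form-urlencoded",
                            "multipart/form-data", "text/x-gwt-rpc"},
    "creditcard": {"none", "visa", "mastercard", "discover", "amex", "jcb",
                   "dinersclub"},
}
RANGES = {
    "bufferoverflowmaxurllength": (0, 65535),
    "bufferoverflowmaxheaderlength": (0, 65535),
    "bufferoverflowmaxcookielength": (0, 65535),
    "bufferoverflowmaxquerylength": (0, 65535),
    "creditcardmaxallowed": (0, 255),
    "defaultfieldformatmaxlength": (1, 2147483647),
    "fileuploadmaxnum": (0, 65535),
}


def validate_profile(profile):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    name = profile.get("name")
    if not isinstance(name, str) or not NAME_RE.fullmatch(name):
        problems.append("name: missing, empty, or uses a disallowed character")
    for key, allowed in ENUMS.items():
        value = profile.get(key)
        if key in profile and (not isinstance(value, str) or value not in allowed):
            problems.append(f"{key}: {value!r} is not one of {sorted(allowed)}")
    for key, allowed in LIST_ENUMS.items():
        values = profile.get(key, [])
        if not isinstance(values, list) or any(
                not isinstance(v, str) or v not in allowed for v in values):
            problems.append(f"{key}: {values!r} has unsupported entries")
    for key, (low, high) in RANGES.items():
        value = profile.get(key)
        if key in profile and (type(value) is not int or not low <= value <= high):
            problems.append(f"{key}: {value!r} is outside {low}..{high}")
    return problems


def advisories(profile):
    """Settings that are valid but that the table attaches a caveat to."""
    notes = []
    if profile.get("streaming") == "ON":
        notes.append("streaming=ON: confirm the backend accepts chunked requests")
    if profile.get("fileuploadmaxnum") == 65535:
        notes.append("fileuploadmaxnum=65535 allows an unlimited number of uploads")
    return notes


def build_add_request(host, profile, token=None, user=None, password=None):
    """Build (do not send) the ADD request described above."""
    problems = validate_profile(profile)
    if problems:
        raise ValueError("; ".join(problems))
    if token and (user or password):
        # Per the page: per-request credentials must not accompany the cookie.
        raise ValueError("use the session cookie or X-NITRO-USER/PASS, not both")
    headers = {"Content-Type": "application/json"}
    if token:
        headers["Cookie"] = f"NITRO_AUTH_TOKEN={token}"
    elif user and password:
        headers["X-NITRO-USER"] = user
        headers["X-NITRO-PASS"] = password
    else:
        raise ValueError("no credentials supplied")
    return {
        "method": "POST",
        # Assumption: HTTPS management access, so credentials are not sent in clear.
        "url": f"https://{host}/nitro/v1/config/appfwprofile",
        "headers": headers,
        "body": json.dumps({"appfwprofile": profile}),
    }


# Constructed sample profile; the name and values are illustrative only.
SAMPLE = {
    "name": "web_profile-01", "defaults": "advanced",
    "refererheadercheck": "if_present", "sqlinjectiontype": "SQLSplCharANDKeyword",
    "bufferoverflowmaxurllength": 1024, "creditcard": ["visa", "mastercard"],
    "creditcardxout": "ON", "streaming": "ON",
}
```

Running the validator before every ADD or UPDATE catches out-of-range limits and misspelled enum values locally instead of as a 4xx/5xx response from the appliance.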
delete
URL: http://<netscaler-ip-address>/nitro/v1/config/appfwprofile/name_value<String>
HTTP Method: DELETE
Request Headers:
Cookie:NITRO_AUTH_TOKEN=<tokenvalue>
Response:
HTTP Status Code on Success: 200 OK
HTTP Status Code on Failure: 4xx <string> (for general HTTP errors) or 5xx <string> (for NetScaler-specific errors). The response payload provides details of the error
update
URL: http://<netscaler-ip-address>/nitro/v1/config/appfwprofile
HTTP Method: PUT
Request Headers:
Cookie:NITRO_AUTH_TOKEN=<tokenvalue>
Content-Type:application/json
Request Payload:
{"appfwprofile":{
<b>"name":<String_value>,</b>
"starturlaction":<String[]_value>,
"infercontenttypexmlpayloadaction":<String[]_value>,
"contenttypeaction":<String[]_value>,
"inspectcontenttypes":<String[]_value>,
"starturlclosure":<String_value>,
"denyurlaction":<String[]_value>,
"refererheadercheck":<String_value>,
"cookieconsistencyaction":<String[]_value>,
"cookiehijackingaction":<String[]_value>,
"cookietransforms":<String_value>,
"cookieencryption":<String_value>,
"cookieproxying":<String_value>,
"addcookieflags":<String_value>,
"fieldconsistencyaction":<String[]_value>,
"csrftagaction":<String[]_value>,
"crosssitescriptingaction":<String[]_value>,
"crosssitescriptingtransformunsafehtml":<String_value>,
"crosssitescriptingcheckcompleteurls":<String_value>,
"sqlinjectionaction":<String[]_value>,
"cmdinjectionaction":<String[]_value>,
"cmdinjectiontype":<String_value>,
"sqlinjectiontransformspecialchars":<String_value>,
"sqlinjectiononlycheckfieldswithsqlchars":<String_value>,
"sqlinjectiontype":<String_value>,
"sqlinjectionchecksqlwildchars":<String_value>,
"fieldformataction":<String[]_value>,
"defaultfieldformattype":<String_value>,
"defaultfieldformatminlength":<Double_value>,
"defaultfieldformatmaxlength":<Double_value>,
"bufferoverflowaction":<String[]_value>,
"bufferoverflowmaxurllength":<Double_value>,
"bufferoverflowmaxheaderlength":<Double_value>,
"bufferoverflowmaxcookielength":<Double_value>,
"bufferoverflowmaxquerylength":<Double_value>,
"bufferoverflowmaxtotalheaderlength":<Double_value>,
"creditcardaction":<String[]_value>,
"creditcard":<String[]_value>,
"creditcardmaxallowed":<Double_value>,
"creditcardxout":<String_value>,
"dosecurecreditcardlogging":<String_value>,
"streaming":<String_value>,
"trace":<String_value>,
"requestcontenttype":<String_value>,
"responsecontenttype":<String_value>,
"jsonerrorobject":<String_value>,
"jsondosaction":<String[]_value>,
"jsonsqlinjectionaction":<String[]_value>,
"jsonsqlinjectiontype":<String_value>,
"jsonxssaction":<String[]_value>,
"xmldosaction":<String[]_value>,
"xmlformataction":<String[]_value>,
"xmlsqlinjectionaction":<String[]_value>,
"xmlsqlinjectiononlycheckfieldswithsqlchars":<String_value>,
"xmlsqlinjectiontype":<String_value>,
"xmlsqlinjectionchecksqlwildchars":<String_value>,
"xmlsqlinjectionparsecomments":<String_value>,
"xmlxssaction":<String[]_value>,
"xmlwsiaction":<String[]_value>,
"xmlattachmentaction":<String[]_value>,
"xmlvalidationaction":<String[]_value>,
"xmlerrorobject":<String_value>,
"customsettings":<String_value>,
"signatures":<String_value>,
"xmlsoapfaultaction":<String[]_value>,
"usehtmlerrorobject":<String_value>,
"errorurl":<String_value>,
"htmlerrorobject":<String_value>,
"logeverypolicyhit":<String_value>,
"stripcomments":<String_value>,
"striphtmlcomments":<String_value>,
"stripxmlcomments":<String_value>,
"dynamiclearning":<String[]_value>,
"exemptclosureurlsfromsecuritychecks":<String_value>,
"defaultcharset":<String_value>,
"postbodylimit":<Double_value>,
"postbodylimitaction":<String[]_value>,
"postbodylimitsignature":<Double_value>,
"fileuploadmaxnum":<Double_value>,
"canonicalizehtmlresponse":<String_value>,
"enableformtagging":<String_value>,
"sessionlessfieldconsistency":<String_value>,
"sessionlessurlclosure":<String_value>,
"semicolonfieldseparator":<String_value>,
"excludefileuploadfromchecks":<String_value>,
"sqlinjectionparsecomments":<String_value>,
"invalidpercenthandling":<String_value>,
"type":<String[]_value>,
"checkrequestheaders":<String_value>,
"inspectquerycontenttypes":<String[]_value>,
"optimizepartialreqs":<String_value>,
"urldecoderequestcookies":<String_value>,
"comment":<String_value>,
"percentdecoderecursively":<String_value>,
"multipleheaderaction":<String[]_value>,
"rfcprofile":<String_value>,
"fileuploadtypesaction":<String[]_value>,
"verboseloglevel":<String_value>
}}
Response:
HTTP Status Code on Success: 200 OK
HTTP Status Code on Failure: 4xx <string> (for general HTTP errors) or 5xx <string> (for NetScaler-specific errors). The response payload provides details of the error.
unset
URL: http://<netscaler-ip-address>/nitro/v1/config/appfwprofile?action=unset
HTTP Method: POST
Request Headers:
Cookie:NITRO_AUTH_TOKEN=<tokenvalue>
Content-Type:application/json
Request Payload:
{"appfwprofile":{
"name":<String_value>,
"starturlaction":true,
"infercontenttypexmlpayloadaction":true,
"contenttypeaction":true,
"inspectcontenttypes":true,
"starturlclosure":true,
"denyurlaction":true,
"refererheadercheck":true,
"cookieconsistencyaction":true,
"cookiehijackingaction":true,
"cookietransforms":true,
"cookieencryption":true,
"cookieproxying":true,
"addcookieflags":true,
"fieldconsistencyaction":true,
"csrftagaction":true,
"crosssitescriptingaction":true,
"crosssitescriptingtransformunsafehtml":true,
"crosssitescriptingcheckcompleteurls":true,
"sqlinjectionaction":true,
"cmdinjectionaction":true,
"cmdinjectiontype":true,
"sqlinjectiontransformspecialchars":true,
"sqlinjectiononlycheckfieldswithsqlchars":true,
"sqlinjectiontype":true,
"sqlinjectionchecksqlwildchars":true,
"fieldformataction":true,
"defaultfieldformattype":true,
"defaultfieldformatminlength":true,
"defaultfieldformatmaxlength":true,
"bufferoverflowaction":true,
"bufferoverflowmaxurllength":true,
"bufferoverflowmaxheaderlength":true,
"bufferoverflowmaxcookielength":true,
"bufferoverflowmaxquerylength":true,
"bufferoverflowmaxtotalheaderlength":true,
"creditcardaction":true,
"creditcard":true,
"creditcardmaxallowed":true,
"creditcardxout":true,
"dosecurecreditcardlogging":true,
"streaming":true,
"trace":true,
"requestcontenttype":true,
"responsecontenttype":true,
"jsonerrorobject":true,
"jsondosaction":true,
"jsonsqlinjectionaction":true,
"jsonsqlinjectiontype":true,
"jsonxssaction":true,
"xmldosaction":true,
"xmlformataction":true,
"xmlsqlinjectionaction":true,
"xmlsqlinjectiononlycheckfieldswithsqlchars":true,
"xmlsqlinjectiontype":true,
"xmlsqlinjectionchecksqlwildchars":true,
"xmlsqlinjectionparsecomments":true,
"xmlxssaction":true,
"xmlwsiaction":true,
"xmlattachmentaction":true,
"xmlvalidationaction":true,
"xmlerrorobject":true,
"customsettings":true,
"signatures":true,
"xmlsoapfaultaction":true,
"usehtmlerrorobject":true,
"errorurl":true,
"htmlerrorobject":true,
"logeverypolicyhit":true,
"stripcomments":true,
"striphtmlcomments":true,
"stripxmlcomments":true,
"dynamiclearning":true,
"exemptclosureurlsfromsecuritychecks":true,
"defaultcharset":true,
"postbodylimit":true,
"postbodylimitaction":true,
"postbodylimitsignature":true,
"fileuploadmaxnum":true,
"canonicalizehtmlresponse":true,
"enableformtagging":true,
"sessionlessfieldconsistency":true,
"sessionlessurlclosure":true,
"semicolonfieldseparator":true,
"excludefileuploadfromchecks":true,
"sqlinjectionparsecomments":true,
"invalidpercenthandling":true,
"type":true,
"checkrequestheaders":true,
"inspectquerycontenttypes":true,
"optimizepartialreqs":true,
"urldecoderequestcookies":true,
"comment":true,
"percentdecoderecursively":true,
"multipleheaderaction":true,
"rfcprofile":true,
"fileuploadtypesaction":true,
"verboseloglevel":true
}}
Response:
HTTP Status Code on Success: 200 OK
HTTP Status Code on Failure: 4xx <string> (for general HTTP errors) or 5xx <string> (for NetScaler-specific errors). The response payload provides details of the error.
restore
URL: http://<netscaler-ip-address>/nitro/v1/config/appfwprofile?action=restore
HTTP Method: POST
Request Headers:
Cookie:NITRO_AUTH_TOKEN=<tokenvalue>
Content-Type:application/json
Request Payload:
{"appfwprofile":{
"archivename":<String_value>,
"relaxationrules":<Boolean_value>,
"importprofilename":<String_value>,
"matchurlstring":<String_value>,
"replaceurlstring":<String_value>,
"overwrite":<Boolean_value>,
"augment":<Boolean_value>
}}
Response:
HTTP Status Code on Success: 200 OK
HTTP Status Code on Failure: 4xx <string> (for general HTTP errors) or 5xx <string> (for NetScaler-specific errors). The response payload provides details of the error.
get (all)
URL: http://<netscaler-ip-address>/nitro/v1/config/appfwprofile
Query-parameters:
attrs
http://<netscaler-ip-address>/nitro/v1/config/appfwprofile?attrs=property-name1,property-name2
Use this query parameter to specify the resource details that you want to retrieve.
filter
http://<netscaler-ip-address>/nitro/v1/config/appfwprofile?filter=property-name1:property-val1,property-name2:property-val2
Use this query-parameter to get the filtered set of appfwprofile resources configured on NetScaler. Filtering can be done on any of the properties of the resource.
view
http://<netscaler-ip-address>/nitro/v1/config/appfwprofile?view=summary
Use this query-parameter to get the summary output of appfwprofile resources configured on NetScaler.
Note: By default, the retrieved results are displayed in detail view (?view=detail).
pagination
http://<netscaler-ip-address>/nitro/v1/config/appfwprofile?pagesize=#no;pageno=#no
Use this query-parameter to get the appfwprofile resources in chunks.
HTTP Method: GET
Request Headers:
Cookie:NITRO_AUTH_TOKEN=<tokenvalue>
Accept:application/json
Response:
HTTP Status Code on Success: 200 OK
HTTP Status Code on Failure: 4xx <string> (for general HTTP errors) or 5xx <string> (for NetScaler-specific errors). The response payload provides details of the error.
Response Header:
Content-Type:application/json
Response Payload:
{ "appfwprofile": [ {
"name":<String_value>,
"type":<String[]_value>,
"state":<String_value>,
"defaults":<String_value>,
"usehtmlerrorobject":<String_value>,
"errorurl":<String_value>,
"htmlerrorobject":<String_value>,
"logeverypolicyhit":<String_value>,
"stripcomments":<String_value>,
"striphtmlcomments":<String_value>,
"stripxmlcomments":<String_value>,
"defaultcharset":<String_value>,
"postbodylimit":<Double_value>,
"postbodylimitaction":<String[]_value>,
"dynamiclearning":<String[]_value>,
"postbodylimitsignature":<Double_value>,
"learning":<String_value>,
"fileuploadmaxnum":<Double_value>,
"canonicalizehtmlresponse":<String_value>,
"enableformtagging":<String_value>,
"sessionlessfieldconsistency":<String_value>,
"sessionlessurlclosure":<String_value>,
"semicolonfieldseparator":<String_value>,
"excludefileuploadfromchecks":<String_value>,
"sqlinjectionparsecomments":<String_value>,
"checkrequestheaders":<String_value>,
"inspectquerycontenttypes":<String[]_value>,
"optimizepartialreqs":<String_value>,
"urldecoderequestcookies":<String_value>,
"starturlaction":<String[]_value>,
"infercontenttypexmlpayloadaction":<String[]_value>,
"contenttypeaction":<String[]_value>,
"inspectcontenttypes":<String[]_value>,
"starturlclosure":<String_value>,
"denyurlaction":<String[]_value>,
"refererheadercheck":<String_value>,
"csrftagaction":<String[]_value>,
"csrftag":<String_value>,
"crosssitescriptingaction":<String[]_value>,
"crosssitescriptingtransformunsafehtml":<String_value>,
"crosssitescriptingcheckcompleteurls":<String_value>,
"exemptclosureurlsfromsecuritychecks":<String_value>,
"sqlinjectionaction":<String[]_value>,
"cmdinjectionaction":<String[]_value>,
"sqlinjectiontransformspecialchars":<String_value>,
"sqlinjectiononlycheckfieldswithsqlchars":<String_value>,
"sqlinjectiontype":<String_value>,
"cmdinjectiontype":<String_value>,
"sqlinjectionchecksqlwildchars":<String_value>,
"invalidpercenthandling":<String_value>,
"fieldconsistencyaction":<String[]_value>,
"cookieconsistencyaction":<String[]_value>,
"cookiehijackingaction":<String[]_value>,
"cookietransforms":<String_value>,
"cookieencryption":<String_value>,
"cookieproxying":<String_value>,
"addcookieflags":<String_value>,
"bufferoverflowaction":<String[]_value>,
"bufferoverflowmaxurllength":<Double_value>,
"bufferoverflowmaxheaderlength":<Double_value>,
"bufferoverflowmaxcookielength":<Double_value>,
"bufferoverflowmaxquerylength":<Double_value>,
"bufferoverflowmaxtotalheaderlength":<Double_value>,
"fieldformataction":<String[]_value>,
"defaultfieldformattype":<String_value>,
"defaultfieldformatminlength":<Double_value>,
"defaultfieldformatmaxlength":<Double_value>,
"creditcardaction":<String[]_value>,
"creditcard":<String[]_value>,
"creditcardmaxallowed":<Double_value>,
"creditcardxout":<String_value>,
"dosecurecreditcardlogging":<String_value>,
"streaming":<String_value>,
"trace":<String_value>,
"requestcontenttype":<String_value>,
"responsecontenttype":<String_value>,
"xmlerrorobject":<String_value>,
"signatures":<String_value>,
"xmlformataction":<String[]_value>,
"xmldosaction":<String[]_value>,
"xmlsqlinjectionaction":<String[]_value>,
"xmlsqlinjectiononlycheckfieldswithsqlchars":<String_value>,
"xmlsqlinjectiontype":<String_value>,
"xmlsqlinjectionchecksqlwildchars":<String_value>,
"xmlsqlinjectionparsecomments":<String_value>,
"xmlxssaction":<String[]_value>,
"xmlwsiaction":<String[]_value>,
"xmlattachmentaction":<String[]_value>,
"xmlvalidationaction":<String[]_value>,
"xmlsoapfaultaction":<String[]_value>,
"builtin":<Boolean_value>,
"comment":<String_value>,
"percentdecoderecursively":<String_value>,
"multipleheaderaction":<String[]_value>,
"rfcprofile":<String_value>,
"jsonerrorobject":<String_value>,
"jsondosaction":<String[]_value>,
"jsonsqlinjectionaction":<String[]_value>,
"jsonsqlinjectiontype":<String_value>,
"jsonxssaction":<String[]_value>,
"fileuploadtypesaction":<String[]_value>,
"verboseloglevel":<String_value>
}]}
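The get (all) response above is the natural input for a configuration audit: narrow it with `attrs`, then flag profiles whose check actions do not block. The following is an added example, not part of the NITRO documentation; the function names, the host `adc.example.test`, the HTTPS scheme, the decision to skip built-in profiles and the sample payload are assumptions, and `block` and `none` are treated as action values of the `*action` properties.

```python
import json
from urllib.parse import quote

# Action-array properties from the appfwprofile payload that gate request checks.
CHECK_ACTIONS = (
    "starturlaction", "denyurlaction", "crosssitescriptingaction",
    "sqlinjectionaction", "cmdinjectionaction", "bufferoverflowaction",
    "cookieconsistencyaction", "fieldconsistencyaction", "csrftagaction",
    "jsonsqlinjectionaction", "jsonxssaction",
    "xmlsqlinjectionaction", "xmlxssaction",
)

def audit_url(host, attrs=CHECK_ACTIONS):
    """get (all) URL narrowed with the attrs query parameter."""
    # Assumption: HTTPS is used so NITRO_AUTH_TOKEN is not sent in clear text.
    wanted = ",".join(("name", "builtin") + tuple(attrs))
    return (f"https://{host}/nitro/v1/config/appfwprofile"
            f"?attrs={quote(wanted, safe=',')}")

def audit_profiles(payload):
    """Map profile name -> findings for checks that do not block."""
    findings = {}
    for prof in json.loads(payload).get("appfwprofile", []):
        if prof.get("builtin"):  # assumption: built-in profiles are out of scope
            continue
        issues = []
        for key in CHECK_ACTIONS:
            if key not in prof:
                issues.append(f"{key}: not reported")
                continue
            actions = [a.lower() for a in (prof[key] or [])]
            if not actions or actions == ["none"]:
                issues.append(f"{key}: disabled")
            elif "block" not in actions:
                issues.append(f"{key}: not blocking ({','.join(actions)})")
        if issues:
            findings[prof["name"]] = issues
    return findings

# Constructed sample response (not captured from a real appliance).
_enforcing = {k: ["block", "log", "stats"] for k in CHECK_ACTIONS}
_staging = dict(_enforcing, sqlinjectionaction=["log", "stats"],
                crosssitescriptingaction=["none"])
del _staging["csrftagaction"]
SAMPLE = json.dumps({"appfwprofile": [
    dict(_enforcing, name="shop_prod", builtin=False),
    dict(_staging, name="shop_staging", builtin=False),
    dict(name="vendor_default", builtin=True, sqlinjectionaction=["none"]),
]})

if __name__ == "__main__":
    print(audit_url("adc.example.test"))
    for name, issues in audit_profiles(SAMPLE).items():
        print(name, "->", "; ".join(issues))
```

Running the same audit after any `unset` call shows whether a property that reverted to its default is still enforcing.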
get
URL: http://<netscaler-ip-address>/nitro/v1/config/appfwprofile/name_value<String>
Query-parameters:
attrs
http://<netscaler-ip-address>/nitro/v1/config/appfwprofile/name_value<String>?attrs=property-name1,property-name2
Use this query parameter to specify the resource details that you want to retrieve.
view
http://<netscaler-ip-address>/nitro/v1/config/appfwprofile/name_value<String>?view=summary
Use this query-parameter to get the summary output of appfwprofile resources configured on NetScaler.
Note: By default, the retrieved results are displayed in detail view (?view=detail).
HTTP Method: GET
Request Headers:
Cookie:NITRO_AUTH_TOKEN=<tokenvalue>
Accept:application/json
Response:
HTTP Status Code on Success: 200 OK
HTTP Status Code on Failure: 4xx <string> (for general HTTP errors) or 5xx <string> (for NetScaler-specific errors). The response payload provides details of the error.
Response Header:
Content-Type:application/json
Response Payload:
{ "appfwprofile": [ {
"name":<String_value>,
"type":<String[]_value>,
"state":<String_value>,
"defaults":<String_value>,
"usehtmlerrorobject":<String_value>,
"errorurl":<String_value>,
"htmlerrorobject":<String_value>,
"logeverypolicyhit":<String_value>,
"stripcomments":<String_value>,
"striphtmlcomments":<String_value>,
"stripxmlcomments":<String_value>,
"defaultcharset":<String_value>,
"postbodylimit":<Double_value>,
"postbodylimitaction":<String[]_value>,
"dynamiclearning":<String[]_value>,
"postbodylimitsignature":<Double_value>,
"learning":<String_value>,
"fileuploadmaxnum":<Double_value>,
"canonicalizehtmlresponse":<String_value>,
"enableformtagging":<String_value>,
"sessionlessfieldconsistency":<String_value>,
"sessionlessurlclosure":<String_value>,
"semicolonfieldseparator":<String_value>,
"excludefileuploadfromchecks":<String_value>,
"sqlinjectionparsecomments":<String_value>,
"checkrequestheaders":<String_value>,
"inspectquerycontenttypes":<String[]_value>,
"optimizepartialreqs":<String_value>,
"urldecoderequestcookies":<String_value>,
"starturlaction":<String[]_value>,
"infercontenttypexmlpayloadaction":<String[]_value>,
"contenttypeaction":<String[]_value>,
"inspectcontenttypes":<String[]_value>,
"starturlclosure":<String_value>,
"denyurlaction":<String[]_value>,
"refererheadercheck":<String_value>,
"csrftagaction":<String[]_value>,
"csrftag":<String_value>,
"crosssitescriptingaction":<String[]_value>,
"crosssitescriptingtransformunsafehtml":<String_value>,
"crosssitescriptingcheckcompleteurls":<String_value>,
"exemptclosureurlsfromsecuritychecks":<String_value>,
"sqlinjectionaction":<String[]_value>,
"cmdinjectionaction":<String[]_value>,
"sqlinjectiontransformspecialchars":<String_value>,
"sqlinjectiononlycheckfieldswithsqlchars":<String_value>,
"sqlinjectiontype":<String_value>,
"cmdinjectiontype":<String_value>,
"sqlinjectionchecksqlwildchars":<String_value>,
"invalidpercenthandling":<String_value>,
"fieldconsistencyaction":<String[]_value>,
"cookieconsistencyaction":<String[]_value>,
"cookiehijackingaction":<String[]_value>,
"cookietransforms":<String_value>,
"cookieencryption":<String_value>,
"cookieproxying":<String_value>,
"addcookieflags":<String_value>,
"bufferoverflowaction":<String[]_value>,
"bufferoverflowmaxurllength":<Double_value>,
"bufferoverflowmaxheaderlength":<Double_value>,
"bufferoverflowmaxcookielength":<Double_value>,
"bufferoverflowmaxquerylength":<Double_value>,
"bufferoverflowmaxtotalheaderlength":<Double_value>,
"fieldformataction":<String[]_value>,
"defaultfieldformattype":<String_value>,
"defaultfieldformatminlength":<Double_value>,
"defaultfieldformatmaxlength":<Double_value>,
"creditcardaction":<String[]_value>,
"creditcard":<String[]_value>,
"creditcardmaxallowed":<Double_value>,
"creditcardxout":<String_value>,
"dosecurecreditcardlogging":<String_value>,
"streaming":<String_value>,
"trace":<String_value>,
"requestcontenttype":<String_value>,
"responsecontenttype":<String_value>,
"xmlerrorobject":<String_value>,
"signatures":<String_value>,
"xmlformataction":<String[]_value>,
"xmldosaction":<String[]_value>,
"xmlsqlinjectionaction":<String[]_value>,
"xmlsqlinjectiononlycheckfieldswithsqlchars":<String_value>,
"xmlsqlinjectiontype":<String_value>,
"xmlsqlinjectionchecksqlwildchars":<String_value>,
"xmlsqlinjectionparsecomments":<String_value>,
"xmlxssaction":<String[]_value>,
"xmlwsiaction":<String[]_value>,
"xmlattachmentaction":<String[]_value>,
"xmlvalidationaction":<String[]_value>,
"xmlsoapfaultaction":<String[]_value>,
"builtin":<Boolean_value>,
"comment":<String_value>,
"percentdecoderecursively":<String_value>,
"multipleheaderaction":<String[]_value>,
"rfcprofile":<String_value>,
"jsonerrorobject":<String_value>,
"jsondosaction":<String[]_value>,
"jsonsqlinjectionaction":<String[]_value>,
"jsonsqlinjectiontype":<String_value>,
"jsonxssaction":<String[]_value>,
"fileuploadtypesaction":<String[]_value>,
"verboseloglevel":<String_value>
}]}
count
URL: http://<netscaler-ip-address>/nitro/v1/config/appfwprofile?count=yes
HTTP Method: GET
Request Headers:
Cookie:NITRO_AUTH_TOKEN=<tokenvalue>
Accept:application/json
Response:
HTTP Status Code on Success: 200 OK
HTTP Status Code on Failure: 4xx <string> (for general HTTP errors) or 5xx <string> (for NetScaler-specific errors). The response payload provides details of the error.
Response Header:
Content-Type:application/json
Response Payload:
{ "appfwprofile": [ { "__count": "#no"} ] }