NetScaler – Common WAF blocks for own Products


Introduction

As you might know, I'm a big fan of the integrated WAF for Gateway and AAA (with the newer 14.1 builds, also for the web GUI management interface). I've stumbled across some issues where that WAF blocks Citrix's "own" products or authentication processes.

This is a list of my findings, where I keep updating the relaxation rules so you can fix the issue with an exclusion / whitelist. I always share these findings with Citrix Support so they can hopefully engineer on that and optimize future firmware builds.

Please comment if you have found other examples so I can extend the list.

Solution

How did I get these URLs / findings? Use NetScaler Console or ns.log (searching for the keyword APPFW) to check where the WAF is blocking your flow.

Here's my latest list of relaxation rules for the different integrated WAF profiles, depending on which NetScaler features you have implemented, each with a short description of the issue:

### Relaxation rules for configuring a whitelist on the integrated WAF on NetScaler (Auth / VPN / Portal settings)

### WAF blocking the Negotiate (Kerberos) SSO auth policy for AAA nFactor flows (see more details in my separate blog post: https://www.julianjakob.com/netscaler-negotiate-sso-and-waf/)
bind appfw profile ns-aaa-default-appfw-profile -restValidation "POST:/nf/auth/doNegotiate.do"


### WAF blocking the logoff of the AOVPN user tunnel from the Secure Access Client when the user shuts down the notebook (the session keeps running, which can result in other issues)
bind appfw profile ns-aaa-default-appfw-profile -restValidation "GET:/cgi/logout"


### WAF blocking the AOVPN Secure Access Client from connecting the machine and user tunnel (configured nFactor auth with EPA for a machine-cert check, followed by a Negotiate Kerberos SSO auth policy)
bind appfw profile ns-aaa-default-appfw-profile -restValidation "POST:/nf/auth/webview/done"
bind appfw profile ns-vpn-default-appfw-profile -restValidation "POST:/nf/auth/doEPA.do"
bind appfw profile ns-vpn-default-appfw-profile -restValidation "POST:/p/u/setClient.do"
bind appfw profile ns-vpn-default-appfw-profile -restValidation "POST:/cgi/tlogin"
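To make the "search ns.log for APPFW" step above repeatable, here is a small helper that turns observed WAF blocks into candidate bind commands in the same syntax as the rules listed on this page. This is an added example, not code from the blog post or from Citrix/NetScaler. The log excerpt is constructed, and the exact line layout (module tag, message name, profile, action, method, URL) is an assumption that only approximates what ns.log emits; adjust the regex to what your appliance logs. Only endpoints from the list above are emitted as commands; anything else is returned for manual review, so an unexpected blocked URL is never whitelisted blindly.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed ns.log excerpt: NOT real NetScaler output. The layout is an
# assumption approximating the APPFW audit lines; the message name after the
# APPFW tag varies by check in a real log and is not used by the parser.
SAMPLE_NS_LOG = """\
Jan 10 10:12:01 ns-gw 0-PPE-0 : default APPFW APPFW_STARTURL 1001 0 : 10.1.1.5 1234-PPE-0 - ns-aaa-default-appfw-profile Blocked POST https://gw.example.com/nf/auth/doNegotiate.do <blocked>
Jan 10 10:12:05 ns-gw 0-PPE-0 : default SSLVPN LOGIN 1002 0 : user alice logged in
Jan 10 10:13:44 ns-gw 0-PPE-0 : default APPFW APPFW_STARTURL 1003 0 : 10.1.1.6 1235-PPE-0 - ns-vpn-default-appfw-profile Blocked POST https://gw.example.com/cgi/tlogin <blocked>
Jan 10 10:13:50 ns-gw 0-PPE-0 : default APPFW APPFW_STARTURL 1004 0 : 10.1.1.5 1236-PPE-0 - ns-aaa-default-appfw-profile Blocked POST https://gw.example.com/nf/auth/doNegotiate.do <blocked>
Jan 10 10:14:02 ns-gw 0-PPE-0 : default APPFW APPFW_STARTURL 1005 0 : 10.1.1.9 1237-PPE-0 - ns-aaa-default-appfw-profile Blocked GET https://gw.example.com/cgi/logout?r=1 <blocked>
Jan 10 10:15:30 ns-gw 0-PPE-0 : default APPFW APPFW_STARTURL 1006 0 : 10.1.1.7 1238-PPE-0 - ns-vpn-default-appfw-profile Blocked POST https://gw.example.com/some/unknown/endpoint <blocked>
"""

# Endpoints this blog post lists as legitimate Citrix auth / VPN flows.
KNOWN_CITRIX_ENDPOINTS = {
    ("POST", "/nf/auth/doNegotiate.do"),
    ("GET", "/cgi/logout"),
    ("POST", "/nf/auth/webview/done"),
    ("POST", "/nf/auth/doEPA.do"),
    ("POST", "/p/u/setClient.do"),
    ("POST", "/cgi/tlogin"),
}

# Assumed line shape: "... APPFW <message> ... - <profile> Blocked <METHOD> <URL> ..."
APPFW_LINE = re.compile(
    r"\bAPPFW\s+(?P<msg>APPFW_\w+).*?\s-\s+(?P<profile>\S+)\s+Blocked\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)


def parse_appfw_blocks(log_text):
    """Return one (profile, method, path) tuple per APPFW block line.
    The query string is dropped so /cgi/logout?r=1 and /cgi/logout
    collapse into one candidate rule."""
    blocks = []
    for line in log_text.splitlines():
        m = APPFW_LINE.search(line)
        if not m:
            continue  # not an APPFW block line (e.g. SSLVPN login events)
        path = urlsplit(m.group("url")).path or "/"
        blocks.append((m.group("profile"), m.group("method"), path))
    return blocks


def build_relaxation_rules(blocks, known=KNOWN_CITRIX_ENDPOINTS):
    """Turn observed blocks into (bind command, hit count) pairs using the
    page's own -restValidation syntax. Unknown endpoints are returned in a
    separate review list instead of being whitelisted."""
    hits = Counter(blocks)
    commands, review = [], []
    for (profile, method, path), count in sorted(hits.items()):
        entry = f"{method}:{path}"
        if (method, path) in known:
            commands.append(
                (f'bind appfw profile {profile} -restValidation "{entry}"', count)
            )
        else:
            review.append((profile, entry, count))
    return commands, review


if __name__ == "__main__":
    cmds, review = build_relaxation_rules(parse_appfw_blocks(SAMPLE_NS_LOG))
    for cmd, count in cmds:
        print(f"{cmd}    (seen {count}x)")
    for profile, entry, count in review:
        print(f"REVIEW: {profile} blocked {entry} {count}x - not a known Citrix endpoint")
```

Run it against a real ns.log export instead of SAMPLE_NS_LOG once the regex matches your appliance's format; the review list is the part worth reading first, since a block on an endpoint not in the list above may be the WAF doing its job rather than a false positive.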

Summary

Please help to further improve the integrated WAF by sharing feedback and findings.
