NetScaler Application Firewall is the fastest WAF on the market today. But we can do better. As a core component of the NetScaler Platinum edition, the Application Firewall module complements the load balancer driving the largest web sites in the world. The Platinum edition also includes Integrated Caching (IC), a memory-based cache for frequently accessed web objects. NetScaler 9.2 nCore expanded the memory available for the Integrated Caching module up to  24G on the MPX21500. Enabling both modules at the same time gives a significant boost to Application Firewall performance.

Test results

We tested the performance of the two modules on an MPX12500 using a benchmark test workload used in the previous performance paper. All content in this app is static and hence fully cacheable. A 100% cache hit ratio is not true of modern day dynamic web apps. This is a best case scenario. These result can be scaled appropriately by multiplying the observed cache hit ratio, i.e, if your cache hit ratio is 60%, then you would get a 0.6 times the bump in performance noted above (give or take).

MPX12500 (NS9.2 nCore Build 46.9)

Basic profile
Caching = OFF
Caching = ON
Req/s 79487 107484 35%
Mbps 3845 5102 33%

Advanced Profile
Caching = OFF
Caching = ON
Req/s 14868 81935 450%
Mbps 717 4141 477%

Application Firewall has two default starting points for security configuration, perhaps inappropriately named – Basic and Advanced. Basic protections include mostly request side checks like XSS, SQL Injection etc, while Advanced protections create and maintain an user session and parse HTML responses as they stream through the device. This is more CPU and memory intensive while providing the advanced features like Form field protection and CSRF defense.

To see a detailed report on the test workload and methodology, check the Application Firewall Performance report. The test workload was identical though the NetScaler version tested was different.

Results are not typical!

Before you rush off to try this out on your NetScaler, do note that

  • The tested workload was static and contained mostly cacheable content. A modern dynamic web application would have a far less cache hit ratio.
  • Turning the Integrated Caching module on with the Application Firewall is recommended only for NetScaler systems with at least 4G RAM. This includes all the MPX series appliances and some of the older NS series appliances (like the NS12000). While all feature modules are supported on all platforms,
    the performance and capabilities of each platform vary. Specifically, try this on the NS7000 only for low traffic applications (<50mbps).

What is happening inside?

NetScaler is composed of many feature modules that are applied on incoming traffic based on license and configured policy. In this model, the Application Firewall module sits in front of the cache module and inspects incoming requests before they hit the cache. So the request side checks (Basic mode) get a modest boost in performance as we save on the backend server round trip. We preferred this design over putting the firewall behind the cache as it is more secure.

For features that need response parsing, the firewall module stores extra meta data (form signatures, URLs etc) along with the page contents in the cache module itself. So when the cache serves a page hit, it also includes the meta data that can be used by the firewall to enforce the security policy and update the user session with the extracted page information.

Notes on the configuration

  • The Caching feature was simply turned on with default caching policies. Better results might be obtained by using the AppExpert Policy Engine to tune the cache policy.
  • Integrated Caching is available along with the Application Firewall in the NetScaler Platinum Edition license.

More Information