The following blog article is the result of experience gained in the field. Citrix article CTX138858 describes the signature auto-update feature of the Application Firewall. That process is seamless and straightforward when the NetScalers have internet access, but it becomes problematic when they do not. The article outlines how to manually download the required files and arrange them in the manner the NetScaler expects for consumption. This blog post features a script I wrote to automate that process.

Below Is The Script In Its Entirety


# Public location of the signature mapping file and the local staging paths
$AppFirewallSignaturesURL = "https://s3.amazonaws.com/NSAppFwSignatures/SignaturesMapping.xml"
$SignatureFileLocation = "C:\Signatures\SignaturesMapping.xml"
$SignatureURLRoot = "https://s3.amazonaws.com/NSAppFwSignatures/"
$DownloadLocation = "C:\Signatures\"

# Make sure the staging directory exists before writing into it
New-Item -ItemType Directory -Path $DownloadLocation -Force | Out-Null

# Download synchronously. The original used DownloadFileAsync followed by a
# 5-second sleep, which races the Get-Content below on a slow link.
$WebClient = New-Object System.Net.WebClient
$WebClient.DownloadFile($AppFirewallSignaturesURL, $SignatureFileLocation)

# Walk the mapping file line by line. The original matched the mapping file's
# element names for the signature file and for its SHA checksum file and then
# stripped those tags; the element names were lost when the page was published,
# so this version extracts every "sigs/..." reference instead, which picks up
# both the signature .xml file and its checksum file.
$GetMainSignatureXMLFile = Get-Content $SignatureFileLocation
foreach ($line in $GetMainSignatureXMLFile) {
    foreach ($match in [regex]::Matches($line, 'sigs/[^<>"\s]+')) {
        $RelativePath = $match.Value                 # e.g. sigs/<name>.xml
        $FileName = Split-Path -Leaf $RelativePath   # the original's Replace("sigs/", " ") plus Trim()
        # As in the original, files are written flat into $DownloadLocation (sigs/ prefix dropped)
        $WebClient.DownloadFile($SignatureURLRoot + $RelativePath, $DownloadLocation + $FileName)
    }
}

The second part of this process is to set up a web server in the environment that the NetScaler has network access to, so that the NetScaler can acquire the signatures from this web server instead of from Amazon. First, open IIS Manager on the same machine that holds the signatures. Right-click “Default Web Site” and select “Add Virtual Directory”.

Short-Cut Menu

Then, navigate to the directory where the SignaturesMapping file is located and provide an “Alias” name. In this example, I gave it the name of the directory containing the signatures:

Virtual Directory

Once created, right-click the new virtual directory and select “Convert to Application”:

Add to Application

As can be seen below, the icon will change to reflect the change:

Application

The “sigs” subdirectory, which is required, is also there as a sub-virtual directory:

Sub-Directory

At this point, you can browse to the site using the FQDN or IP address of this web server, with the same URL path used to access the signatures on the Amazon website:

Signature URL

This same URL can be used to configure the auto-update settings for the Application Firewall signatures on the NetScaler. The PowerShell script can then be run through the Windows Task Scheduler as frequently as desired.
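As an added example (not code from the original post), here is the same IIS publishing procedure done with the WebAdministration cmdlets instead of the IIS Manager GUI, followed by a reachability check of the mirror and registration of the scheduled task mentioned in the last paragraph. The alias Signatures, the host name mirror.example.internal, the script path and the 3 AM schedule are all assumptions; the sigs virtual directory is pointed at the same folder the script downloads into, because the script strips the sigs/ prefix from the file names.

```powershell
# Added example, not from the original post. Assumes IIS with the WebAdministration
# module is installed and the session is elevated.
Import-Module WebAdministration

$SiteName     = "Default Web Site"
$Alias        = "Signatures"               # alias chosen for this example
$PhysicalPath = "C:\Signatures"            # folder the download script writes into
$MirrorHost   = "mirror.example.internal"  # placeholder FQDN of this web server

# 1. Virtual directory under Default Web Site (the "Add Virtual Directory" step)
if (-not (Get-WebVirtualDirectory -Site $SiteName -Name $Alias)) {
    New-WebVirtualDirectory -Site $SiteName -Name $Alias -PhysicalPath $PhysicalPath | Out-Null
}

# 2. Convert it to an application (the "Convert to Application" step)
if (-not (Get-WebApplication -Site $SiteName -Name $Alias)) {
    ConvertTo-WebApplication -PSPath "IIS:\Sites\$SiteName\$Alias" | Out-Null
}

# 3. The required "sigs" sub-virtual directory. The mapping file references the
#    signature files as sigs/<name>, while the download script stores them flat in
#    $PhysicalPath, so (assumption) sigs points at that same folder.
if (-not (Get-WebVirtualDirectory -Site $SiteName -Application $Alias -Name "sigs")) {
    New-WebVirtualDirectory -Site $SiteName -Application $Alias -Name "sigs" -PhysicalPath $PhysicalPath | Out-Null
}

# 4. Verify: fetch the mapping through the mirror and HEAD every file it references,
#    using the same URL path the NetScaler will be configured with.
$MirrorRoot = "http://$MirrorHost/$Alias/"
$Mapping = (Invoke-WebRequest -Uri ($MirrorRoot + "SignaturesMapping.xml") -UseBasicParsing).Content
$Referenced = [regex]::Matches($Mapping, 'sigs/[^<>"\s]+') | ForEach-Object { $_.Value } | Sort-Object -Unique
$Missing = @()
foreach ($RelativePath in $Referenced) {
    try {
        Invoke-WebRequest -Uri ($MirrorRoot + $RelativePath) -Method Head -UseBasicParsing | Out-Null
    } catch {
        # A 404 for a file that exists on disk usually means IIS has no MIME type
        # registered for that extension (the static file handler refuses to serve it).
        $Missing += $RelativePath
    }
}
if ($Missing.Count -gt 0) {
    Write-Warning ("Not served by the mirror: " + ($Missing -join ", "))
} else {
    Write-Host "All $($Referenced.Count) referenced files are reachable under $MirrorRoot"
}

# 5. Run the download script on a schedule (placeholder script path and time).
$Action  = New-ScheduledTaskAction -Execute "powershell.exe" `
    -Argument "-NoProfile -File C:\Signatures\Update-AppFwSignatures.ps1"
$Trigger = New-ScheduledTaskTrigger -Daily -At 3am
Register-ScheduledTask -TaskName "Update AppFw Signatures" -Action $Action -Trigger $Trigger `
    -User "SYSTEM" -RunLevel Highest | Out-Null
```

The HEAD loop is the check worth keeping: a file can be present in C:\Signatures and still come back as 404 from IIS when its extension has no MIME mapping, and the NetScaler's auto-update will fail silently on that file. Run the check after the first scheduled download and again whenever the mapping file changes.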