The Signature Auto Update functionality in Application Firewall allows the user to get the latest signatures to protect against new vulnerabilities, thereby providing better protection without the need for ongoing manual intervention to fetch the latest updates.
The signatures are auto updated on an hourly basis, thereby eliminating the need to constantly check for the availability of the most recent update. If you enable Signature Auto Update, the NetScaler appliance connects to the server hosting the signatures to check whether a newer version is available.
The latest Application Firewall signatures are hosted on Amazon, which is configured as the default Signature URL to check for the latest update.
However, the user has the option to download these signature mapping files to an internal server. The user can then configure a different Signature URL path to download the signature mapping files from the local server. For the auto update feature to work, you might need to configure the DNS server so that the appliance can reach the external site.
All user-defined signature objects that are created using the appfw default signature object have a version greater than zero. If you enable Signature Auto Update, all of these signatures are updated automatically.
If the user has imported signatures in an external format such as Cenzic or Qualys, the signatures are imported with the version set to zero. Similarly, if the user has created a signature object using the blank template, it is created as a zero-version signature. These signatures are not automatically updated, because the user might not want the overhead of managing default signatures that are not used.
However, Application Firewall also gives the user the flexibility to select these signatures and manually update them to add the default signature rules to the existing rules. After the signatures are manually updated, the version changes and the signatures are then auto updated along with the other signatures.
To configure the Signature Auto Update feature, run the following commands from the command line interface:
set appfw settings SignatureAutoUpdate on
set appfw settings SignatureUrl https://s3.amazonaws.com/NSAppFwSignatures/SignaturesMapping.xml
To configure the Signature Auto Update feature from the Configuration Utility, complete the following procedure:
Expand the Security node.
Expand the Application Firewall node.
Select the Signatures node.
Select Auto Update Settings from Action.
Enable the Signatures Auto Update option.
You can specify a customized path for the Signature Update URL, if required. Click Reset to revert to the default s3.amazonaws.com server.
Click OK.
To manually update a zero-version signature or any other user-defined signature, you must first get the latest update for the default signatures and then use it to update the target user-defined signature.
Run the following commands from the command line interface to update a signature file:
update appfw signatures "*Default Signatures"
update appfw signatures cenzic -mergedefault
Note: "*Default Signatures" is case sensitive. Cenzic in the preceding command is the name of the signature file that is updated.
It is recommended to configure a proxy server pointing to the Amazon Web Services (AWS) server to get the latest update. However, if the NetScaler appliance does not have an internet connection to external sites, the user can store the updated signature files on a local server, and the appliance can then download the signatures from that local server. In this scenario, the user must regularly check the Amazon site for the latest updates. You can download the signature file and verify it against the corresponding sha1 file, which was created using the Citrix public key to protect against tampering.
To copy the Signatures files to a local server, complete the following procedure:
To mirror the hosted web server, create a local directory, such as <MySignatures>, on a local server.
Open the AWS site.
Copy the SignaturesMapping.xml file to the <MySignatures> folder.
If you open the SignaturesMapping.xml file, you can see all the xml files for signatures and their corresponding sha1 files for the different supported versions. One such pair is highlighted in the following screen shot:
Copy all pairs of the *.xml files listed in the <file> tags, the *.xml.sha1 files listed in the corresponding <sha1> tags, and the *.xml.digest files listed in the corresponding <digest> tags of the SignaturesMapping.xml file to the <sigs> folder. The following are a few sample files that are copied to the <sigs> folder:
https://s3.amazonaws.com/NSAppFwSignatures/sigs/sig-r13.1b0v101s8.xml
https://s3.amazonaws.com/NSAppFwSignatures/sigs/sig-r13.1b0v101s8.xml.sha1
https://s3.amazonaws.com/NSAppFwSignatures/sigs/sig-r13.1b0v101s8.xml.digest
Note: You can give the <MySignatures> folder any name and place it in any location, but <sigs> must be a sub-directory of the <MySignatures> folder into which the mapping file is copied. In addition, as shown in the SignaturesMapping.xml, the sub-directory must be named exactly <sigs>; the name is case sensitive. All signature files and their corresponding sha1 files should be copied under this <sigs> directory.
After mirroring the contents from the hosted Amazon web server to the local server, change the path to the new local web server and set it as the SignatureUrl for auto update. For example, run the following command from the command line interface of the appliance:
set appfw settings SignatureUrl https://myserver.example.net/MySignatures/SignaturesMapping.xml
The update operation can take several minutes, depending on the number of signatures to be updated. Allow sufficient time for the update operation to complete.
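A layout check for the local mirror described above, added here as an example and not part of the original article or of NetScaler itself. It parses a mapping file for its <file>, <sha1> and <digest> entries and confirms that every referenced file exists under a sub-directory spelled exactly "sigs" beside SignaturesMapping.xml; the sample mapping, its wrapping element names and the relative-path form of the entries are constructed assumptions, since the page shows only the tag names.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample mapping: the wrapping element names and the relative
# paths are assumptions; only the <file>/<sha1>/<digest> tags come from the page.
SAMPLE_MAPPING = """<signatures>
  <signature>
    <file>sigs/sig-r13.1b0v101s8.xml</file>
    <sha1>sigs/sig-r13.1b0v101s8.xml.sha1</sha1>
    <digest>sigs/sig-r13.1b0v101s8.xml.digest</digest>
  </signature>
</signatures>"""

def referenced_paths(mapping_xml):
    """Every relative path listed in a <file>, <sha1> or <digest> tag."""
    root = ET.fromstring(mapping_xml)
    return [el.text.strip() for tag in ("file", "sha1", "digest")
            for el in root.iter(tag) if el.text]

def exists_exact(base, rel):
    """True only if each path component exists with exactly this spelling;
    comparing against os.listdir keeps the check case-sensitive everywhere."""
    cur = base
    for part in rel.split("/"):
        if not os.path.isdir(cur) or part not in os.listdir(cur):
            return False
        cur = os.path.join(cur, part)
    return True

def check_mirror(mirror_dir):
    """Return a list of problems (empty means the mirror is complete): the
    mapping file must sit in mirror_dir and every referenced file must be
    present under the 'sigs' sub-directory, spelled as in the mapping."""
    mapping = os.path.join(mirror_dir, "SignaturesMapping.xml")
    if not os.path.isfile(mapping):
        return ["missing SignaturesMapping.xml in " + mirror_dir]
    with open(mapping, encoding="utf-8") as fh:
        paths = referenced_paths(fh.read())
    return (["not under sigs/: " + p for p in paths if not p.startswith("sigs/")]
            + ["missing: " + p for p in paths if not exists_exact(mirror_dir, p)])

def build_demo_mirror(drop=()):
    """Write the sample mapping and its files to a temp dir, skipping any
    relative path named in `drop`; returns the mirror directory."""
    mirror = tempfile.mkdtemp()
    with open(os.path.join(mirror, "SignaturesMapping.xml"), "w") as fh:
        fh.write(SAMPLE_MAPPING)
    for rel in referenced_paths(SAMPLE_MAPPING):
        if rel not in drop:
            os.makedirs(os.path.join(mirror, "sigs"), exist_ok=True)
            open(os.path.join(mirror, rel), "w").close()
    return mirror
```

Run `check_mirror("/path/to/MySignatures")` against a real mirror before pointing SignatureUrl at it; a non-empty list names exactly which files are missing or misplaced.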
1. Add the URL 'https://myserver.example.net' to '/netscaler/ns_gui/admin_ui/php/application/controllers/common/utils.php' so that the Content Security Policy (CSP) does not block access to the URL. Note that this setting does not persist across an upgrade; the user has to add it again after the upgrade.
$configuration_view_connect_src = "connect-src 'self' https://app.pendo.io https://s3.amazonaws.com https://myserver.example.net;";
2. The user needs to configure the web server 'https://myserver.example.net' so that it responds with the following CORS headers for https://myserver.example.net/MySignatures/SignaturesMapping.xml:
Access-Control-Allow-Methods: GET
Access-Control-Allow-Origin: *
Access-Control-Max-Age: 3000
The following guidelines apply when updating signatures:
The signatures are updated when the Signature update URL has a signature object with the same or a newer version.
Each Signature Rule is associated with a rule ID and version number. For example: <SignatureRule id="803" version="16" …>
A Signature Rule from the incoming Signatures file with the same ID and version number as the existing one is ignored, even if it has different patterns or a different log string.
A Signature Rule with a new ID is added. All the actions and the enabled flag are taken from the new file.
Note: You might still need to review the updated signatures periodically to enable these newly added rules and change other action settings as per the requirements of the application.
A rule with the same ID but a newer version number replaces the existing one. All the actions and the enabled flag from the existing rule are preserved.
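The three rule-level guidelines above, worked through as an added example that is not part of the original article or of the appliance's own code. The rule records are constructed and reduced to id, version, enabled flag, actions and a stand-in pattern; the page does not say how a rule with an older version than the existing one is treated, so this example assumes it is ignored like a same-version rule.

```python
# Constructed sample rule sets: only id, version, enabled, actions and a
# stand-in pattern are modelled; a real <SignatureRule> carries more.
EXISTING = [
    {"id": 803, "version": 16, "enabled": False, "actions": ["log"], "pattern": "old-a"},
    {"id": 804, "version": 16, "enabled": True, "actions": ["block"], "pattern": "old-b"},
]
INCOMING = [
    # same id, newer version: replaces 803 but keeps the operator's enabled/actions
    {"id": 803, "version": 17, "enabled": True, "actions": ["block"], "pattern": "new-a"},
    # same id and version: ignored even though the pattern differs
    {"id": 804, "version": 16, "enabled": False, "actions": ["log"], "pattern": "new-b"},
    # new id: added with the enabled flag and actions from the incoming file
    {"id": 900, "version": 1, "enabled": False, "actions": ["log"], "pattern": "new-c"},
]

def merge_rules(existing, incoming):
    """Apply the update guidelines; returns (merged rules sorted by id, summary)."""
    merged = {r["id"]: dict(r) for r in existing}
    summary = {"added": [], "replaced": [], "ignored": []}
    for new in incoming:
        old = merged.get(new["id"])
        if old is None:
            merged[new["id"]] = dict(new)          # new rule, as shipped
            summary["added"].append(new["id"])
        elif new["version"] > old["version"]:
            updated = dict(new)                    # new pattern and version...
            updated["enabled"] = old["enabled"]    # ...but local settings win
            updated["actions"] = list(old["actions"])
            merged[new["id"]] = updated
            summary["replaced"].append(new["id"])
        else:
            # same version (older assumed alike): existing rule left untouched
            summary["ignored"].append(new["id"])
    return [merged[k] for k in sorted(merged)], summary

def rules_needing_review(merged, summary):
    """Newly added rules that arrived disabled: the ones the Note says to revisit."""
    by_id = {r["id"]: r for r in merged}
    return [i for i in summary["added"] if not by_id[i]["enabled"]]
```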
When you update the application firewall signatures from the NetScaler command line, you must first update the default signatures and then issue additional update commands to update each custom signature file that is based on the default signatures. If you do not update the default signatures first, a version mismatch error prevents the custom signature files from being updated.
The following applies to merging a third-party signature object with a user-defined signature object with Native rules and user-added rules: