Jump to content


AppFW Best Practices?

Started by Carl Waldron , 05 February 2015 - 11:01 PM
2 replies to this topic

Carl Waldron Members

Carl Waldron
  • 2 posts

Posted 05 February 2015 - 11:01 PM

Hi all,


I have noticed a distinct lack of discussion regarding the plethora of options within the App Firewall protections.  Does anyone have any recommended or "best" practices they would care to share?  I have reviewed the document Citrix has available (CTX121173) and most of the information is generic or extremely dated at this point.  I realize there is no perfect set of rules that would apply to every single web site/application.  To get things started here are some things I implement nearly all the time:


  1. A redirect error page with a generic "if you think you have received this message in error" message along with a mailto link.  Most clients like this, but some prefer to give potential adversaries zero additional help.
  2. Enforcement of URL closure with the "validate referrer header if present" option selected.
  3. Cookie Consistency Check with the "transform" and "flags to add" options.
  4. Buffer Overflow with the boundaries set a little higher than the maximums observed during the learning phase.

I would love to hear what others are doing with this underutilized and very cool piece of Netscaler technology!



Mark Brilman Members

Mark Brilman
  • 169 posts

Posted 17 July 2017 - 06:31 AM



Thanks for asking this question and sharing your best practices so far. I'm starting an AppFW project and am qurious if people have anything to add regarding this question.


What are the best practices? Any implementation tips & tricks, do's and don'ts? What is the best approach implementing AppFW?


Kind regards,



Carl Stalhood CTP Member

Carl Stalhood
  • 12,283 posts

Posted 17 July 2017 - 12:56 PM

There was a firewall session at Synergy 2017 - http://live.citrixsynergy.com/2017/player/ondemandplayer.php?presentation_id=98c4a0441d874d46b18355f7504237fe1d