Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Bug]: Issue 1113, 1147 ,1162 Still results in non working citrixadc_appfwsignatures #1214

Open
kaiAsmOne opened this issue Oct 12, 2024 · 2 comments
Open

[Bug]: Issue 1113, 1147 ,1162 Still results in non working citrixadc_appfwsignatures #1214

kaiAsmOne opened this issue Oct 12, 2024 · 2 comments
Labels
bug

Comments

@kaiAsmOne
Copy link

kaiAsmOne commented Oct 12, 2024
edited
Loading

Terraform Core Version

1.5.7

citrixadc Provider Version

1.40.1

Operating system

macOS

Affected Resource(s)

citrixadc_appfwsignatures

Equivalent NetScaler CLI Command

N/A

Expected Behavior

I am trying to modify the signature behaviour for an existing signature object in an already existing signature file ( as in GUI: Security / Citrix Web Application Firewall / Signatures/ modifying already existing waf_sig_app.company.com).

Netscaler have to provide the following functionallity if not the Signatures in WAF Engine is useless when

1: You cannot on an entire Signature category ( set enabled = (enabled | disabled) ) && ( set action = (none | block | log | stats))

2: You cannot on a individual Signature / Rules to ( set enabled = (enabled | disabled) ) && ( set action = (none | block | log | stats))

2: You cannot set a list of Signature Entries / Rules to ( set enabled = (enabled | disabled) ) && ( set action = (none | block | log | stats))

I have written terraform module for citrixadc_appfwsignatures as follows:

resource "citrixadc_appfwsignatures" "app_waf_signatures" {
name = "waf_sig_${var.waf_profilename}"
merge = var.waf_signature_merge == "" ? null : var.waf_signature_merge
overwrite = var.waf_signature_overwrite == "" ? null : var.waf_signature_overwrite
src = var.waf_signature_location == "" ? null : var.waf_signature_location
preservedefactions = var.waf_signature_preservedefaction == "" ? null : var.waf_signature_preservedefaction
autoenablenewsignatures = var.waf_signature_autoenablenewsignatures == "" ? null : var.waf_signature_autoenablenewsignatures
ruleid = var.waf_signature_ruleid == "" ? null : var.waf_signature_ruleid
category = var.waf_signature_category == "" ? null : var.waf_signature_category
enabled = var.waf_signature_enabled == "" ? null : var.waf_signature_enabled
action = var.waf_signature_action == "" ? null : var.waf_signature_action

}

I call this module from my Netscaler as follows:

module "netscaler-adc-waf-signatures-myapp_company_com" {
source = "../modules/CitrixADC-Appfw-Signatures"
waf_profilename = var.myapp_company_com_applicationname
waf_signature_merge = true
waf_signature_overwrite = true
waf_signature_location = "local:waf_sig_${var.myapp_company_com_applicationname}"
waf_signature_action = ["log", "stats"]
waf_signature_enabled = "ON"
waf_signature_ruleid = ["998418", "998419","998420","998420","998421","998422","998423","998424","998425","998426"]
depends_on = [module.netscaler-adc-waf-myapp_company_com , module.app_myapp_company_com]
}

Actual Behavior

│ Error: [ERROR] nitro-go: Failed to apply action on resource of type appfwsignatures, action=Import err=failed: 599 Netscaler specific error ({ "errorcode": 3197, "message": "Importing the resource failed", "severity": "ERROR" })

│ with module.netscaler-adc-waf-signatures-myapp_company_com.citrixadc_appfwsignatures.app_waf_signatures,
│ on ../modules/CitrixADC-Appfw-Signatures/main.tf line 2, in resource "citrixadc_appfwsignatures" "app_waf_signatures":
│ 2: resource "citrixadc_appfwsignatures" "app_waf_signatures" {

Relevant Error/Panic Output Snippet

From ns.log logfile on the Netscaler

Oct 12 13:40:17 <local0.warn> 139.98.19.10  2024/10/12:11:40:17 GMT myadc-ext01 0-PPE-1 : default APPFW Message 0 0 :  "Failed to update information: '/var/tmp/_updates/waf_sig_myapp.company.com1728733217.8931', 'waf_sig_myapp.company.com'


### Terraform Configuration Files

variables.tf but not relevant for this issue

### Steps to Reproduce

Please observe data in Expected Behavior

### Debug Output

N/A

### Panic Output

N/A

### Important Factoids

_No response_

### References

_No response_
@kaiAsmOne kaiAsmOne added the bug label Oct 12, 2024
@kaiAsmOne
Copy link
Author

kaiAsmOne commented Oct 13, 2024
edited
Loading

I have been trying to reverse engineer how Netscaler handles signatures.

To me there seems to be a discrepancy between the Nitro API Documentation and actual features

Nitro documentation indicates the abillity to enable / disable individual signatures based on Category and Signature ID

Documentation:

https://developer-docs.netscaler.com/en-us/adc-nitro-api/13-1/configuration/appfw/appfwsignatures
vs the actual features available on how to manage WAF Signatures.

My claim on this discrepancy is confirmed by two approaches.

1: Capture Network Traffic when modifying signatures using Netscaler Diag Capture traffic
2: The yaml file found locally on Netscaler /var/netscaler/nitro/nitro-oas/config/appfw/appfwsignatures.yaml

To my understanding there are only to viable approaches to handle signatures:

1: /nitro/v1/config/appfwsignatures?action=update

This only supports fetching new signatures from the https://s3.amazonaws.com/NSAppFwSignatures/SignaturesMapping.xml

2: /nitro/v1/config/appfwsignatures?action=Import

This only supports importing a new signature file. If you packet capture the result of a simple task as enable/disable a single signature rule the HTTP data shows that the entire signature file is edited at clientside and a new signtature file is then uploaded to the Netscler

The result of these limitations is that managing signatures on a Netscaler means you will have to locally on your own machine or on your DevOps Agent / runner-image within a pipeline edit the Signature .xml file and upload it to the Netscler after editing the XML file manually using awk or similar tools.

This approach does not align very well with a dynamic DevOps Architecture.

Please tell me i am wrong and show me how you can using terraform.
Alternative two show me how this can be done using REST API ( i have been trying with postman) direcly to the Netscaler.

Using
1: Nitro Documentatiion on appfwsignatures
2: Terraforms citrixadc_appfwsignatures
3: Packet Captures

All indicates the NiTRO API Documentation and Terraform Documentation for citrixadc_appfwsignatures are not really achievable

@kaiAsmOne
Copy link
Author

As per my understanding of investigating the Nitro API yaml files on the Netscaler i assume the feature requests will
take time to implement.

in order to survive beeing heavily invested in several large Netscaler cluster in a Hybrid (Cloud and onPrem ) Environment
i have started creating workarounds on how to work my way around the current limitations of the NITRO API (to my understanding)

If other people are stuggeling managing signatures i have created some scripts i currently run locally on my macOS
until i am ready to put them into my DevOps Pipeline.

This might be helpful https://github.com/kaiAsmOne/Netscaler/

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@kaiAsmOne