Performance issues when enabling AppFirewall

The following are the main performance issues to be aware of when AppFirewall is enabled:

  • A very tempting expression to use when configuring AppFirewall policies is true. It is useful during troubleshooting, since it guarantees that the policy matches and AppFirewall is invoked. Used in production, however, it sends every request through the profile, and depending on the traffic volume and how comprehensive the protection checks are, that can easily result in a significant performance hit. A better practice is to write policies that match the profile of the requests they are meant to protect, such as: HTTP.REQ.HOSTNAME.EQ("example.com").
  • Similarly, regular expressions, a particular favorite of administrators coming from the scripting world, are tempting to use and are sometimes absolutely necessary to achieve a certain level of flexibility. Regex, too, has a measurable performance impact when it is evaluated against a large number of requests. Where possible, use literal matches and the fastmatch option discussed in the Signatures section.
  • A final performance issue is that of scanning large files. To protect effectively, AppFirewall needs to inspect each request in its entirety, rather than as individual packets that each contain only part of the information. This is not a problem for most HTTP requests and responses, which are generally in the range of kilobytes. File uploads, however, can get much larger, and buffering them in full has the potential to cause AppFirewall to hang. To avoid such situations, the maximum request size that AppFirewall will accept is set to 20000000 bytes (~20 MB) by default. The downside of this setting is that AppFirewall will reject requests whose size exceeds this limit. You can, of course, increase this limit, but you will need to weigh the performance impact carefully.
  • NetScaler 11.0 allows requests to be streamed instead of being accumulated in full before inspection. A certain amount is still buffered, but only as much as is necessary at the time to run the checks. AppFirewall streaming can be enabled on a profile using the following command:
    > set AppFirewall profile web20 -streaming ON
    

Ruling out AppFirewall as a potential cause

There will be occasions where, to confirm or rule out AppFirewall as the source of a problem, you want to bypass it for a subset of users or URLs.

The easiest way to do this is to attach the built-in APPFW_BYPASS profile to an appropriately chosen policy and bind that policy ahead of the policies that do the protecting. The following is an example that creates such a policy for traffic to OWA:

add AppFirewall policy bypass_AppFirewall_for_owa "HTTP.REQ.URL.PATH.CONTAINS(\"/owa/\")" APPFW_BYPASS
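The following NetScaler CLI fragment is an added example, not configuration from the book or from Citrix, that ties the two sections together: a profile with streaming and an explicit post-body limit, a protecting policy scoped to a hostname instead of true, and the OWA bypass policy bound ahead of it. The profile name web20, the policy names and example.com are placeholders; the commands use the appfw keyword as written in the Citrix documentation, and APPFW_BYPASS is the built-in bypass profile.

```text
# Added configuration example (not from the book or Citrix). Names are
# placeholders; APPFW_BYPASS is the built-in NetScaler bypass profile.

# Profile tuning: stream requests instead of buffering them in full, and
# state the post-body limit explicitly (this is the 20 MB default) so the
# value is visible in the running configuration rather than implied.
set appfw profile web20 -streaming ON
set appfw profile web20 -postBodyLimit 20000000

# Scope the protecting policy to the site it protects instead of "true",
# so requests for other hostnames never enter the web20 checks.
add appfw policy pol_web20 "HTTP.REQ.HOSTNAME.EQ(\"example.com\")" web20

# Bypass policy for OWA. STARTSWITH anchors the match at the start of the
# path, so "/app/anything/owa/" does not also escape inspection. The inner
# quotes are escaped with a backslash so the CLI does not end the
# expression string early.
add appfw policy bypass_AppFirewall_for_owa "HTTP.REQ.URL.PATH.STARTSWITH(\"/owa/\")" APPFW_BYPASS

# A lower priority number is evaluated first: the bypass (10) is checked
# before the protecting policy (100), so OWA traffic skips the web20 checks
# and everything else for example.com is still inspected.
bind appfw global bypass_AppFirewall_for_owa 10
bind appfw global pol_web20 100

# Verify the binding order before testing.
show appfw global
```

Two things to check once this is in place. First, confirm that the bypass policy is actually the one being hit for the failing requests; if the symptom persists with the bypass in force, AppFirewall is ruled out and the problem lies elsewhere. Second, treat the bypass as a diagnostic, not a permanent exception: it exempts the matched URLs from every check in the profile, so keep the expression as narrow as possible and remove the binding once the investigation is over.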