Monday, April 13, 2015

Copying a NetScaler Application Firewall Profile

Not XPages but still...a post is a post!

The Citrix NetScaler Application Delivery Controller provides a Web Application Firewall that can be used to protect against various attack vectors including the OWASP Top 10.

Configuring the AppFW is no mean feat.  Getting the protections configured correctly requires many rounds of application vulnerability testing using proper tools (e.g. IBM AppScan, OWASP ZAP, Burp Suite), determining which AppFW protection feature to enable in Learn Mode, and then confirming your application still works once the protections are in place.

For our application, the initial configuration required at least 40 hours, and configuration tweaking really does not stop once you think you've "got it", because applications change, attacks change, platforms change.

By the time you're "done" getting your AppFW profile completed and your application passes the tests, the LAST thing you ever want to do is recreate the hundreds of rules you just created and tested!

Backup? No problem!  Exporting the AppFW profile is simple enough, and so is importing it if that is all you want to do.  It is very easy to create one in a test environment and then move it into production, or even to keep the profiles in sync between multiple NetScalers.

But...what if you want to make a copy of all that hard work you did and apply it for some new tweaking?  Yeah, that's not so obvious so I thought I would post how to do it so it would be easy for others!

1. Export your original AppFW profile.

2.  Extract the showcmds.txt file and the var folder.

3.  Replace the original AppFW profile name on each rule in the showcmds.txt file with the new profile name you want to use.  This file is just a list of all the rules you created during configuration.  Save the file when done.

4.  Create a tar file containing the showcmds.txt file and the var folder.  Use the new AppFW profile name to be the name of the tar file.

5. Import the tar file back into the NetScaler AppFW.
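Steps 2 to 4 can also be scripted. The following is an added example, not part of the original post and not Citrix code: it rewrites the profile name only where it stands as a whole whitespace-delimited token, so a rule's URL pattern or a longer profile name that happens to contain the old name is left untouched. The layout of showcmds.txt, the sample profile names and the function names are assumptions, and profile names are assumed to contain no spaces.

```python
import io, re, tarfile, tempfile
from pathlib import Path

# Constructed sample; the real layout of showcmds.txt is an assumption.
SAMPLE_SHOWCMDS = (
    "add appfw profile shop_prof\n"
    "bind appfw profile shop_prof -startURL ^https://www\\.example\\.com/shop_prof/$\n"
    "bind appfw profile shop_prof_v2 -denyURL ^.*\\.bak$\n"
)

def clone_appfw_export(src_tar, out_dir, old_name, new_name):
    """Steps 2-4: copy the export, renaming the profile in showcmds.txt.
    Returns (path of the new tar, number of command lines rewritten)."""
    # Whole-token match: the old name inside a URL pattern or a longer
    # profile name is left alone.
    token = re.compile(r"(?<!\S)" + re.escape(old_name) + r"(?!\S)")
    out_path = Path(out_dir) / (new_name + ".tar")  # tar named after the new profile
    rewritten = 0
    with tarfile.open(src_tar) as src, tarfile.open(out_path, "w") as dst:
        for member in src.getmembers():
            data = src.extractfile(member) if member.isfile() else None
            if data is not None and Path(member.name).name == "showcmds.txt":
                lines = data.read().decode("utf-8").splitlines(keepends=True)
                renamed = [token.sub(lambda m: new_name, ln) for ln in lines]
                rewritten = sum(a != b for a, b in zip(lines, renamed))
                payload = "".join(renamed).encode("utf-8")
                member.size = len(payload)
                data = io.BytesIO(payload)
            dst.addfile(member, data)  # everything under var/ is copied unchanged
    if rewritten == 0:  # wrong name or unexpected format: do not leave a useless tar
        out_path.unlink()
        raise ValueError("profile name %r not found in showcmds.txt" % old_name)
    return out_path, rewritten

def demo():
    """Build a constructed export, clone it, return (count, tar name, members, text)."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "shop_prof.tar"
        with tarfile.open(src, "w") as t:
            for name, body in (("showcmds.txt", SAMPLE_SHOWCMDS.encode()),
                               ("var/placeholder.xml", b"<x/>")):
                info = tarfile.TarInfo(name)
                info.size = len(body)
                t.addfile(info, io.BytesIO(body))
        out, count = clone_appfw_export(src, work, "shop_prof", "shop_prof_test")
        with tarfile.open(out) as t:
            text = t.extractfile("showcmds.txt").read().decode()
            return count, out.name, sorted(t.getnames()), text
```

Compare the returned count with the number of rules you expect before importing the new tar; a count of zero raises an error instead of producing an archive that still carries the old profile name.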

BTW: I used Keka to create the tar file.

I used The Google and found zero posts on how to do this.  Unlike the XPages folk, the NetScaler peeps don't appear to be nearly as productive in the Blogging O' Tips business! (Or maybe nobody else needed to do this. Ever. Or there is some super easy way that I just don't know about!  Nah.)