The Cequence UAP provides both inline and passive integrations with existing NetScaler deployments. Your Cequence UAP deployment can include Bot Defense, API Sentinel, or both.
In inline integration, API traffic is routed through the Cequence UAP. This deployment scenario supports both Bot mitigation and API protection. Inline integration offers two options: Upstream and Hairpin.
In passive integration, request/response transaction information is captured and sent to the Cequence UAP using the NetScaler IDS Layer 3 Integration feature. Passive integration supports API discovery and risk analysis of APIs by Cequence API Sentinel. Detection, discovery, and risk events can optionally be logged to external SIEM and SOAR services.
This guide provides information to configure NetScaler to support Upstream and Hairpin for inline deployments. The Cequence Customer Success Team can assist with your Cequence UAP deployment to meet your security posture needs.
How Cequence Sensor integrates with NetScaler
The following diagram shows how the Cequence Sensor integrates with a NetScaler appliance.
These are the component interactions:
- A client sends an HTTP/HTTPS request to the NetScaler appliance.
- The appliance intercepts the traffic and sends the data to Cequence Sensor across different data centers or to a cloud. Data transmission uses an IP tunnel.
- The appliance decrypts the data if necessary and sends the decrypted data as plain text.
- Based on policy evaluation, the appliance applies a “MIRROR” type content inspection action.
- The action is configured with an IDS service or, when multiple Cequence Sensors are integrated, with a load balancing virtual server that fronts them.
- The Cequence Sensor is configured as a content inspection service of type “ANY” on the NetScaler appliance. The content inspection service is then associated with the “MIRROR” type content inspection profile and with the tunnel parameter that specifies the IP-tunneled layer 3 interface used to forward data to the Cequence Sensor.
- Similarly, when the back-end server sends a response to NetScaler, the appliance replicates and forwards the data to the Cequence Sensor.
- When multiple Cequence Sensors are integrated with your NetScaler appliance, you can optionally use the load-balancing virtual server.
Software licensing
To deploy the IDS integration, provision your NetScaler appliance with one of the following licenses:
- ADC Premium
- ADC Advanced
Configuring Cequence Sensor integration
You can integrate an IDS device with NetScaler in two different ways.
Scenario 1: Integration with a single Sensor instance
At the command-line interface, perform the following steps.
- Enable content inspection.
- Add a content inspection profile of type MIRROR to the service representing Cequence Sensor.
- Add an IDS service of type “ANY”.
- Add a content inspection action of type “MIRROR”.
- Add a content inspection policy for IDS inspection.
- Bind the content inspection policy to an HTTP/SSL content switching or load balancing virtual service.
Enable Content Inspection
For the NetScaler appliance to send the content for inspection to the Cequence Sensor, enable the Content Inspection and load balancing features.
At the command prompt, type:
enable ns feature contentInspection LoadBalancing
Add Content Inspection profile of type “MIRROR”
The Content Inspection profile of type “MIRROR” defines a connection type to the Cequence Sensor. At the command prompt, type:
add contentInspection profile <name> -type MIRROR -ipTunnel <iptunnel_name>
Example:
add contentInspection profile Sensor_profile1 -type MIRROR -ipTunnel ipsect-tunnel1
Add Cequence Sensor service
You must configure a service of type “ANY” for each Cequence Sensor that is integrated with the appliance. The service has the Cequence Sensor configuration details. The service represents the Cequence Sensor.
At the command prompt, type:
add service <Service_name> <IP> ANY <Port> -contentInspectionProfileName <Name> -healthMonitor OFF -usip ON -useproxyport OFF
Example:
add service Sensor_service 1.1.1.1 ANY 8080 -contentInspectionProfileName Sensor_profile1 -healthMonitor OFF
Add content inspection action of type MIRROR for Cequence Sensor service
After you enable the Content Inspection feature and then add the Cequence Sensor profile and service, you must add the Content Inspection action for handling the request. Based on the content inspection action, the appliance can drop, reset, block, or send data to the Cequence Sensor.
At the command prompt, type:
add contentInspection action <action_name> -type MIRROR -serverName <Service_name|Vserver_name>
Example:
add contentInspection action Sensor_action -type MIRROR -serverName Sensor_service
Add content inspection policy for Cequence Sensor inspection
After you create a Content Inspection action, you must add Content Inspection policies to evaluate requests for inspection. The policy is based on a rule which consists of one or more expressions. The policy evaluates and selects the traffic for inspection based on the rule.
At the command prompt, type the following:
add contentInspection policy <policy_name> -rule <Rule> -action <action_name>
Example:
add contentInspection policy Sensor_pol1 -rule true -action Sensor_action
Add content switching or load balancing virtual server of type HTTP/SSL
To receive the web traffic, you must add a load balancing virtual server of type HTTP or SSL. At the command prompt, type:
add lb vserver <vserver_name> <HTTP|SSL> <IP> <port>
Example:
add lb vserver HTTP_vserver HTTP 1.1.1.3 8080
Bind Content Inspection policy to content switching virtual server or load balancing virtual server of type HTTP/SSL
You must bind the load balancing virtual server or content switching virtual server of type HTTP/SSL to the Content Inspection policy.
At the command prompt, type the following:
bind lb vserver <vserver_name> -policyName <policy_name> -priority <priority> -type REQUEST
Example:
bind lb vserver HTTP_vserver -policyName Sensor_pol1 -priority 100 -type REQUEST
Scenario 2: Load balancing multiple Cequence Sensors
If you are using two or more Cequence Sensors, you must load balance them using a separate content inspection service for each Sensor. In this case, the NetScaler appliance load balances across the Cequence Sensors, sending a subset of the mirrored traffic to each. For the basic configuration steps, refer to scenario 1.
Following are the steps you must configure using the command line interface.
- Add content inspection profile 1 of type MIRROR for Cequence Sensor service 1
- Add content inspection profile 2 of type MIRROR for Cequence Sensor service 2
- Add Cequence Sensor service 1 of type ANY for Cequence Sensor 1
- Add Cequence Sensor service 2 of type ANY for Cequence Sensor 2
- Add load balancing virtual server of type ANY
- Bind Cequence Sensor service 1 to load balancing virtual server
- Bind Cequence Sensor service 2 to load balancing virtual server
- Add content inspection action for the load balancing of Cequence Sensors.
- Add content inspection policy for inspection
- Add content switching or load balancing virtual server of type HTTP/SSL
- Bind content inspection policy to load balancing virtual server of type HTTP/SSL
Add content inspection profile1 of type MIRROR for Cequence Sensor service 1
Cequence Sensor configuration can be specified in an entity called the Content Inspection profile. The profile has a collection of Cequence Sensor settings. The Content Inspection profile1 is created for Cequence Sensor service 1.
At the command prompt, type:
add contentInspection profile <name> -type MIRROR -ipTunnel <iptunnel_name>
Example:
add contentInspection profile Sensor_profile1 -type MIRROR -ipTunnel ipsect_tunnel1
Add content inspection profile2 of type MIRROR for Cequence Sensor service 2
Cequence Sensor configuration can be specified in an entity called the Content Inspection profile. The profile has a collection of Cequence Sensor settings. The Content Inspection profile2 is created for Cequence Sensor service 2.
At the command prompt, type:
add contentInspection profile <name> -type MIRROR -ipTunnel <iptunnel_name>
Example:
add contentInspection profile Sensor_profile2 -type MIRROR -ipTunnel ipsect_tunnel2
Add Cequence Sensor service 1 of type ANY for Cequence Sensor 1
After you enable the Content Inspection feature and add the inline profile, you must add inline service 1 for inline Cequence Sensor 1 so that it can be part of the load balancing setup. The service that you add provides all the inline configuration details.
At the command prompt, type:
add service <Service_name_1> <Pvt_IP1> ANY <Port> -contentInspectionProfileName <IDS_Profile_1> -usip ON -useproxyport OFF
Example:
add service Sensor_service1 1.1.1.1 ANY 80 -contentInspectionProfileName Sensor_profile1 -usip ON -useproxyport OFF
Add Cequence Sensor service 2 of type ANY for Cequence Sensor 2
After you enable the Content Inspection feature and add the inline profile, you must add inline service 2 for inline Cequence Sensor 2 so that it can be part of the load balancing setup. The service that you add provides all the inline configuration details.
At the command prompt, type:
add service <Service_name_2> <Pvt_IP2> ANY <Port> -contentInspectionProfileName <IDS_Profile_2> -usip ON -useproxyport OFF
Example:
add service Sensor_service2 1.1.1.2 ANY 80 -contentInspectionProfileName Sensor_profile2 -usip ON -useproxyport OFF
Add load balancing virtual server
After you have added the inline profile and the services, you must add a load balancing virtual server for load balancing the services.
At the command prompt, type:
add lb vserver <vserver_name> ANY <Pvt_IP3> <port>
Example:
add lb vserver lb-Sensor_vserver ANY 1.1.1.2
Bind Cequence Sensor service 1 to load balancing virtual server
After you add the load balancing virtual server, bind the first service to it.
At the command prompt, type:
bind lb vserver <Vserver_name> <Service_name_1>
Example:
bind lb vserver lb-Sensor_vserver Sensor_service1
Bind Cequence Sensor service 2 to load balancing virtual server
After you add the load balancing virtual server, bind the second service to it.
At the command prompt, type:
bind lb vserver <Vserver_name> <Service_name_2>
Example:
bind lb vserver lb-Sensor_vserver Sensor_service2
Add content inspection action for the IDS service
After you enable the Content Inspection feature, you must add the Content Inspection action for handling the inline request information. Based on the action selected, the appliance drops, resets, blocks, or sends traffic to the Cequence Sensors.
At the command prompt, type:
add contentInspection action <name> -type MIRROR -serverName <Service_name|Vserver_name> [-ifserverdown <ifserverdown>]
Example:
add contentInspection action Sensor_action -type MIRROR -serverName lb-Sensor_vserver
Add content inspection policy for Cequence Sensor inspection
After you create a Content Inspection action, you must add Content Inspection policies to evaluate requests for inspection. The policy is based on a rule which consists of one or more expressions. The policy evaluates and selects the traffic for inspection based on the rule.
At the command prompt, type the following:
add contentInspection policy <policy_name> -rule <Rule> -action <action_name>
Example:
add contentInspection policy Sensor_pol1 -rule true -action Sensor_action
Add content switching or load balancing virtual server of type HTTP/SSL
To receive the web traffic, you must add a load balancing virtual server of type HTTP or SSL. At the command prompt, type:
add lb vserver <vserver_name> <HTTP|SSL> <IP> <port>
Example:
add lb vserver HTTP_vserver HTTP 1.1.1.3 8080
Bind Content Inspection policy to content switching virtual server or load balancing virtual server of type HTTP/SSL
You must bind the load balancing virtual server or content switching virtual server of type HTTP/SSL to the Content Inspection policy.
At the command prompt, type the following:
bind lb vserver <vserver_name> -policyName <policy_name> -priority <priority> -type REQUEST
Example:
bind lb vserver HTTP_vserver -policyName Sensor_pol1 -priority 100 -type REQUEST
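The scenario 1 and scenario 2 command sequences are easy to get subtly wrong: a MIRROR profile with no -ipTunnel, or a policy, action, or bind that names an entity which was never created, leaves the Sensor silently receiving nothing. The following linter is an added example, not part of this guide or of NetScaler; it parses a batch of the CLI lines above (a constructed scenario 2 sequence with placeholder 192.0.2.x addresses and two seeded defects) and reports those mistakes before the batch is applied.

```python
# Constructed sample (not from the guide): scenario 2 commands with two defects seeded in.
SAMPLE_CONFIG = """
add contentInspection profile Sensor_profile1 -type MIRROR -ipTunnel ipsec_tunnel1
add contentInspection profile Sensor_profile2 -type MIRROR
add service Sensor_service1 192.0.2.11 ANY 80 -contentInspectionProfileName Sensor_profile1 -usip ON -useproxyport OFF
add service Sensor_service2 192.0.2.12 ANY 80 -contentInspectionProfileName Sensor_profile2 -usip ON -useproxyport OFF
add lb vserver lb-Sensor_vserver ANY 192.0.2.13 80
bind lb vserver lb-Sensor_vserver Sensor_service1
add contentInspection action Sensor_action -type MIRROR -serverName lb-Sensor_vserver
add contentInspection policy Sensor_pol1 -rule true -action IDS_action
add lb vserver HTTP_vserver HTTP 192.0.2.20 8080
bind lb vserver HTTP_vserver -policyName Sensor_pol1 -priority 100 -type REQUEST
"""

def parse(line):  # -> (positional words, {option: value}, lowercased command key)
    toks, words, opts = line.split(), [], {}
    for i, t in enumerate(toks):
        if t.startswith("-"):
            opts[t[1:].lower()] = toks[i + 1] if i + 1 < len(toks) else ""
        elif i == 0 or not toks[i - 1].startswith("-"):  # skip option values
            words.append(t)
    return words, opts, " ".join(words[:3]).lower()

def lint_config(text):
    """Flag MIRROR profiles without -ipTunnel and references to entities not yet created."""
    seen, findings = {k: set() for k in ("profile", "service", "vserver", "action", "policy")}, []
    for line in text.strip().splitlines():
        w, o, cmd = parse(line)
        if cmd == "add contentinspection profile":
            seen["profile"].add(w[3])
            if o.get("type", "").upper() == "MIRROR" and "iptunnel" not in o:
                findings.append(f"profile {w[3]}: type MIRROR but no -ipTunnel")
        elif cmd.startswith("add service"):
            seen["service"].add(w[2])
            if (p := o.get("contentinspectionprofilename")) and p not in seen["profile"]:
                findings.append(f"service {w[2]}: unknown profile {p}")
        elif cmd == "add lb vserver":
            seen["vserver"].add(w[3])
        elif cmd == "bind lb vserver":  # either a positional service bind or a -policyName bind
            for kind, name in (("vserver", w[3]), ("service", w[4:5] and w[4]), ("policy", o.get("policyname"))):
                if name and name not in seen[kind]:
                    findings.append(f"bind {w[3]}: unknown {kind} {name}")
        elif cmd == "add contentinspection action":
            seen["action"].add(w[3])
            if o.get("servername") not in seen["service"] | seen["vserver"]:
                findings.append(f"action {w[3]}: unknown serverName {o.get('servername')}")
        elif cmd == "add contentinspection policy":
            seen["policy"].add(w[3])
            if o.get("action") not in seen["action"]:
                findings.append(f"policy {w[3]}: unknown action {o.get('action')}")
    return findings
```

Run it over the exported batch file before applying it; an empty list means every name the policy chain references exists and every MIRROR profile has its tunnel.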
Configure inline service integration using the NetScaler GUI
- Navigate to Security > Content Inspection > Content Inspection Profiles.
- In the Content Inspection Profile page, click Add.
- In the Create Content Inspection Profile page, set the following parameters.
  - Profile Name. Name of the content inspection profile for Cequence Sensor.
  - Type. Select MIRROR as the profile type.
  - Connectivity. Layer 2 or Layer 3 interface.
  - IP Tunnel. Select the IP tunnel that carries the mirrored traffic between the two networks.
- Click Create.
- Navigate to Traffic Management > Load Balancing > Services and click Add.
- In the Load Balancing Service page, enter the content inspection service details.
- In the Advanced Settings section, click Profiles.
- Go to the Profiles section and click the Pencil icon to add the content inspection profile.
- Click OK.
- Navigate to Load Balancing > Servers. Add a virtual server of type HTTP or SSL.
- After entering the server details, click OK and again OK.
- In the Advanced Settings section, click Policies.
- Go to the Policies section and click the Pencil icon to configure the content inspection policy.
- On the Choose Policy page, select Content Inspection. Click Continue.
- In the Policy Binding section, click “+” to add a Content Inspection policy.
- In the Create CI Policy page, enter a name for the Inline content inspection policy.
- In the Action field, click the “+” sign to create an IDS content inspection action of type MIRROR.
- In the Create CI Action page, set the following parameters.
  - Name. Name of the content inspection action.
  - Type. Select the type as MIRROR.
  - Server Name. Select the service or load balancing virtual server that represents the Cequence Sensor.
  - If Server Down. Select the operation to perform if the server goes down.
  - Request Time-out. Select a time-out value. The default value can be used.
  - Request Time-out Action. Select a time-out action. The default value can be used.
- Click Create.
- In the Create CI Policy page, enter other details.
- Click OK and Close.