IPreputation on Netscalers/ADC

IPreputation is a nice feature to have in case you are interested to add more security to your websites. It is a collection of IPs put in categories like web attacks, botnets, spam, etc., that you can use to block access. You can find on the internet multiple companies that offer these types of services. And in the case of the Netscalers, they use the WebRoot(BrightCloud) offering.
https://www.brightcloud.com/
https://citrixready.citrix.com/content/dam/ready/partners/we/webroot/brightcloud-ip-reputation-service/webroot-brightcloud-ip-reputation-solution-overview-citrix-us-brochures.pdf

If you want to manually check an ip against this service you can use: https://www.brightcloud.com/tools/url-ip-lookup.php

The WebRoot categories are Windows Exploits, Web Attacks, Phishing, Botnets, Denial of Service, Scanners, Proxies, Reputation, Spam Sources, and Mobile Threats.

To be able to use this feature you will need:

  • a valid license (Platinum)
  • resolve DNS name api.bcss.brightcloud.com from the Netscaler
  • access from Netscaler (NSIP) to api.bcss.brightcloud.com on port 443
  • enable Reputation feature

To resolve the DNS name api.bcss.brightcloud.com , you need to have some DNS server configured on the Netscaler and make sure the Netscaler can resolve that name. In my case it could not so I’ve added a SNIP address from the same subnet as the NSIP and it started to work.
Also, the NSIP needs access on port 443 to whatever ip the name resolves to. As that name points to AWS, the ip changes, so giving access per IP is not ok.
It is a good (must) practice to have a firewall between NSIP and Internet.
And of course, the Reputation feature needs to be enabled.
If everything is ok the Reputation DB will be downloaded after 5 min. It will also update automatically every 5 min.

You can see this in the logs: /var/log/iprep.log
Also you should see the local DB file here: /var/nslog/iprep/iprep.db

Using the Reputation feature is pretty easy. In this article, I’ve used them in responder policies. You can also use them in application firewall policies if you want. I’ve applied the policies to global (applies to all vips) and on REQ_OVERRIDE. This way they are processed before all responder policies, even before VIP responder policies. But in this case, this is what we want. If a bad IP tries to connect to our sites it will be dropped, no need to check anything else.
The order in which the responder policies are processed is this: REQ_OVERRIDE , responder policies that are binded on the VIP, REQ_DEFAULT. These 3 bind points make the bank of the responder policies. The first matched responder policy is executed. So only one responder policy per request gets executed. That’s why I’ve binded it to REQ_OVERRIDE.

I’ve also created a dataset called Whitelist and used it in all policies, in case some ip’s get in the Webroot database but you want to allow them.


For logging purposes, I’ve created an audit message for each category I’ve used. For this, to work you need to configure Syslog actions and policies pointing to your Syslog servers and the level of logging.

Below you have the Reputation policies(these were tested on ver 11.1):

add policy dataset Whitelist ipv4
bind policy dataset Whitelist aa.bb.cc.dd 


add logt messageaction log_web_attacks INFORMATIONAL "\"alertType=NS ipReputation Category Web_attacks Log - clientIP=\" + CLIENT.IP.SRC +\" VIP=\" + CLIENT.IP.DST + \" Requested : \" +  HTTP.REQ.HOSTNAME.SERVER + HTTP.REQ.URL.HTTP_URL_SAFE"
add logt messageaction log_botnets INFORMATIONAL "\"alertType=NS ipReputation Category Botnets Log - clientIP=\" + CLIENT.IP.SRC +\" VIP=\" + CLIENT.IP.DST + \" Requested : \" + HTTP.REQ.HOSTNAME.SERVER + HTTP.REQ.URL.HTTP_URL_SAFE"
add logt messageaction log_scanners INFORMATIONAL "\"alertType=NS ipReputation Category Scanners  Log - clientIP=\" + CLIENT.IP.SRC +\" VIP=\" + CLIENT.IP.DST + \" Requested : \" + HTTP.REQ.HOSTNAME.SERVER +  HTTP.REQ.URL.HTTP_URL_SAFE"
add logt messageaction log_dos INFORMATIONAL "\"alertType=NS ipReputation Category Dos Log - clientIP=\" + CLIENT.IP.SRC +\" VIP=\" + CLIENT.IP.DST + \" Requested : \" + HTTP.REQ.HOSTNAME.SERVER +  HTTP.REQ.URL.HTTP_URL_SAFE"
add logt messageaction log_cloud INFORMATIONAL "\"alertType=NS ipReputation Category Cloud Log - clientIP=\" + CLIENT.IP.SRC +\" VIP=\" + CLIENT.IP.DST + \" Requested : \" + HTTP.REQ.HOSTNAME.SERVER + HTTP.REQ.URL.HTTP_URL_SAFE"
add logt messageaction log_network INFORMATIONAL "\"alertType=NS ipReputation Category Network Log - clientIP=\" + CLIENT.IP.SRC +\" VIP=\" + CLIENT.IP.DST + \" Requested : \" + HTTP.REQ.HOSTNAME.SERVER + HTTP.REQ.URL.HTTP_URL_SAFE"
add logt messageaction log_reputation INFORMATIONAL "\"alertType=NS ipReputation Category Reputation Log - clientIP=\" + CLIENT.IP.SRC +\" VIP=\" + CLIENT.IP.DST + \" Requested : \" + HTTP.REQ.HOSTNAME.SERVER + HTTP.REQ.URL.HTTP_URL_SAFE"
add logt messageaction log_spam INFORMATIONAL "\"alertType=NS ipReputation Category Spam Log - clientIP=\" + CLIENT.IP.SRC +\" VIP=\" + CLIENT.IP.DST + \" Requested : \" + HTTP.REQ.HOSTNAME.SERVER + HTTP.REQ.URL.HTTP_URL_SAFE"


add responder policy pol_web_attacks "CLIENT.IP.SRC.IPREP_THREAT_CATEGORY(WEB_ATTACKS) && CLIENT.IP.SRC.TYPECAST_TEXT_T.CONTAINS_ANY(\"Whitelist\").NOT" DROP -logAction log_web_attacks
add responder policy pol_botnets "CLIENT.IP.SRC.IPREP_THREAT_CATEGORY(BOTNETS) && CLIENT.IP.SRC.TYPECAST_TEXT_T.CONTAINS_ANY(\"Whitelist\").NOT" DROP -logAction log_botnets
add responder policy pol_scanners "CLIENT.IP.SRC.IPREP_THREAT_CATEGORY(SCANNERS) && CLIENT.IP.SRC.TYPECAST_TEXT_T.CONTAINS_ANY(\"Whitelist\").NOT" DROP -logAction log_scanners
add responder policy pol_dos "CLIENT.IP.SRC.IPREP_THREAT_CATEGORY(DOS) && CLIENT.IP.SRC.TYPECAST_TEXT_T.CONTAINS_ANY(\"Whitelist\").NOT" DROP -logAction log_dos
add responder policy pol_cloud "CLIENT.IP.SRC.IPREP_THREAT_CATEGORY(CLOUD_PROVIDERS) && CLIENT.IP.SRC.TYPECAST_TEXT_T.CONTAINS_ANY(\"Whitelist\").NOT" DROP -logAction log_cloud
add responder policy pol_network "CLIENT.IP.SRC.IPREP_THREAT_CATEGORY(NETWORK) && CLIENT.IP.SRC.TYPECAST_TEXT_T.CONTAINS_ANY(\"Whitelist\").NOT" DROP -logAction log_network
add responder policy pol_reputation "CLIENT.IP.SRC.IPREP_THREAT_CATEGORY(REPUTATION) && CLIENT.IP.SRC.TYPECAST_TEXT_T.CONTAINS_ANY(\"Whitelist\").NOT" DROP -logAction log_reputation
add responder policy pol_spam "CLIENT.IP.SRC.IPREP_THREAT_CATEGORY(SPAM_SOURCES) && CLIENT.IP.SRC.TYPECAST_TEXT_T.CONTAINS_ANY(\"Whitelist\").NOT" DROP -logAction log_spam


bind responder global pol_web_attacks 10 END -type REQ_OVERRIDE
bind responder global pol_botnets 20 END -type REQ_OVERRIDE
bind responder global pol_scanners 30 END -type REQ_OVERRIDE
bind responder global pol_dos 40 END -type REQ_OVERRIDE
bind responder global pol_cloud 50 END -type REQ_OVERRIDE
bind responder global pol_network 60 END -type REQ_OVERRIDE
bind responder global pol_reputation 70 END -type REQ_OVERRIDE
bind responder global pol_spam 80 END -type REQ_OVERRIDE

Documentation :
https://docs.citrix.com/en-us/netscaler/12/reputation/ip-reputation.html

About the author

Mihai is a Senior Network Engineer with more than 15 years of experience