Citrix NetScaler AppFirewall: WAF Overview and Analysis


Bottom line

NetScaler AppFirewall is a good choice for existing Citrix customers, or where a high-performance WAF appliance is the primary need. It competes less well where application security is the highest-weighted requirement. Organizations evaluating it outside an existing Citrix platform should test it in their own environments before committing.

Product Description

Citrix NetScaler AppFirewall is a WAF that inspects traffic in both directions, including SSL/TLS-encrypted sessions, to protect web applications against attack. It performs deep-packet inspection of HTTP, HTTPS and XML and is designed to cover the OWASP Top 10. Its protections include SQL injection, cross-site scripting, cookie tampering, form field validation and protection, HTTP and XML request and response format validation, JSON payload inspection, signature-based and behavior-based protections, data loss prevention (DLP) support, DoS protection, authentication, authorization and auditing (AAA) support and reporting, and policy tools intended to simplify PCI DSS compliance verification. The NetScaler SDX platform adds multitenant support that consolidates a large number of NetScaler instances on a single hardware appliance. NetScaler integrates with Thales and SafeNet hardware security modules (HSMs) and can terminate and decrypt SSL/TLS at scale.



Security: Very good. NSS Labs tied it for the highest score on security effectiveness and ranked it second on block rate at 99.07%.

Performance: Best in class. NSS Labs ranked it highest on performance, measuring 149,000 connections per second (CPS) and 184,400 transactions per second.

Value: Best in class. NSS Labs gave Citrix top place on overall total cost of ownership (TCO): $132,800 over three years, or $0.37 per connection per second (CPS), far lower than the other products tested.

Implementation: Good. Citrix claims the NetScaler Web App Security Service takes fewer than five clicks from first login to protection. The appliance version requires considerably more installation work.

“Clients cite that documentation needs improvements,” Gartner said. “Clients would like a more intuitive way to deploy AppExpert Templates for known applications.”

User comments vary. An IT user in the retail industry said, “Easy to configure with wizard-based configuration assistance, visibility of the logs/violations.”

“Complex to implement. Legacy applications proved to be a challenge to integrate,” said a director of network engineering in the finance industry. “This company required 12 months to implement.”

Management: Very good. User comments on management are largely positive. One recurring request is for better handling of false positives.

Gartner said, “Some clients indicate that NetScaler AppFirewall has limitations in the areas of automatic policy learning, reporting dashboard and the ability to avoid false alerts (false positive rate).”

Support: Very good. “Clients highlight support availability and NetScaler performance as reasons to select AppFirewall,” Gartner said. “They give good scores to the vendor’s threat research team for its ability to release new signatures that can be automatically deployed.”

User comments are predominantly positive.

Cloud features: Good. Citrix released its cloud-based WAF service one year ago. Known as the NetScaler Web App Security Service, it is built on AppFirewall.


Security Qualifications

ICSA, Common Criteria and FIPS certifications; support for PCI DSS compliance.


NetScaler AppFirewall includes an adaptive learning engine. Under a positive security model, anything not explicitly allowed is blocked, so legitimate but unanticipated application behavior (a new form field, an unusual parameter value) would otherwise trigger blocks. The learning engine observes live traffic, identifies that intended behavior, and generates policy recommendations, giving security managers a clearer picture of how the application actually behaves before they tighten enforcement.
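To make the mechanism concrete, here is a small positive-security-model learning engine in Python. It is an added illustration written for this page, not Citrix code and not how AppFirewall is implemented internally: the request URLs, the `min_hits` threshold and the three value classes are all constructed assumptions. It learns which paths, parameters and value classes appear in observed traffic, emits recommendations only for paths seen often enough, and then enforces the learned model against new requests.

```python
"""Toy positive-security-model learning engine (illustration only, not Citrix code)."""
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qsl, urlsplit

# Value classes from most to least restrictive (assumed for this example).
# A learned rule is the least restrictive class seen for that parameter.
CLASSES = ["int", "alnum", "text"]


def classify(value):
    """Map a parameter value to one of the assumed classes."""
    if re.fullmatch(r"-?\d+", value):
        return "int"
    if re.fullmatch(r"[A-Za-z0-9_.-]+", value):
        return "alnum"
    return "text"


class LearningEngine:
    """Builds a positive model (allowed paths, parameters, value classes) from traffic."""

    def __init__(self, min_hits=3):
        # A path must be seen at least min_hits times before it is recommended,
        # so a few attacker probes during learning mode cannot teach the WAF to allow them.
        self.min_hits = min_hits
        self.hits = Counter()                                  # path -> requests seen
        self.seen = defaultdict(lambda: defaultdict(set))      # path -> param -> classes seen

    def observe(self, url):
        parts = urlsplit(url)
        self.hits[parts.path] += 1
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            self.seen[parts.path][name].add(classify(value))

    def recommendations(self):
        """Policy recommendations: path -> {parameter: least restrictive class seen}."""
        policy = {}
        for path, count in self.hits.items():
            if count < self.min_hits:
                continue
            policy[path] = {p: max(cls, key=CLASSES.index) for p, cls in self.seen[path].items()}
        return policy


def enforce(policy, url):
    """Return the positive-model violations for one request (empty list means allowed)."""
    parts = urlsplit(url)
    rules = policy.get(parts.path)
    if rules is None:
        return [f"unknown path {parts.path}"]
    violations = []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        expected = rules.get(name)
        if expected is None:
            violations.append(f"unexpected parameter {name!r}")
        elif CLASSES.index(classify(value)) > CLASSES.index(expected):
            violations.append(f"{name}={value!r} is {classify(value)}, learned class is {expected}")
    return violations


# Constructed sample traffic observed in learning mode (not real logs).
LEARNING_TRAFFIC = [
    "/product?id=101", "/product?id=205", "/product?id=77", "/product?id=9",
    "/search?q=red+shoes", "/search?q=blue+hat", "/search?q=socks",
    "/admin/export?table=users",   # a single probe: below min_hits, so never learned
]

# Constructed requests to evaluate once the learned policy is enforced.
TEST_REQUESTS = [
    "/product?id=42",
    "/product?id=1' OR '1'='1",
    "/product?id=5&debug=1",
    "/admin/export?table=users",
    "/search?q=<script>alert(1)</script>",
]


def demo():
    engine = LearningEngine(min_hits=3)
    for url in LEARNING_TRAFFIC:
        engine.observe(url)
    policy = engine.recommendations()
    return policy, {u: enforce(policy, u) for u in TEST_REQUESTS}


if __name__ == "__main__":
    learned, results = demo()
    print("recommended policy:", learned)
    for req, viol in results.items():
        print(req, "->", viol or "allowed")
```

Two points a practitioner should take from the output. The `/admin/export` probe seen once during learning is never recommended, which is why a hit threshold (and a clean, representative learning period) matters. And the search parameter is learned as free text, so the positive model alone passes a script tag in `q`; that is the gap the signature-based and behavior-based protections in the product description are meant to cover, and a reminder that learning-engine recommendations should be reviewed rather than applied blindly.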


Delivery: Available as a standalone hardware appliance, as a cloud-based service, and as a feature built into larger Citrix product suites.


Pricing: Pay-As-You-Grow pricing is offered for the hosted web service. NSS Labs put the three-year TCO at $132,800 and the TCO per connection per second (CPS) at $0.37, the lowest among the WAF products it tested.

By Drew Robb
