I recently encountered a problem where I had a Citrix NetScaler that, for security reasons, had no internet connection. It was located in the second DMZ and was intended to act as a second-hop server. A relatively large number of load balancers had been set up, along with the corresponding WAFs.
A Citrix Knowledge Base article explains exactly how to configure NetScaler itself so that it loads the signatures from another server; the question was, how do you get the signatures onto that server? I wrote a Perl script for this.
# (C) Johannes Norz 2026
# download the signature definition file
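use strict;
use warnings;
use XML::LibXML;

# Mirrors the NetScaler application-firewall signature files into ./sigs so
# that an internal server can offer them to appliances without internet access.
my $base_url = "https://s3.amazonaws.com/NSAppFwSignatures/";

# The mapping file lists every signature file together with its sha1 and
# digest companion files.
my ($filename) = "SignaturesMapping.xml";
download_file($base_url . $filename, $filename) or die "Download fehlgeschlagen";

# The mapping has just been fetched from the internet, so parse it without
# letting the parser load external DTDs or reach out to the network.
my $parser = XML::LibXML->new(no_network => 1, load_ext_dtd => 0);
my $doc = $parser->parse_file($filename);

# Without this check a missing directory went unnoticed and every file was
# written into the current directory instead.
-d "sigs" or mkdir "sigs" or die "Cannot create directory 'sigs': $!";
chdir "sigs" or die "Cannot change into directory 'sigs': $!";

for my $node ($doc->findnodes('//sig_file')) {
    # Each entry names three files: the signature file itself, its sha1 file
    # and its digest file. They are fetched in that order.
    for my $field (qw(file sha1 digest)) {
        my $name = $node->findvalue("./$field");
        $name =~ s{^sigs/}{};

        # The name comes from downloaded XML and is used as a local path, so
        # refuse anything empty, absolute, or containing a ".." component.
        die "Refusing unsafe file name '$name' from $filename"
            if $name eq ''
            || $name =~ m{\A/}
            || $name =~ m{(?:\A|/)\.\.(?:/|\z)}
            || $name =~ /[\\\0]/;

        download_file($base_url . "sigs/$name", $name) or die "Download of $name failed";
    }
}

# NOTE(review): the sha1 and digest files are only mirrored here; nothing in
# this script compares them with the downloaded signature files. Consider
# verifying each file before publishing the directory to the internal server.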
#-----------------------------
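sub download_file {
    # Fetches $url and writes the response body to the local file $filename.
    #
    # Parameters:
    #   $url      - address to download
    #   $filename - local path that receives the body
    #
    # Returns 1 on success and 0 on failure; a failure is also reported
    # through warn().
    use LWP::UserAgent ();
    my ($url, $filename) = @_;

    my $ua = LWP::UserAgent->new(
        timeout => 30,
        agent   => 'PerlDownloader/1.0',
    );
    my $response = $ua->get($url, ':content_file' => $filename);

    unless ($response->is_success) {
        warn "error downloading: " . $response->status_line . "\n";
        return 0;
    }

    # LWP reports a failure while writing the body (for example a full disk)
    # as an X-Died header on an otherwise successful response. Without this
    # check a truncated file would be reported as a good download.
    my $write_error = $response->header('X-Died');
    if (defined $write_error) {
        warn "error downloading: " . $write_error . "\n";
        return 0;
    }

    return 1;
}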
