Creating a PE Policy using the CLI

Added by Catherine Hampton , last edited by Catherine Hampton on Mar 05, 2008  (view change)

This article describes how to create a policy with NetScaler Classic (or PE) expressions using the Citrix NetScaler Command Line Interface (or CLI) and put it into effect.

Summary

The procedure below describes how to create a policy that uses PE expressions at the CLI.

To create a policy with PE expressions at the CLI:

  1. Run the SSH client of your choice, connect to the NSIP of your Application Switch, and log on to the NetScaler CLI.
    If you need instructions, see the Citrix NetScaler Getting Started Guide.
  2. Enter the following command to create the policy:
         > add <policytype> policy <name> <rule> <action>
    • For <policytype>, substitute the type of policy you are creating. For Access Gateway policies, you substitute accessgw. For Application Firewall policies, you substitute appfw. For SSL policies, you substitute ssl.
    • For <name>, substitute a name for the policy. The name must begin with a letter or the underscore symbol, and can be from 1 to 31 characters long, consisting of letters, numbers, and the hyphen, period, pound (#), space, and underscore symbols. Choose a name that makes it easy for others to tell what type of content this policy was created to detect.
    • For <rule>, substitute a PE expression that defines the connections you want to match using this policy. This expression can take many forms, but all follow this syntax:
           "<flow type>.<protocol>.<qualifier>.<operator>[.<value>][.<header name>]"
      NOTE: When you type a policy at the CLI, you must enclose all PE expressions in double quotes.
      For each of the designated elements, you substitute the appropriate value. The following list describes each element and provides the right values or explains how to determine what they are:
      • Flow type. Whether the policy filters requests or responses.
        The flow type can be either REQ or RES for Access Gateway or SSL policies. For Application Firewall policies, it is always REQ, because the Application Firewall filters each request and its associated response as a unit.
      • Protocol. The protocol of the connections that this policy will filter. This can be HTTP, SSL, TCP, or IP.
      • Qualifier. The aspect of the protocol that the policy should consider. The list of valid qualifiers varies depending on which protocol you chose. For a list of all valid qualifiers for each Protocol, and a description of each, see the PE Expressions Reference.
      • Operator. The symbol that describes the condition you want the Application Firewall to test. For a list of all valid operators and a description of each, see the PE Expressions Reference.
      • Value. The text or number that the expression is comparing to the current connection to determine whether it matches the policy or not. For example, if you are testing the URL header to see if it contains the subdomain shopping.example.com, you type the string shopping.example.com. If you are testing the length of the URL header to see if it is greater than 1024 characters, you type the number 1024.
      • Header Name. If you chose HEADER as your Qualifier, you must also include the name of the header that contains the attribute or string you want the Application Switch to use for the test.
    • For <action>, substitute the name of the action you want to associate with this policy. For Access Gateway and Application Firewall policies, you substitute the appropriate profile instead of an action.
  3. At the prompt, type save ns config to save your configuration.
  4. Enter the appropriate show policy command to verify your configuration.
    • For Application Firewall policies, this is show appfw policy <name>.
    • For Access Gateway policies, it is show accessgw policy <name>.
    • For SSL policies, it is show ssl policy <name>.
      In each case, for <name>, you substitute the name of the policy you created.
      If the policy is correct, you can proceed to globally bind it. If it is not, repeat steps 2 and 3 to recreate your policy in the form you want.
  5. Enter the following command to globally bind the policy:
         > bind <policytype> global <policy> <priority>
    • For <policytype>, substitute the type of policy you are creating. For Application Firewall policies, you substitute appfw. For Access Gateway policies, you substitute accessgw. For SSL policies, you substitute ssl.
    • For <policy>, substitute the name of the policy you just created.
    • For <priority>, substitute a positive integer that represents the priority you want to assign to that policy.
      In the NetScaler OS, policy priorities work in reverse order: the higher the number, the lower the priority. For example, if you have three policies with priorities of 10, 100, and 1000, the policy assigned a priority of 10 is evaluated first, then the policy assigned a priority of 100, and finally the policy assigned a priority of 1000. All features except the Rewrite feature on the Application Switch implement only the first policy that a connection matches, not any additional policies that it might also match.
      You can leave yourself plenty of room to add other policies in any order, and still have them evaluate in the order you want, by setting priorities with intervals of 50 (or, better, 100) between each policy when you globally bind your policies. If you do this, you can add a policy at any time without having to reassign the priority of an existing policy: look at the priorities assigned to the preceding and following policies, and give the new policy a priority between those two numbers.
  6. Enter save ns config to save your configuration.
    Your policy is now globally bound and has been put into effect.
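As an added helper, not part of the original article or of any Citrix tool, the following Python encodes the naming, quoting and priority rules from the procedure above and renders the add and bind lines for the shopping.example.com case; the policy name, profile name and rule text are constructed samples.

```python
import re

# Name rule from the procedure: first character a letter or underscore, then up to 30
# more characters from letters, digits, hyphen, period, '#', space and underscore
# (1 to 31 characters in total).
NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_#. -]{0,30}$")

def valid_policy_name(name):
    return bool(NAME_RE.match(name))

def add_command(policytype, name, rule, action):
    """Render 'add <policytype> policy <name> <rule> <action>'; the PE rule is double-quoted."""
    if policytype not in ("accessgw", "appfw", "ssl"):
        raise ValueError("unknown policy type: %s" % policytype)
    if not valid_policy_name(name):
        raise ValueError("invalid policy name: %r" % name)
    return 'add %s policy %s "%s" %s' % (policytype, name, rule, action)

def bind_command(policytype, name, priority):
    """Render 'bind <policytype> global <policy> <priority>'; priority must be positive."""
    if not isinstance(priority, int) or priority <= 0:
        raise ValueError("priority must be a positive integer")
    return "bind %s global %s %d" % (policytype, name, priority)

def next_priority(bound, after=None, interval=100):
    """Choose a free priority number. With no neighbour given, extend the sequence by
    `interval`; otherwise take the midpoint between `after` and the next bound
    priority, which is the room the spacing rule leaves for later insertions."""
    taken = sorted(bound)
    if after is None:
        return taken[-1] + interval if taken else interval
    later = [p for p in taken if p > after]
    if not later:
        return after + interval
    mid = (after + later[0]) // 2
    if mid == after:
        raise ValueError("no free priority between %d and %d" % (after, later[0]))
    return mid

def first_match(bound, matches):
    """Lowest priority number is evaluated first; the first matching policy wins."""
    for priority, name in sorted(bound):
        if matches(name):
            return name
    return None

if __name__ == "__main__":
    # Constructed sample: the shopping.example.com case from the procedure.
    print(add_command("appfw", "block_shopping_url",
                      "REQ.HTTP.URL CONTAINS shopping.example.com", "appfw_profile_shop"))
    print(bind_command("appfw", "block_shopping_url", next_priority([100, 200], after=100)))
```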

More Information