Creating a PE Policy using the GUI

Added by Catherine Hampton, last edited by Catherine Hampton on Nov 19, 2007

This article describes how to create a NetScaler Classic (or PE) policy using the GUI and put it into effect.

Summary

The procedure below describes how to create a policy with PE expressions (a PE policy) using the Citrix NetScaler Configuration Utility (or GUI). The following types of policy support classic expressions only:

  • Access Gateway. You configure Access Gateway policies under the Access Gateway, Policies menu tree.
  • Application Firewall. You configure Application Firewall policies under the Application Firewall, Policies menu.
  • SSL. You configure SSL policies under the SSL, Policies menu.

You can also include classic expressions inside of a PI expression using the syntax SYS.EVAL_CLASSIC_EXPR(expr), with the classic expression as the argument expr.

To create a policy with PE expressions using the GUI:

  1. Log on to the configuration utility, using either the Java client or the Web Start client.
    If you need help logging on, see the Citrix NetScaler Getting Started Guide.
  2. In the Menu tree, open the appropriate Policies screen for the type of policy you want to create.
    • To create an Access Gateway policy, expand the Access Gateway menu, expand the Policies menu, as shown below.

      Then, click the entry for the type of Access Gateway policy you want to create.
    • To create an Application Firewall policy, expand the Application Firewall menu and click Policies, as shown below.
    • To create an SSL policy, expand the SSL menu and click Policies, as shown below.

      The Policies page may be blank if you have not yet created the first policy of this type, or may contain a list of one or more policies.
  3. In the lower left-hand corner of the data area, click the Add... button.
    The Create Policy dialog box for your type of policy is displayed. The screenshot below shows the Create Application Firewall Policy dialog box. The other Create Policy dialog boxes are similar.
  4. In the Policy Name* text box, type a name for your new policy.
    The name can begin with a letter or the underscore symbol, and can consist of from one to 31 letters, numbers, and the hyphen, period, pound (#), space, and underscore symbols. You should choose a name that will make it easy for others to tell what type of content this policy was created to detect.
  5. Click the down arrow to the right of the Action list box, and click the name of an action or, in the case of an Access Gateway or Application Firewall policy, the name of a profile to associate with this policy.
    For Access Gateway and Application Firewall policies, the action is predetermined: matches are sent to the Access Gateway or Application Firewall, as appropriate, for processing. A profile is a set of configuration options that tell the Access Gateway or Application Firewall how it should process the connection.
    If you have not yet created the appropriate profile, you can click the New... button and create a new profile. See the Citrix Access Gateway Guide or Citrix Application Firewall Guide, as appropriate, for information and instructions on creating a profile.
  6. Construct an expression that describes the type of web connections you want this policy to match.
    Depending on the type of policy you wish to create, you can choose an expression from the Named Expressions list boxes, or you can create a new expression using the Add Expression dialog box. Named expressions are predefined expressions that perform common tasks. For more information, see "Creating Named Expressions". For a list of all the default named expressions and a definition of each, see the "Named Expressions Reference".
    The subprocedure below describes how to create your own new expression.
    1. Click the Add... button to display the Add Expression dialog box, shown below.
    2. Click the down arrow to the right of the Flow Types list box and choose the flow type you want for your policy expression.
      For Access Gateway or SSL policy expressions, you have two choices: REQ and RES. The first tells the Application Switch to apply this policy to incoming connections, or requests. The second tells the Application Switch to apply this policy to outgoing connections, or responses.
      For Application Firewall policies, you should leave the expression type set to General Expression, and the flow type set to REQ. The Application Firewall treats each request and response as a single paired entity, so all Application Firewall policies begin with REQ.
    3. Click the down arrow to the right of the Protocol list box and choose the protocol you want for your policy expression.
      Your choices are:
      • HTTP. Tells the Application Switch to look at HTTP requests, requests sent to a web server. In classic expressions, HTTP includes HTTPS requests, as well.
      • SSL. Tells the Application Switch to look at SSL data associated with the current connection.
      • TCP. Tells the Application Switch to look at the TCP data associated with the current connection.
      • IP. Tells the Application Switch to look at the IPs associated with the current connection.
    4. Click the down arrow to the right of the Qualifier list box, and choose a qualifier for your policy.
      The qualifier tells the Application Switch what part of the protocol it should look at. The list of qualifiers that appears depends on which protocol you selected in the previous step. Below is a description of the qualifier choices for the HTTP protocol. For a complete list of protocols and qualifiers, see the PE Expressions Reference.
      There are several qualifier choices that appear for the HTTP protocol. They are:
      • METHOD. To filter HTTP requests that use a particular HTTP method, choose METHOD as your qualifier.
      • URL. To filter HTTP requests to a specific web page, choose URL as your qualifier.
      • URLQUERY. To filter HTTP requests that contain a particular query string, choose URLQUERY as your qualifier.
      • VERSION. To filter HTTP requests to a particular host, choose VERSION as your qualifier.
      • HEADER. To filter based on a particular HTTP header, choose HEADER as your qualifier.
      • URLLEN. To filter based on the length of the URL, choose URLLEN as your qualifier.
      • URLQUERY. To filter based on the query portion of the URL, choose URLQUERY as your qualifier.
      • URLQUERYLEN. To filter based on the length of the query portion of the URL only, choose URLQUERYLEN as your qualifier.
      After you make this choice, the dialog box display refreshes again, displaying the list boxes and text boxes appropriate to the choice you made. The screen shot below shows this dialog box after you have chosen the URL qualifier.
    5. Choose the operator for your policy expression.
      The choices presented by the Operator drop-down list depend upon which Qualifier you picked. For the complete list of possible choices you might be offered, see the PE Expression Reference. Some common choices are:
      • ==. Matches the following text string exactly, or is exactly equal to the following number.
      • !=. Does not match the following text string.
      • >. Is greater than the following number.
      • <. Is less than the following number.
      • >=. Is greater than or equal to the following number.
      • <=. Is less than or equal to the following number.
      • CONTAINS. Contains the following text string.
      • CONTENTS. The contents of the designated header, URL, or URL query.
      • EXISTS. The specified header or query exists.
      • NOTCONTAINS. Does not contain the following text string.
      • NOTEXISTS. The specified header or query does not exist.
    6. If the Value* text box is displayed, type the appropriate string or number.
      • If you are testing a string, type the string into the Value* text box.
      • If you are testing a number, type the number into the Value* text box.
    7. If you chose HEADER as the Qualifier, type the name of the header you want in the Header Name* text box.
    8. Click the OK button to add your expression to the Expression list.
    9. Repeat steps 2 through 6 to create any additional expressions you want for your profile.
    10. Click the Close button to close the Add Expression dialog box and return to the Create Policy dialog box.
  7. Click the Create button to create your new policy.
    Your new policy is created and appears in the Policies page list.
  8. Repeat steps 3 through 9 to create any additional policies you want.
  9. Click the Close button to close the Create Policy dialog box and return to the Policies screen for the type of policy you were creating.
  10. Click the Global Bindings... button to display the Bind/Unbind Firewall Policy(s) to Global dialog box.
    The Bind/Unbind Firewall Policy(s) to Global dialog box is shown below. Other Bind/Unbind Policy(s) to Global dialog boxes are similar.

    The Bind/Unbind Policy(s) to Global dialog boxes display all policies of their type that have been created on your Application Switch. Policies that have not been globally bound appear in the Available column to the left. Policies that have been globally bound appear in the Configured column to the right.
  11. In the Available list, click the entry for the first policy you just created.
  12. Click the Add > button to transfer that policy from the Available list to the Configured list.
    This binds the policy globally and puts it into effect.
  13. Double-click the Priority column to edit the priority, and replace the default setting of zero (0) with an integer that represents the priority of this policy.
    In the NetScaler OS, policy priorities work in reverse order: the higher the number, the lower the priority. For example, if you have three policies with priorities of 10, 100, and 1000, the policy assigned a priority of 10 is evaluated first, then the policy assigned a priority of 100, and finally the policy assigned a priority of 1000. All features on the Application Switch except the Rewrite feature implement only the first policy that a connection matches, not any additional policies that it might also match. The Rewrite feature can implement multiple policies, but implements them in order of priority. Policy priority is therefore important to getting the results you intended.
    You can leave yourself plenty of room to add other policies in any order, and still set them to evaluate in the order you want, by setting priorities with intervals of 50 (or, better, 100) between each policy when you globally bind your policies. If you do this, you can add additional policies at any time without having to reassign the priority of an existing policy. You simply look at the priorities assigned to the preceding and following policies, and assign a new policy a priority between that of those two numbers.
  14. If you want to globally bind your policy, but temporarily keep it inactive, uncheck the checkbox in the State column.
    When you globally bind a policy, by default it is enabled and goes immediately into effect. In some cases, you might want to have a policy reviewed before you put it into effect, but want to be able to enable it quickly. Setting its State to unchecked, or DISABLED, allows you to do this.
  15. Repeat steps 11 through 14 for each policy you created to globally bind all of them.
  16. Click the OK button to save your changes.
    The Bind/Unbind Firewall Policy(s) to Global dialog box closes, and you return to the Policies page. In the Policies list in the data area, the Globally Bound? column now reads "Yes" for each policy you globally bound. Your policies have been put into effect.
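The following Python script is an added illustration, not NetScaler code and not part of the original article. It models the pieces the Add Expression dialog assembles (flow type, protocol, qualifier, operator, value, header name) and the global-binding behaviour the procedure describes: the lower the priority number, the earlier a policy is evaluated; every feature except Rewrite acts on the first match only; a binding whose State is unchecked (DISABLED) is skipped. The sample request, the three bindings and the textual FLOW.PROTOCOL.QUALIFIER form are constructed for this example, and the matching semantics for each qualifier are assumptions made here, not a statement of how the NetScaler engine evaluates classic expressions.

```python
"""Toy simulator of NetScaler classic (PE) policy evaluation.

Hypothetical code added for illustration; it is NOT NetScaler code. It
models the parts of the Add Expression dialog and the global-binding rules
the procedure describes: lower priority number first, first match wins for
non-Rewrite features, and a DISABLED binding is skipped.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample request (not captured traffic).
SAMPLE_REQUEST = {
    "method": "GET",
    "url": "/admin/login.php?user=bob&debug=1",
    "version": "HTTP/1.1",
    "headers": {"Host": "shop.example.test", "User-Agent": "scanner/0.1"},
}


@dataclass
class ClassicExpr:
    """One expression as built in the Add Expression dialog."""
    flow: str                          # REQ or RES (only REQ modelled here)
    protocol: str                      # HTTP, SSL, TCP, IP (only HTTP modelled)
    qualifier: str                     # METHOD, URL, URLQUERY, VERSION, HEADER, URLLEN, URLQUERYLEN
    operator: str                      # ==, !=, >, <, >=, <=, CONTAINS, NOTCONTAINS, EXISTS, NOTEXISTS
    value: Optional[str] = None        # the Value* text box, when it is shown
    header_name: Optional[str] = None  # the Header Name* text box, HEADER only

    def subject(self, req):
        """Pick out the part of the request the qualifier refers to. Returns
        None when a header or query string is absent (what EXISTS/NOTEXISTS
        test). These semantics are assumed for the example, not NetScaler's."""
        path, _, query = req["url"].partition("?")
        table = {
            "METHOD": req["method"],
            "URL": path,
            "URLQUERY": query or None,
            "VERSION": req["version"],
            "HEADER": req["headers"].get(self.header_name),
            "URLLEN": len(req["url"]),
            "URLQUERYLEN": len(query),
        }
        if self.qualifier not in table:
            raise ValueError(f"unsupported qualifier {self.qualifier}")
        return table[self.qualifier]

    def matches(self, req) -> bool:
        if self.flow != "REQ" or self.protocol != "HTTP":
            return False               # other flows/protocols not modelled
        s, op = self.subject(req), self.operator
        if op == "EXISTS":
            return s is not None
        if op == "NOTEXISTS":
            return s is None
        if s is None:
            return False               # nothing to compare against
        if op == "CONTAINS":
            return self.value in str(s)
        if op == "NOTCONTAINS":
            return self.value not in str(s)
        if op in ("==", "!="):
            return (str(s) == self.value) == (op == "==")
        lhs, rhs = int(s), int(self.value)   # numeric operators (lengths etc.)
        return {">": lhs > rhs, "<": lhs < rhs, ">=": lhs >= rhs, "<=": lhs <= rhs}[op]

    def text(self) -> str:
        """Render as FLOW.PROTOCOL.QUALIFIER [header] OPERATOR [value] (constructed form)."""
        parts = [f"{self.flow}.{self.protocol}.{self.qualifier}"]
        if self.header_name:
            parts.append(self.header_name)
        parts.append(self.operator)
        if self.value is not None:
            parts.append(self.value)
        return " ".join(parts)


@dataclass
class Binding:
    """One row of the Bind/Unbind Policy(s) to Global dialog."""
    policy: str
    expr: ClassicExpr
    priority: int          # lower number = evaluated earlier
    enabled: bool = True   # the State checkbox


def matching_policies_in_order(bindings: List[Binding], req) -> List[str]:
    """All enabled policies that match, in priority order (what Rewrite applies)."""
    ordered = sorted(bindings, key=lambda b: b.priority)
    return [b.policy for b in ordered if b.enabled and b.expr.matches(req)]


def first_matching_policy(bindings: List[Binding], req) -> Optional[str]:
    """Only the first match counts for every feature except Rewrite."""
    hits = matching_policies_in_order(bindings, req)
    return hits[0] if hits else None


# Constructed bindings, spaced 100 apart so new policies can slot in between.
SAMPLE_BINDINGS = [
    Binding("deny_debug_param", ClassicExpr("REQ", "HTTP", "URLQUERY", "CONTAINS", "debug="),
            priority=100, enabled=False),   # bound but left DISABLED pending review
    Binding("deny_scanner_ua", ClassicExpr("REQ", "HTTP", "HEADER", "CONTAINS", "scanner",
                                           header_name="User-Agent"), priority=200),
    Binding("admin_area", ClassicExpr("REQ", "HTTP", "URL", "CONTAINS", "/admin"), priority=300),
]

if __name__ == "__main__":
    for b in sorted(SAMPLE_BINDINGS, key=lambda b: b.priority):
        state = "ENABLED " if b.enabled else "DISABLED"
        print(f"{b.priority:>5}  {state}  {b.policy}: {b.expr.text()}")
    print("first match:", first_matching_policy(SAMPLE_BINDINGS, SAMPLE_REQUEST))
    print("all matches:", matching_policies_in_order(SAMPLE_BINDINGS, SAMPLE_REQUEST))
```

Run as-is, the disabled priority-100 binding is skipped even though its expression would match, so a non-Rewrite feature acts on deny_scanner_ua (priority 200) and never reaches admin_area; re-enabling the State checkbox on deny_debug_param makes it win instead, which is exactly why the procedure recommends leaving gaps between priority numbers and reviewing a binding before enabling it.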

More Information