How NetScaler Policies are Evaluated

Added by Catherine Hampton, last edited by Catherine Hampton on Nov 16, 2007

This article describes the policy evaluation process for the Citrix NetScaler Access Gateway, Application Firewall, and Application Switch.

Summary

You need to understand how policies are evaluated to write policies that will do what you want them to do. This article describes the policy evaluation process.

When the Application Switch receives traffic to or from any server it manages, it consults the appropriate list of globally-bound policies to determine how it should handle that traffic. Each policy on the list contains one or more expressions that together define the criteria that a connection must meet to match the policy. Each policy is evaluated in order of priority, starting with the lowest number and proceeding through to the highest, until all policies have been evaluated.

As the figures below indicate, evaluating a policy can produce three possible outcomes rather than two. The policy can evaluate as TRUE, which means that the connection matches that policy. In this case, the Application Switch performs the associated action. It can evaluate as FALSE, which means that the connection does not match the policy. In this case, the Application Switch proceeds to evaluate the next policy or, if there is no next policy, performs the default action.

Finally, it can evaluate as UNDEFINED, which means that there is an error in the policy expression itself. In this case, the Application Switch stops evaluating policies, and performs the UNDEFACTION, the action it is configured to perform when a policy expression is found to contain errors.

For all types of policy except Rewrite policies, when a connection matches a policy, the Application Switch ceases to evaluate any further policies, and performs the action associated with that policy. A chart of the general policy evaluation process flow is shown below.

For Rewrite policies, the action associated with the policy is added to the list of actions to be performed, then policy evaluation continues until terminated or all policies have been evaluated. A chart of the rewrite policy evaluation process flow is shown below.
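
The evaluation order described above can be modelled in a few lines of Python. This is an added example, not Citrix code or NetScaler configuration syntax. It shows how a low-numbered policy shadows a later one and how one faulty expression sends traffic to the UNDEFACTION. The policy names, actions, connection fields and the two behaviours marked as assumptions in the comments are constructed for illustration.

```python
TRUE, FALSE, UNDEFINED = "TRUE", "FALSE", "UNDEFINED"

def run_expression(expr, conn):
    """Evaluate one policy expression against a connection (a dict here).
    Modelling assumption: an expression that raises stands in for UNDEFINED."""
    try:
        return TRUE if expr(conn) else FALSE
    except Exception:
        return UNDEFINED

def evaluate(policies, conn, default_action, undef_action, rewrite=False):
    """policies: iterable of (priority, name, expr, action) tuples.
    Returns (actions_to_perform, trace) with trace = [(name, outcome), ...]."""
    actions, trace = [], []
    for _prio, name, expr, action in sorted(policies, key=lambda p: p[0]):
        outcome = run_expression(expr, conn)
        trace.append((name, outcome))
        if outcome == UNDEFINED:
            # Evaluation stops here. Assumption: rewrite actions collected so far are dropped.
            return [undef_action], trace
        if outcome == TRUE:
            if not rewrite:
                return [action], trace   # first match wins, later policies are never seen
            actions.append(action)       # rewrite: collect the action and keep evaluating
    # Assumption: the default action applies only when no policy matched.
    return (actions or [default_action]), trace

# Constructed sample policies (hypothetical names and actions), listed out of order on purpose.
FIREWALL = [
    (20, "block_admin", lambda c: c["url"].startswith("/admin"), "BLOCK"),
    (10, "allow_internal", lambda c: c["src"].startswith("10."), "ALLOW"),
    (30, "block_no_agent", lambda c: c["headers"]["User-Agent"] == "", "BLOCK"),
]
REWRITE = [
    (10, "strip_server", lambda c: True, "delete Server header"),
    (20, "add_hsts", lambda c: c["url"].startswith("/app"), "insert HSTS header"),
]

if __name__ == "__main__":
    base = {"src": "203.0.113.9", "url": "/admin", "headers": {"User-Agent": "x"}}
    # External /admin, internal /admin (shadowed block), request that breaks policy 30.
    for conn in (base, {**base, "src": "10.0.0.5"}, {**base, "url": "/", "headers": {}}):
        print(evaluate(FIREWALL, conn, "DEFAULT", "UNDEFACTION"))
    print(evaluate(REWRITE, {"url": "/app/x"}, "DEFAULT", "UNDEFACTION", rewrite=True))
```

In the second connection the priority-10 allow policy matches first, so the priority-20 block on /admin is never evaluated; reviewing the trace for each test connection is a quick way to spot that kind of shadowing before binding policies.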

More Information