
Secret of NetScaler advanced policies???


Ken Z


Hi everyone

 

bumping my head against a brick wall here...

 

OK, after years of using classic policies for my NetScaler, I decided to bite the bullet and try and convert all my classic policies to Advanced. I thought I'd start with a simple one, my LDAP authentication policies. As per most people (I assume) this just contains "ns_true"...

running nspepi -e "ns_true" in a PuTTY shell on the NetScaler returns "TRUE", so I replaced ns_true with TRUE and got "Invalid rule".

Tried with and without quotes

Tried creating a brand new policy

still said "Invalid rule"

 

OK, move onto Session policies...

ran nspepi -e "REQ.HTTP.HEADER User-Agent NOTCONTAINS CitrixReceiver"

this came back with "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\").NOT"

So I edited my session policy, pasted that above in, clicked OK, and got the same Invalid rule

tried removing the "\" so it read "HTTP.REQ.HEADER("User-Agent").CONTAINS("CitrixReceiver").NOT" (without the quotes), still the same error

 

Next, tried nspepi -e "REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER X-Citrix-Gateway EXISTS"

this came back with "HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\") && HTTP.REQ.HEADER(\"X-Citrix-Gateway\").EXISTS"

guess what... Invalid rule.

 

Also tried upgrading my NetScaler so it's running the very latest firmware version, but no joy.

And yes, I selected the "Advanced Policy" radio button when editing the policies...

 

Also tried creating a new Advanced Policy using the Expression Editor, this time using CONTAINS as there isn't a NOTCONTAINS option, but this also generated an Invalid rule error.

 

so, what's the secret?

 

Regards

 

Ken Z


If your existing policy was created with classic expressions, you can't just switch to advanced. You have to create a new policy using advanced.

 

So for a feature like authentication policies or session policies which can be classic or advanced, the same profiles can be used.

But create a new ldap policy authe_pol_ldap2 or session policy session_pol_demo2 with the advanced expression option and the advanced value and it will create.

 

Because classic and advanced policies bind to different bind points (and process differently), even on features that support both engines, once it's created you can't switch engines; you need a new policy entity.

 

Some other syntax notes:

When working in the GUI, you don't need to quote your advanced expressions; just like you don't need quotes around the classic expressions.

In the CLI, you will need to quote them and then use escapes for interior quotes.

While the classic expressions have negative operators (==/!= and contains/notcontains), the advanced engine has positive operators only (eq(), contains(), etc...), but you can negate clauses using the NOT sign (!) or the .NOT operator.

 

Classic engine == vs contains.  Equals/== are full string matches and case-sensitive.  Contains is partial string match and case-insensitive.

Advanced engine: all string comparison operators are case-sensitive by default (eq(), contains(), startswith(), endswith(), ...). Use set_text_mode(ignorecase) to make string comparisons case insensitive; it can be applied to any operator including equals (eq()). Eq() "equals" is still a full string match and contains is a partial string match, but whether it is a case-sensitive or case-insensitive comparison depends on whether you use the ignorecase operator. (Example below).

 

Here are a few examples:

Formatted for GUI:

classic

req.http.url == "/demo1"

req.http.header("user-agent") contains "mobile"

 

advanced examples:

http.req.url.eq("/demo1")

http.req.url.set_text_mode(ignorecase).eq("/demo1")

!http.req.url.eq("/demo1")  #not equals

http.req.url.eq("/demo1").not #not equals

 

http.req.header("user-agent").contains("mobile")

http.req.header("user-agent").set_text_mode(ignorecase).contains("mobile")

!http.req.header("user-agent").contains("mobile")

 

Formatted for CLI:

"http.req.header(\"user-agent\").contains(\"mobile\")"

"http.req.header(\"user-agent\").set_text_mode(ignorecase).contains(\"mobile\")"

#alternate quoting mechanism when adding in cli - use single quotes on the exterior pair; and then you don't have to escape double-quotes on the interior expressions

'http.req.header("user-agent").set_text_mode(ignorecase).contains("mobile")'

 

 


  • 4 weeks later...

You can't change an existing policy from classic to advanced. You must create a new instance of the policy and make the new copy use advanced.  This will be a new policy instance with a new policy name. It can point to your existing ldap action/server or radius action/server in most cases. But once created the policy engine on that particular policy cannot be changed.

Classic engine: ns_true

Advanced engine: true

 

 


  • 7 months later...
On 5/3/2019 at 4:18 PM, Ken Zygmunt said:

Rhonda

 

thank you for a very thorough explanation. I'll try and get round to testing this this weekend.

 

Regards

 

Ken Z

 

 

Hello!!

 

I am actually having the same issue on a VPX with Citrix Receiver.

But I am not changing from classic to Advanced. I'm just making a new advanced Session Policy with the same Expression 

"HTTP.REQ.HEADER(“User-Agent”).CONTAINS(“CitrixReceiver”)"

 

But appears the "Expression syntax error"

I'm following the steps on "Create a session policy for Citrix Workspace app for Windows or Mac, and Mobile Devices on Citrix Gateway" from:

https://docs.citrix.com/en-us/citrix-gateway/12-1/vpn-user-config/how-session-policies-work/configure-gateway-session-policies-for-storefront.html

 

Do you have any advice??

 

Thanks a lot.

Regards, Arturo.


If you are in CLI, the internal quotes need to be escaped as literals. Two ways to enter this:

"HTTP.REQ.HEADER(\"User-Agent\").CONTAINS(\"CitrixReceiver\")"

OR

'HTTP.REQ.HEADER("User-Agent").CONTAINS("CitrixReceiver")'

 

If you enter the expression in the GUI, use the build expression tool to construct the expression OR the interactive inline editor. The external quotes are NOT needed when entering the expression in the expression field, and it would be this:

HTTP.REQ.HEADER("User-Agent").CONTAINS("CitrixReceiver")

 

If you are still having issues, use the GUI and the expression builder tool to correct your syntax and share if still a problem.

 

 


  • 6 months later...

And also the "!" which can negate statements or whole clauses:

!HTTP.REQ.HEADER("User-Agent").CONTAINS("CitrixReceiver")

 

Both methods work, and the exclamation point can also be used for negating compound phrases:

!(http.req.header("user-agent").contains("mobile") && http.req.url.path.contains("/somepath"))

!(A && B)

!A || !B

 

 

 

 


  • 2 years later...

Struggling to convert this policy to an advanced one:

 

REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver || REQ.HTTP.HEADER X-Citrix-Gateway EXISTS || REQ.HTTP.HEADER Referer NOTEXISTS

 

so far the closest I've got is

 

HTTP.REQ.HEADER("User-Agent").CONTAINS("CitrixReceiver") || HTTP.REQ.HEADER ("X-Citrix-Gateway") EXISTS || HTTP.REQ.HEADER Referer NOTEXISTS

 

 


  • 1 month later...
On 8/7/2020 at 7:17 AM, Carl Stalhood1709151912 said:

HTTP.REQ.HEADER("User-Agent").CONTAINS("CitrixReceiver").NOT

Good day! What about for REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER X-Citrix-Gateway NOTEXISTS?
It's returning an expression error if I use HTTP.REQ.HEADER("User-Agent").CONTAINS("CitrixReceiver") && HTTP.REQ.HEADER("X-Citrix-Gateway").NOTEXISTS as the advanced syntax.


 

 


16 minutes ago, John Lester Lobrino1709163811 said:

Good day! What about for REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver && REQ.HTTP.HEADER X-Citrix-Gateway NOTEXISTS?
It's returning an expression error if I use HTTP.REQ.HEADER("User-Agent").CONTAINS("CitrixReceiver") && HTTP.REQ.HEADER("X-Citrix-Gateway").NOTEXISTS as the advanced syntax.


 

 

It's HTTP.REQ.HEADER("User-Agent").CONTAINS("CitrixReceiver") && HTTP.REQ.HEADER("X-Citrix-Gateway").EXISTS.NOT. It worked.


  • 2 weeks later...
On 7/28/2023 at 10:59 PM, Rhonda Rowland1709152125 said:

John - yeah, you saw it was the notexists that was the problem.

Thank you, ma'am. Actually I have another one, for these classic policies below:

 

add vpn sessionPolicy quarantine "REQ.HTTP.HEADER User-Agent NOTCONTAINS Macintosh && REQ.HTTP.HEADER User-Agent NOTCONTAINS Safari && REQ.HTTP.HEADER User-Agent NOTCONTAINS Linux && (EXT_Rule_Valid_AV || EXT_WinSEC_AV)" Quarantine-profile

add vpn sessionPolicy scan-policy "REQ.HTTP.HEADER User-Agent NOTCONTAINS Macintosh && REQ.HTTP.HEADER User-Agent NOTCONTAINS Safari && REQ.HTTP.HEADER User-Agent NOTCONTAINS Linux && (EXT_Rule_Valid_AV || EXT_WinSEC_AV)" scan_profile 

add vpn sessionPolicy test_quarantine "REQ.HTTP.HEADER User-Agent NOTCONTAINS Macintosh && REQ.HTTP.HEADER User-Agent NOTCONTAINS Safari && REQ.HTTP.HEADER User-Agent NOTCONTAINS Linux &&  (EXT_Rule_Valid_AV || EXT_WinSEC_AV )" test_Quarantine-profile

 

How do we convert the bold syntaxes to advanced? We tried the syntax below, but to no avail:

add vpn sessionPolicy Adv_quarantine HTTP.REQ.HEADER("User-Agent").CONTAINS("Macintosh").NOT&&HTTP.REQ.HEADER("User-Agent").CONTAINS("Safari").NOT&&HTTP.REQ.HEADER("User-Agent").CONTAINS("Linux").NOT&&(EXT_Rule_Valid_AV || EXT_WinSEC_AV) Quarantine-profile
add vpn sessionPolicy Adv_scan-policy HTTP.REQ.HEADER("User-Agent").CONTAINS("Macintosh").NOT&&HTTP.REQ.HEADER("User-Agent").CONTAINS("Safari").NOT&&HTTP.REQ.HEADER("User-Agent").CONTAINS("Linux").NOT&&(EXT_Rule_Valid_AV || EXT_WinSEC_AV) scan_profile
add vpn sessionPolicy Adv_test_quarantine HTTP.REQ.HEADER("User-Agent").CONTAINS("Macintosh").NOT&&HTTP.REQ.HEADER("User-Agent").CONTAINS("Safari").NOT&&HTTP.REQ.HEADER("User-Agent").CONTAINS("Linux").NOT&&(EXT_Rule_Valid_AV || EXT_WinSEC_AV) test_Quarantine-profile

 

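Added example, not from this thread or from Citrix: a small Python translator for the classic expression shapes discussed above (ns_true, HEADER CONTAINS/NOTCONTAINS/EXISTS/NOTEXISTS, URL ==), producing the GUI form and the single-quoted CLI form, and flagging classic-only leftovers such as the EXT_* EPA names in the last post that it cannot translate. nspepi is the supported tool for this; the regexes here are a constructed approximation that covers only these patterns.

```python
import re

# Advanced syntax has no negative operators, so NOTCONTAINS / NOTEXISTS / !=
# become the positive operator followed by .NOT (the EXISTS.NOT fix given above).
# Constructed patterns: they accept both "REQ.HTTP.HEADER User-Agent CONTAINS x"
# (CLI/classic form) and 'req.http.header("user-agent") contains "x"' (GUI form).
HEADER_CONTAINS_RE = re.compile(
    r'REQ\.HTTP\.HEADER\s*\(?"?([^\s"()]+)"?\)?\s+(NOTCONTAINS|CONTAINS)\s+"?([^\s")]+)"?',
    re.IGNORECASE)
HEADER_EXISTS_RE = re.compile(
    r'REQ\.HTTP\.HEADER\s*\(?"?([^\s"()]+)"?\)?\s+(NOTEXISTS|EXISTS)\b', re.IGNORECASE)
URL_EQ_RE = re.compile(r'REQ\.HTTP\.URL\s*(==|!=)\s*"([^"]*)"', re.IGNORECASE)

def _header_contains(m: re.Match) -> str:
    name, op, arg = m.group(1), m.group(2).upper(), m.group(3)
    expr = f'HTTP.REQ.HEADER("{name}").CONTAINS("{arg}")'
    return expr + ".NOT" if op == "NOTCONTAINS" else expr

def _header_exists(m: re.Match) -> str:
    expr = f'HTTP.REQ.HEADER("{m.group(1)}").EXISTS'
    return expr + ".NOT" if m.group(2).upper() == "NOTEXISTS" else expr

def _url_eq(m: re.Match) -> str:
    expr = f'HTTP.REQ.URL.EQ("{m.group(2)}")'
    return expr + ".NOT" if m.group(1) == "!=" else expr

def classic_to_advanced(rule: str) -> str:
    """Return the advanced form as typed in the GUI (no outer quotes)."""
    rule = rule.strip()
    if rule.lower() == "ns_true":
        return "true"
    rule = HEADER_CONTAINS_RE.sub(_header_contains, rule)
    rule = HEADER_EXISTS_RE.sub(_header_exists, rule)
    return URL_EQ_RE.sub(_url_eq, rule)

def unconverted_terms(advanced: str) -> list:
    """Classic-only leftovers (EXT_* EPA names, ns_* builtins, REQ.HTTP.*) needing manual work."""
    return re.findall(r"\b(?:REQ\.HTTP\.\S+|EXT_\w+|ns_\w+)\b", advanced)

def cli_quoted(advanced: str) -> str:
    """Wrap for the CLI with single outer quotes, so inner double quotes need no escaping."""
    return "'" + advanced + "'"
```

Anything reported by unconverted_terms (the EXT_* rules in the quarantine policies, for instance) has no header-level equivalent and has to be rewritten by hand or with nspepi.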


  • 2 months later...
