
Custom database IP addresses


Ross Bender


We have a use case where we want to write some rewrite and responder policies based on the client IP address. Up until now we have been using an ipv4 type dataset, and have a separate process that automatically adds/removes entries to the dataset. We are finding some performance issues with the size of the datasets and support has been less than helpful.

 

Is there a way to do the same type of policy expressions with a different method in the Netscaler? I see there is a way to add a custom IP address database, but I don't see a way to access it from a policy.

 

Or is there another approach that I could use that would accomplish the same?


Hi Ross,
you can use Custom Location Entries (AppExpert\Location\Custom Entries). We use them to restrict the access to SMTP Services.

 

It is possible to add only one IP or an IP range:
add location 192.168.0.1 192.168.0.1 "*.*.*.*.Frankfurt.One"
add location 192.168.0.1 192.168.0.10 "*.*.*.*.Frankfurt.Range"
add location 192.168.1.1 192.168.1.1 "*.*.*.*.Berlin.One"
add location 192.168.1.1 192.168.1.10 "*.*.*.*.Berlin.Range"


Think about a good naming concept for your locations, because you can combine them in different ways.

 

Only one IP from Frankfurt:
CLIENT.IP.SRC.MATCHES_LOCATION("*.*.*.*.Frankfurt.One")

 

Only IP Range from Frankfurt:
CLIENT.IP.SRC.MATCHES_LOCATION("*.*.*.*.Frankfurt.Range")

 

All IPs from Frankfurt:
CLIENT.IP.SRC.MATCHES_LOCATION("*.*.*.*.Frankfurt.*")


Only one IP from Frankfurt and Berlin:
CLIENT.IP.SRC.MATCHES_LOCATION("*.*.*.*.*.One")

 

Only IP Range from Frankfurt and Berlin:
CLIENT.IP.SRC.MATCHES_LOCATION("*.*.*.*.*.Range")

 

All IPs from Frankfurt and Berlin:
CLIENT.IP.SRC.MATCHES_LOCATION("*.*.*.*.*.*")

 

I hope it was possible for me to show you the strength of Custom Location Entries. Maybe it helps you to solve your Problem.

 

Best regards,
Jens


Or I would use a callout to handle the fetching of the IPs to use and then let the rewrite/responder policies write based on the return result of the callout, which can be load balanced to meet capacity. Then your external system manages the IP list.

Also, depending on how you're matching your value to the result, stringmaps with or without the callout may be more efficient.

 

If you can share some details of how your current policies work and what your expression triggers/actions are based on, we might be able to come up with some improvements.


Thanks @Jens Dellner, very helpful. Are there any side effects of using fictitious location names like that? As long as they aren't referenced in any other policies or GSLB config, the fictitious names don't cause any issues, correct?

 

Also, regarding lat/long for a static entry: is this used anywhere? If it is populated, how is it used?

 

I considered using HTTP callout as well, but the goal is to have this config reside in the Netscalers at this point and not reach out to an external source. Also, we would see a penalty for invoking callout regularly.

 

The use case is handling IP addresses for clients that are performing malicious behavior. We are getting the IPs from an external source and we are using the Netscaler API to programmatically add/remove them based on threshold.


Give me an example of your policy expression/action you want to do.

Are you just using the IP dataset to see if users are on a whitelist/blacklist, or do you have 200 individual client IPs that need unique rewrite/responder actions applied based on this IP? So, depending on what your policies trigger on and whether the actions are hardcoded or dynamically parsed and unique per IP, that would determine whether I need separate policy/action pairs, a string map or content switching to streamline what is happening... or whether a callout would work alongside these features to be more efficient.

 

How many IPs (and policy/actions) are you needing to evaluate? A couple hundred or a couple thousand? (Just to get a sense of the complexity involved.)

You know your scenario and I don't, so you may already be dealing with the best design for it. But there might be a way to do it that wouldn't require your datasets.

 

If you want to explore, you can post here or even send me a message and we'll see. Good luck in either case.

And if the ip map/location database works, that's useful too.

 

But I would say that since we do use callouts for IP blacklisting and the callout server can be scaled out for capacity and redundancy, coupling it with the right policies might be more efficient than really large datasets (or multiple sets). (If your dataset is just a list of IPs that you need to compare your users' source against before taking a hard-coded action, then this is very similar to the blacklist callout scenario and might be able to be used.)


Hi Ross,

an IP can only be used with one Location Name. So maybe there could be a side effect when you need these IPs also for GSLB. We don't know your real scenario. NetScaler offers several ways to solve a problem. IP Datasets and HTTP Callout are good choices too.

 

You don't need to set lat/long for your entry. I think this is only used to show the location of the request on a Geo Map.

 

Best regards,

Jens


Thanks both Rhonda and Jens. Here is more detail on what we are doing.

 

We have an external process that detects malicious application activity. When this happens, we post a webhook with the client IP address to an internal app that then uses the Netscaler API to add the IP (previously as a Dataset, now trying as a custom location entry).

 

We then created the following policy and bound it to our virtual server:

add responder action FraudResponse respondwith q{"HTTP/1.1 401 Unauthorized\r\n ..."}
add responder policy IsFraudRequest "HTTP.REQ.URL.PATH.STARTSWITH(\"/myapp\") && CLIENT.IP.SRC.MATCHES_LOCATION(\"*.*.*.*.Fraud.*\")" FraudResponse

This way the client is not able to continue performing malicious activity and it is blocked at the Netscaler. Lastly, we have another external process that periodically queries the Netscaler API and removes IPs after some period.

 

We've seen the need to store thousands of IPs at one time. Since they're all individual clients, we aren't able to use ranges to accomplish the blocks.

 

I've been hesitant to use an HTTP callout as the application that is being protected is very performance sensitive, and I want to avoid a dependency on new systems for the application traffic. That is why it's nice to store this somewhere in the Netscaler. It'd be ideal if we could use an IP database file, as some of the performance issues we faced with Datasets were related to HA synchronization taking a long time.

 

The one other thing I'd mention is that I briefly looked to see if I could accomplish something similar with action analytics, but I'm not really sure if it can be done (not very familiar with the feature). One other reason I shied away from this was that it seemed like the action analytics were a black box, where we wouldn't be able to query IPs that are currently being blocked.

 

I'd love to hear feedback and/or other approaches. Thanks!
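An added illustration (not code from this thread, from NetScaler, or from any poster): it models the custom-location approach Jens describes together with the Fraud workflow Ross outlines, where a webhook adds a single-host entry and a periodic job removes it after a TTL, and emits the add/rm location lines an external process would push via the API. The six-qualifier wildcard matching of MATCHES_LOCATION and the use of the last qualifier as a per-host label are assumptions drawn from the patterns shown above.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

NUM_QUALIFIERS = 6  # every location name in the thread has six dot-separated parts


def matches_location(name: str, pattern: str) -> bool:
    """Emulate CLIENT.IP.SRC.MATCHES_LOCATION(pattern) against a resolved
    location name: compared qualifier by qualifier, '*' in the pattern matches
    any value. These semantics are an assumption inferred from the examples."""
    n, p = name.split("."), pattern.split(".")
    if len(n) != NUM_QUALIFIERS or len(p) != NUM_QUALIFIERS:
        raise ValueError("location names and patterns need six qualifiers")
    return all(pq == "*" or pq == nq for nq, pq in zip(n, p))


class FraudLocations:
    """Constructed in-memory model of the Fraud entries an external process
    maintains: ip -> (time added, location name). Produces the CLI lines to apply."""

    def __init__(self, ttl_seconds: int) -> None:
        self.ttl = ttl_seconds
        self.entries: Dict[str, Tuple[float, str]] = {}
        self.next_id = 1

    def add(self, ip: str, now: float) -> Optional[str]:
        addr = str(ipaddress.IPv4Address(ip))  # rejects anything that is not one IPv4 host
        if addr in self.entries:                # an IP carries only one location name,
            self.entries[addr] = (now, self.entries[addr][1])  # so refresh its timer instead
            return None
        name = f"*.*.*.*.Fraud.{self.next_id}"  # last qualifier as a per-host label (assumption)
        self.next_id += 1
        self.entries[addr] = (now, name)
        return f'add location {addr} {addr} "{name}"'

    def expire(self, now: float) -> List[str]:
        """Lines for the periodic cleanup job: remove entries older than the TTL."""
        stale = [ip for ip, (t, _) in self.entries.items() if now - t > self.ttl]
        for ip in stale:
            del self.entries[ip]
        return [f"rm location {ip} {ip}" for ip in stale]

    def is_blocked(self, client_ip: str, pattern: str = "*.*.*.*.Fraud.*") -> bool:
        """What the IsFraudRequest responder policy evaluates for one client."""
        entry = self.entries.get(str(ipaddress.IPv4Address(client_ip)))
        return entry is not None and matches_location(entry[1], pattern)
```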


Ross,

This is a perfect scenario for using a callout because the external database can easily hold hundreds/thousands of IPs with minimal impact to the NetScaler. Whether you query a flat text file or use an actual database is handled by the external agent... but a database will give you some evaluation benefits with ordering IPs and indexing. You no longer need the APIs updating datasets on the fly on the NS and can instead make those run to update the external application. You can minimize delays to the NS via a callout invocation by scaling out if needed.

 

You already have an issue with your dataset management that you are having trouble resolving. So why not try the callout to see if it solves the existing problem without creating a new performance issue? Short of making your external agent only write a maximum number of entries to each dataset and increment the datasets it creates, you still have a very large config file and synchronization issues in the HA pair while doing this. You also now have to have more complicated policies dealing with additional dataset comparisons.

 

You can easily use both a blacklist/whitelist approach if needed or combine with IPReputation as well.

You can also make the callout just pass results back-and-forth in a simple request header/query parameter and response header with no response body content.  

 

I think it's worth giving it a shot; if it doesn't work you are no worse off. But if it does, you solve your dataset issue without the performance delay you expect.

 

If you need a callout example and file to retrieve the IP address, let me know.

https://docs.citrix.com/en-us/netscaler/12/appexpert/http-callout/use-case-filtering-clients-ip-blacklist.html


  • 2 years later...

Hello all, I have a request similar to the creator of this thread. I need to have a whitelist that will be updated on a daily basis from this https://docs.oracle.com/en-us/iaas/tools/public_ip_ranges.json API. Then I will use a responder to allow the traffic to an LB only for this whitelist. I thought to add a Data set but I don't know how to auto-update the whitelist from the above Oracle API URL. Any help?

 

thank you.
