Jump to content
Welcome to our new Citrix community!

Stateful ACLs

Gregor Blaj

Recommended Posts



I'm doing a bit of testing with ACLs. With the following ACL in place I would expect the Netscaler not to be able to ping outbound hosts, as return traffic to the NS IP should be blocked.

add ns acl Deny_Mgmt DENY -destIP = -priority 100 -logstate ENABLED -stateful NO

But this isn't the case, return ICMP traffic is not blocked. I then figured the default (not visible) outbound ACL must be stateful (hence allowing return traffic), so I created another non-stateful ACL specifically allowing outbound ICMP from the NS IP.

add ns acl Allow_ICMP -srcIP = -protocol ICMP -priority 110 -logstate ENABLED -stateful NO

I can see hits on the Allow_ICMP ACL but return ICMP traffic is still allowed. Why would this be? What is allowing the return traffic?


Thanks for any input.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...