Netscaler (VPX) PATSET Limitations

Hi Gents,

we would like to use patsets in combination with NetScaler Gateway for GeoIP blocking.

https://support.citrix.com/article/CTX131725 describes that there is a limitation of 10000 entries in a patset.

But we have roughly 50000 IPs which we would have to block.

What is the best way to achieve that?

Thanks in advance

You could use multiple patsets, though it's kind of a hacky approach (especially for as many items as you are wanting to store). When it comes to large sets like this, it is better to use a different storage system (e.g. a database) to manage the data. You could then use an HTTP callout to have the Netscaler talk to an external system that queries the DB. It'd be nice to have a way to have the Netscaler use an internal database or file rather than needing a dependency on an external system, but it's not currently a strong/focus point of the NS.

One thing to keep in mind is that if you have many entries in pat/datasets, the config that NS needs to sync takes longer in HA environments. And particularly the UI has problems doing saved vs running config compares (usually ends up with an error because the compare is so large).

A callout would be much more efficient for this number of entries than pattern sets (or datasets).

Maintain the IP list you want on an external system, use the callout to control the comparison of IPs against the list and, if needed, retrieve a response of geo or allow/deny (depending on what you want), and then implement an HTTP callout to invoke it. Your policy processing would be more efficient and your maintenance of the list will be easier than a pattern set for 50,000 entries.
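As an added illustration of the callout approach the replies describe (this is example code written for this thread, not code from the thread's participants or from Citrix), the following Python program is a minimal HTTP-callout backend: the NetScaler would send the client IP as a query parameter and the backend answers `true` (blocked) or `false`. The blocklist holds a handful of constructed documentation/private prefixes standing in for the 50,000 GeoIP ranges; the `ip` parameter name, the `/check` path and the `true`/`false` body are assumptions, and the NetScaler-side callout definition (host, URL, parameter and result expression) must be configured to match them.

```python
"""Minimal HTTP-callout backend for NetScaler IP blocking (example).

Constructed example: the blocklist is a few made-up RFC 5737 / RFC 1918
prefixes standing in for a real GeoIP list. The `ip` query parameter and
the `true`/`false` response body are assumptions that the NetScaler
callout configuration would have to mirror.
"""
import bisect
import ipaddress
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# Constructed sample blocklist (IPv4 CIDR prefixes).
SAMPLE_BLOCKLIST = [
    "192.0.2.0/24",
    "198.51.100.0/25",
    "203.0.113.0/24",
    "10.20.0.0/16",
]


class PrefixSet:
    """Collapsed, sorted prefix table with one binary search per lookup.

    Overlapping and adjacent prefixes are merged first, so the table is
    strictly ordered and the prefix whose network address is the largest
    one <= the queried address is the only possible match. This keeps a
    50,000-entry list at O(log n) per request instead of a linear scan.
    """

    def __init__(self, cidrs):
        nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
        nets = [n for n in nets if n.version == 4]  # IPv4 only here
        self.nets = sorted(ipaddress.collapse_addresses(nets))
        self.starts = [int(n.network_address) for n in self.nets]

    def contains(self, ip_str):
        """Return True if ip_str falls inside any blocked prefix."""
        try:
            addr = ipaddress.ip_address(ip_str)
        except ValueError:
            return False  # malformed input is simply not a match
        if addr.version != 4:
            return False
        i = bisect.bisect_right(self.starts, int(addr)) - 1
        return i >= 0 and addr in self.nets[i]


BLOCKLIST = PrefixSet(SAMPLE_BLOCKLIST)


def decide(ip_str, prefixes=BLOCKLIST):
    """Body returned to the callout: 'true' = block, 'false' = allow."""
    return "true" if prefixes.contains(ip_str) else "false"


class CalloutHandler(BaseHTTPRequestHandler):
    """Answers GET /check?ip=<addr> with a plain-text true/false body."""

    def do_GET(self):
        url = urlparse(self.path)
        if url.path != "/check":
            self.send_error(404)
            return
        ip_str = parse_qs(url.query).get("ip", [""])[0]
        body = decide(ip_str).encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        pass  # keep the example quiet; real deployments should log


if __name__ == "__main__":
    # Listen address is an assumption; bind it to a NetScaler-reachable IP.
    HTTPServer(("127.0.0.1", 8080), CalloutHandler).serve_forever()
```

The point of collapsing and bisecting is the one the replies make: the cost per request stays flat as the list grows, and the list is maintained by reloading the backend rather than by rewriting a 50,000-line NetScaler config. Because the policy decision now depends on this service, it needs the same availability as the gateway it protects.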

