Jump to content
Welcome to our new Citrix community!

Block internal IPs from running scan against ADC/SDX

Recommended Posts

Without knowing the IPs to block, how would I setup a PBR/AppFW/Allow list or mechanism to block other teams/individuals from scanning my ADCs/SDXs.

Two reasons:


1. Security

2. Communication

3. Sanity


Once they get dropped and communicate with me, then we can talk about adding the IPs and purpose for the connection.

I get the IPs from ADM as ADM reports on failed logins but I have no idea what they are in advance.



Link to comment
Share on other sites

What type of scan are you referring to, so we can tell what traffic you want to all vs. deny.  And are these vservers internal only, external only, or both as it may change the logic.


You can use a callout to whitelist allowed IPs and block the rest from an internal subnet.  In addition to any external blacklisting you want to do (which I did not incorporate below).

But situation is a little vague to give you an exact expression recommendation, if the below isn't good enough.


In general, though build a list of allowed IPs via an HTTP callout (hc_whitelist).

Then create a responder policy to DROP or Redirect traffic to a given "error page".

To have the responder policy drop any traffic not on the allowed/whitelist, use an expression like:  !sys.http_callout(hc_whitelist)

would result in all TRUE expressions (traffic not on approved whitelist to be blocked).


If you want to block ONLY traffic that originates from an INTERNAL subnet that is also NOT on the whitelist, then the expression would be:

client.ip.src.in_subnet("<int subnet/mask>") && !sys.http_callout(hc_whitelist)


If IP is internal AND not on whitelist:  T && !(F) == True:: responder, blocks traffic.

If IP is internal AND on whitelist:  T && !(T) == FALSE:: responder, does not hit; traffic allowed.

If IP is external AND <whitelist or not>:  F && !(*) == FALSE:: responder, does not hit; traffic allowed.


If you need to you can also invoke this in AppFw, instead of Responder.

Now, depending on what you want to do for externally originating traffic, a different expression might be needed. This is just to help you get started or revise your requirements.

The subnet can be switching to patternset or dataset for multiple subnets (and or incorporate this into the callout decision.)


HTTP Callout blacklist/whitelist example:







Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...