Block IP with Responder Policy not working


Hello,
I need help with a responder policy.
To block certain IP addresses from accessing our NetScaler Gateway, we have created a dataset "dataset_blocked_ips" which contains a list of IPs.

The dataset is used in the following responder policy, which is bound to the NetScaler Gateway VIP (Action = DROP and GOTO Expression = END).

Expression:
(CLIENT.IP.SRC.TYPECAST_TEXT_T.EQUALS_ANY("dataset_blocked_ips")) || HTTP.REQ.IS_VALID.NOT || exp_blocked_subnets
exp_blocked_subnets:
CLIENT.IP.SRC.IN_SUBNET(1.2.3.4/24) || CLIENT.IP.SRC.IN_SUBNET(5.6.7.8/21)
See also https://support.citrix.com/article/CTX222249
If I add my own IP to the dataset and call the gateway URL, the policy hit counter rises and I cannot access the Gateway URL - works as designed.
However, we are now increasingly seeing automated login attempts that cannot be blocked with the policy, even when the attacker's IP is added to the dataset. For whatever reason, the responder policy does not seem to work and the hit counter does not increase.

Does anyone have any ideas as to why this might be? We are currently blocking such attacks directly on the firewall, but I would like to understand why the policy sometimes works and sometimes not.
Many thanks in advance.

  • 1 month later...

In the hope that it might help someone else: the problem described above could be solved as follows.

Blocking IP addresses on a NetScaler Gateway with responder policies only works during authentication if the policy is also bound to the vServer with type AAA_REQUEST.

For example:
add responder policy ResponderPolicyName "CLIENT.IP.SRC.EQ(<Client_IPAddress>).NOT" DROP
bind vpn vserver VserverName -policy ResponderPolicyName -priority 10 -gotoPriorityExpression END -type AAA_REQUEST

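The complete configuration that the two posts above describe, written out as an added example (NetScaler CLI, not copied from either poster or from the Citrix article): a dataset for single IPs, a named expression for subnets, one responder policy, and the policy bound twice, once at the default REQUEST bind point and once at AAA_REQUEST. The vServer name gw_vs, the policy name rsp_block_ips and the RFC 5737 documentation addresses (203.0.113.x, 198.51.100.0/24, 192.0.2.0/24) are assumptions chosen for the example; the dataset and named-expression names are the ones from the question.

```nscli
# Constructed example, not taken from the thread. Gateway vServer name (gw_vs) is assumed.

# Dataset of individual blocked source IPs (placeholder documentation addresses).
add policy dataset dataset_blocked_ips ipv4
bind policy dataset dataset_blocked_ips 203.0.113.10 -index 1
bind policy dataset dataset_blocked_ips 203.0.113.11 -index 2

# Named expression for whole subnets: give the network address with its prefix length.
add policy expression exp_blocked_subnets "CLIENT.IP.SRC.IN_SUBNET(198.51.100.0/24) || CLIENT.IP.SRC.IN_SUBNET(192.0.2.0/24)"

# Responder policy that DROPs a client matching either the dataset or the subnet expression
# (same expression shape as in the question; HTTP.REQ.IS_VALID.NOT left out for brevity).
add responder policy rsp_block_ips "CLIENT.IP.SRC.TYPECAST_TEXT_T.EQUALS_ANY(\"dataset_blocked_ips\") || exp_blocked_subnets" DROP

# Bind point 1: REQUEST (the default type). This is what the question had, and it is why
# simply opening the portal URL from a blocked IP was dropped and raised the hit counter.
bind vpn vserver gw_vs -policy rsp_block_ips -priority 10 -gotoPriorityExpression END -type REQUEST

# Bind point 2: AAA_REQUEST. The authentication traffic (the login submissions the automated
# attempts generate) is evaluated here, not at REQUEST; without this binding those attempts
# are never matched, which is the behaviour the question reports.
bind vpn vserver gw_vs -policy rsp_block_ips -priority 10 -gotoPriorityExpression END -type AAA_REQUEST

save ns config

# Checks: both bindings should be listed, and the hit counter should now rise when a blocked
# IP submits credentials, not only when it fetches the portal page.
show vpn vserver gw_vs
show responder policy rsp_block_ips
stat responder policy rsp_block_ips
```

To verify the fix the way the question tested it, add your own source IP to the dataset and then actually submit a login from it rather than only loading the page; the AAA_REQUEST binding is the one that should count that hit. Do this from a second address or console session so you can unbind the policy again if you lock yourself out.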