Introduction to Policies Expressions | Citrix Systems 9.2 manual

CHAPTER 1

Introduction to Policies and

Expressions

For many NetScaler features, policies control how the feature evaluates data, which ultimately determines what the feature does with the data. A policy uses a logical expression, also called a rule, to evaluate requests, responses, or other data, and applies one or more actions determined by the outcome of the evaluation. Or a policy can apply a profile, which defines a complex action.

Some NetScaler features use advanced policies, which provide greater capabilities than do the older, classic, policies. If you migrated to a newer release of the NetScaler software and have configured classic policies for features that now use advanced policies, you might have to manually migrate policies to the advanced-policy format.

In This Chapter

Advanced and Classic Policies

Advanced and Classic Expressions

About Migration from Classic to Advanced Policies and Expressions

Before You Proceed

Advanced and Classic Policies

Classic policies evaluate basic characteristics of traffic and other data. For example, classic policies can identify whether an HTTP request or response contains a particular type of header or URL.

Advanced policies can perform the same type of evaluations as classic policies. In addition, advanced policies enable you to analyze more data (for example, the body of an HTTP request) and to configure more operations in the policy rule (for example, transforming data in the body of a request into an HTTP header).

In addition to assigning a policy an action or profile, you bind the policy to a particular point in the processing associated with the NetScaler features. The bind point is one factor that determines when the policy will be evaluated.

Image 15

Citrix Systems 9.2 manual Introduction to Policies Expressions, Advanced and Classic Policies

Contents

Citrix NetScaler Citrix NetScaler Policy Configuration and Reference Guide Copyright and Trademark Notice Contents Chapter Converting Text to Hexadecimal Format Contents Citrix NetScaler Policy Configuration and Reference Guide Contents Vii Reducing Web Server Redirects Accommodating Browser Dependent ContentBlocking Access by Robots Blocking Access to Inline Images About This Guide Preface Citrix NetScaler Policy Configuration and Reference Guide New in This Release AudiencePreface Formatting Conventions Formatting ConventionsConvention Meaning Boldface Getting Service and Support Related DocumentationTo view the documentation To provide feedback from the Knowledge Center home Documentation Feedback Advanced and Classic Policies Introduction to Policies Expressions Basic Components of an Advanced or a Classic Policy Benefits of Using Advanced Policies DNS How Different NetScaler Features Use PoliciesNetScaler Feature, Policy Type, and Policy Usage Chapter Introduction to Policies and Expressions AAA Traffic Classic Authorization policies authorize usersAuthorization Associated cache server Functions Access ClassicAuthorization policies, however, can be About Actions and Profiles Authorization. Uses Allow Use of Actions and Profiles in Different NetScaler FeaturesFeature Use of an Action Use of a Profile Pre-Authentication. Uses Server About Policy Bindings About Evaluation Order of Policies Advanced and Classic Expressions Order of Evaluation Based on Traffic FlowAbout Advanced Expressions About Classic Expressions Chapter Before You Proceed Citrix NetScaler Policy Configuration and Reference Guide Configuring Advanced Policies Creating or Modifying an Advanced Policy Advanced-Policy ParametersArgument Specifies Following is an example of a Rewrite policy and action Policy Configuration Examples Feature-Specific Differences in Policy Bindings Feature-Specific Bindings for Advanced PoliciesBinding Advanced Policies Address of the incoming Policies Global default Responder function Policy labelNetScalers integrated Provide rules for modifying Bind Points and Order of Evaluation Advanced Policy Evaluation Across Features Chapter Configuring Advanced PoliciesEntries in a Policy Bank Evaluation Order Within a Policy Bank Format of Each Entry in a Policy BankOptional How Policy Evaluation Ends How Features Use Actions After Policy Evaluation Binding a Policy GloballyExample Details pane, click Feature Name policy manager Binding a Policy to a Virtual Server Displaying Policy Bindings Unbinding an Advanced Policy Unbind responder global policyName Creating a Policy Label Creating Policy Labels To create a policy label by using the configuration utility Attribute Description Configuring a Policy Label or Virtual Server Policy BankBinding a Policy to a Policy Label Entries in a Policy Bank Example Configuring a Policy Label Choices are Integrated Caching, Rewrite, or Responder Configure Virtual Server dialog box click the Policies tab Configuring a Policy Bank for a Virtual Server Chapter Configuring Advanced Policies At the NetScaler command prompt, for the Responder, type Configuring and Binding Policies with the Policy Manager Click Regenerate Priorities To remove unused policies by using the Policy Manager Citrix NetScaler Policy Configuration and Reference Guide Configuring Advanced Expressions Getting Started Basic Elements of an Advanced Expression Expression Characteristics Prefixes Http.res.header.myheader Operations Feature Types of Expression Prefix Used in the FeatureFeatures Content Switching Single-Element Expressions Basic Operations on Expression Prefixes Basic Operations for ExpressionsOperation Determines whether or not Configuring Advanced Expressions Getting Started Compound Advanced ExpressionsBasic Types of Operations String-Based Operations for Compound Advanced Expressions Booleans in Compound ExpressionsParentheses in Compound Expressions Compound Operations for Strings Logical operations on strings Arithmetic Operations for Compound Advanced Expressions Compound Operations for Numbers Result of applying the ~ operator is -11 a binary 1110011 Num % numExpression on the right Returns 12 binary Following example assumes that numeric.expression1 returns Binary 1100 and numeric.expression2 returns 10 binaryWhole expression evaluates to 8 binary Right-side number argument number of bits Integer Number value Following is an example Number .ADDInteger Value Following is an example Number .SUB Binary value of 10 is 1010, and the result of applying Number .LEInteger Integer argument Following is an example Number .LT Assumes that numeric.expression returns 12 binary Result of applying the Bitneg operator is -11 a binary1110011, 32 bits total with all ones to the left Expression as an argument rather than an integer Number.LSHIFT Bitxor operator to the entire expression is 6 binaryCaret performs a similar function to BITXOR, but takes Another expression as an argument rather than an integer Parameters Number.RSHIFTDouble .ADDi Value represented by double Value represented by double is greater than the argument Double .GEiValue represented by double is greater than or equal to Double .GTi Classic Expressions in Advanced Expressions Configuring Advanced Expressions in a Policy Following is an example of configuring a caching policy HTTP.REQ.BODY1000.BETWEENthis,that Click Advanced Expressions Configuring Named Advanced Expressions Chapter Citrix NetScaler Policy Configuration and Reference Guide Advanced Expressions Evaluating Text About Operations on Text About Text Expressions Compounding and Precedence in Text Expressions Categories of Text ExpressionsChapter Advanced Expressions Evaluating Text Guidelines for Text Expressions Prefix Description Expression Prefixes for TextExpression Prefixes for Text in Http Requests and Responses Http Expression Prefixes that Return Text Address. For information on expressions for IP Returns the domain name part of the host name. ForMyhost.com8080, the domain is myhost.com Returns incorrect results if the host name has an IP URL LISTT,.COUNT LISTT,. IGNOREEMPTYELEMENTS.COUNT HTTP.REQ.USER.EXTERNALGROUPS HTTP.REQ.USER.GROUPS HTTP.REQ.USER.INTERNALGROUPS Returns a list of internal groups to which the userFor example, the following expression returns a User belongs Group Integer argument Default value of 80 or 443 for Https connectionsReturns the Http version listed in the request Returns a portion of the Http response body. Expression Prefixes for VPNs and Clientless VPN and Clientless VPN Description Expression VPN and Clientless VPN Expression Prefixes that Return Text Extracts a slash- / separated list from the path By default, is not considered an empty elementWhen evaluating this header Evaluates the server portion of the host name This method ignores the empty elements in a Extracts a name-value list, using the =Evaluates the protocol in the URL Delimiters from the query string in a URL Hostname Evaluating this header Ignores empty elements in a list. For example, ifList delimiter is a comma , the following list Has an empty element following a=10 As another example, consider the following http Ignores empty elements in a name-value list. ForExample, the following list contains an empty Element after a=10 Evaluates the server part of the host name Results in Boolean True if the host nameIs case insensitive Following expression returns True Consider the following header This method ignores the empty elements in a listFor example, if the delimiter in a list is , Entry a=10 Evaluating the same header Example, the following list uses a semicolonPreceding example, the element following =11 is not considered an empty element Returns a Boolean True value if the target contains Operations on TextBasic Operations on Text Basic Operations on Text Basic Text Operation Description Operations for Calculating the Length of a StringOperations for Controlling Case Sensitivity Operations on Case Sensitivity of Text Case Operation Description Complex Operations on TextOperations on the Length of a String Operations on Strings Based on a Character Count Object of 0 length Operations on a Portion of a StringBasic Operations on a Portion of a String Character Count Operation Description Matches ending string Returns a Boolean True value if the length of the textObject is greater than or equal to the sum starting string Matches starting string, and if the suffix of the target Operation Description Converting Text to a Hash Value Raises an Undef if text is not in B64-encoded format Operator DescriptionBase64 encoding algorithm Applying the Base64 decoding algorithm. The operation Converting Text to Hexadecimal Format Citrix NetScaler Policy Configuration and Reference Guide Advanced Expressions Working with Dates, Times, and Numbers Format of Dates and Times in an Expression Expressions for the NetScaler System Time Dates and Times in a Rewrite Action NetScaler Time Description Operation Expressions that Return NetScaler System Dates and Times Advanced Expressions Working with Dates, Times, and Numbers False depending on the current timezone Scheduled reboot, and returns an integerIs equal to the time argument Sys.time.leGMT 2006 True in this example Time2 Expressions for SSL Certificate Dates True SSL Certificate Operation Description This example are in parentheses For example, if the current time is GMT 2005 May10h 15m 30s, and it is the first Sunday of the month You can specify the following evaluation results for Equal to the time argument Closest boot time is in the past, the integer isExtracts the last hour that the certificate is valid Returns a Boolean True if the time precedes or is To give the weekday in the time value System time and the specified time and returns anIf it is in the future, the integer is positive Extracts the last weekday that the certificate is valid LOCAL, and time2 must be bigger than time1 Returns a Boolean True if the time value is betweenTime1, time2 arguments. Both the time1, time2 Arguments must be fully specified Returns a Boolean True if the time occurs after Returns a Boolean True if the time is greater thanAfter or equal to the time argument Results are in parentheses NetScaler system time and the specified time as an Extracts the last minute that the certificate is validReturns the current month as an integer from Returns the number of seconds between the current Element of time from time2, it is assumed to have Extracts the last second that the certificate is validReturns the current second as an integer from 0 to 6 Saturday Prefixes That Evaluate Http Date Headers Expressions for Http Request and Response Dates 111 Citrix NetScaler Policy Configuration and Reference Guide Advanced Expressions Parsing HTTP, TCP, and UDP Data About Evaluating the Payload Body About Evaluating Http and TCP Payload 115 Expressions for Http Headers Prefixes for Http Headers Prefixes That Extract Http HeadersHttp Header Prefix Description Advanced Expressions Parsing HTTP, TCP, and UDP Data For example, the following is a cookie with Returns the value of Path field of the cookieAs a slash- / separated list. Multiple First instance is returned ABC PATH=/a/b/c PORT= 80 Returns the value of Port field of the cookieOperate as a comma-separated list From Set-Cookie Customer = DOMAIN=.xyz.com Returns the value of the Domain fieldFirst cookie with the specified name. For Example, the following expression returns a From the cookie Set-Cookie Customer Named cookie as a , separated list. For Header type exists Operations for Http HeadersOperations That Evaluate Http Headers Returns the value of Version field of the nth Does not concatenate the different values Any instance of the header valueFollowing is an example of request with two headers Following returns a Boolean True Following extracts the string def from the last STR stringInstance to the first Following is an example of a request Instance number argument cannot exceed Or a response. This operation returns the header thatOccurs instance number of places before the final Used in bidirectional policies Cannot exceed Prefixes for Cache-Control HeadersOperations for Cache-Control Headers Prefixes That Extract Cache-Control Headers Operations That Evaluate Cache-Control Headers 127Http Header Operation Description Has the value No-Transform Has the value Min-FreshHas the value Max-Stale Has the value Must-Revalidate Expressions for Extracting Segments of URLs URL Prefix Description Expressions for Numeric Http Payload Data Other Than DatesPrefixes That Extract URLs Prefixes That Evaluate Http Request or Response Length Operations That Evaluate Html and XML Encoding Returns the response status codeHtml or XML Operation Description Read-only operation Where xx is a hex-based representationSpecifies how to treat the plus character +. Converts unsafe URL characters to %xx values Where WW and XX represent two distinct With the character Y where XXX representsWhere the colon is the Ascii equivalent Decoded to http//, where the colon is Expressions for TCP, UDP, and Vlan Data Prefixes that Extract TCP and UDP DataGET Operation Description NS. This is a name server record that includes a Enables locating the domain name that isMX mail exchanger. This DNS record describes Domain and the priority for each server XPath and Json Expression Prefixes that Return Text XPath and Json Expressions Json file and returns a Boolean True if Or a string. Node-sets are converted toXPath string conversion routine File Book creator person Namename , titletitle File and returns the corresponding string For example, consider the following JsonThat are enclosed by /Book a node-set First 1000 bytes of the body of the Json Text.XPATHWITH Bytes of the bodyMARKUPxp%/Book/creator% Citrix NetScaler Policy Configuration and Reference Guide About SSL and Certificate Expressions Advanced Expressions Parsing SSL Certificates SSL cryptographic cipher is exportable Prefixes for Text-Based SSL and Certificate DataReturns the SSL client certificate in the current SSL transaction Prefixes for Numeric Data in SSL Certificates Expressions for SSL CertificatesAdvanced Expressions Parsing SSL Certificates Returns the Distinguished Name DN Issuer in the certificate as a name-value list. AnBased on the preceding Issuer definition Returns a Boolean True if the client has an SSL = is the delimiter for the name and the value Returns the Issuer Distinguished NameAn Authority Key Identifier extension Certificate as a name-value list. An equals sign False IGNOREEMPTYELEMENTS.COUNT CLIENT.SSL.CLIENTCERT.ISSUER Citrix NetScaler Policy Configuration and Reference Guide Expressions for IP Addresses and IP Subnets Operations on IPV4 Addresses Prefixes for IPV4 Addresses and IP SubnetsOperations for IPV4 Addresses Prefixes That Evaluate IP and MAC Addresses Qual1.qual2.qual3.qual4.qual5.qual6 About IPv6 Expressions Returns the IPv6 address in the source field of the IP Expression Prefixes for IPv6 AddressesIPv6 Expression Prefixes that Return Text IP header Operations for IPV6 Prefixes Operations That Evaluate IPv6 AddressesIPv6 Operation Description Prefixes That Evaluate MAC Addresses Expressions for MAC AddressesPrefixes for MAC Addresses Operations for MAC Addresses Expressions for Numeric Client and Server Data Prefixes That Evaluate Numeric Client and Server Data155 Citrix NetScaler Policy Configuration and Reference Guide Matching Text With Strings in a Set To patternsetname Operators That Use a Pattern SetMatching Operators Description Patternsetname Setname Name Configuring a Pattern Set 161 At a NetScaler command prompt, type Add policy patset myPatSet 163 Matching Text With a Pattern Basic Characteristics of Regular Expressions Operations for Regular Expressions165 Expression does not match any text in the target Selects text that precedes the string that matchesRegular expression argument. If the regular From text/plain Settextmodeignorecase Regular Expression Operation Description From the last to the first Insensitive, multi-line match, where the dotText following the string that matches Header value. The header instances are matched Transforming Text and Numbers into Different Data Types FirstFollowing example selects NS-CACHE-9.0 Typecasting Operations Delimiter If the current text mode is Ignorecase and you specifyAre ignored As the delimiter, an uppercase P is not treated as a For example, the following policy matches Http requests Hostname path? query, and the text mode is set toUrlencoded by default Treats a numeric string like an IP address Following Http response header Following policy extracts a numeric portion of a queryString, adds 4 to the number, and inserts an Http header For example, this policy would extract 4444 from HTTP.REQ.SETCOOKIE HTTP.REQ.COOKIE.TYPECASTHTTPHEADERHTTP.REQ.COOKIE.TYPECASTHTTPHEADERT MyHeader to InHeader Converts the designated text to a multi-line Http headerThat you specify in a name argument For example, the following expression converts Betweengmt 2004, GMT 2006 True EQLocal 2005 May True or FALSE, depending on Time value argument tEqgmt 2005 True Eqgmt 2005 Dec False Gtgmt 8h True Gtgmt 2004 TrueGtgmt 2005 Jan True GTLocal 2005 May True or FALSE, depending on Legmt 8h False Legmt 2006 TrueLegmt 2005 Dec True LELocal 2005 May True or FALSE, depending on Value as an integer that ranges from 1 January to Most recent reboot or the number of seconds to the nextTime is in the future scheduled reboot time, the integer is Value as an integer that ranges from 0 to Time1 and time2 Extracts the year from the current system time and returns Transforms the double-precision number represented byDouble to an integer Advanced Policies Controlling Rate of Traffic About Policies that Monitor the Traffic RateExpressions for Controlling the Traffic Rate Configuring Policies That Control the Traffic Rate Chapter About Http Callout Policies About Calling Out to an External Application 187 Following is an example of a response Configuring an Http Callout Policy Elements in an Http Callout PolicyParameter Specifies URL stem expression urlStemExpr Attribute-based Http Method httpMethodServer mutually Expression that derives the value. Examples Must manually validate the request Example, if you configure a return type of text, the resultExpression to 8191 characters NetScaler does not check the validity of this request. You 191 Examples To modify a callout policy using the NetScaler command line 193 To delete a callout policy using the NetScaler command lineTo view a callout policy using the NetScaler command line Invoking an Http Callout Policy If the return type is NUM, the following expression is valid 195 Citrix NetScaler Policy Configuration and Reference Guide Where Classic Policies Are Used Configuring Classic Policies Expressions Http Auditing of user access Configuring Classic Policies and Expressions Click Policies Viewing Classic Policies 201 Configuring a Classic Policy To create a classic policy using the NetScaler command line At the command line, type 203 Configuring a Classic Expression REQ.IP.SOURCEIP == 200.0.0.0 -netmask 205 Flow Type.protocol.qualifier.operator.value.header Name 207 Binding a Classic Policy Configure Virtual Server dialog box, click the Policies tab 209 Creating Named Classic Expressions Citrix NetScaler Policy Configuration and Reference Guide Expressions Reference Advanced ExpressionsExpression Prefix Descriptions Citrix NetScaler Policy Configuration and Reference Guide Appendix a Expressions Reference Operates on the Vlan through which the current Expression Prefixes for Text in Http Ignores spaces in the data. See the table Http Appendix a Expressions Reference 217 Obtains the Expires field of the cookie as a date Appendix a Expressions Reference 219 SERVER.INTERFACE.ID.EQLA/1 Appendix a Expressions Reference 221 Ignores spaces in the data. For an example, see VPNs, on Appendix a Expressions Reference 223 Classic Expressions OperatorsExpression Element Definition Appendix a Expressions Reference 225 General Expressions REQ.SSL.CLIENT.CERT REQ.SSL.CLIENT.CERT.ISSUERREQ.HTTP.URLQUERYLEN REQ.SSL Appendix a Expressions Reference 227 Client Security Expressions Expression ElementActual Expression Definition Network-Based Expressions Appendix a Expressions Reference 229Expression Definition Date Date/Time ExpressionsFile System Expressions Time Appendix a Expressions Reference 231 Built-In Named Expressions General Always returns a value of False Appendix a Expressions Reference 233 Nsfarclient Nsmsexcel Nsmsie Nsmsppt NsmswordNstrue Nsurlpathbin Built-InNamed Expressions Anti-Virus Built-InNamed Expressions Personal FirewallAppendix a Expressions Reference 235 Built-InNamed Expressions Client Security Expression Definition Norton Internet SecurityAny version of Norton Internet Security Summary Examples of Advanced Expressions and Policies Examples of Advanced ExpressionsExpression Type Sample Expressions Extension Content-Type headerLook for a particular file type in an Http request based on the file Purpose Example Examples of Advanced Expressions and Policies Modify a URL to redirect To https// in all URLsThis policy uses Responder functionality Limit the number Check the client IPThrough unchanged Remove old headers from Request and insert anNS-Client header Header action so that Request, insert anNS-Client header, Then modify the insert Citrix NetScaler Policy Configuration and Reference Guide Redirecting an External URL to an Internal URL Tutorial Examples of Advanced Policies for Rewrite Bind the policy globally 247 Redirecting a QueryRedirecting Http to Https Appendix C Removing Unwanted Headers Reducing Web Server Redirects Masking the Server Header249 Add rewrite policy polmask-server true actmask-server Tutorial Examples of Classic Policies Citrix NetScaler Policy Configuration and Reference Guide Appendix D Tutorial Examples of Classic Policies 253 REQ.HTTP.HEADER URL Contains string Appendix D Tutorial Examples of Classic Policies 255 Application Firewall Policy to Protect Scripted Web Pages DNS Policy to Drop Packets from Specific IPs Add dns policy polddosdrop SSL Policy to Require Valid Client Certificates Citrix NetScaler Policy Configuration and Reference Guide Migration of Apache modrewrite Rules to Advanced Policies Converting Host Name Variations to Canonical Host Names Apache modrewrite solution for converting a URLNetScaler solution for converting a URL Converting URL Variations into Canonical URLs Appendix E Apache modrewrite solution for moving the document rootNetScaler solution for moving the document root Moving a Document Root Working with Structured Home Directories Moving Home Directories to a New Web Server Redirecting Invalid URLs to Other Web Servers Apache modrewrite solution for structured home directoriesNetScaler solution for structured home directories NetScaler solution for redirection if a URL is wrong method Rewriting a URL Based on Time NetScaler solution for rewriting a URL based on the time Redirecting to a New File Name Invisible to the User Redirecting to New File Name User-Visible URL265 Apache modrewrite solution for browser-specific settings Accommodating Browser Dependent Content 267 Blocking Access by Robots Blocking Access to Inline Images NetScaler solution for blocking access to an inline imageCreating Extensionless Links NetScaler policy for adding a .php extension to all requests 269 Redirecting a Working URI to a New Format Apache modrewrite solution Ensuring That a Secure Server Is Used for Selected Pages NetScaler solutionNetScaler solution using regular expressions NetScaler solution using pattern sets Bind patset pat1 page4 Bind patset pat1 page5 Number.TYPECASTIPADDRESSAT New Advanced Expression Operators in This ReleaseOperators for Extracting and Evaluating Numeric Data New Operators for Extracting and Evaluating Numeric Data Operators for Extracting and Evaluating Text New Operators for Evaluating TextOperators Operation Operators for Client and ipv6 Expression Prefixes Operators for Extracting and Evaluating Http DataOperators for the Client and ipv6 Expression Prefixes New Operators for Extracting and Evaluating Http data Operators for Evaluating Groups to Which a User Belongs XPath and Json Operators for Evaluating XML and Json DataOperators for Evaluating Groups to Which a User Belongs XPath and Json Operators for Evaluating XML and Json Text Index Introduction to 224 migration to advanced RES.VLANID Index 279 CLIENT.ETHER.DSTMAC HTTP.RES.SETCOOKIE2.COOKIEname, i Index Omain 82 VPN.CLIENTLESSHOSTURL.HOSTNAME.E Authkeyid Citrix NetScaler Policy Configuration and Reference Guide Index Useinvocationresult VPN 65 Character 57 ? character Citrix NetScaler Policy Configuration and Reference Guide