Manuals / Citrix Systems / Computer Equipment / Network Router

Citrix Systems CITRIX NETSCALER 9.3 manual Parameters for configuring a command policy, policyname

Models: CITRIX NETSCALER 9.3

1 195

Download 195 pages 43.21 Kb

Page 30

To create a command policy by using the NetScaler command line

Chapter 1 Authentication and Authorization

To create a command policy by using the NetScaler command line

At the NetScaler command prompt, type the following commands to create a command policy and verify the configuration:

wadd system cmdPolicy <policyname> <action> <cmdspec>

wsh system cmdPolicy

Example

>add system cmdPolicy read_all ALLOW (^show\s+(! system)(!ns ns.conf)(!ns runningConfig).*) (^stat.*)

Done

>sh system cmdPolicy

1)Command policy: operator

2)Command policy: read-only

3)Command policy: network

4)Command policy: superuser

5)Command policy: allow_portaladmin

6)Command policy: read_all

Done

To modify or remove a command policy by using the NetScaler command line

wTo modify a command policy, type the set system cmdPolicy <PolicyName> command and the parameters to be changed, with their new values.

wTo remove a command policy, type rm system cmdPolicy <PolicyName>.

Note: The built-in command policies cannot be removed.

Parameters for configuring a command policy

policyname

A name for the command policy you are creating. The name can begin with a letter, number, or the underscore symbol, and can consist of from one to 31 letters, numbers, and the hyphen (-), period (.), pound (#), space ( ), at sign (@), equals (=), colon (:), and underscore (_) symbols. (Cannot be changed for existing policies.)

action

The action the policy applies when the command specification pattern matches. Possible values: ALLOW, DENY

cmdspec

Rule (expression) that the policy uses for pattern matching.

30

Image 30

Citrix Systems CITRIX NETSCALER 9.3 To create a command policy by using the NetScaler command line, policyname, action

Contents

Citrix NetScaler Administration Guide Citrix NetScalerCopyright and Trademark Notice All rights reserved Last Updated March Document code May 21 2012 Page Contents 1 Authentication and AuthorizationPreface Contents 2 SNMPCitrix NetScaler Administration Guide Enabling Unconditional SNMP Trap Loggingviii Contents3 Audit Logging Citrix NetScaler Administration Guide 4 Web Server LoggingContents Installing and Configuring the Client System for Web Server Logging. . . . . . . . . . . . . . . . . . . . . 96 Installing NSWL Client on a Solaris Operating System. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .97 To install the NSWL client package on a Solaris operating system. . . . . . . . . . . . . . 97 To uninstall the NSWL client package on a Solaris operating systemConfiguring TCP Window Scaling xi Citrix NetScaler Administration Guide5 Advanced Configurations Contents Citrix NetScaler Administration Guide Specifying the MSS Value in a TCP Profilexiii 6 Web InterfaceContents Enabling AppFlow for Virtual Servers179 xiv 7 AppFlowCitrix NetScaler Administration Guide 8 Reporting ToolContents In This Preface PrefaceFormatting Conventions for NetScaler Documentation Table 1. Formatting ConventionsTo view the documentation Documentation Available on the NetScaler AppliancePreface ConventionGetting Service and Support NetScaler Documentation FeedbackTo provide feedback at the Knowledge Center home page Preface Resetting the Default Administrator nsroot Password Authentication and AuthorizationConfiguring Users and Groups Configuring Command Policies Example of a User Scenario Configuring External User AuthenticationTo create a user account by using the NetScaler command line Configuring Users and GroupsConfiguring User Accounts w show system user Exampletimeout CLI Idle Session Timeout Secs Parameters for configuring a user accountpassword Password userName User NameTo create a user group by using the NetScaler command line Configuring User GroupsTo configure a user account by using the configuration utility Password Confirm Password CLI Prompt CLI Idle Session Timeout SecsTo unbind a user from a group by using the NetScaler command line To modify or remove a user group by using the NetScaler command lineTo bind a user to a group by using the NetScaler command line w show system group groupName Examplew show system group groupName Parameters for configuring a user groupTo configure a user group by using the configuration utility groupName Group NameConfiguring Command Policies Built-in Command PoliciesCLI Prompt CLI Idle Session Timeout Secs except show runningconfig, show Creating Custom Command PoliciesTable 1-1. Built-in Command Policies runningconfig, and sh gslbMatches these commands Table 1-2. Examples of Regular Expressions for Command PoliciesCommand specification Table 1-3. Expressions Used in the Built-in Command Policiesw sh system cmdPolicy Example To create a command policy by using the NetScaler command lineParameters for configuring a command policy policynameBinding Command Policies to Users and Groups To configure a command policy by using the configuration utilityw sh system user userName Example Parameters for binding a command policy to a userTo bind command policies to a user by using the configuration utility w sh system user userNameParameters for binding a command policy to a group Resetting the Default Administrator nsroot Password To reset the nsroot passwordExample of a User Scenario fsck /dev/ad0s1a mount /dev/ad0s1a /flashTable 1-4. Sample Values for Creating Entities Configuration stepsmodifyall with action as Allow and the command spec \S+\s+?!system FieldConfiguring External User Authentication Configuring LDAP Authentication User attribute Table 1-5. User Attribute Fields for LDAP ServersLDAP server Case sensitive?LDAP server To configure LDAP authentication by using the configuration utility4. In Authentication Type, select LDAP. Next to Server, click New Bind DNDetermining attributes in the LDAP directory Choosing RADIUS authentication protocols Configuring RADIUS AuthenticationTo configure RADIUS authentication by using the configuration utility 4. In Authentication Type, select RADIUSConfiguring IP address extraction To configure IP address extraction by using the configuration utility4. Under Details, in Group Vendor Identifier, type the value Configuring TACACS+ Authentication Configuring NT4 Authentication4. In Authentication Type, select TACACS Binding the Authentication Policies to the System Global Entity To configure NT4 authentication by using the configuration utilityChapter 1 Authentication and Authorization 2. On the Policies tab, click Global BindingsConfiguring SNMP Alarms for Rate Limiting Configuring the NetScaler to Generate SNMPv1 and SNMPv2 TrapsConfiguring the NetScaler for SNMP v1 and v2 Queries Configuring the NetScaler for SNMPv3 QueriesConfiguring the NetScaler to Generate SNMPv1 and SNMPv2 Traps Importing MIB Files to the SNMP Manager and Trap ListenerTo import the MIB files to the SNMP manager and trap listener To enable or disable an SNMP alarm by using the configuration utility Enabling or Disabling an SNMP AlarmTo enable or disable an SNMP alarm by using the command line w enable snmp alarm alarm name w sh snmp alarm alarm nameParameters for configuring SNMP alarms Configuring AlarmsTo configure an SNMP alarm by using the command line w sh snmp alarm alarm NameConfiguring Traps To configure SNMP alarms by using the configuration utilityTo add an SNMP trap by using the NetScaler command line w show snmp trap Parameters for configuring SNMP trapsTo configure SNMP Traps by using the configuration utility trapClassDestination IP Address*-trapDestination Destination Port-destPort w set snmp option -snmpTrapLogging ENABLED DISABLEDEnabling Unconditional SNMP Trap Logging Source IP Address-srcIP Minimum Severity-severityParameters for unconditional SNMP trap logging Configuring the NetScaler for SNMP v1 and v2 QueriesSpecifying an SNMP Manager SnmpTrapLogging SNMP Trap LoggingTo add an SNMP manager by using the NetScaler command line w show snmp managerw show snmp manager Parameters for configuring an SNMP manager IPAddressw show snmp manager domainResolveRetry To add an SNMP manager by using the configuration utilitynetmask IP Address*-IPAddressSpecifying an SNMP Community To specify an SNMP community by using the NetScaler command lineParameters for configuring an SNMP community string w sh snmp communityTo remove an SNMP community string by using the configuration utility Configuring SNMP Alarms for Rate LimitingConfiguring an SNMP Alarm for Throughput or PPS Community String*-communityNamew show snmp alarm PF-RL-RATE-THRESHOLD thresholdValue Parameters for configuring an SNMP alarm for throughput or PPSw show snmp alarm PF-RL-PPS-THRESHOLD normalValueConfiguring SNMP Alarm for Dropped Packets state Configuring the NetScaler for SNMPv3 QueriesParameters for configuring an SNMP alarm for dropped packets severitySetting the Engine ID Parameters for setting the engine ID Configuring a ViewTo set the engine ID by using the NetScaler command line To set the engine ID by using configuration utilityTo configure an SNMP view by using the configuration utility Configuring a GroupParameters for configuring an SNMP view To add an SNMP group by using the NetScaler command lineTo configure an SNMP group by using the configuration utility Configuring a UserParameters for configuring an SNMP group To configure a user by using the NetScaler command lineName*-name Group Name*-group Authentication Type-authType Parameters for configuring an SNMP userTo configure an SNMP user by using the configuration utility Authentication Password-authPasswd Privacy Type-privTypeCitrix NetScaler Administration Guide A required parameter 4. Click Create or OK, and then click CloseChapter 2 SNMP Default Settings for the Log Properties Configuring the NetScaler Appliance for Audit LoggingInstalling and Configuring the NSLOG Server Running the NSLOG Server Sample Configuration File audit.confChapter 3 Audit Logging To configure a SYSLOG server action by using the command line Configuring the NetScaler Appliance for Audit LoggingConfiguring Audit Servers w show audit syslogAction namew show audit nslogAction name To configure an NSLOG server action by using the command lineParameters for configuring auditing servers serverIPdateFormat ERRORLog levels defined logFacilityTo configure a SYSLOG policy by using the command line Configuring Audit PoliciesTo configure an auditing server action User Configurable Log Messages-userDefinedAuditlogw add audit syslogPolicy name rule action To configure an NSLOG policy by using the command lineParameters for configuring audit policies w show audit syslogPolicy nameParameters for binding the audit policies globally To configure an audit server policyBinding the Audit Policies Globally Name* name Server* actionTo create an audit message action by using the NetScaler command line Configuring Policy-Based LoggingConfiguring an Audit Message Action To globally bind the audit policyExample Parameters for configuring an audit message actionbypassSafetyCheck stringBuilderExprInstalling and Configuring the NSLOG Server Binding Audit Message Action to a PolicyName*-name Log Level*-logLevel Table 3-1. Supported Platforms for the NSLOG Server Installing NSLOG Server on the Linux Operating SystemTo install the NSLOG server package on a Linux operating system Operating systemInstalling NSLOG Server on the FreeBSD Operating System To uninstall the NSLOG server package on a Linux operating systemTo uninstall the NSLOG server package on a FreeBSD operating system Installing NSLOG Server Files on the Windows Operating SystemTo install the NSLOG server package on a FreeBSD operating system pkgadd audserverbsd-release number-build number.tgz ExampleTo install NSLOG server on a Windows operating system Citrix NetScaler Administration GuideAudit server commands NSLOG Server Command OptionsTo uninstall the NSLOG server on a Windows operating system audserver -removeAudit server commands Adding the NetScaler Appliance IP Addresses on the NSLOG ServerTo add the IP addresses of the NetScaler appliance audserver -removeRunning the NSLOG Server Verifying the NSLOG Server Configuration FileTo stop audit server logging that starts as a service in Windows To start audit server loggingCustomizing Logging on the NSLOG Server Creating FiltersTo create a filter Specifying Log Properties ExampleExample Example Default Settings for the Log PropertiesExample ExampleSample Configuration File audit.conf ExampleExample Sample Configuration File Arguments for Defining a Custom Log Format Configuring the NetScaler Appliance for Web Server LoggingInstalling and Configuring the Client System for Web Server Logging Web Server LoggingEnabling or Disabling Web Server Logging Configuring the NetScaler Appliance for Web Server Loggingw enable ns feature WL w disable ns feature WL w sh ns feature Web LoggingParameter for modifying the buffer size Modifying the Default Buffer SizeTo modify the buffer size by using the NetScaler command line w sh weblogparam ExampleTable 4-1. Supported Platforms for the NSWL Client Installing and Configuring the Client System for Web Server LoggingTo modify the buffer size by using the configuration utility VersionHardware requirements Installing NSWL Client on a Solaris Operating SystemTo install the NSWL client package on a Solaris operating system cp pathtocd/Utilities/weblog/Solaris/NSweblog.tar /tmpTo install the NSWL client package on a Linux operating system Installing NSWL Client on a Linux Operating SystemTo uninstall the NSWL client package on a Solaris operating system cd /tmpTo view the installed Web server logging files Installing NSWL Client on a FreeBSD Operating SystemTo uninstall the NSWL client package on a Linux operating system To install the NSWL client package on a FreeBSD operating systemTo install the NSWL client package on a Mac OS operating system Installing NSWL Client on a Mac OS Operating SystemTo uninstall the NSWL client package on a FreeBSD operating system pkgdelete NSweblogTo install the NSWL client on a Windows system Installing NSWL Client on a Windows Operating SystemTo uninstall the NSWL client package on a Mac OS operating system pkgdelete NSweblogTo install the NSWL client package on an AIX operating system Installing NSWL Client on an AIX Operating SystemTo uninstall the NSWL client on a Windows system To uninstall the NSWL client package on an AIX operating systemNSWL command NSWL Client Command OptionsTable 4-3. NSWL Command Options To view the installed Web server logging filesnswl -addns -f directorypath \log.conf Adding the IP Addresses of the NetScaler ApplianceTo add the NSIP address of the NetScaler appliance NSWL commandRunning the NSWL Client Verifying the NSWL Configuration FileTo verify the configuration in the NSWL configuration file Customizing Logging on the NSWL Client SystemCreating Filters Table 4-4. Parameters for Creating a FilterParameter SpecifiesSpecifying Log Properties To create a filter for a virtual serverTo create a filter, enter the following command in the log.conf file To create a filterChapter 4 Web Server Logging ExampleExample Example Understanding the NCSA and W3C Log FormatsNCSA Common Log Format ExampleArgument W3C Extended Log FormatTable 4-5. NCSA Common Log Format SpecifiesTable 4-6. Directive Descriptions EntriesDirectives DirectiveTable 4-7. Prefix Descriptions FieldsIdentifiers PrefixTable 4-9. W3C Extended Log Format Identifiers Requires a Prefix Table 4-8. W3C Extended Log Format Identifiers No Prefix RequiredIdentifier Table 4-10. W3C Extended Log File Format Allows Log FieldsField Creating a Custom Log Format by Using the NSWL LibraryCreating a Custom Log Format DescriptionTo create the custom log format by using the NSWL Library Creating a Custom Log Format ManuallyExample Sample Configuration File Creating Apache Log FormatsCitrix NetScaler Administration Guide Argument Arguments for Defining a Custom Log FormatTable 4-11. Custom Log Format SpecifiesArgument b d g h H Foobari j J l m M Foobaro p qSpecifies Argument r s t formatt T u U v V V6Specifies Argument Time Format DefinitionTable 4-12. Time Format Definition SpecifiesChapter 4 Web Server Logging ArgumentSpecifies Citrix NetScaler Administration Guide Chapter 4 Web Server Logging Configuring TCP Window Scaling Configuring Selective Acknowledgment Advanced ConfigurationsConfiguring Clock Synchronization Viewing the System Date and Time Clearing the Configuration Viewing the HTTP Band StatisticsConfiguring Clock Synchronization To add an NTP server by using the NetScaler command linew show ntp server Example To configure an NTP server by using the configuration utility To modify or remove NTP servers by using the NetScaler command lineParameters for configuring an NTP server serverNameConfiguring Clock Synchronization Manually w enable ntp sync w disable ntp syncStarting or Stopping the NTP Daemon show ns config Example To view the system date and time by using the NetScaler command lineusr/sbin/ntpd -c /nsconfig/ntp.conf -l /var/log/ntpd.log Viewing the System Date and TimeConfiguring TCP Window Scaling To view the system date and time by using the configuration utilitySystem Time Tue Feb 165044 w show ns tcpParam Example To configure window scaling by using the NetScaler command lineParameters for configuring window scaling WSValENABLED Configuring Selective AcknowledgmentTo configure window scaling by using the configuration utility SACK statusClearing the Configuration To enable SACK by using the Configuration UtilityTo clear a configuration by using the NetScaler command line Viewing the HTTP Band Statistics Parameters for clearing a configurationTo clear a configuration by using the configuration utility levelTo modify the band range by using the NetScaler command line To add an HTTP profile by using the NetScaler command line Configuring HTTP ProfilesTo modify the band range by using the configuration utility Table 5-1. Built-in HTTP Profilesname Name ENABLED DISABLED w sh ns httpProfile ExampleParameters for adding an HTTP profile maxReusePool Max Connection in reusepoolTable 5-2. Built-in TCP Profiles Configuring TCP ProfilesTo add an HTTP profile by using the configuration utility Built-in profileTo add a TCP profile by using the NetScaler command line Built-in profileDescription w sh ns tcpProfile Example delayedAck TCP Delayed ACK Time-out msecParameters for creating a TCP profile WS Window ScalingpktPerRetx Maximum Packets per Retransmission To add a TCP profile by using the configuration utilityInitial Congestion Window Size TCP Delayed ACK Time-out msec minRTO Minimum RTO in millisecw set ns tcpProfile name -bufferSize positiveinteger Specifying a TCP Buffer SizeUse Nagles Algorithm Immediate ACK on Receiving Packet with PUSH w show ns tcpProfile nameExample w set ns tcpProfile nstcpdefaultprofile -bufferSize positiveintegerw show ns tcpProfile nstcpdefaultprofile 12000Parameters for setting the TCP buffer size in a TCP profile bufferSizename Specifying the MSS Value in a TCP Profile Parameters for specifying the MSS value in a TCP profileLearn MSS for VServer Configuring the NetScaler to Learn the MSS Value from Bound Servicesw set ns tcpParam -learnVsvrMSS ENABLEDDISABLED w show ns tcpParam ENABLEDlearnVsvrMSS Chapter 5 Advanced Configurations Web Interface How Web Interface Works Prerequisites Installing the Web InterfaceConfiguring the Web Interface ChapterHow Web Interface Works PrerequisitesFigure 6-1. A Basic Web Interface Session Installing the Web Interface ExampleWeb Interface tar file path Configuring the Web InterfaceParameters for installing the Web interface and JRE tar files JRE tar file pathDirect Mode Parameters for configuring Web interface sitesKiosk Mode Site TypeAccess Gateway URL Gateway Direct ModeAuthentication Point PortXML Service Port Configuring a Web Interface Site for LAN Users Using HTTPXML Service Addresses TransportFigure 6-2. A Web Interface Site Configured for LAN Users Using HTTP Site Type Published Resource Type Kiosk ModeXML Service Addresses XML Service Port Transport Load Balance Virtual Server Protocol select HTTPS IP Address PortExample ExampleExample ExampleConfiguring a Web Interface Site for LAN Users Using HTTPS Figure 6-3. A Web Interface Site Configured for LAN Users Using HTTPSSite Type Published Resource Type Kiosk Mode Chapter 6 Web InterfaceVirtual Server Protocol select HTTPS IP Address Port Example XML Service Addresses XML Service Port Transport Load BalanceExample ExampleExample ExampleExample ExampleConfiguring a Web Interface Site for Remote Users Using AGEE ExampleExample Site Type Published Resource Type Kiosk Mode Session Reliability Use two STA Servers Authentication Point Access Gateway URL Add DNS EntryTrust SSL Certificate STA Server URL STA Server URL XML Service Addresses XML Service Port Transport Load BalanceChapter 6 Web Interface ExampleExample Chapter How AppFlow Works Configuring the AppFlow FeatureAppFlow TopicsHow AppFlow Works Figure 7-1. NetScaler Flow SequencetransactionID Flow RecordsTemplates connectionIDhttpRequestURL Configuring the AppFlow FeaturehttpRequestSize httpUserAgentTo specify a collector by using the NetScaler command line Enabling or Disabling the AppFlow FeatureTo enable the AppFlow feature by using the configuration utility w enable ns feature appflow w disable ns feature appflowTo specify a collector by using the configuration utility Configuring an AppFlow ActionTo remove a collector by using the NetScaler command line To configure an AppFlow action by using the NetScaler command lineCollectors collecter-1 Hits Action Reference Count Parameters for configuring an AppFlow actionDone show appflow action 1 Name apfl-act-collector-1 2 Name apfl-act-collector-2-and-3 Collectors collector-2, collecter-3To configure an AppFlow policy by using the NetScaler command line Configuring an AppFlow PolicyTo configure an AppFlow action by using the configuration utility w show appflow policy namerule Parameters for configuring an AppFlow policyname actionHTTP To configure an AppFlow policy by using the configuration utilityTo add an expression by using the Add Expression dialog box commentBinding an AppFlow Policy CLIENTw show appflow global gotoPriorityExpression To globally bind an AppFlow policy by using the configuration utilityParameters for binding an AppFlow policy invoke Invoke flag labelTypeEnabling AppFlow for Virtual Servers To enable AppFlow for a virtual server by using theNetScaler command line 6. Click Apply ChangesTo enable AppFlow for a service by using the NetScaler command line Enabling AppFlow for a ServiceSetting the AppFlow Parameters To enable AppFlow for a service by using the configuration utilitytemplateRefresh AppFlow Parametersw show appflowParam appnameRefreshhttpReferer To set the AppFlow parameters by using the configuration utilityhttpCookie httpMethodStopping and Starting the Data Collection Utility Using the Reporting ToolReporting Tool ChapterTo invoke the Reporting tool Using the Reporting ToolFigure 8-1. Report Toolbar Figure 8-2. Chart Toolbar Working with ReportsTo display a built-in report Using Built-in ReportsCreating and Deleting Reports To create a custom reportTable 8-1. Time Intervals Modifying the Time IntervalTo delete a custom report Time intervalTo modify the time interval Setting the Data Source and Time ZoneExporting and Importing Custom Reports To set the data source and time zoneModifying a Chart Working with ChartsAdding a Chart To add a chart to a reportViewing a Chart To change the graph type of a chartTo refocus a chart with detailed data To customize the axes of a chart To scroll through time in a chartTo change the background color and text color of a chart To view numeric data for a graphExporting Chart Data to Excel To change the color and graph type of a data setCitrix NetScaler Administration Guide To export chart data to Excel Deleting a ChartTo delete a chart ExamplesLimit Table 8-2. Limits on Entity Numbers Retrieved by nscollectEntity name Stopping and Starting the Data Collection Utilitynetscaler/nscollect stop To stop nscollectTo start nscollect on the local system Entity namenetscaler/nscollect start netscaler/nscollect start -U 10.102.29.170nsrootnsroot -ds defaultTo start nscollect on the remote system Citrix NetScaler Administration Guide