
AppExpert Default Policy Engine

CNS 205-5I: Citrix NetScaler 10.5 Essentials and Networking

Overview
After completing this module, you will be able to:
Identify the syntax and uses for default policy expressions.
Explain the policy binding evaluation process and determine appropriate bind points for policies
within the default policy engine.
Configure and invoke pattern sets with string matching in the default policy engine.
Extract and transform data from one type to another with typecasting in the default policy engine.

Understanding Packet-Processing Flow

Understanding Policies
The NetScaler system uses policies to evaluate specified conditions and to define
actions to be taken if conditions are met
The actions defined are specific to the feature for which the policy is created
The order and flow of policy evaluation depend on the feature set and the policy expression type

Expression Result Types


Boolean values: HTTP.REQ.URL.CONTAINS()
Integer values: HTTP.REQ.URL.LENGTH

Policy-Process-Evaluation-Flow

Default Policy Expression Syntax


HTTP
SYS
CLIENT
SERVER
SIP
TEXT
MYSQL/MSSQL
DNS

Default Policy Conversion


Features that support the conversion of classic expressions to default syntax
expressions:
Application Firewall policies
Authorization policies
Named expressions
Compression policies
Content-switching policies
SSL
User-defined, rule-based tokens/persistency (the rule parameter that is specified for a load-balancing virtual server)

Actions
An action:
Is bound to or activated by policies
Cannot depend on results of other actions
Is applied at the end of the policy evaluation process
Is owned by individual NetScaler features

Understanding Bind Points


For a policy to be in effect, you must bind it to an entity
You can bind a classic policy either at the global level or at the virtual server
(content-switching or load-balancing virtual server) level
The default policy engine also allows you to bind policies in this manner, but it offers
more flexibility in how policies are bound and evaluated

Understanding Policy Labels


The policy label command allows you to logically group policies and define the
order in which they are evaluated

Pattern Sets
A pattern set is an array of indexed patterns that you configure on the NetScaler
system
Pattern sets are used for string matching during advanced policy evaluation

You want to determine whether the URL suffix (target text) contains any of the
image file extensions. Without using pattern sets, you would have to define a
complex expression, as follows:
HTTP.REQ.URL.SUFFIX.CONTAINS("svg") || HTTP.REQ.URL.SUFFIX.CONTAINS("bmp") ||
HTTP.REQ.URL.SUFFIX.CONTAINS("gif") ||
HTTP.REQ.URL.SUFFIX.CONTAINS("tiff") || HTTP.REQ.URL.SUFFIX.CONTAINS("jpg")

When a compound expression includes hundreds of subexpressions, the above
process is resource intensive. A better alternative is an expression that invokes a
pattern set.

How String Matching with a Pattern Set Works


During policy evaluation, the operator compares the string that is identified in the
packet with the patterns defined in the pattern set until a match is found
The operator returns a Boolean value that indicates whether a matching
pattern was found.

Using a Pattern Set
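
As an added example (not part of the original course material), the image-extension check from the earlier slide could be configured from the NetScaler command line as follows. The pattern set name imagetypes and the two expression names are illustrative assumptions; the bound patterns are the extensions that appear in the compound expression.

```netscaler
# Added example. The names "imagetypes", "is_image_request" and
# "is_image_request_exact" are illustrative, not taken from the course.

# 1. Create the pattern set and bind one indexed pattern per extension.
add policy patset imagetypes
bind policy patset imagetypes svg  -index 1
bind policy patset imagetypes bmp  -index 2
bind policy patset imagetypes gif  -index 3
bind policy patset imagetypes tiff -index 4
bind policy patset imagetypes jpg  -index 5

# 2. A single operator call replaces the chain of CONTAINS() subexpressions.
#    CONTAINS_ANY is a substring match, like the original CONTAINS() calls.
add policy expression is_image_request "HTTP.REQ.URL.SUFFIX.CONTAINS_ANY(\"imagetypes\")"

# 3. Stricter variant: the suffix must equal one of the patterns exactly,
#    so a suffix such as "svgz" no longer matches the "svg" pattern.
add policy expression is_image_request_exact "HTTP.REQ.URL.SUFFIX.EQUALS_ANY(\"imagetypes\")"

# 4. Review the patterns and their index values.
show policy patset imagetypes
```

When the expression gates a security decision, the exact-match variant is the safer default, because substring matching accepts any suffix that merely contains one of the patterns.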
