This article contains information about creating an IP or subnet based Access Control List (ACL) for a virtual server (VServer) of a NetScaler appliance by using named expressions and filter protection features.
At times, you might want to restrict access to specific Virtual IP (VIP) addresses to certain subnets or individual host IP addresses. This article describes how to configure this by using the filtering mechanism of the NetScaler appliance. It is also possible to meet this requirement by using the Network ACL function. However, the procedure in this article provides the flexibility to bind the protection to various VServers, as required, without the need to configure new destination addresses.
In this article, the following subnets are used as a sample to configure the access control:
10.1.1.0/24
10.3.0.0/16
10.1.2.5/32
Note: You can use multiple subnets in a named expression. However, a named expression is limited to 1499 characters, which is enough for approximately 20 subnets. If you need to configure a larger number of subnets, create multiple named expressions of at most 20 subnets each.
You can use the filter policy to block the source addresses that do not match the allow list. Therefore, you create a named expression that matches source addresses that fall outside every allowed subnet.
To create a subnet based ACL by using the named expressions on NetScaler, complete the following procedure:
Log on to the NetScaler appliance.
In the navigation pane, expand the AppExpert node.
Expand the Expressions node.
On the Classic Expressions page, click Add.
Type the required name in the Expression Name field, as shown in the following screenshot:
Click Expression Editor as shown in the following screenshot:
Fill in the subnet details and click DONE.
To add further subnet conditions, select the Operator tab and select the && operator, so that the expression matches only when the source address is outside all of the allowed subnets.
Follow the preceding steps to add more subnets.
Click Create.
Click Close.
You can also create a policy expression from the command line interface of the appliance by running a command similar to the following:
add policy expression Block_Subnet_2 "REQ.IP.SOURCEIP != 10.1.1.0 -netmask 255.255.255.0 && REQ.IP.SOURCEIP != 10.3.0.0 -netmask 255.255.0.0 && REQ.IP.SOURCEIP != 10.1.2.5 -netmask 255.255.255.255" -description "Block_Subnet_2"
To combine the two named expressions created so far into a single filter policy, expand the Protection Features node under Security in the navigation pane.
Click Filter.
On the Filters Policies and Actions page, click Add.
In the Filter Name field, type the appropriate name for the filter.
Select Action as Request Action.
From the Request Action list, select DROP or RESET, as required.
From the Saved Policy Expressions list, select previously created expressions.
Use the Operators tab to add multiple saved expressions.
Alternatively, to create the policy from the command line interface of the appliance, run a command similar to the following:
add filter policy Block_Subnet -reqAction RESET -rule "Block_Subnet_1 && Block_Subnet_2"
Click OK.
Click Close.
Bind the policy to the required VServer.
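Before binding the policy, it helps to check offline that the expression actually lets the allowed subnets through and blocks everything else. The following is an added example, not NetScaler code: it builds the named-expression text from an allow list (splitting at the 1499-character limit the article mentions), and simulates the filter decision for a few source addresses, including what happens if the clauses are joined with || instead of &&. The helper names and the constructed source addresses are assumptions for the demonstration.

```python
"""Added example (not part of the NetScaler product or this article's procedure):
build subnet-ACL named expressions from an allow list and simulate the filter decision."""
import ipaddress

MAX_EXPR_CHARS = 1499  # named-expression length limit stated in the article


def clause(net):
    """One classic-expression term: the source IP is NOT inside this subnet."""
    n = ipaddress.ip_network(net, strict=False)
    return f"REQ.IP.SOURCEIP != {n.network_address} -netmask {n.netmask}"


def build_rules(allow_list, op="&&"):
    """Join per-subnet clauses into named-expression bodies, starting a new
    expression whenever the next clause would exceed MAX_EXPR_CHARS.
    With '&&' the expression is true only when the source is in none of the subnets."""
    rules, current = [], []
    for net in allow_list:
        candidate = f" {op} ".join(current + [clause(net)])
        if len(candidate) > MAX_EXPR_CHARS and current:
            rules.append(f" {op} ".join(current))
            current = []
        current.append(clause(net))
    if current:
        rules.append(f" {op} ".join(current))
    return rules


def blocked(rule, src_ip, op="&&"):
    """Simulate the filter policy: True means the request would be dropped/reset."""
    src = ipaddress.ip_address(src_ip)
    results = []
    for term in rule.split(f" {op} "):
        _, _, addr, _, mask = term.split()  # REQ.IP.SOURCEIP != addr -netmask mask
        results.append(src not in ipaddress.ip_network(f"{addr}/{mask}", strict=False))
    return all(results) if op == "&&" else any(results)


ALLOW = ["10.1.1.0/24", "10.3.0.0/16", "10.1.2.5/32"]  # the article's sample subnets

if __name__ == "__main__":
    and_rule = build_rules(ALLOW)[0]
    or_rule = build_rules(ALLOW, "||")[0]
    # Constructed sample sources: two inside the allow list, two outside it.
    for ip in ("10.1.1.77", "10.1.2.5", "10.1.2.6", "192.168.0.1"):
        print(f"{ip:>12}  && -> blocked={blocked(and_rule, ip)}"
              f"  || -> blocked={blocked(or_rule, ip, '||')}")
```

The || variant is blocked for every address, because any source is outside at least one of the listed subnets; only the && form implements the allow list.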