A Content Filtering policy was configured on a NetScaler appliance to terminate the traffic received from the 10.103.49.85 IP address, and the policy was bound to five virtual servers on the appliance.
When a client from the 10.103.49.85 IP address accessed one of the virtual servers, the web pages were displayed and the traffic was not terminated. Additionally, the hit counter of the Content Filtering policy was not incremented when that virtual server was accessed from the 10.103.49.85 IP address. However, when the client from the 10.103.49.85 IP address accessed the other virtual servers, the hit counter of the policy was incremented, the traffic was terminated, and the web pages were not displayed.
When analyzing the NetScaler configuration file, the following configuration entries were observed for the Content Filtering policy and the virtual servers on which the issue was observed:
add filter policy drop_IP -rule "REQ.IP.SOURCEIP == 10.103.49.85" -reqAction DROP
add lb vserver VIP_TCP TCP 10.217.147.28 80 -persistenceType NONE -cltTimeout 9000
For a TCP virtual server, it is recommended to use Access Control Lists (ACLs) to terminate the traffic from a specific IP address.
The following is a sample configuration recommended for this scenario. The ACL matches on the client's source IP address only (client source ports are ephemeral, so matching on a fixed source port would prevent the ACL from matching), and it takes effect only after the apply ns acls command is run:
add ns acl dropp DENY -srcIP = 10.103.49.85 -destIP = 10.168.106.112 -destPort = 80 -protocol TCP -priority 10
apply ns acls
It was observed that the Content Filtering policy was bound to the TCP virtual server instead of an HTTP virtual server. Because Content Filtering is an application-layer (HTTP) function, a TCP virtual server never evaluates the policy; the policy must be bound to an HTTP virtual server.
Note: When you bind a Content Filtering policy to a TCP virtual server from either the GUI or the command line interface of the appliance, the appliance does not display any error message.
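Because the appliance accepts the binding silently, a quick way to catch this misconfiguration is to audit the saved configuration. The following Python script is an added example and is not Citrix code or part of this article: it parses constructed ns.conf-style lines (reusing the policy and virtual server names from the scenario above, with additional constructed virtual servers) and reports every Content Filtering policy bound to a virtual server that cannot evaluate it. Treating only the HTTP and SSL virtual server types as HTTP-aware is an assumption of the example.

```python
import re

# Constructed sample of ns.conf-style lines for this example (not a real
# configuration dump); names and addresses follow the scenario in the article.
SAMPLE_NS_CONF = """\
add filter policy drop_IP -rule "REQ.IP.SOURCEIP == 10.103.49.85" -reqAction DROP
add responder policy Responder_Drop "CLIENT.IP.SRC.EQ(10.103.49.85)" DROP
add lb vserver VIP_TCP TCP 10.217.147.28 80 -persistenceType NONE -cltTimeout 9000
add lb vserver VIP_HTTP HTTP 10.217.147.29 80 -persistenceType NONE -cltTimeout 180
add lb vserver VIP_SSL SSL 10.217.147.30 443 -persistenceType NONE -cltTimeout 180
bind lb vserver VIP_TCP -policyName drop_IP -priority 10
bind lb vserver VIP_HTTP -policyName drop_IP -priority 10
bind lb vserver VIP_SSL -policyName Responder_Drop -priority 100
bind lb vserver VIP_TCP -policyName Responder_Drop -priority 100
"""

# Assumption of this example: only these virtual server types terminate and
# parse HTTP, so only they can evaluate a Content Filtering (HTTP-layer) policy.
HTTP_AWARE_TYPES = {"HTTP", "SSL"}

ADD_VSERVER = re.compile(r"^add lb vserver (\S+) (\S+)")
ADD_FILTER = re.compile(r"^add filter policy (\S+)")
BIND_POLICY = re.compile(r"^bind lb vserver (\S+) .*-policyName (\S+)")


def parse_ns_conf(conf_text):
    """Collect virtual server types, Content Filtering policy names and
    policy bindings from ns.conf-style text (two-pass safe: adds are
    gathered before bindings are evaluated by the caller)."""
    vserver_types = {}
    filter_policies = set()
    bindings = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        m = ADD_VSERVER.match(line)
        if m:
            vserver_types[m.group(1)] = m.group(2).upper()
            continue
        m = ADD_FILTER.match(line)
        if m:
            filter_policies.add(m.group(1))
            continue
        m = BIND_POLICY.match(line)
        if m:
            bindings.append((m.group(1), m.group(2)))
    return vserver_types, filter_policies, bindings


def find_filter_policies_on_non_http_vservers(conf_text):
    """Return (vserver, type, policy) tuples for every Content Filtering
    policy bound to a virtual server that is not HTTP-aware. A binding to a
    virtual server that is never defined is reported with type 'UNDEFINED'."""
    vserver_types, filter_policies, bindings = parse_ns_conf(conf_text)
    findings = []
    for vserver, policy in bindings:
        if policy not in filter_policies:
            continue  # responder policies and ACLs are out of scope here
        vtype = vserver_types.get(vserver, "UNDEFINED")
        if vtype not in HTTP_AWARE_TYPES:
            findings.append((vserver, vtype, policy))
    return findings


if __name__ == "__main__":
    for vserver, vtype, policy in find_filter_policies_on_non_http_vservers(SAMPLE_NS_CONF):
        print(f"WARNING: filter policy {policy} is bound to {vtype} virtual server "
              f"{vserver} and will never be evaluated")
```

Run against a real ns.conf, the script flags exactly the binding described in this article (drop_IP on VIP_TCP) while leaving the same policy on the HTTP virtual server and the Responder policy on the TCP virtual server alone.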
Starting from NetScaler software release 9.1, the appliance supports Responder policies on virtual servers of type TCP. Therefore, you can use either an ACL or a Responder policy to terminate the traffic from a specific IP address. The following is a sample Responder policy that terminates traffic from a specific IP address, together with its binding to the TCP virtual server:
add responder policy Responder_Drop "CLIENT.IP.SRC.EQ(10.103.49.85)" DROP
bind lb vserver VIP_TCP -policyName Responder_Drop -priority 100
Additionally, you can use any of the following types of policies for an HTTP virtual server to terminate the traffic from a specific IP address:
Content Filtering
Responder
ACL