This article describes how to identify the session policy applied to the user after authentication.
With multiple Virtual IP (VIP) addresses, users, and groups, it is often difficult to identify whether the correct session policy is applied after authentication. There are multiple session policies configured in a NetScaler appliance. These policies are bound at the user, group, and VIP level. The following screen shot lists the available policies:
To identify the session policy applied to the user after authentication, complete the following procedure:
Open a PuTTY/SSH connection to the NetScaler appliance, as shown in the following screen shot:
Open the command line interface of the appliance and switch to the shell prompt, as shown in the following screen shot:
Run the following command:
nsconmsg -d current -g pol_hits
"pol_hits" above can be used when the classic expression syntax is used in the policy.
When advanced or default expressions are used in the policy, use "pcb_hits" or "pcp_hits" instead.
Request a user to log on to the NetScaler Gateway web page. You can then view the policy hits, as shown in the following screen shot:
The last policy listed is the one that is applied to that user after authentication. In this example, the main_policy is applied.
Note:
The above command does not display the policy hits on a per-user basis; it displays all the policy hits in the system instead. This command is useful when only a small number of users are connecting to the NetScaler Gateway virtual server, or when troubleshooting during a change window to narrow down the policy hits while accessing the NetScaler Gateway virtual server.
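The following is an added example, not part of the original article or Citrix tooling: a shell filter that applies the "last policy listed" rule to a saved capture of the command output and flags a capture window that may include other users' logons. The six-column layout, the helper names, and every policy name other than main_policy are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pick the applied session policy from a captured
# "nsconmsg -d current -g pol_hits" window.
# ASSUMPTION: each counter line has six whitespace-separated columns:
#   Index rtime totalcount-val delta rate/sec symbol-name(policy)
# Adjust the field numbers if your build prints a different layout.

# Constructed sample capture (not real appliance output); only main_policy
# comes from the article, the other policy names are made up.
sample_capture() {
cat <<'EOF'
Index   rtime totalcount-val      delta rate/sec symbol-name&device-no
    0    7000             12          1        0 pol_hits(vip_default_policy)
    1       0              4          1        0 pol_hits(group_policy)
    2       0              9          0        0 pol_hits(other_vip_policy)
    3       0              3          1        0 pol_hits(main_policy)
EOF
}

# Print "policy delta" for every counter line whose delta is above zero,
# in the order the lines were reported. The header line is skipped.
policies_hit() {
    awk '$1 ~ /^[0-9]+$/ && NF >= 6 && $4 + 0 > 0 {
        name = $6
        # Keep only the text inside the parentheses when present.
        if (match(name, /\(.*\)/)) name = substr(name, RSTART + 1, RLENGTH - 2)
        print name, $4
    }'
}

# The article's rule: the last policy listed is the one applied to the user.
applied_policy() {
    policies_hit | awk '{ last = $1 } END { if (last != "") print last }'
}

# Heuristic (assumption): a delta above 1 suggests more than one logon in
# the window, so the result may not belong to the test user alone.
# Exit status 0 means the window is ambiguous.
ambiguous_window() {
    policies_hit | awk '$2 > 1 { bad = 1 } END { exit (bad ? 0 : 1) }'
}

sample_capture | applied_policy
```

On an appliance, save the command output to a file while the test user logs on, then pipe that file into applied_policy in place of sample_capture.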