ADC CLI Commands

filter-policy

The following operations can be performed on “filter-policy”:

set show add rm

set filter policy

Modifies a filter policy.

Synopsis

set filter policy <name> [-rule <expression>] [-reqAction <string> | -resAction <string>]

Arguments

name Name of the filter policy to be modified.

rule Citrix ADC classic expression specifying the type of connections that match this policy.

reqAction Name of the action to be performed on requests that match the policy. Cannot be specified if the rule includes a condition to be evaluated for responses.

resAction The action to be performed on the response. The string value can be a created filter action or a built-in action.

Example

Example 1: A filter policy that allows access to the URL /foo/secure.asp only from the 65.186.55.0 network can be created using the command below:

    add filter policy url_filter -rule "URL == /foo/secure.asp && SOURCEIP != 65.186.55.0 -netmask 255.255.255.0" -reqAction RESET

This policy is activated using:

    bind filter global url_filter

Later, to allow access to this URL from a second network, 65.202.35.0, as well, the above filter policy can be changed by issuing the command below:

    set filter policy url_filter -rule "URL == /foo/secure.asp && SOURCEIP != 65.186.55.0 -netmask 255.255.255.0 && SOURCEIP != 65.202.35.0 -netmask 255.255.255.0"

The changed filter policy can be viewed by using the following command:

    show filter policy url_filter
    Name: url_filter Rule: (URL == /foo/secure.asp && (SOURCEIP != 65.186.55.0 -netmask 255.255.255.0 && SOURCEIP != 65.202.35.0 -netmask 255.255.255.0))
    Request action: RESET
    Response action:
    Hits: 0
    Done

show filter policy

Displays information about the filter policies.

Synopsis

show filter policy [<name>]

Arguments

name Name of the filter policy to be displayed. If a name is not provided, information about all the filter policies is shown.

Output

rule Citrix ADC classic expression specifying the type of connections that match this policy.

reqAction The name of the action to be performed on the request.

resAction The action to be performed on the response.

hits

boundTo The entity name to which the policy is bound.

activePolicy

priority

bindPolicyType

policyType

devno

count

stateflag

Example

    show filter policy
    1) Name: nimda_filter Rule: (URL CONTAINS root.exe || URL CONTAINS cmd.exe)
       Request action: RESET
       Response action:
       Hits: 0
    2) Name: ip_filter Rule: (src_ips && URL == /admin/account.asp)
       Request action: RESET
       Response action:
       Hits: 0
    Done

An individual filter policy can also be viewed by giving the filter policy name as an argument:

    show filter policy ip_filter
    Name: ip_filter Rule: (src_ips && URL == /admin/account.asp)
    Request action: RESET
    Response action:
    Hits: 0
    Done

add filter policy

Creates a content filtering policy.

Synopsis

add filter policy <name> -rule <expression> (-reqAction <string> | -resAction <string>)

Arguments

name Name for the filtering action. Must begin with a letter, number, or the underscore character (_). Other characters allowed, after the first character, are the hyphen (-), period (.), pound (#), space ( ), at (@), equals (=), and colon (:) characters. Choose a name that helps identify the type of action. The name cannot be updated after the policy is created.

CLI Users: If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, "my policy" or 'my policy').

rule Citrix ADC classic expression specifying the type of connections that match this policy.

reqAction Name of the action to be performed on requests that match the policy. Cannot be specified if the rule includes a condition to be evaluated for responses.

resAction The action to be performed on the response. The string value can be a created filter action or a built-in action.

Example

Example 1:

    add policy expression e1 "sourceip == 66.33.22.0 -netmask 255.255.255.0"
    add policy expression e2 "URL == /admin/account.asp"
    add filter policy ip_filter -rule "e1 && e2" -reqAction RESET

After creating the above filter policy, it can be activated by binding it globally:

    bind filter global ip_filter

With the configured ip_filter (name of the filter policy), the Citrix ADC system sends a TCP reset to all HTTP requests for the /admin/account.asp URL from the 66.33.22.0 Class C network. This action is applied at the HTTP request time.

Example 2: To silently drop (without sending FIN) all HTTP requests in which the URL has root.exe or cmd.exe, the filter policy below can be configured:

    add filter policy nimda_filter -rule "URL contains root.exe || URL contains cmd.exe" -reqAction DROP
    bind filter global nimda_filter

Example 3:

    add filter policy url_filter -rule "url == /foo/secure.asp && SOURCEIP != 65.186.55.0 -netmask 255.255.255.0 && SOURCEIP != 65.202.35.0 -netmask 255.255.255.0" -reqaction RESET
    bind filter global url_filter

With the above configured filter policy named url_filter, the Citrix ADC system sends RESET to all HTTP requests for the URL /foo/secure.asp from all networks except the 65.186.55.0 and 65.202.35.0 Class C networks. This action is applied at the HTTP request time.

Note: In the above examples, RESET and DROP are built-in actions in the Citrix ADC system.
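The following Python model is an added example, not part of the Citrix documentation or any Citrix tool. It evaluates the rule from Example 3 against constructed sample requests and shows why the two negated SOURCEIP conditions must be joined with && rather than ||. The names evaluate and reset_decisions are hypothetical, and the model assumes that URL == is an exact match, that CONTAINS is a substring match, and that && binds tighter than ||.

```python
import ipaddress
import re

# Tokenizer for the classic-expression subset used in this page's examples.
TOKEN = re.compile(r"\s*(\(|\)|&&|\|\||==|!=|[^\s()&|=!]+)")

def evaluate(rule, url, source_ip):
    """Return True when the request matches the rule (the bound action fires)."""
    toks = TOKEN.findall(rule)
    src = ipaddress.ip_address(source_ip)
    def peek():
        return toks[0] if toks else None
    def chain(sub, sep, combine):
        vals = [sub()]
        while peek() == sep:
            toks.pop(0)
            vals.append(sub())  # every operand is parsed, so tokens stay in sync
        return combine(vals)
    def term():
        if peek() == "(":
            toks.pop(0)
            val = expr()
            toks.pop(0)  # closing ")"
            return val
        field, op, operand = toks.pop(0).upper(), toks.pop(0).upper(), toks.pop(0)
        if field == "URL":  # assumption: == exact match, CONTAINS substring match
            return operand in url if op == "CONTAINS" else url == operand
        if field != "SOURCEIP":
            raise ValueError(f"unsupported qualifier: {field}")
        mask = "255.255.255.255"
        if peek() == "-netmask":
            toks.pop(0)
            mask = toks.pop(0)
        net = ipaddress.ip_network(f"{operand}/{mask}", strict=False)
        return (src in net) == (op == "==")  # "!=" inverts the membership test
    def expr():  # assumption: && binds tighter than ||
        return chain(lambda: chain(term, "&&", all), "||", any)
    return expr()

NET_A = "SOURCEIP != 65.186.55.0 -netmask 255.255.255.0"
NET_B = "SOURCEIP != 65.202.35.0 -netmask 255.255.255.0"
URL_FILTER = f"url == /foo/secure.asp && {NET_A} && {NET_B}"    # rule from Example 3
OR_VARIANT = f"url == /foo/secure.asp && ({NET_A} || {NET_B})"  # constructed mistake
# Constructed sample requests: (URL, source IP).
REQUESTS = [("/foo/secure.asp", "65.186.55.17"), ("/foo/secure.asp", "65.202.35.9"),
            ("/foo/secure.asp", "203.0.113.5"), ("/index.html", "203.0.113.5")]

def reset_decisions(rule):
    """One boolean per sample request: True means the request would be RESET."""
    return [evaluate(rule, url, ip) for url, ip in REQUESTS]
```

With the Example 3 rule only the request from outside both networks is reset. In the || variant every source address differs from at least one of the two networks, so requests from the permitted networks are reset as well.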

The “show filter action” and “show filter policy” CLI commands show the configured filter actions and policies in the Citrix ADC system, respectively. The “show filter global” command shows all the globally active filter policies.

rm filter policy

Removes a filter policy.

Synopsis

rm filter policy <name>

Arguments

name Name of the filter policy to be removed.

Example

    rm filter policy filter_policy_name

The “show filter policy” command shows all filter policies that are currently defined.
