-
-
Advanced Policy Expressions: Working with Dates, Times, and Numbers
-
Advanced Policy Expressions: Parsing HTTP, TCP, and UDP Data
-
Advanced Policy Expressions: IP and MAC Addresses, Throughput, VLAN IDs
-
-
This content has been machine translated dynamically.
Dieser Inhalt ist eine maschinelle Übersetzung, die dynamisch erstellt wurde. (Haftungsausschluss)
Cet article a été traduit automatiquement de manière dynamique. (Clause de non responsabilité)
Este artículo lo ha traducido una máquina de forma dinámica. (Aviso legal)
此内容已经过机器动态翻译。 放弃
このコンテンツは動的に機械翻訳されています。免責事項
이 콘텐츠는 동적으로 기계 번역되었습니다. 책임 부인
Este texto foi traduzido automaticamente. (Aviso legal)
Questo contenuto è stato tradotto dinamicamente con traduzione automatica.(Esclusione di responsabilità))
This article has been machine translated.
Dieser Artikel wurde maschinell übersetzt. (Haftungsausschluss)
Ce article a été traduit automatiquement. (Clause de non responsabilité)
Este artículo ha sido traducido automáticamente. (Aviso legal)
この記事は機械翻訳されています.免責事項
이 기사는 기계 번역되었습니다.책임 부인
Este artigo foi traduzido automaticamente.(Aviso legal)
这篇文章已经过机器翻译.放弃
Questo articolo è stato tradotto automaticamente.(Esclusione di responsabilità))
Translation failed!
NSPEPI tool unsupported features
This topic provides information about the features that are not supported by the NSPEPI tool.
Commands or features not handled by the nspepi conversion tool
The following are some commands that are not handled as part of the auto conversion process.
- Client security expressions are not handled.
- Authentication
- Authorization
- VPN
- Syslog
- Nslog
- File based Classic expressions are not handled.
Note:
For some features like Patclass/filter, the command syntax is changed. If there are command policies, then command policies might need to be changed depending on customer requirement.
To convert classic policies to advanced policies for the following features, reach out to NetScaler customer support:
- Sure Connect (SC)
- Priority Queuing (PQ)
- HTTP Denial of Service (HDOS)
- HTML Injection
Binding Priorities
Advanced policies do not allow arbitrary interleaving by priority between global and non-global and between different binding types. If you rely on such interleaving of Classic policy priorities, you need to adjust the priorities to conform to the Advanced policy rules and to get the desired behavior. Priorities in Advanced policies are local to a bind point. A bind point is a unique combination of protocol, feature, direction, and entity (entities are specific virtual servers, users, groups, services, and either global override or global default). Policy priorities are not followed across bind points.
For a given protocol, feature, and direction, the following is the order of evaluation of Advanced policies:
- Global override.
- Authentication, authorization, and auditing user(Current).
- Authentication, authorization, and auditing groups (that the user is a member of) in order of weight. The ordering is undefined if two or more groups have the same weight.
- LB virtual server that either the request was received on or that was selected by CS.
- Content switching virtual server, cache redirection virtual server that the request was received on.
- Service selected by load balancing.
- Global default.
For authorization policy evaluation, the order is:
- Systems override.
- Load balancing virtual server that either the request was received on or that was selected by CS.
- Content switching virtual server that the request was received on.
- System default.
Within each bind point, the policies are evaluated in order of priority from lowest numbered to highest numbered. Policies are only evaluated for the protocol used and the direction that the message was received from.
Warning
The following scenarios show the warnings in the nspepi
tool:
- If the rule expression of load balancing virtual server is a boolean expression, the equivalent advanced expression results in boolean value in string format. This results in functionality change when the rule is used for
persistenceType
orlbMethod
. To avoid the functionality change, the command is modified by removing thekeywords rule
andpersistenceType
. - If the state field of the binding command is DISABLED. If the state is disabled, then command is not in use. The state parameter is not supported with the advanced configuration. So, if we convert this configuration then the functionality changes. If the command is required, take a backup because comments will not be saved in
ns.conf
after triggeringsave ns config
.
Warning in CMP feature conversion:
- If a global cmp parameter policy type is set to CLASSIC and advanced policies are bound to global. Without conversion, bounded advanced policies will not be evaluated because the global policy type is set to CLASSIC. After conversion, the policy type would be converted to ADVANCED. So, if we do not comment out the existing global advanced bindings, then these bindings are evaluated and can change the functionality.
- If the global cmp parameter policy type is set to ADVANCED and classic policies are bound to global. Without conversion, these global classic bindings would not be evaluated because global policy type is ADVANCED. So, to preserve the functionality, we comment out the converted configuration, otherwise converted advanced policies are evaluated and can change the functionality.
Note:
All classic policy bindings with -state option disabled are commented out. The -state option is not available for Advanced policy bindings.
Limitations of NSPEPI tool
The following scenarios cause errors in the nspepi
tool:
- If there is an issue when converting an expression
- If a named policy expression uses the -clientSecurityMessage parameter because this parameter is not supported in the Advanced policy expression
- If load balancing virtual server rule expression is a complex expression and has multiple CONTENT based expressions
- Errors in CMP feature conversion occur in the following scenarios:
- Both classic and advanced policies are bound to global
- Classic policies are bound at global and CMP parameter is advanced
- Advanced policies are bound at global and CMP parameter is classic
- Classic policies are bound to a virtual server and advanced policies are bound to a global server
- Advanced policies are bound to a virtual server and classic policies are bound to a global server
- Classic policies are bound to a virtual server and both classic and advanced policies are bound to a global server
- Advanced policies are bound to a virtual server and both classic and advanced policies are bound to a global server
- Errors in converting filter feature policy occur in the following scenarios:
- If action is of type FORWARD
- If action is part of HTMLInjection feature, mainly following commands:
-
add filter action <action name> ADD prebody
-add filter action <action name> ADD postbody
- If there are existing rewrite or responder policy bindings with
gotoPriorityExpression END
orUSE_INNVOCATION
, then fitler policy bindings cannot be converted.
- When both classic and advanced SSL policies are bound, classic SSL bindings cannot be converted.
- If the classic named expression has the same name as the callout entity name
- If the classic expression name is invalid for the advanced expression
- If the converted expression length is more than 1499 characters
- If the classic expression has client security or file-based expressions
Classic policy bindings that require manual reprioritization
Here are some types of Classic policy bindings that require manual reprioritization to accomplish your needs. All these are for a given feature and the direction.
- Classic priorities that increase in priority number opposite to the direction of the above entity type lists. For example, a content switching virtual server binding lower than a load balancing virtual server binding.
- Classic priorities that interleave authentication, authorization, and auditing groups. One part of one group is before some other group and yet another part is after part of that other group.
- Classic priorities that increase in number other than the order of weights of authentication, authorization, and auditing groups.
- Classic global priorities that are less than some non-global priority and the same global priorities are greater than some other non-global priority (in other words, any segment of priorities that are a non-global, followed by one or more globals, followed by a non-global).
Share
Share
This Preview product documentation is Cloud Software Group Confidential.
You agree to hold this documentation confidential pursuant to the terms of your Cloud Software Group Beta/Tech Preview Agreement.
The development, release and timing of any features or functionality described in the Preview documentation remains at our sole discretion and are subject to change without notice or consultation.
The documentation is for informational purposes only and is not a commitment, promise or legal obligation to deliver any material, code or functionality and should not be relied upon in making Cloud Software Group product purchase decisions.
If you do not agree, select I DO NOT AGREE to exit.