-
AppExpert Applications and Templates
-
Configure application authentication, authorization, and auditing
-
-
Advanced Policy Expressions: Working with Dates, Times, and Numbers
-
Advanced Policy Expressions: Parsing HTTP, TCP, and UDP Data
-
Advanced Policy Expressions: IP and MAC Addresses, Throughput, VLAN IDs
-
Configuring Classic Policies and Expressions
-
Configuring a Classic Expression
-
-
This content has been machine translated dynamically.
Dieser Inhalt ist eine maschinelle Übersetzung, die dynamisch erstellt wurde. (Haftungsausschluss)
Cet article a été traduit automatiquement de manière dynamique. (Clause de non responsabilité)
Este artículo lo ha traducido una máquina de forma dinámica. (Aviso legal)
此内容已经过机器动态翻译。 放弃
このコンテンツは動的に機械翻訳されています。免責事項
이 콘텐츠는 동적으로 기계 번역되었습니다. 책임 부인
Este texto foi traduzido automaticamente. (Aviso legal)
Questo contenuto è stato tradotto dinamicamente con traduzione automatica.(Esclusione di responsabilità))
This article has been machine translated.
Dieser Artikel wurde maschinell übersetzt. (Haftungsausschluss)
Ce article a été traduit automatiquement. (Clause de non responsabilité)
Este artículo ha sido traducido automáticamente. (Aviso legal)
この記事は機械翻訳されています.免責事項
이 기사는 기계 번역되었습니다.책임 부인
Este artigo foi traduzido automaticamente.(Aviso legal)
这篇文章已经过机器翻译.放弃
Questo articolo è stato tradotto automaticamente.(Esclusione di responsabilità))
Translation failed!
Configure a classic expression
Classic expressions consist of the following expression elements, listed in hierarchical order:
- Flow Type. Specifies whether the connection is incoming or outgoing. The flow type is REQ for incoming connections and RES for outgoing connections.
- Protocol. Specifies the protocol, the choices for which are HTTP, SSL, TCP, and IP.
- Qualifier. The protocol attribute, which depends on the selected protocol.
- Operator. The type of test you want to perform on the connection data. Your choice of operator depends upon the connection information you are testing. If the connection information you are testing is text, you use text operators. If it is a number, you use standard numeric operators.
- Value. The string or number against which the connection data element—defined by the flow type, protocol, and qualifier—is tested. The value can be either a literal or an expression. The literal or expression must match the data type of the connection data element.
In a policy, classic expressions can be combined to create more complex expressions using Boolean and comparative operators.
Expression elements are parsed from left to right. The leftmost element is either REQ or RES and designates a request or a response, respectively. Successive terms define a specific connection type and a specific attribute for that connection type. Each term is separated from any preceding or following term by a period. Arguments appear in parentheses and follow the expression element to which they are passed.
The following classic expression fragment returns the client source IP for an incoming connection.
REQ.IP.SOURCEIP
The example identifies an IP address in a request. The expression element SOURCEIP designates the source IP address. This expression fragment may not be useful by itself. You can use an additional expression element, an operator, to determine whether the returned value meets specific criteria. The following expression tests whether the client IP is in the subnet 200.0.0.0/8 and returns a Boolean TRUE or FALSE:
REQ.IP.SOURCEIP == 200.0.0.0 -netmask 255.0.0.0
Create a classic policy expression by using the CLI
At the command prompt, type the following commands to set the parameters and verify the configuration:
- set appfw policy \<name\> -rule \<expression\> -action \<action\>
- show appfw policy \<name\>
<!--NeedCopy-->
Example
> set appfw policy GenericApplicationSSL_ 'HTTP.REQ.METHOD.EQ("get")' APPFW_DROP
Done
> show appfw policy GenericApplicationSSL_
Name: GenericApplicationSSL_ Rule: HTTP.REQ.METHOD.EQ("get")
Profile: APPFW_DROP Hits: 0
Undef Hits: 0
Policy is bound to following entities
1) REQ VSERVER app_u_GenericApplicationSSLPortalPages PRIORITY : 100
Done
<!--NeedCopy-->
Add an expression for a classic policy by using the GUI
This procedure documents the Add Expression dialog box. Depending on the feature for which you are configuring a policy, the route by which you arrive at this dialog box may be different.
- Perform steps 1-4 in “To create a policy with classic expressions by using the GUI”.
- In the Add Expression dialog box, in Expression Type, click the type of expression you want to create.
- Under Flow Type, click the down arrow and choose a flow type.
The flow type is typically REQ or RES. The REQ option specifies that the policy applies to all incoming connections or requests. The RES option applies the policy to all outgoing connections or responses.
For Application Firewall policies, you should leave the expression type set to General Expression, and the flow type set to REQ. The Application Firewall treats each request and response as a single paired entity, so all Application Firewall policies begin with REQ.
-
Under Protocol, click the down arrow and choose the protocol you want for your policy expression. Your choices are:
- HTTP. Evaluates HTTP requests that are sent to a Web server. For classic expressions, HTTP includes HTTPS requests.
- SSL. Evaluates SSL data associated with the current connection.
- TCP. Evaluates the TCP data associated with the current connection.
- IP. Evaluates the IP addresses associated with the current connection.
-
Under Qualifier, click the down arrow and choose a qualifier for your policy. The qualifier defines the type of data to be evaluated. The list of qualifiers that appears depends on which protocol you selected in step 4. The following choices appear for the HTTP protocol:
- METHOD. Filters HTTP requests that use a particular HTTP method.
- URL. Filters HTTP requests for a specific Web page.
- URLQUERY. Filters HTTP requests that contain a particular query string.
- VERSION. Filters HTTP requests on the basis of the specified HTTP protocol version.
- HEADER. Filters on the basis of a particular HTTP header.
- URLLEN. Filters on the basis of the length of the URL.
- URLQUERY. Filters on the basis of the query portion of the URL.
- URLQUERYLEN. Filters on the basis of the length of the query portion of the URL only.
-
Under Operator, click the down arrow and choose the operator for your policy expression. Some common operators are:
Operator | Description |
---|---|
== | Matches the specified value exactly or is exactly equal to the specified value. |
!= | Does not match the specified value. |
> | Is greater than the specified value. |
< | Is less than the specified value. |
>= | Is greater than or equal to the specified value. |
<= | Is less than or equal to the specified value. |
CONTAINS | Contains the specified value. |
CONTENTS | Returns the contents of the designated header, URL, or URL query. |
EXISTS | The specified header or query exists. |
NOTCONTAINS | Does not contain the specified value. |
NOTEXISTS | The specified header or query does not exist. |
-
If a Value text box appears, type a string or numeric value, as appropriate. For example, chose REQ as the Flow Type, HTTP as the Protocol, and HEADER as the qualifier, and then type the value of the header string in the Value field and the header type for which you want to match the string in the Header Name text box.
-
Click OK.
-
To create a compound expression, click Add. Note that the type of compounding that is done depends on the following choices in the Create Policy dialog box:
- Match Any Expression. The expressions are in a logical OR relationship.
- Match All Expressions. The expressions are in a logical AND relationship.
- Tabular Expressions. Click the AND, OR, and parentheses buttons to control evaluation.
- Advanced Free-Form. Enter the expressions components directly into the Expression field, and click the AND, OR, and parentheses buttons to control evaluation.
Share
Share
This Preview product documentation is Cloud Software Group Confidential.
You agree to hold this documentation confidential pursuant to the terms of your Cloud Software Group Beta/Tech Preview Agreement.
The development, release and timing of any features or functionality described in the Preview documentation remains at our sole discretion and are subject to change without notice or consultation.
The documentation is for informational purposes only and is not a commitment, promise or legal obligation to deliver any material, code or functionality and should not be relied upon in making Cloud Software Group product purchase decisions.
If you do not agree, select I DO NOT AGREE to exit.