Convert policy expressions using the NSPEPI tool
Note:
You can download the NSPEPI and preconfig check tool from the public GitHub. For more information, see the GitHub NSPEPI page and README page for detailed instructions to download, install, and use the tools. We recommend that customers use the tools available in GitHub for the most complete and up-to-date version.
Classic policy-based features and functionalities are deprecated from NetScaler 12.0 build 56.20 onwards. As an alternative, NetScaler recommends that you use the Advanced policy infrastructure for the features supported by the NSPEPI tool. For the list of supported features, see Commands or features handled by the nspepi conversion tool. The features that are not supported by the NSPEPI tool continue to support classic policies. For the list of unsupported features, see NSPEPI tool unsupported features.
The nspepi tool can perform the following tasks:
- Convert Classic policy expressions to Advanced policy expressions.
- Convert certain Classic policies and their entity bindings to Advanced policies and bindings.
- Convert a few more deprecated features to their corresponding non-deprecated features.
- Convert classic filter commands to advanced filter commands.
Note:
After the nspepi tool successfully converts the ns.conf config file, the tool makes the converted file available as a new file with the prefix “new_”. If the converted config file has errors or warnings, you must manually fix them as part of the conversion process. Once converted, you must test the file in the test environment and then use it to replace the actual ns.conf config file. After testing, you must reboot the appliance for the newly converted or fixed ns.conf config file to take effect.
Features that only support Classic policies or expressions are deprecated and they can be replaced by the corresponding non-deprecated features.
Note:
Information pertaining to the older version of the nspepi tool is available in a PDF format. For more information, see Classic policy conversion using nspepi tool before 12.1-51.16 PDF.
Conversion warnings and error files
Before you use the tool for your conversion, there are a few warnings to keep in mind:
- All warnings and errors are output to the console. There is a warning file created where the configuration files are stored.
- The warnings and error file has the same name as the input file but with a prefix “warn_” added to the file name. During expression conversion (when using -e), the warnings show up in the current directory with a name “warn_expr”.
Note:
This file is in a standard log file format, with date/time stamp and log level. Previous instances of the file are kept with suffixes like “.1”, “.2”, and so forth as the tool is run multiple times. At most 10 instances will be kept.
Converted file format
When converting a configuration file (using “-f”), the converted file is put into the same directory as where the input configuration file exists with the same name but a prefix “new_”.
Commands or features handled by the nspepi conversion tool
Following are the commands handled during the auto conversion process.
- The following Classic policies and their expressions are converted to Advanced policies and expressions. The conversion includes entity bindings and global bindings.
- add appfw policy
- add cmp policy
- add cr policy
- add cs policy
- add ssl policy
- add filter action
- add filter policy
- filter policy binding to load balancing, content switching, cache redirection, and global.
- The rule parameter configured in “add lb virtual server” is converted from Classic expression to Advanced expression.
- The SPDY parameter configured in the “add ns httpProfile” or the “set ns httpProfile” command is changed to “-http2 ENABLED”.
- Named expressions (“add policy expression” commands). Each Classic named policy expression is converted to its corresponding Advanced named expression with “nspepi_adv_” set as the prefix. In addition, usage of named expressions for the converted Classic expressions is changed to the corresponding Advanced named expressions. In addition, every named expression has two named expressions, where one is Classic and the other one is Advanced (as shown below).
- Handling built-in classic policy bindings in CMP and CR.
- Patclass feature is converted to Pat set feature.
- “-pattern” parameter in the “add rewrite action” command is converted to use “-search” parameter.
- Q and S prefixes of advanced expressions are converted to equivalent non-deprecated advanced expressions. These expressions can be seen in any command where advanced expressions are allowed.
For example:
add policy expression classic_expr ns_true
Converts to:
add policy expression classic_expr ns_true
add policy expression nspepi_adv_classic_expr TRUE
- The policyType parameter configured in the “set cmp parameter” command is removed. By default, the policy type is “Advanced”.
Convert classic filter commands to advanced filter commands
The nspepi tool can convert commands based on classic filter actions such as add, bind and so forth to advanced filter commands.
However, the nspepi tool does not support the following filter commands.
- add filter action <action Name> FORWARD <service name>
- add filter action <action name> ADD prebody
- add filter action <action name> ADD postbody
Note:
- If there are existing rewrite or responder features in ns.conf and their policies are bound globally with the GOTO expression as END or USE_INVOCATION_RESULT and the bind type is REQ_X or RES_X, then the tool converts bind filter commands partially and comments them out. An error is displayed for the manual conversion.
- If there are existing rewrite or responder features and their policies are bound to virtual servers (for example, load balancing, content switching or cache redirection) of type HTTPS with GOTO - END or USE_INVOCATION_RESULT, the tool converts bind filter commands partially and then comments them out. A warning is displayed for the manual conversion.
Example
Following is a sample input:
add lb vserver v1 http 1.1.1.1 80 -persistenceType NONE -cltTimeout 9000
add cs vserver csv1 HTTP 1.1.1.2 80 -cltTimeout 180 -persistenceType NONE
add cr vserver crv1 HTTP 1.1.1.3 80 -cacheType FORWARD
add service svc1 1.1.1.4 http 80
add filter action fact_add add 'header:value'
add filter action fact_variable add 'H1:%%HTTP.TRANSID%%'
add filter action fact_prebody add prebody
add filter action fact_error_act1 ERRORCODE 200 "<HTML>Good URL</HTML>"
add filter action fact_forward_act1 FORWARD svc1
add filter policy fpol_add_res -rule ns_true -resAction fact_add
add filter policy fpol_error_res -rule ns_true -resAction fact_error_act1
add filter policy fpol_error_req -rule ns_true -reqAction fact_error_act1
add filter policy fpol_add_req -rule ns_true -reqAction fact_add
add filter policy fpol_variable_req -rule ns_true -reqAction fact_variable
add filter policy fpol_variable_res -rule ns_true -resAction fact_variable
add filter policy fpol_prebody_req -rule ns_true -reqAction fact_prebody
add filter policy fpol_prebody_res -rule ns_true -resAction fact_prebody
add filter policy fpol_forward_req -rule ns_true -reqAction fact_forward_act1
bind lb vserver v1 -policyName fpol_add_res
bind lb vserver v1 -policyName fpol_add_req
bind lb vserver v1 -policyName fpol_error_res
bind lb vserver v1 -policyName fpol_error_req
bind lb vserver v1 -policyName fpol_variable_res
bind lb vserver v1 -policyName fpol_variable_req
bind lb vserver v1 -policyName fpol_forward_req
bind cs vserver csv1 -policyName fpol_add_req
bind cs vserver csv1 -policyName fpol_add_res
bind cs vserver csv1 -policyName fpol_error_res
bind cs vserver csv1 -policyName fpol_error_req
bind cr vserver crv1 -policyName fpol_add_req
bind cr vserver crv1 -policyName fpol_add_res
bind cr vserver crv1 -policyName fpol_error_res
bind cr vserver crv1 -policyName fpol_error_req
bind cr vserver crv1 -policyName fpol_forward_req
bind filter global fpol_add_req
bind filter global fpol_add_res
bind filter global fpol_error_req
bind filter global fpol_error_res
bind filter global fpol_variable_req
bind filter global fpol_variable_res
bind filter global fpol_variable_res -state DISABLED
bind filter global fpol_prebody_req
bind filter global fpol_forward_req
After conversion, warnings or error messages are displayed for manual effort.
ERROR - Line(7): Conversion of HTMLInjection feature related command [add filter action fact_prebody add prebody] is not supported in this tool.
ERROR - Line(9): Conversion of FORWARD action type related command [add filter action fact_forward_act1 FORWARD svc1] not supported in this tool
ERROR - Line(16): Conversion of HTMLInjection feature reated command [add filter policy fpol_prebody_req -rule ns_true -reqAction fact_prebody]not supported in this tool.
ERROR - Line(17): Conversion of HTMLInjection feature reated command [add filter policy fpol_prebody_res -rule ns_true -resAction fact_prebody]not supported in this tool.
ERROR - Line(18): Conversion of FORWARD action type related command [add filter policy fpol_forward_req -rule ns_true -reqAction fact_forward_act1]not supported in this tool.
ERROR - Line(25): Conversion of FORWARD action type related command [bind lb vserver v1 -policyName fpol_forward_req]not supported in this tool.
ERROR - Line(34): Conversion of FORWARD action type related command [bind cr vserver crv1 -policyName fpol_forward_req]not supported in this tool.
WARNING - Line(41): Following bind command is commented out because state is disabled. If state is disabled, then command is not in use. Since state parameter is not supported with the advanced configuration, so if we convert this config then functionality will change. If command is required please take a backup because comments will not be saved in ns.conf after triggering 'save ns config': bind filter global fpol_variable_res -state DISABLED
ERROR - Line(42): Conversion of HTMLInjection feature related command [bind filter global fpol_prebody_req]not supported in this tool.
ERROR - Line(43): Conversion of FORWARD action type related command [bind filter global fpol_forward_req]not supported in this tool.
Following is a sample output. All converted commands are commented.
add lb vserver v1 http 1.1.1.1 80 -persistenceType NONE -cltTimeout 9000
add cs vserver csv1 HTTP 1.1.1.2 80 -cltTimeout 180 -persistenceType NONE
add cr vserver crv1 HTTP 1.1.1.3 80 -cacheType FORWARD
add service svc1 1.1.1.4 http 80
add rewrite action fact_add insert_http_header header "\"value\""
add filter action fact_prebody add prebody # Error in conversion in using nspepi tool, for details see the warn_abc.conf
add responder action fact_error_act1 respondwith "HTTP.REQ.VERSION.APPEND(\" 200 OK\\r\\nConnection: close\\r\\nContent-Length: 21\\r\\n\\r\\n<HTML>Good URL</HTML>\")"
add rewrite action nspepi_adv_fact_error_act1 replace_http_res "HTTP.REQ.VERSION.APPEND(\" 200 OK\\r\\nConnection: close\\r\\nContent-Length: 21\\r\\n\\r\\n<HTML>Good URL</HTML>\")"
add filter action fact_forward_act1 FORWARD svc1 # Error in conversion in using nspepi tool, for details see the warn_abc.conf
add filter policy fpol_prebody_req -rule ns_true -reqAction fact_prebody # Error in conversion in using nspepi tool, for details see the warn_abc.conf
add filter policy fpol_prebody_res -rule ns_true -resAction fact_prebody # Error in conversion in using nspepi tool, for details see the warn_abc.conf
add filter policy fpol_forward_req -rule ns_true -reqAction fact_forward_act1 # Error in conversion in using nspepi tool, for details see the warn_abc.conf
bind lb vserver v1 -policyName fpol_forward_req # Error in conversion in using nspepi tool, for details see the warn_abc.conf
bind cr vserver crv1 -policyName fpol_forward_req # Error in conversion in using nspepi tool, for details see the warn_abc.conf
#bind filter global fpol_variable_res -state DISABLED
bind filter global fpol_prebody_req # Error in conversion in using nspepi tool, for details see the warn_abc.conf
bind filter global fpol_forward_req # Error in conversion in using nspepi tool, for details see the warn_abc.conf
add rewrite action nspepi_adv_fact_variable insert_http_header H1 HTTP.RES.TXID
add rewrite action fact_variable insert_http_header H1 HTTP.REQ.TXID
add rewrite policy fpol_add_res TRUE fact_add
add rewrite policy fpol_error_res TRUE nspepi_adv_fact_error_act1
add responder policy fpol_error_req TRUE fact_error_act1
add rewrite policy fpol_add_req TRUE fact_add
add rewrite policy fpol_variable_req TRUE fact_variable
add rewrite policy fpol_variable_res TRUE nspepi_adv_fact_variable
bind rewrite global fpol_add_req 100 NEXT -type REQ_DEFAULT
bind rewrite global fpol_variable_req 200 NEXT -type REQ_DEFAULT
bind rewrite global fpol_add_res 100 NEXT -type RES_DEFAULT
bind rewrite global fpol_error_res 200 NEXT -type RES_DEFAULT
bind rewrite global fpol_variable_res 300 NEXT -type RES_DEFAULT
bind responder global fpol_error_req 100 END -type REQ_DEFAULT
bind lb vserver v1 -policyName fpol_add_res -type RESPONSE -priority 100 -gotoPriorityExpression NEXT
bind lb vserver v1 -policyName fpol_error_res -type RESPONSE -priority 200 -gotoPriorityExpression NEXT
bind lb vserver v1 -policyName fpol_variable_res -type RESPONSE -priority 300 -gotoPriorityExpression NEXT
bind lb vserver v1 -policyName fpol_add_req -type REQUEST -priority 100 -gotoPriorityExpression NEXT
bind lb vserver v1 -policyName fpol_variable_req -type REQUEST -priority 200 -gotoPriorityExpression NEXT
bind lb vserver v1 -policyName fpol_error_req -type REQUEST -priority 100 -gotoPriorityExpression END
bind cs vserver csv1 -policyName fpol_add_req -type REQUEST -priority 100 -gotoPriorityExpression NEXT
bind cs vserver csv1 -policyName fpol_add_res -type RESPONSE -priority 100 -gotoPriorityExpression NEXT
bind cs vserver csv1 -policyName fpol_error_res -type RESPONSE -priority 200 -gotoPriorityExpression NEXT
bind cs vserver csv1 -policyName fpol_error_req -type REQUEST -priority 100 -gotoPriorityExpression END
bind cr vserver crv1 -policyName fpol_add_req -type REQUEST -priority 100 -gotoPriorityExpression NEXT
bind cr vserver crv1 -policyName fpol_add_res -type RESPONSE -priority 100 -gotoPriorityExpression NEXT
bind cr vserver crv1 -policyName fpol_error_res -type RESPONSE -priority 200 -gotoPriorityExpression NEXT
bind cr vserver crv1 -policyName fpol_error_req -type REQUEST -priority 100 -gotoPriorityExpression END
Convert classic filter commands to advanced feature commands if existing rewrite or responder policy bindings have goto expression END or USE_INVOCATION_RESULT
In this conversion, if a rewrite policy is bound to one or more virtual servers and the server has END or USE_INVOCATION_RESULT, the tool comments out the commands.
Example
Following is a sample input command:
add lb vserver v1_tcp TCP
add lb vserver v1_http HTTP
add lb vserver v2_http HTTP
add cs vserver csv1_tcp TCP 1.1.1.1 12345
add cs vserver csv1_http HTTP 2.2.2.1 80
add cs vserver csv2_http HTTP 2.2.2.5 180
add cr vserver crv1_tcp TCP 1.1.1.2 2345
add cs vserver crv2_http HTTP 2.2.2.2 90
add filter policy fpol1 -rule ns_true -resAction reset
add filter policy fpol2 -rule ns_true -reqAction reset
add rewrite policy pol1 true NOREWRITE
add rewrite policylabel pl http_res
bind rewrite policylabel pl pol1 1
bind rewrite global NOPOLICY 1 USE_INVOCATION_RESULT -type RES_DEFAULT -invoke policylabel pl
add responder policy pol2 true NOOP
add responder policylabel pl -policylabeltype HTTP
bind responder policylabel pl pol2 1
bind responder global NOPOLICY 1 USE_INVOCATION_RESULT -type REQ_DEFAULT -invoke policylabel pl
bind lb vserver v1_tcp -policyName pol1 -priority 100 -gotoPriorityExpression USE_INVOCATION_RESULT -type RESPONSE
bind cs vserver csv1_tcp -policyName pol1 -priority 100 -gotoPriorityExpression USE_INVOCATION_RESULT -type RESPONSE
bind lb vserver v1_tcp -policyName pol2 -priority 100 -gotoPriorityExpression USE_INVOCATION_RESULT -type REQUEST
bind cs vserver csv1_tcp -policyName pol2 -priority 100 -gotoPriorityExpression USE_INVOCATION_RESULT -type REQUEST
bind cr vserver crv1_tcp -policyName pol2 -priority 100 -gotoPriorityExpression USE_INVOCATION_RESULT -type REQUEST
bind lb vserver v1_http -policyName fpol1
bind cs vserver csv1_http -policyName fpol1
bind lb vserver v2_http -policyName fpol2
bind cs vserver csv2_http -policyName fpol2
bind cr vserver crv2_http -policyName fpol2
bind filter global fpol1 -priority 100
bind filter global fpol2 -priority 100
Following is a sample output command:
add lb vserver v1_tcp TCP
add lb vserver v1_http HTTP
add lb vserver v2_http HTTP
add cs vserver csv1_tcp TCP 1.1.1.1 12345
add cs vserver csv1_http HTTP 2.2.2.1 80
add cs vserver csv2_http HTTP 2.2.2.5 180
add cr vserver crv1_tcp TCP 1.1.1.2 2345
add cs vserver crv2_http HTTP 2.2.2.2 90
add rewrite policy pol1 true NOREWRITE
add rewrite policylabel pl http_res
bind rewrite policylabel pl pol1 1
add responder policy pol2 true NOOP
add responder policylabel pl -policylabeltype HTTP
bind responder policylabel pl pol2 1
bind lb vserver v1_tcp -policyName pol1 -priority 100 -gotoPriorityExpression USE_INVOCATION_RESULT -type RESPONSE
bind cs vserver csv1_tcp -policyName pol1 -priority 100 -gotoPriorityExpression USE_INVOCATION_RESULT -type RESPONSE
bind lb vserver v1_tcp -policyName pol2 -priority 100 -gotoPriorityExpression USE_INVOCATION_RESULT -type REQUEST
bind cs vserver csv1_tcp -policyName pol2 -priority 100 -gotoPriorityExpression USE_INVOCATION_RESULT -type REQUEST
bind cr vserver crv1_tcp -policyName pol2 -priority 100 -gotoPriorityExpression USE_INVOCATION_RESULT -type REQUEST
add rewrite policy fpol1 TRUE RESET
add responder policy fpol2 TRUE RESET
#bind lb vserver v2_http -policyName fpol2 -type REQUEST
#bind cs vserver csv2_http -policyName fpol2 -type REQUEST
#bind cr vserver crv2_http -policyName fpol2 -type REQUEST
#bind responder global fpol2 100 -type REQ_DEFAULT
bind rewrite global NOPOLICY 1 USE_INVOCATION_RESULT -type RES_DEFAULT -invoke policylabel pl
bind rewrite global fpol1 100 NEXT -type RES_DEFAULT
bind responder global NOPOLICY 1 USE_INVOCATION_RESULT -type REQ_DEFAULT -invoke policylabel pl
bind lb vserver v1_http -policyName fpol1 -type RESPONSE -priority 100 -gotoPriorityExpression NEXT
bind cs vserver csv1_http -policyName fpol1 -type RESPONSE -priority 100 -gotoPriorityExpression NEXT
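The two sample outputs above leave manual work behind in two forms: a trailing "# Error in conversion" comment on commands the tool could not convert, and bind commands prefixed with "#" that it commented out. The following Python sketch is an added example, not part of nspepi or of the original page; it lists both and flags policies (such as fpol2 above) that are defined but have every binding commented out, so they are never evaluated once the converted file is in use. The warning-line pattern is assumed from the sample messages on this page, and policy names are assumed to be unique across features.

```python
import re

# Trailing marker the tool leaves on commands it could not convert
# (taken from the sample output on this page).
ERROR_MARK = "# Error in conversion"
# add <feature> policy <name> ...  (does not match "policylabel" or "policy expression")
POLICY_DEF = re.compile(r"add\s+(\w+)\s+policy\s+(\S+)")
# "<LEVEL> - Line(<n>): <msg>"; Line(n) is optional, a leading timestamp is skipped.
WARN_LINE = re.compile(r"\b(ERROR|WARNING)\s+-\s+(?:Line\((\d+)\):\s*)?(.*)")


def policy_in_bind(cmd):
    """Return the policy name a bind command attaches, or None."""
    m = re.search(r"-policyName\s+(\S+)", cmd, re.IGNORECASE)
    if m:
        return m.group(1)
    m = re.match(r"bind\s+\w+\s+(?:global|policylabel\s+\S+)\s+(\S+)", cmd)
    return m.group(1) if m else None


def triage(converted_text):
    """Classify the lines of a new_<name> file written by 'nspepi -f'."""
    defined, active, disabled, failed = {}, set(), {}, []
    for n, raw in enumerate(converted_text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if ERROR_MARK in line:                  # left unconverted by the tool
            failed.append((n, line.split(ERROR_MARK)[0].rstrip()))
            continue
        commented = line.startswith("#")
        cmd = line.lstrip("#").strip()
        m = POLICY_DEF.match(cmd)
        if m and not commented:
            defined[m.group(2)] = m.group(1)    # policy name -> feature
        elif cmd.startswith("bind "):
            pol = policy_in_bind(cmd)
            if pol is None:
                continue
            if commented:
                disabled.setdefault(pol, []).append((n, cmd))
            else:
                active.add(pol)
    # Defined policies whose every binding was commented out are never evaluated.
    unenforced = {p: b for p, b in disabled.items()
                  if p in defined and p not in active}
    return {"failed": failed, "disabled": disabled, "unenforced": unenforced}


def parse_warnings(warn_text):
    """Return (level, input_line_or_None, message) tuples from a warn_<name> file."""
    out = []
    for line in warn_text.splitlines():
        m = WARN_LINE.search(line)
        if m:
            out.append((m.group(1), int(m.group(2)) if m.group(2) else None, m.group(3)))
    return out


# Constructed sample: lines copied from the two sample outputs on this page.
SAMPLE_CONVERTED = """\
add rewrite policy fpol1 TRUE RESET
add responder policy fpol2 TRUE RESET
#bind lb vserver v2_http -policyName fpol2 -type REQUEST
#bind cs vserver csv2_http -policyName fpol2 -type REQUEST
#bind responder global fpol2 100 -type REQ_DEFAULT
bind rewrite global fpol1 100 NEXT -type RES_DEFAULT
add filter action fact_forward_act1 FORWARD svc1 # Error in conversion in using nspepi tool, for details see the warn_abc.conf
bind filter global fpol_forward_req # Error in conversion in using nspepi tool, for details see the warn_abc.conf
"""
# Constructed sample: one message from this page plus a shortened warning.
SAMPLE_WARN = """\
ERROR - Line(9): Conversion of FORWARD action type related command [add filter action fact_forward_act1 FORWARD svc1] not supported in this tool
WARNING - Following bind command is commented out because state is disabled: bind cmp global cmp_pol2 -state DISABLED
"""

if __name__ == "__main__":
    report = triage(SAMPLE_CONVERTED)
    for pol, binds in report["unenforced"].items():
        print(f"UNENFORCED {pol}: {len(binds)} binding(s) commented out")
    for n, cmd in report["failed"]:
        print(f"NOT CONVERTED line {n}: {cmd}")
    for level, src_line, msg in parse_warnings(SAMPLE_WARN):
        print(level, src_line, msg[:60])
```

Line numbers returned by triage refer to the converted file, while the Line(n) values in the warning file refer to the input file.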
Running the nspepi tool
This tool is run from the shell, which can be accessed by typing the “shell” command in the NetScaler CLI. To convert classic policies to advanced policies, use the “-f”, “-e”, or “-a” option. The “-d” option is intended for Citrix support personnel to analyze the data for troubleshooting purposes. Run the following command to view all the available options:
root@ns# ./nspepi --help
usage: nspepi [-h] (-e <classic policy expression> | -f <path to ns config file>)[-d] [-a] [-v] [-V]
Convert classic policy expressions to advanced policy expressions and deprecated commands to non-deprecated
commands.
optional arguments:
-h, --help show this help message and exit
-e <classic policy expression>, --expression <classic policy expression>
convert classic policy expression to advanced policy
expression (maximum length of 8191 allowed)
-f <path to ns config file>, --infile <path to ns config file>
convert netscaler config file
-a, --all Convert Syslog classic policies
-d, --debug log debug output
-v, --verbose show verbose output
-V, --version show program's version number and exit
Usage Examples:
nspepi -e "req.tcp.destport == 80"
nspepi -f /nsconfig/ns.conf
Following are a few examples of running the nspepi tool by using the CLI
Example output for -e parameter:
root@ns# nspepi -e "req.http.header foo == \"bar\""
"HTTP.REQ.HEADER(\"foo\").EQ(\"bar\")"
Example output for -f parameter:
root@ns# cat sample.conf
add cr vserver cr_vs HTTP -cacheType TRANSPARENT -cltTimeout 180 -originUSIP OFF
add cr policy cr_pol1 -rule ns_true
bind cr vserver cr_vs -policyName cr_pol1
Running nspepi with -f parameter:
nspepi -f sample.conf
Converted config is available in a new file new_sample.conf.
Check the warn_sample.conf file for any warnings or errors that might have been generated.
Example output of -f parameter along with -v parameter
nspepi -f sample.conf -v
INFO - add cr vserver cr_vs HTTP -cacheType TRANSPARENT -cltTimeout 180 -originUSIP OFF
INFO - add cr policy cr_pol1 -rule TRUE -action ORIGIN
INFO - bind cr vserver cr_vs -policyName cr_pol1 -priority 100 -gotoPriorityExpression END -type REQUEST
Converted config is available in a new file new_sample.conf.
Check the warn_sample.conf file for any warnings or errors that might have been generated.
Running nspepi with -a parameter:
Sample syslog configuration in classic policies before running nspepi:
root@ns# cat /root/sample_syslog.conf
add syslogAction act1 10.106.194.122 -logLevel ALL
add audit syslogPolicy pol1 ns_true act1
add cs vserver sachin_cs-vs HTTP 10.10.102.35 90 -cltTimeout 180 -persistenceType NONE
bind cs vserver sachin_cs-vs -policyName ap1 -priority 11
bind vpn global -policyName pol1 -priority 100
Run nspepi with -a parameter:
root@ns# ./nspepi -f /root/sample_syslog.conf -a
Converted config will be available in a new file new_sample_syslog.conf.
Conversion is successful, no error or warning is generated.
Use nspepi tool available at https://github.com/citrix/ADC-scripts/tree/master/nspepi for the most complete and up-to-date version.
Sample syslog configuration converted to advanced policies after running nspepi with -a parameter:
root@ns# cat /root/new_sample_syslog.conf
add syslogAction act1 10.106.194.122 -logLevel ALL
add audit syslogPolicy pol1 TRUE act1
add cs vserver sachin_cs-vs HTTP 10.10.102.35 90 -cltTimeout 180 -persistenceType NONE
bind cs vserver sachin_cs-vs -policyName ap1 -priority 11
bind syslogGlobal -policyname pol1 -priority 100 -globalBindType VPN_GLOBAL
Converted Config file:
root@ns# cat new_sample.conf
add cr vserver cr_vs HTTP -cacheType TRANSPARENT -cltTimeout 180 -originUSIP OFF
add cr policy cr_pol1 -rule TRUE -action ORIGIN
set cmp parameter -policyType ADVANCED
bind cr vserver cr_vs -policyName cr_pol1 -priority 100 -gotoPriorityExpression END -type REQUEST
Example output of a sample configuration with no errors or warnings:
nspepi -f sample_2.conf
Converted config is available in a new file new_sample_2.conf.
Check the warn_sample_2.conf file for any warnings or errors that might have been generated.
Example output of a sample configuration with warnings:
root@ns# cat sample_2.conf
add policy expression security_expr "req.tcp.destport == 80" -clientSecurityMessage "Not allowed"
set cmp parameter -policyType CLASSIC
add cmp policy cmp_pol1 -rule ns_true -resAction COMPRESS
add cmp policy cmp_pol2 -rule ns_true -resAction COMPRESS
add cmp policy cmp_pol3 -rule TRUE -resAction COMPRESS
bind cmp global cmp_pol1
bind cmp global cmp_pol2 -state DISABLED
bind cmp global cmp_pol3 -priority 1 -gotoPriorityExpression END -type RES_DEFAULT
bind lb vserver lb_vs -policyName cmp_pol2
root@ns#
Converted file:
root@ns# cat new_sample_2.conf
add policy expression security_expr "req.tcp.destport == 80" -clientSecurityMessage "Not allowed"
set cmp parameter -policyType ADVANCED
add cmp policy cmp_pol1 -rule TRUE -resAction COMPRESS
add cmp policy cmp_pol2 -rule TRUE -resAction COMPRESS
add cmp policy cmp_pol3 -rule TRUE -resAction COMPRESS
#bind cmp global cmp_pol2 -state DISABLED
#bind cmp global cmp_pol3 -priority 1 -gotoPriorityExpression END -type RES_DEFAULT
bind cmp global cmp_pol1 -priority 100 -gotoPriorityExpression END -type RES_DEFAULT
bind lb vserver lb_vs -policyName cmp_pol2 -priority 100 -gotoPriorityExpression END -type RESPONSE
root@ns#
Warning file:
WARNING - Following bind command is commented out because state is disabled. If state is disabled, then command is not in use. Since state parameter is not supported with the advanced configuration, so if we convert this config then functionality will change. If command is required please take a backup because comments will not be saved in ns.conf after triggering 'save ns config': bind cmp global cmp_pol2 -state DISABLED
WARNING - Initial global cmp parameter is classic and in this case advanced policies's bindings are not evaluated. Now global cmp parameter policy type is set to advanced, so existing advanced policies's bindings will be evaluted and can change the functionality. So, bindings of advanced CMP policies to cmp global are commented out. If commands are required please take a backup because comments will not be saved in ns.conf after triggering 'save ns config'.
Binding Priorities
Advanced policies do not allow arbitrary interleaving by priority between global and non-global and between different binding types. If you rely on such interleaving of Classic policy priorities, you need to adjust the priorities to conform to the Advanced policy rules and to get the behavior you desire. Priorities in Advanced policies are local to a bind point. A bind point is a unique combination of protocol, feature, direction, and entity (entities are specific virtual servers, users, groups, services, and either global override or global default). Policy priorities are not followed across bind points.
For a given protocol, feature, and direction, the following is the order of evaluation of Advanced policies:
- Global override.
- (Current) authentication, authorization, and auditing user.
- Authentication, authorization, and auditing groups (that the user is a member of) in order of weight - ordering is undefined if two or more groups have the same weight.
- LB virtual server that either the request was received on or that Content Switching selected.
- Content switching virtual server, cache redirection virtual server that the request was received on.
- Service selected by load balancing.
- Global default.
Within each bind point, the policies are evaluated in order of priority from lowest numbered to highest numbered. Policies are only evaluated for the protocol used and the direction that the message was received from.
Classic policy bindings that require manual reprioritization
Here are some types of Classic policy bindings that require manual reprioritization to accomplish your needs. All these are for a given feature and the direction.
- Classic priorities that increase in priority number opposite to the direction of the above entity type lists. For example a content switching virtual server binding lower than a load balancing virtual server binding.
- Classic priorities that increase in number other than the order of weights of authentication, authorization, and auditing groups.
- Classic global priorities that are less than some non-global priority and the same global priorities are greater than some other non-global priority (in other words, any segment of priorities that are a non-global, followed by one or more globals, followed by a non-global).
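A check for the first and third cases in the list above, as an added Python example that is not part of nspepi or of the original page. It assumes that all bindings passed in apply to the same traffic path, feature and direction, that Classic evaluation follows one priority sequence across bind points (the interleaving described above), and that Classic global bindings become global default as in the sample conversions on this page; the group-weight case is not covered, and the Binding type and sample values are hypothetical.

```python
from collections import namedtuple
from itertools import combinations

# kind is one of: user, group, lb, cs, cr, service, global
Binding = namedtuple("Binding", "kind entity priority policy")

# Position of each bind point in the Advanced evaluation order listed above
# (lower is evaluated first). "global" stands for global default.
RANK = {"user": 2, "group": 3, "lb": 4, "cs": 5, "cr": 5, "service": 6, "global": 7}


def classic_order(bindings):
    """Assumed Classic behaviour: one priority sequence across all bind points."""
    return sorted(bindings, key=lambda b: b.priority)


def advanced_order(bindings):
    """Advanced behaviour: bind point order first, priority only inside a bind point."""
    return sorted(bindings, key=lambda b: (RANK[b.kind], b.priority))


def inverted_pairs(bindings):
    """First case: non-global pairs whose priority numbers run against the entity order."""
    local = [b for b in classic_order(bindings) if b.kind != "global"]
    return [(a, b) for a, b in combinations(local, 2)
            if a.priority < b.priority and RANK[a.kind] > RANK[b.kind]]


def sandwiched_globals(bindings):
    """Third case: a global priority with non-global priorities both below and above it."""
    local = [b.priority for b in bindings if b.kind != "global"]
    if not local:
        return []
    return [b for b in bindings
            if b.kind == "global" and min(local) < b.priority < max(local)]


def review(bindings):
    """Collect both orders and the bindings that need manual reprioritization."""
    return {
        "classic_order": classic_order(bindings),
        "advanced_order": advanced_order(bindings),
        "inverted_pairs": inverted_pairs(bindings),
        "sandwiched_globals": sandwiched_globals(bindings),
    }


# Constructed sample: a content switching binding numbered lower than a load
# balancing binding, and a global binding numbered between non-global ones.
SAMPLE = [
    Binding("cs", "csv1", 10, "pol_a"),
    Binding("global", "", 15, "pol_g"),
    Binding("lb", "v1", 20, "pol_b"),
    Binding("service", "svc1", 30, "pol_s"),
]

if __name__ == "__main__":
    result = review(SAMPLE)
    print("classic :", [b.policy for b in result["classic_order"]])
    print("advanced:", [b.policy for b in result["advanced_order"]])
    for a, b in result["inverted_pairs"]:
        print(f"reprioritize: {a.policy} ({a.kind} {a.priority}) ran before "
              f"{b.policy} ({b.kind} {b.priority}) under Classic")
    for g in result["sandwiched_globals"]:
        print(f"reprioritize: global {g.policy} at {g.priority} sits between non-global priorities")
```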
The NSPEPI and check_invalid_config tools can be run on the CentOS and Ubuntu systems
The following modules are the prerequisites for using these tools:
- Python
- Perl
- Python pip module
- PLY module for Python
- Switch.pm for Perl
If Python 3 is installed, create a soft link, for example, "ln -s /usr/bin/python3 /usr/bin/python".
To install Python pip module, PLY module for Python, and Switch.pm for Perl in CentOS, run the following commands:
sudo yum install -y perl-Switch
sudo yum install python-pip
sudo yum install python-ply
To install Python pip module, PLY module for Python, and Switch.pm for Perl in Ubuntu, run the following commands:
sudo apt install libswitch-perl
sudo apt install python-ply
sudo apt install python-pip    # or: sudo apt install python3-pip