ADC

Convert policy expressions using the NSPEPI tool

Note:

You can download the NSPEPI and preconfig check tool from the public GitHub. For more information, see the GitHub NSPEPI page and README page for detailed instructions to download, install, and use the tools. We recommend customers to use the tools available in GitHub for the most complete and up-to-date version.

Classic policy-based features and functionalities are deprecated from NetScaler 12.0 build 56.20 onwards. As an alternative, NetScaler recommends you to use the Advanced policy infrastructure for the features supported by the NSPEPI tool. For the list of supported features, see Commands or features handled by the nspepi conversion tool. The features that are not supported by the NSPEPI tool continue to support classic policies. For the list of unsupported features, see NSPEPI tool unsupported features.

The nspepi tool can perform the following tasks:

  1. Convert Classic policy expressions to Advanced policy expressions.
  2. Convert certain Classic policies and their entity bindings to Advanced policies and bindings.
  3. Convert a few more deprecated features to their corresponding non-deprecated features.
  4. Convert classic filter commands to advanced filter commands.

Note:

After the nspepi tool successfully converts the ns.conf config file, the tool displays the converted file as a new file with a prefix, “new_”. If the converted config file has errors or warnings, you must manually fix them as part of the conversion process. Once converted, you must test the file in the test environment and then use it to replace the actual ns.conf config file. After testing, you must reboot the appliance for the newly converted or fixed ns.conf config file.

Features that only support Classic policies or expressions are deprecated and they can be replaced by the corresponding non-deprecated features.

Note:

Information pertaining to the older version of the nspepi tool is available in a PDF format. For more information, see Classic policy conversion using nspepi tool before 12.1-51.16 PDF.

Conversion warnings and error files

Before you use the tool for your conversion, there are a few warnings to keep in mind:

  1. All warnings and errors are output to the console. There is a warning file created where the configuration files are stored.
  2. The warnings and error file has the same name as the input file but with a prefix “warn_” added to the file name. During expression conversion (when using -e), the warnings show up in the current directory with a name “warn_expr”.

Note:

This file is in a standard log file format, with date/time stamp and log level. Previous instances of the file are kept with suffixes like “.1”, “.2”, and so forth as the tool is run multiple times. At most 10 instances will be kept.

Converted file format

When converting a configuration file (using “-f”), the converted file is put into the same directory as where the input configuration file exists with the same name but a prefix “new_”.

Commands or features handled by the nspepi conversion tool

Following are the commands handled during the auto conversion process.

  • The following Classic policies and their expressions are converted to Advanced policies and expressions. The conversion includes entity bindings and global bindings.
  1. add appfw policy
  2. add cmp policy
  3. add cr policy
  4. add cs policy
  5. add ssl policy
  6. add filter action
  7. add filter policy
  8. filter policy binding to load balancing, content switching, cache redirection, and global.
  • The rule parameter configured in “add lb virtual server” is converted from Classic expression to Advanced expression.
  • The SPDY parameter configured in the “add ns httpProfile” or the “set ns httpProfile” command is changed to “-http2 ENABLED”.
  • Named expressions (“add policy expression” commands). Each Classic named policy expression is converted to its corresponding Advanced named expression with “nspepi_adv_” set as the prefix. In addition, usage of named expressions for the converted Classic expressions is changed to the corresponding Advanced named expressions. In addition, every named expression has two named expressions, where one is Classic and the other one is Advanced (as shown below).
  • Handling built-in classic policy bindings in CMP and CR.
  • Patclass feature is converted to Pat set feature.
  • “-pattern” parameter in the “add rewrite action” command is converted to use “-search” parameter.
  • Q and S prefixes of advanced expressions are converted to equivalent non-deprecated advanced expressions. These expressions can be seen in any command where advanced expressions are allowed.

For example:

add policy expression classic_expr ns_true
Converts to:
add policy expression classic_expr ns_true
add policy expression nspepi_adv_classic_expr TRUE
<!--NeedCopy-->
  • The policyType parameter configured in the “set cmp parameter” command is removed. By default, the policy type is “Advanced”.

Convert classic filter commands to advanced filter commands

The nspepi tool can convert commands based on classic filter actions such as add, bind and so forth to advanced filter commands.

However, the nspepi tool does not support the following filter commands.

  1. add filter action <action Name> FORWARD <service name>
  2. add filter action <action name> ADD prebody
  3. add filter action <action name> ADD postbody

Note:

  1. If there are existing rewrite or responder features in ns.conf and their policies are bound globally with the GOTO expression as END or USER_INVOCATION_RESULT and the bind type is REQ_X or RES_X then the tool converts bind filter commands partially and comments out. An error is displayed for the manual conversion.
  2. If there are existing rewrite or responder features and their policies are bound to virtual servers(for example, load balancing, content switching or cache redirect) of type HTTPS with GOTO - END or USER_INVOCATION_RESULT, the tool converts bind filter commands partially and then comments out. Warning is displayed for the manual conversion.

Example

Following is a sample input:

add lb vserver v1 http 1.1.1.1 80 -persistenceType NONE -cltTimeout 9000
add cs vserver csv1 HTTP 1.1.1.2 80 -cltTimeout 180 -persistenceType NONE
add cr vserver crv1 HTTP 1.1.1.3 80 -cacheType FORWARD
add service svc1 1.1.1.4 http 80
add filter action fact_add add 'header:value'
add filter action fact_variable add 'H1:%%HTTP.TRANSID%%'
add filter action fact_prebody add prebody
add filter action fact_error_act1 ERRORCODE 200 "<HTML>Good URL</HTML>"
add filter action fact_forward_act1 FORWARD svc1
add filter policy fpol_add_res -rule ns_true -resAction fact_add
add filter policy fpol_error_res -rule ns_true -resAction fact_error_act1
add filter policy fpol_error_req -rule ns_true -reqAction fact_error_act1
add filter policy fpol_add_req -rule ns_true -reqAction fact_add
add filter policy fpol_variable_req -rule ns_true -reqAction fact_variable
add filter policy fpol_variable_res -rule ns_true -resAction fact_variable
add filter policy fpol_prebody_req -rule ns_true -reqAction fact_prebody
add filter policy fpol_prebody_res -rule ns_true -resAction fact_prebody
add filter policy fpol_forward_req -rule ns_true -reqAction fact_forward_act1
bind lb vserver v1 -policyName fpol_add_res
bind lb vserver v1 -policyName fpol_add_req
bind lb vserver v1 -policyName fpol_error_res
bind lb vserver v1 -policyName fpol_error_req
bind lb vserver v1 -policyName fpol_variable_res
bind lb vserver v1 -policyName fpol_variable_req
bind lb vserver v1 -policyName fpol_forward_req
bind cs vserver csv1 -policyName fpol_add_req
bind cs vserver csv1 -policyName fpol_add_res
bind cs vserver csv1 -policyName fpol_error_res
bind cs vserver csv1 -policyName fpol_error_req
bind cr vserver crv1 -policyName fpol_add_req
bind cr vserver crv1 -policyName fpol_add_res
bind cr vserver crv1 -policyName fpol_error_res
bind cr vserver crv1 -policyName fpol_error_req
bind cr vserver crv1 -policyName fpol_forward_req
bind filter global fpol_add_req
bind filter global fpol_add_res
bind filter global fpol_error_req
bind filter global fpol_error_res
bind filter global fpol_variable_req
bind filter global fpol_variable_res
bind filter global fpol_variable_res -state DISABLED
bind filter global fpol_prebody_req
bind filter global fpol_forward_req
After conversion, warning/error messages will be displayed for manual effort.
Warning files:
cat warn_<input file name>:
2019-11-07 17:13:34,724: ERROR - Conversion of [add filter action fact_prebody add prebody] not supported in this tool.
2019-11-07 17:13:34,739: ERROR - Conversion of [add filter action fact_forward_act1 FORWARD svc1] not supported in this tool.
2019-11-07 17:13:38,042: ERROR - Conversion of [add filter policy fpol_prebody_req -rule ns_true -reqAction fact_prebody] not supported in this tool.
2019-11-07 17:13:38,497: ERROR - Conversion of [add filter policy fpol_prebody_res -rule ns_true -resAction fact_prebody] not supported in this tool.
2019-11-07 17:13:39,035: ERROR - Conversion of [add filter policy fpol_forward_req -rule ns_true -reqAction fact_forward_act1] not supported in this tool.
2019-11-07 17:13:39,060: WARNING - Following bind command is commented out because state is disabled. Advanced expressions only have a fixed ordering of the types of bindings without interleaving, except that global bindings are allowed before all other bindings and after all bindings. If you have global bindings in the middle of non-global bindings or any other interleaving then you will need to reorder all your bindings for that feature and direction. Refer to nspepi documentation. If command is required please take a backup because comments will not be saved in ns.conf after triggering 'save ns config': bind filter global fpol_variable_res -state DISABLED


<!--NeedCopy-->

Following is a sample output. All converted commands are commented.

cat new_<input file name>
add rewrite action fact_add insert_http_header header "\"value\""
add filter action fact_prebody add prebody
add filter action fact_forward_act1 FORWARD svc1
add filter policy fpol_prebody_req -rule ns_true -reqAction fact_prebody
add filter policy fpol_prebody_res -rule ns_true -resAction fact_prebody
add filter policy fpol_forward_req -rule ns_true -reqAction fact_forward_act1
bind lb vserver v1 -policyName fpol_forward_req
bind cr vserver crv1 -policyName fpol_forward_req
#bind filter global fpol_variable_res -state DISABLED
bind filter global fpol_prebody_req
bind filter global fpol_forward_req
add rewrite action nspepi_adv_fact_variable insert_http_header H1 HTTP.RES.TXID
add rewrite action fact_variable insert_http_header H1 HTTP.REQ.TXID
add responder action fact_error_act1 respondwith "HTTP.REQ.VERSION.APPEND(\" 200 OK\\r
nConnection: close\\r
nContent-Length: 21\\r\\n\\r
n<HTML>Good URL</HTML>\")"
add rewrite action nspepi_adv_fact_error_act1 replace_http_res "HTTP.REQ.VERSION.APPEND(\" 200 OK\\r
nConnection: close\\r
nContent-Length: 21\\r\\n\\r
n<HTML>Good URL</HTML>\")"
add rewrite policy fpol_add_res TRUE fact_add
add rewrite policy fpol_error_res TRUE nspepi_adv_fact_error_act1
add responder policy fpol_error_req TRUE fact_error_act1
add rewrite policy fpol_add_req TRUE fact_add
add rewrite policy fpol_variable_req TRUE fact_variable
add rewrite policy fpol_variable_res TRUE nspepi_adv_fact_variable
set cmp parameter -policyType ADVANCED
bind rewrite global fpol_add_req 100 NEXT -type REQ_DEFAULT
bind rewrite global fpol_variable_req 200 NEXT -type REQ_DEFAULT
bind rewrite global fpol_add_res 100 NEXT -type RES_DEFAULT
bind rewrite global fpol_error_res 200 NEXT -type RES_DEFAULT
bind rewrite global fpol_variable_res 300 NEXT -type RES_DEFAULT
bind responder global fpol_error_req 100 END -type REQ_DEFAULT
bind lb vserver v1 -policyName fpol_add_res -type RESPONSE -priority 100 -gotoPriorityExpression NEXT
bind lb vserver v1 -policyName fpol_error_res -type RESPONSE -priority 200 -gotoPriorityExpression NEXT
bind lb vserver v1 -policyName fpol_variable_res -type RESPONSE -priority 300 -gotoPriorityExpression NEXT
bind lb vserver v1 -policyName fpol_add_req -type REQUEST -priority 100 -gotoPriorityExpression NEXT
bind lb vserver v1 -policyName fpol_variable_req -type REQUEST -priority 200 -gotoPriorityExpression NEXT
bind lb vserver v1 -policyName fpol_error_req -type REQUEST -priority 100 -gotoPriorityExpression END
bind cs vserver csv1 -policyName fpol_add_req -type REQUEST -priority 100 -gotoPriorityExpression NEXT
bind cs vserver csv1 -policyName fpol_add_res -type RESPONSE -priority 100 -gotoPriorityExpression NEXT
bind cs vserver csv1 -policyName fpol_error_res -type RESPONSE -priority 200 -gotoPriorityExpression NEXT
bind cs vserver csv1 -policyName fpol_error_req -type REQUEST -priority 100 -gotoPriorityExpression END
bind cr vserver crv1 -policyName fpol_add_req -type REQUEST -priority 100 -gotoPriorityExpression NEXT
bind cr vserver crv1 -policyName fpol_add_res -type RESPONSE -priority 100 -gotoPriorityExpression NEXT
bind cr vserver crv1 -policyName fpol_error_res -type RESPONSE -priority 200 -gotoPriorityExpression NEXT
bind cr vserver crv1 -policyName fpol_error_req -type REQUEST -priority 100 -gotoPriorityExpression END

<!--NeedCopy-->

Convert classic filter commands to advanced feature commands if existing rewrite or responder policy bindings have goto expression END or USE_INNVOCATION

In this conversion, if a rewrite policy bound to one or more virtual servers and if the server has END or USE_INVOCATION_RESULT, the tool comments out the commands.

Example

Following is a sample input command:

COPY
add filter policy fpol1 -rule ns_true -resAction reset
add filter policy fpol2 -rule ns_true -reqAction reset
add rewrite policy pol1 true NOREWRITE
add rewrite policylabel pl http_res
bind rewrite policylabel pl pol1 1
bind rewrite global NOPOLICY 1 USE_INVOCATION_RESULT -type RES_DEFAULT -invoke policylabel pl
add responder policy pol2 true NOOP
add responder policylabel pl -policylabeltype HTTP
bind responder policylabel pl pol2 1
bind responder global NOPOLICY 1 USE_INVOCATION_RESULT -type REQ_DEFAULT -invoke policylabel pl
bind lb vserver v1_tcp -policyName pol1 -priority 100 -gotoPriorityExpression USE_INVOCATION_RESULT -type RESPONSE
bind cs vserver csv1_tcp -policyName pol1 -priority 100 -gotoPriorityExpression USE_INVOCATION_RESULT -type RESPONSE
bind lb vserver v1_tcp -policyName pol2 -priority 100 -gotoPriorityExpression USE_INVOCATION_RESULT -type REQUEST
bind cs vserver csv1_tcp -policyName pol2 -priority 100 -gotoPriorityExpression USE_INVOCATION_RESULT -type REQUEST
bind cr vserver crv1_tcp -policyName pol2 -priority 100 -gotoPriorityExpression USE_INVOCATION_RESULT -type REQUEST
bind lb vserver v1_http -policyName fpol1
bind cs vserver csv1_http -policyName fpol1
bind lb vserver v2_http -policyName fpol2
bind cs vserver csv2_http -policyName fpol2
bind cr vserver crv2_http -policyName fpol2
bind filter global fpol1 -priority 100
bind filter global fpol2 -priority 100
<!--NeedCopy-->

Following is a sample output command:

COPY
add rewrite policy pol1 true NOREWRITE
add rewrite policylabel pl http_res
bind rewrite policylabel pl pol1 1
add responder policy pol2 true NOOP
add responder policylabel pl -policylabeltype HTTP
bind responder policylabel pl pol2 1
add rewrite policy fpol1 TRUE RESET
add responder policy fpol2 TRUE RESET
#bind lb vserver v1_http -policyName fpol1 -type RESPONSE
#bind cs vserver csv1_http -policyName fpol1 -type RESPONSE
#bind rewrite global fpol1 100 -type RES_DEFAULT
#bind lb vserver v2_http -policyName fpol2 -type REQUEST
#bind cs vserver csv2_http -policyName fpol2 -type REQUEST
#bind cr vserver crv2_http -policyName fpol2 -type REQUEST
#bind responder global fpol2 100 -type REQ_DEFAULT
bind rewrite global NOPOLICY 1 USE_INVOCATION_RESULT -type RES_DEFAULT -invoke policylabel pl
bind responder global NOPOLICY 1 USE_INVOCATION_RESULT -type REQ_DEFAULT -invoke policylabel pl
bind lb vserver v1_tcp -policyName pol1 -priority 100 -gotoPriorityExpression USE_INVOCATION_RESULT -type RESPONSE
bind lb vserver v1_tcp -policyName pol2 -priority 100 -gotoPriorityExpression USE_INVOCATION_RESULT -type REQUEST
bind cs vserver csv1_tcp -policyName pol1 -priority 100 -gotoPriorityExpression USE_INVOCATION_RESULT -type RESPONSE
bind cs vserver csv1_tcp -policyName pol2 -priority 100 -gotoPriorityExpression USE_INVOCATION_RESULT -type REQUEST
bind cr vserver crv1_tcp -policyName pol2 -priority 100 -gotoPriorityExpression USE_INVOCATION_RESULT -type REQUEST-

<!--NeedCopy-->

Running the nspepi tool

The following is a command line example for running the nspepi tool. This tool is run from the command line of the shell (you need to type the “shell” command to the NetScaler”CLI” to get to that). Either “-f” or”-e” must be specified to perform a conversion. Use of “-d” is intended for Citrix personnel to analyze for support purposes.

usage: nspepi [-h] (-e <classic policy expression> | -f <path to ns config file>)[-d] [-v] [-V

Convert classic policy expressions to advanced policy expressions and deprecated commands to non-deprecated
commands.

optional arguments:
-h, --help show this help message and exit
-e <classic policy expression>, --expression <classic policy expression>
convert classic policy expression to advanced policy
expression (maximum length of 8191 allowed)
-f <path to ns config file>, --infile <path to ns config file>
convert netscaler config file
-d, --debug log debug output
-v, --verbose show verbose output
-V, --version show program's version number and exit
<!--NeedCopy-->

Usage Examples:

  1. nspepi -e "req.tcp.destport == 80"
  2. nspepi -f /nsconfig/ns.conf

Following are few examples of running the nspepi tool by using the CLI

Example output for –e parameter:

root@ns# nspepi -e "req.http.header foo == \"bar\""
"HTTP.REQ.HEADER(\"foo\").EQ(\"bar\")"
<!--NeedCopy-->

Example output for -f parameter:

root@ns# cat sample.conf
add cr vserver cr_vs HTTP -cacheType TRANSPARENT -cltTimeout 180 -originUSIP OFF
add cr policy cr_pol1 -rule ns_true
bind cr vserver cr_vs -policyName cr_pol1
<!--NeedCopy-->

Running nspepi with -f parameter:

nspepi -f sample.conf
<!--NeedCopy-->

Converted config is available in a new file new_sample.conf. Check the warn_sample.conf file for any warnings or errors that might have been generated.

Example output of -f parameter along with -v parameter

nspepi -f sample.conf -v
INFO - add cr vserver cr_vs HTTP -cacheType TRANSPARENT -cltTimeout 180 -originUSIP OFF
INFO - add cr policy cr_pol1 -rule TRUE -action ORIGIN
INFO - bind cr vserver cr_vs -policyName cr_pol1 -priority 100 -gotoPriorityExpression END -type REQUEST
<!--NeedCopy-->

Converted config is available in a new file new_sample.conf. Check the warn_sample.conf file for any warnings or errors that might have been generated.

Converted Config file:

root@ns# cat new_sample.conf
add cr vserver cr_vs HTTP -cacheType TRANSPARENT -cltTimeout 180 -originUSIP OFF
add cr policy cr_pol1 -rule TRUE -action ORIGIN
set cmp parameter -policyType ADVANCED
bind cr vserver cr_vs -policyName cr_pol1 -priority 100 -gotoPriorityExpression END -type REQUEST

<!--NeedCopy-->

Example output of a sample configuration with no errors or warnings:

nspepi -f sample_2.conf
<!--NeedCopy-->

Converted config is available in a new file new_sample_2.conf. Check the warn_sample_2.conf file for any warnings or errors that might have been generated.

Example output of a sample configuration with warnings:

root@ns# cat sample_2.conf
add policy expression security_expr "req.tcp.destport == 80" -clientSecurityMessage "Not allowed"
set cmp parameter -policyType CLASSIC
add cmp policy cmp_pol1 -rule ns_true -resAction COMPRESS
add cmp policy cmp_pol2 -rule ns_true -resAction COMPRESS
add cmp policy cmp_pol3 -rule TRUE -resAction COMPRESS
bind cmp global cmp_pol1
bind cmp global cmp_pol2 -state DISABLED
bind cmp global cmp_pol3 -priority 1 -gotoPriorityExpression END -type RES_DEFAULT
bind lb vserver lb_vs -policyName cmp_pol2
root@ns#
<!--NeedCopy-->

Example of running nspepi with -f parameter:

root@ns# nspepi -f sample_2.conf
ERROR - Error in converting expression security_expr : conversion of clientSecurityMessage based expression is not supported.
WARNING - Following bind command is commented out because state is disabled. Advanced expressions only have a fixed ordering of the types of bindings without interleaving, except that global bindings are allowed before all other bindings and after all bindings. If you have global bindings in the middle of non-global bindings or any other interleaving then you will need to reorder all your bindings for that feature and direction. Refer to nspepi documentation. If command is required please take a backup because comments will not be saved in ns.conf after triggering 'save ns config': bind cmp global cmp_pol2 -state DISABLED
Warning - Bindings of advanced CMP policies to cmp global are commented out, because initial global cmp parameter is classic but advanced policies are bound. Now global cmp parameter policy type is set to advanced. If commands are required please take a backup because comments will not be saved in ns.conf after triggering 'save ns config'. Advanced expressions only have a fixed ordering of the types of bindings without interleaving, except that global bindings are allowed before all other bindings and after all bindings. If you have global bindings in the middle of non-global bindings or any other interleaving then you will need to reorder all your bindings for that feature and direction. Refer to nspepi documentation.
root@ns#
<!--NeedCopy-->

Converted file:

root@ns# cat new_sample_2.conf  
add policy expression security_expr "req.tcp.destport == 80" -clientSecurityMessage "Not allowed"
set cmp parameter -policyType ADVANCED
add cmp policy cmp_pol1 -rule TRUE -resAction COMPRESS
add cmp policy cmp_pol2 -rule TRUE -resAction COMPRESS
add cmp policy cmp_pol3 -rule TRUE -resAction COMPRESS
#bind cmp global cmp_pol2 -state DISABLED
#bind cmp global cmp_pol3 -priority 1 -gotoPriorityExpression END -type RES_DEFAULT
bind cmp global cmp_pol1 -priority 100 -gotoPriorityExpression END -type RES_DEFAULT
bind lb vserver lb_vs -policyName cmp_pol2 -priority 100 -gotoPriorityExpression END -type RESPONSE
root@ns#
<!--NeedCopy-->

Warning file:

root@ns# cat warn_sample_2.conf
2019-02-28 06:20:10,590: ERROR - Error in converting expression security_expr : conversion of clientSecurityMessage based expression is not supported.
2019-02-28 06:20:12,187: WARNING - Following bind command is commented out because state is disabled. Advanced expressions only have a fixed ordering of the types of bindings without interleaving, except that global bindings are allowed before all other bindings and after all bindings. If you have global bindings in the middle of non-global bindings or any other interleaving then you will need to reorder all your bindings for that feature and direction. Refer to nspepi documentation. If command is required please take a backup because comments will not be saved in ns.conf after triggering 'save ns config': bind cmp global cmp_pol2 -state DISABLED
2019-02-28 06:20:12,191: WARNING - Bindings of advanced CMP policies to cmp global are commented out, because initial global cmp parameter is classic but advanced policies are bound. Now global cmp parameter policy type is set to advanced. If commands are required please take a backup because comments will not be saved in ns.conf after triggering 'save ns config'. Advanced expressions only have a fixed ordering of the types of bindings without interleaving, except that global bindings are allowed before all other bindings and after all bindings. If you have global bindings in the middle of non-global bindings or any other interleaving then you will need to reorder all your bindings for that feature and direction. Refer to nspepi documentation.
root@ns#
<!--NeedCopy-->

Binding Priorities

Advanced policies do not allow arbitrary interleaving by priority between global and non-global and between different binding types. If you rely on such interleaving of Classic policy priorities, you need to adjust the priorities to conform to the Advanced policy rules and to get the behavior you desire. Priorities in Advanced policies are local to a bind point. A bind point is a unique combination of protocol, feature, direction, and entity (entities are specific virtual servers, users, groups, services, and either global override or global default). Policy priorities are not followed across bind points.

For a given protocol, feature, and direction, the following is the order of evaluation of Advanced policies:

  • Global override.
  • (Current) authentication, authorization, and auditing user.
  • Authentication, authorization, and auditing groups (that the user is a member of) in order of weight - ordering is undefined if two or more groups have the same weight.
  • LB virtual server that either the request was received on or that Content Switching selected.
  • Content switching virtual server, cache redirection virtual server that the request was received on.
  • Service selected by load balancing.
  • Global default.

Within each bind point, the policies are evaluated in order of priority from lowest numbered to highest numbered. Policies are only evaluated for the protocol used and the direction that the message was received from.

Classic policy bindings that require manual reprioritization

Here are some types of Classic policy bindings that require manual reprioritization to accomplish your needs. All these are for a given feature and the direction.

  • Classic priorities that increase in priority number opposite to the direction of the above entity type lists. For example a content switching virtual server binding lower than a load balancing virtual server binding.
  • Classic priorities that increase in number other than the order of weights of authentication, authorization, and auditing groups.
  • Classic global priorities that are less than some non-global priority and the same global priorities are greater than some other non-global priority (in other words, any segment of priorities that are a non-global, followed by one or more globals, followed by a non-global).

The NSPEPI and check_invalid_config tools can be run on the CentOS and Ubuntu systems

The following modules are the prerequisites for using these tools:

  • Python
  • Perl
  • Python pip module
  • PLY module for Python
  • Switch.pm for Perl

If Python 3 is installed, create a soft link, for example, "ln -s /usr/bin/python3 /usr/bin/python".

To install Python pip module, PLY module for Python, and Switch.pm for Perl in CentOS, run the following commands:

  • sudo yum install -y perl-Switch
  • sudo yum install python-pip
  • sudo yum install python-ply

To install Python pip module, PLY module for Python, and Switch.pm for Perl in Ubuntu, run the following commands:

  • sudo apt install libswitch-perl
  • sudo apt install python-ply
  • sudo apt install python-pip or sudo apt install python3-pip