Using Operators and Operands in Policy Expressions
An operator is a symbol that identifies the operation—mathematical, Boolean, or relational, for example—that manipulates one or more objects, or operands. The first section in this topic lists the operators you can use and defines each one. The second section lists the operators you can use with specific qualifiers, such as method, URL, and query.
Operators and Definitions
This section lists the operators that you can use when creating a policy expression and describes each one.
- ==, !=, EQ, NEQ
  These operators test for exact matches. They are case-sensitive ("cmd.exe" is NOT EQUAL to "cMd.exe"). These operators are useful for creating permissions that allow particular strings meeting an exact syntax while excluding all other strings.
- GT
  This operator is used for numerical comparisons. It is applied to the length of URLs and query strings.
- CONTAINS, NOTCONTAINS
  These operators check whether the specified string is contained in the specified qualifier. These operators are not case-sensitive.
- EXISTS, NOTEXISTS
  These operators check for the existence of a particular qualifier. For example, they can be applied to HTTP headers to determine whether a particular header exists, or used to determine whether the URL query exists.
- CONTENTS
  This operator checks whether the qualifier exists and has contents (that is, whether a header exists and has a value associated with it, whatever that value is).
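The following is an added, illustrative example and not NetScaler's implementation: a small Python evaluator that applies the operator families defined above to a constructed HTTP request. The `Request` class, the `evaluate` function and the sample request `REQ` are assumptions made for this example; it looks up header names case-insensitively and accepts operands in single, double or typographic quotes, with a backslash escaping the character that follows it (as in the `\&sid` example later on this page).

```python
# Added example (illustrative code, not NetScaler's implementation): evaluate
# the operator families defined above against a constructed HTTP request.
import re
from dataclasses import dataclass, field


@dataclass
class Request:
    method: str
    url: str                        # request path, e.g. "/cgi-bin/cMd.exe"
    query: str = ""                 # query string without the leading "?"
    headers: dict = field(default_factory=dict)

    def header(self, name):
        """Look up a header by case-insensitive name; None means absent."""
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None

    def full_url(self):
        """Path plus query, which is what URLLEN measures."""
        return self.url + ("?" + self.query if self.query else "")


# Operator semantics as the page defines them.
def _eq(actual, expected):            # exact and case-sensitive
    return actual == expected

def _neq(actual, expected):
    return actual != expected

def _gt(actual, expected):            # numeric comparison of lengths
    return int(actual) > int(expected)

def _contains(actual, expected):      # substring, case-insensitive
    return expected.lower() in actual.lower()

def _notcontains(actual, expected):
    return not _contains(actual, expected)

BINARY = {"EQ": _eq, "==": _eq, "NEQ": _neq, "!=": _neq, "GT": _gt,
          "CONTAINS": _contains, "NOTCONTAINS": _notcontains}

# "<qualifier> <operator> [operand]"  or  "Header <name> <operator> [operand]"
EXPR_RE = re.compile(r"^(?:(Header)\s+(\S+)|(\S+))\s+(\S+)(?:\s+(.+))?$", re.I)


def _unquote(operand):
    """Strip single, double or typographic quotes, then backslash escapes."""
    if len(operand) >= 2 and operand[0] in "'\"\u2018\u201c" and operand[-1] in "'\"\u2019\u201d":
        operand = operand[1:-1]
    return re.sub(r"\\(.)", r"\1", operand)


def evaluate(expression, req):
    """Return True when the expression holds for the request."""
    match = EXPR_RE.match(expression.strip())
    if not match:
        raise ValueError(f"cannot parse expression: {expression!r}")
    is_header, header_name, qualifier, operator, operand = match.groups()
    operator = operator.upper()
    operand = _unquote(operand) if operand is not None else None

    # Resolve the qualifier to the value it names; None means "absent".
    if is_header:
        value = req.header(header_name)
    else:
        values = {"METHOD": req.method,
                  "URLQUERY": req.query or None,          # absent when empty
                  "URLLEN": str(len(req.full_url())),
                  "URLQUERYLN": str(len(req.query))}
        if qualifier.upper() not in values:
            raise ValueError(f"unsupported qualifier: {qualifier}")
        value = values[qualifier.upper()]

    # Unary operators: presence, and presence with a non-empty value.
    if operator == "EXISTS":
        return value is not None
    if operator == "NOTEXISTS":
        return value is None
    if operator == "CONTENTS":
        return bool(value)

    if operator not in BINARY or operand is None:
        raise ValueError(f"bad operator or missing operand in {expression!r}")
    return BINARY[operator](value or "", operand)


# Constructed sample request used by the usage below.
REQ = Request(method="GET", url="/cgi-bin/cMd.exe", query="x=1",
              headers={"Cookie": "a=1&sid=abc", "User-Agent": "test", "X-Empty": ""})

if __name__ == "__main__":
    for expr in ("Method EQ GET", "Method EQ get", "URLQUERY CONTAINS 'X=1'",
                 "URLLEN GT 60", "Header Cookie EXISTS", "Header X-Empty CONTENTS"):
        print(f"{expr:32} -> {evaluate(expr, REQ)}")
```

Two points the run makes visible: `Method EQ get` is false against a `GET` request because EQ is case-sensitive, while `URLQUERY CONTAINS 'X=1'` is true against `x=1` because CONTAINS is not; and `Header X-Empty EXISTS` is true for a header sent with an empty value, whereas `Header X-Empty CONTENTS` is false, which is exactly the distinction the CONTENTS definition draws.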
Qualifiers, Operators, Operands, Actions, and Examples
This section shows the parameters you can use for operators and operands. Each item starts with the qualifier and then lists the associated operator and operand, describes the action that the expression carries out, and provides an example.
- Method
  Operator: EQ, NEQ
  Operands: Required: a standard HTTP method. Supported methods: GET, HEAD, POST, PUT, DELETE, OPTIONS, TRACE, CONNECT
  Actions: Compares the incoming request method with the configured method.
  Example: Method EQ GET
- URL
  Operator: EQ, NEQ
  Operands: Required: URL (Format: /[prefix][*][.suffix])
  Actions: Compares the incoming URL with the configured URL.
  Examples:
    URL EQ /foo*.asp
    URL EQ /foo*
    URL EQ /*.asp
    URL EQ /foo.asp

  Operator: CONTAINS, NOTCONTAINS
  Operands: Required: Any string (in quotes)
  Actions: Checks the incoming URL for the presence of the configured pattern. (Includes URL and URL query.)
  Example: URL CONTAINS ‘ZZZ’
- URL LEN
  Operator: GT
  Operands: Required: Length (as an integer value)
  Actions: Compares the incoming URL length with the configured length. (Includes URL and URL query.)
  Example: URLLEN GT 60
- URL QUERY
  Operator: CONTAINS, NOTCONTAINS
  Operands: Required: Any string (in quotes). Optional: Length and offset
  Actions: Checks the incoming URL query for the presence of the configured pattern. Used similarly to CONTENTS. If no option is specified, the whole URL query after the pattern is used. If options are present, only the specified length of the query after the pattern is used. The offset indicates where to start the search for the pattern.
  Example: URLQUERY CONTAINS ‘ZZZ’
- URL QUERY LEN
  Operator: GT
  Operands: Required: Length (as an integer value)
  Actions: Compares the incoming URL query length with the configured length.
  Example: URLQUERYLN GT 60
- URL TOKENS
  Operator: EQ, NEQ
  Operands: Required: URL tokens (supported URL tokens: =, +, %, !, &, ?)
  Actions: Checks the incoming URL for the presence of the configured tokens. A backslash (\) must be entered in front of the question mark.
  Example: URLTOKENS EQ ‘%, +, &, \?’
- VERSION
  Operator: EQ, NEQ
  Operands: Required: Standard HTTP version. Valid HTTP version strings: HTTP/1.0, HTTP/1.1
  Actions: Compares the incoming request’s HTTP version with the configured HTTP version.
  Example: VERSION EQ HTTP/1.1
- Header
  Operator: EXISTS, NOTEXISTS
  Operands: None
  Actions: Examines the incoming request for the presence of the HTTP header.
  Example: Header Cookie EXISTS

  Operator: CONTAINS, NOTCONTAINS
  Operands: Required: Any string (in quotes). Optional: Length and offset
  Actions: Checks the incoming request for the presence of the configured pattern in the specified header. Used similarly to CONTENTS. If no option is specified, the whole HTTP header value after the pattern is used. If options are present, only the specified length of the header after the pattern is used. The offset indicates where to start the search for the pattern.
  Example: Header Cookie CONTAINS “\&sid”

  Operator: CONTENTS
  Operands: Optional: Length and offset
  Actions: Uses the contents of the HTTP header. If no option is specified, the whole HTTP header value is used. If options are present, only the specified length of the header, starting from the offset, is used.
  Example: Header User-Agent CONTENTS
- SOURCEIP
  Operator: EQ, NEQ
  Operands: Required: IP address. Optional: Subnet mask
  Actions: Compares the source IP address of the incoming request with the configured IP address. If the optional subnet mask is specified, the incoming request is checked against the configured IP address and subnet mask.
  Example: Sourceip EQ 192.168.100.0 -netmask 255.255.255.0
- DESTIP
  Operator: EQ, NEQ
  Operands: Required: IP address. Optional: Subnet mask
  Actions: Compares the destination IP address of the incoming request with the configured IP address. If the optional subnet mask is specified, the incoming request is checked against the configured IP address and subnet mask.
  Example: Destip EQ 192.168.100.0 -netmask 255.255.255.0
- SOURCEPORT
  Operator: EQ, NEQ
  Operands: Required: Port number. Optional: Port range
  Actions: Compares the source port number of the incoming request with the configured port number.
  Example: SOURCEPORT EQ 10-20
- DESTPORT
  Operator: EQ, NEQ
  Operands: Required: Port number. Optional: Port range
  Actions: Compares the destination port number of the incoming request with the configured port number.
  Example: DESTPORT NEQ 80
- CLIENT.SSL.VERSION
  Operator: EQ, NEQ
  Operands: Required: SSL version
  Actions: Checks the SSL or TLS version used in the secure connection.
  Example: CLIENT.SSL.VERSION EQ SSLV3
- CLIENT.CIPHER.TYPE
  Operator: EQ, NEQ
  Operands: Required: Client cipher type
  Actions: Checks the type of cipher being used (export or non-export).
  Example: CLIENT.CIPHER.TYPE EQ EXPORT
- CLIENT.CIPHER.BITS
  Operator: EQ, NEQ, GE, LE, GT, LT
  Operands: Required: Client cipher bits
  Actions: Checks the key strength of the cipher being used.
  Example: CLIENT.CIPHER.BITS GE 40
- CLIENT.CERT
  Operator: EXISTS, NOTEXISTS
  Operands: None
  Actions: Checks whether the client sent a valid certificate during the SSL handshake.
  Example: CLIENT.CERT EXISTS
- CLIENT.CERT.VERSION
  Operator: EQ, NEQ, GE, LE, GT, LT
  Operands: Client certificate version
  Actions: Checks the version of the client certificate.
  Example: CLIENT.CERT.VERSION EQ 2
- CLIENT.CERT.SERIALNUMBER
  Operator: EQ, NEQ
  Operands: Required: Client certificate serial number
  Actions: Checks the serial number of the client certificate. The serial number is treated as a string.
  Example: CLIENT.CERT.SERIALNUMBER EQ 2343323
- CLIENT.CERT.SIGALGO
  Operator: EQ, NEQ
  Operands: Required: Client certificate signature algorithm
  Actions: Checks the signature algorithm used in the client certificate.
  Example: CLIENT.CERT.SIGALGO EQ md5WithRSAEncryption
- CLIENT.CERT.SUBJECT
  Operator: CONTAINS, NOTCONTAINS
  Operands: Required: Client certificate subject. Optional: Length, offset
  Actions: Checks the subject field of the client certificate.
  Example: CLIENT.CERT.SUBJECT CONTAINS CN=Access_Gateway
- CLIENT.CERT.ISSUER
  Operator: CONTAINS, NOTCONTAINS
  Operands: Required: Client certificate issuer. Optional: Length, offset
  Actions: Checks the issuer field of the client certificate.
  Example: CLIENT.CERT.ISSUER CONTAINS O=Verisign
- CLIENT.CERT.VALIDFROM
  Operator: EQ, NEQ, GE, LE, GT, LT
  Operands: Required: Date
  Actions: Checks the date from which the client certificate is valid. Valid date formats are:
    Tue, 05 Nov 1994 08:12:31 GMT
    Tuesday, 05-Nov-94 08:12:31 GMT
    Tue Nov 14 08:12:31 1994
  Example: CLIENT.CERT.VALIDFROM GE ‘Tue Nov 14 08:12:31 1994’
- CLIENT.CERT.VALIDTO
  Operator: EQ, NEQ, GE, LE, GT, LT
  Operands: Required: Date
  Actions: Checks the date until which the client certificate is valid. Valid date formats are:
    Tue, 05 Nov 1994 08:12:31 GMT
    Tuesday, 05-Nov-94 08:12:31 GMT
    Tue Nov 14 08:12:31 1994
  Example: CLIENT.CERT.VALIDTO GE ‘Tue Nov 14 08:12:31 1994’
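The following is an added, illustrative example and not NetScaler's implementation. It works through the operand formats that the URL, SOURCEIP/DESTIP, SOURCEPORT/DESTPORT and CLIENT.CIPHER.BITS entries above describe: the `/[prefix][*][.suffix]` URL pattern, an IP address with an optional `-netmask`, a port or port range, and the relational comparison of cipher strength. The `url_matches`, `ip_matches`, `port_matches` and `evaluate` functions and the `CONNECTION` facts are assumptions made for this example; it further assumes that a URL pattern contains at most one `*` and that a port range is inclusive, neither of which the page states.

```python
# Added example (illustrative code, not NetScaler's implementation): matchers
# for the URL, SOURCEIP/DESTIP, SOURCEPORT/DESTPORT and CLIENT.CIPHER.BITS
# operand formats, evaluated against constructed connection facts.
import ipaddress


def url_matches(pattern, path):
    """URL EQ operand of the form /[prefix][*][.suffix].

    Without '*' the comparison is exact and case-sensitive (EQ semantics);
    with a single '*' the prefix must begin the path and the suffix must end
    it, without the two overlapping. Assumption: at most one '*' is allowed."""
    if pattern.count("*") > 1:
        raise ValueError("URL pattern supports a single '*'")
    if "*" not in pattern:
        return path == pattern
    prefix, suffix = pattern.split("*")
    return (len(path) >= len(prefix) + len(suffix)
            and path.startswith(prefix) and path.endswith(suffix))


def ip_matches(configured, netmask, actual):
    """SOURCEIP/DESTIP EQ operand with an optional subnet mask.

    With a mask the request address must fall inside the configured network;
    without one the two addresses must be identical."""
    if netmask is None:
        return ipaddress.ip_address(actual) == ipaddress.ip_address(configured)
    network = ipaddress.ip_network(f"{configured}/{netmask}", strict=False)
    return ipaddress.ip_address(actual) in network


def port_matches(operand, actual):
    """SOURCEPORT/DESTPORT operand: a single port or a range written 10-20.
    Assumption: the range is inclusive at both ends."""
    operand = operand.replace("\u2013", "-")        # tolerate an en dash
    if "-" in operand:
        low, high = (int(part) for part in operand.split("-", 1))
        return low <= actual <= high
    return actual == int(operand)


# Relational operators accepted by CLIENT.CIPHER.BITS.
COMPARE = {"EQ": lambda a, b: a == b, "NEQ": lambda a, b: a != b,
           "GT": lambda a, b: a > b, "LT": lambda a, b: a < b,
           "GE": lambda a, b: a >= b, "LE": lambda a, b: a <= b}

# Constructed facts about one connection, used by the usage below.
CONNECTION = {"url": "/foo.asp", "source_ip": "192.168.100.42",
              "dest_ip": "10.0.0.5", "source_port": 15, "dest_port": 443,
              "cipher_bits": 128}


def evaluate(expression, conn):
    """Evaluate one expression of the forms handled above against conn."""
    tokens = expression.split()
    qualifier, op, args = tokens[0].upper(), tokens[1].upper(), tokens[2:]
    if qualifier == "CLIENT.CIPHER.BITS":
        return COMPARE[op](conn["cipher_bits"], int(args[0]))
    if op not in ("EQ", "NEQ"):
        raise ValueError(f"{qualifier} supports only EQ and NEQ")
    if qualifier == "URL":
        matched = url_matches(args[0], conn["url"])
    elif qualifier in ("SOURCEIP", "DESTIP"):
        # An optional "-netmask <mask>" follows the address.
        netmask = args[2] if len(args) == 3 and args[1].lower() == "-netmask" else None
        side = "source_ip" if qualifier == "SOURCEIP" else "dest_ip"
        matched = ip_matches(args[0], netmask, conn[side])
    elif qualifier in ("SOURCEPORT", "DESTPORT"):
        side = "source_port" if qualifier == "SOURCEPORT" else "dest_port"
        matched = port_matches(args[0], conn[side])
    else:
        raise ValueError(f"unsupported qualifier: {qualifier}")
    return matched if op == "EQ" else not matched


if __name__ == "__main__":
    for expr in ("URL EQ /foo*.asp", "URL EQ /Foo.asp",
                 "SOURCEIP EQ 192.168.100.0 -netmask 255.255.255.0",
                 "SOURCEIP EQ 192.168.100.0", "SOURCEPORT EQ 10-20",
                 "DESTPORT NEQ 80", "CLIENT.CIPHER.BITS GE 40"):
        print(f"{expr:52} -> {evaluate(expr, CONNECTION)}")
```

The run shows why the optional subnet mask matters: `SOURCEIP EQ 192.168.100.0 -netmask 255.255.255.0` matches a client at 192.168.100.42, but the same address without `-netmask` is an exact comparison and does not. Likewise `URL EQ /Foo.asp` fails against `/foo.asp` because EQ on the URL qualifier is case-sensitive, while all four URL examples from the page match it.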