Recently I was involved in a project, where one of the objectives was to restrict access to application resources handled by our Citrix ADC, based on a specific time range.
So in this case access should be allowed Monday to Friday between 08:00 and 16:00, and access to the web applications or Citrix Gateway resources should be dropped if it is initiated outside our allowed time frame.
This is pretty straightforward to accomplish; we can leverage the SYS.TIME policy expression on our Citrix ADC. The SYS.TIME expression prefix extracts the NetScaler / ADC system time.
Furthermore we can advance it a bit and combine a PatternSet to group allowed source IPs, and a custom audit log action to provide syslog statistics if access is initiated outside our time frame.
Create a Responder Policy to drop traffic if not within our time range
In this example we create our AppExpert Responder policy, which will be bound to the applicable Content Switching, Load Balancing or Gateway virtual server in scope. As an alternative to a DROP action we could create a Responder action that responds with an HTML page instead, but in this example we simply DROP the traffic if it is outside our time range. Note that the expression below tests only the hour of day, and the GMT prefix means the hours are compared in GMT rather than the appliance's local time zone (the Citrix Docs article linked below also describes the LOCAL prefix).
add responder policy resp-pol-allow-time "!SYS.TIME.WITHIN(GMT 08h,GMT 16h)" DROP
Create the Allowed Source Client IP net in a PatternSet
The following is used to group specific IP subnets in a PatternSet, so we can manage the subnets in a better way: instead of editing our policy expression, we edit the logical pattern set when a change is required.
We start by creating our Pattern Set.
add policy patset pat_set_ipnet_allow
Then we bind our desired IP Subnet to our Pattern Set.
bind policy patset pat_set_ipnet_allow 10.11.12.0 -index 1
For this to work correctly we have to create a named advanced policy expression, which we will reference later on in our Responder policy. Here we define the subnet mask length: CLIENT.IP.SRC.SUBNET(24) yields the client's /24 network address, and appending an empty string coerces it to text so it can be matched against the string patterns in our pattern set.
add policy expression ip_net_24 "CLIENT.IP.SRC.SUBNET(24) + \"\""
Create our Audit Message to log information if policy is triggered
We create an Audit Log Action to tell if our policy was hit outside our time range. This makes it possible to catch any drops and provide statistics in syslog messages.
First we make sure User Defined Logging is enabled.
set audit syslogParams -logLevel ALL -userDefinedAuditlog YES
set audit nslogParams -userDefinedAuditlog YES
We customize our desired audit message.
add audit messageaction audit-act-log-no-time-allow NOTICE "\"Access was initiated outside allowed time range via load-balanced-vserver:\"+HTTP.REQ.LB_VSERVER.NAME+\" ClientIP: \"+CLIENT.IP.SRC+\" issued a \"+HTTP.REQ.METHOD+\" request for \"+HTTP.REQ.HEADER(\"Host\")+HTTP.REQ.URL.HTTP_URL_SAFE" -bypassSafetyCheck YES
Final NS CLI to meet our objective
In this combined example we create our policy and allow access based on a specific time schedule. The Responder policy now only drops a request when it arrives outside the time window AND the client's /24 is not in the allowed pattern set, so the subnets in the pattern set are exempt from the time restriction; the -logAction writes our custom audit message for every drop.
set audit syslogParams -logLevel ALL -userDefinedAuditlog YES
set audit nslogParams -userDefinedAuditlog YES
add audit messageaction audit-act-log-no-time-allow NOTICE "\"Access was initiated outside allowed time range via load-balanced-vserver:\"+HTTP.REQ.LB_VSERVER.NAME+\" ClientIP: \"+CLIENT.IP.SRC+\" issued a \"+HTTP.REQ.METHOD+\" request for \"+HTTP.REQ.HEADER(\"Host\")+HTTP.REQ.URL.HTTP_URL_SAFE" -bypassSafetyCheck YES
add policy patset pat_set_ipnet_allow
bind policy patset pat_set_ipnet_allow 10.11.12.0 -index 1
add policy expression ip_net_24 "CLIENT.IP.SRC.SUBNET(24) + \"\""
add responder policy resp-pol-allow-time "!SYS.TIME.WITHIN(GMT 08h,GMT 16h) AND ip_net_24.CONTAINS_ANY(\"pat_set_ipnet_allow\").NOT" DROP -logAction audit-act-log-no-time-allow
bind lb vserver lb-vs-name -policyName resp-pol-allow-time -priority 100
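To check the boundary cases of the combined policy before binding it, here is a small Python model of its decision logic and audit message. This is an added example written for this page, not NetScaler code or anything from Citrix: the function names (sys_time_within, ip_net_24, responder_decision, evaluate, the at_utc / at_offset / sample_request helpers) are mine, the request is a constructed dict of the HTTP fields the audit message uses, and it assumes that an hour-only bound such as GMT 16h covers the whole hour (08:00:00 through 16:59:59 GMT). It also models the pattern set match both ways, because CONTAINS_ANY is a substring match while EQUALS_ANY is an exact match: with a pattern of 10.11.12.0, a client in 110.11.12.0/24 would also be exempted by CONTAINS_ANY.

```python
# Added example: a Python model of the responder policy on this page, not
# NetScaler code. It reproduces the decision
#   !SYS.TIME.WITHIN(GMT 08h,GMT 16h) AND ip_net_24.CONTAINS_ANY("pat_set_ipnet_allow").NOT
# and the audit message text, so boundary cases can be checked before binding.
# Assumptions (labelled): hour-only bounds are treated as HH:00:00 through
# HH:59:59 GMT inclusive; the request is a plain dict of the fields used.
from datetime import datetime, timedelta, timezone
import ipaddress

# Contents of the pattern set: bind policy patset pat_set_ipnet_allow 10.11.12.0
PAT_SET_IPNET_ALLOW = ("10.11.12.0",)

WINDOW_START_HOUR = 8   # GMT 08h
WINDOW_END_HOUR = 16    # GMT 16h


def sys_time_within(now, start_hour=WINDOW_START_HOUR, end_hour=WINDOW_END_HOUR):
    """Model of SYS.TIME.WITHIN(GMT <start>h, GMT <end>h).

    Assumption: an hour-only upper bound covers the whole hour, so 16h means
    up to 16:59:59. The comparison is done in UTC, as the GMT prefix requires,
    whatever timezone the caller's datetime carries.
    """
    hour = now.astimezone(timezone.utc).hour
    return start_hour <= hour <= end_hour


def ip_net_24(client_ip):
    """Model of the named expression ip_net_24: CLIENT.IP.SRC.SUBNET(24) + "".

    SUBNET(24) yields the /24 network address; appending "" coerces it to text
    so it can be compared with the string patterns in the pattern set.
    """
    network = ipaddress.ip_network(f"{client_ip}/24", strict=False)
    return str(network.network_address)


def contains_any(text, patset):
    """CONTAINS_ANY(patset): true if any pattern is a substring of text."""
    return any(pattern in text for pattern in patset)


def equals_any(text, patset):
    """EQUALS_ANY(patset): true only if text exactly equals a pattern."""
    return any(pattern == text for pattern in patset)


def responder_decision(request, now, matcher=contains_any):
    """Return "DROP" or "ALLOW" for the policy as written on the page.

    The policy drops only when both conditions hold: the time is outside the
    window AND the client's /24 is not in the allowed pattern set.
    """
    outside_window = not sys_time_within(now)
    exempt = matcher(ip_net_24(request["client_ip"]), PAT_SET_IPNET_ALLOW)
    return "DROP" if outside_window and not exempt else "ALLOW"


def audit_message(request):
    """Render the text audit-act-log-no-time-allow builds by concatenating
    HTTP.REQ.* fields and CLIENT.IP.SRC."""
    return (
        "Access was initiated outside allowed time range via load-balanced-vserver:"
        + request["lb_vserver"]
        + " ClientIP: " + request["client_ip"]
        + " issued a " + request["method"]
        + " request for " + request["host"] + request["url"]
    )


def evaluate(request, now, matcher=contains_any):
    """Apply the policy; on DROP also return the audit line the -logAction emits."""
    decision = responder_decision(request, now, matcher)
    return decision, (audit_message(request) if decision == "DROP" else None)


def at_utc(hour, minute=0):
    """Helper: a datetime on a fixed constructed date, in UTC."""
    return datetime(2024, 1, 15, hour, minute, tzinfo=timezone.utc)


def at_offset(hour, minute, offset_hours):
    """Helper: the same constructed date in a fixed UTC offset (a 'local' clock)."""
    return datetime(2024, 1, 15, hour, minute,
                    tzinfo=timezone(timedelta(hours=offset_hours)))


def sample_request(client_ip):
    """Constructed sample request, not captured traffic."""
    return {"client_ip": client_ip, "lb_vserver": "lb-vs-name",
            "method": "GET", "host": "intranet.example", "url": "/portal/"}


if __name__ == "__main__":
    print(evaluate(sample_request("192.0.2.10"), at_utc(18, 30)))
    print(evaluate(sample_request("10.11.12.77"), at_utc(18, 30)))
```

The at_offset helper is there to show the GMT point from the text: a request at 18:00 on a UTC+2 clock is 16:00 GMT and is still allowed, so an ADC in a non-GMT zone needs its window expressed accordingly.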
Relevant Citrix Docs articles
The following Citrix Docs articles explain the SYS.TIME syntax in more detail.
Expressions of NetScaler System Time:
Format of Dates and Times in an Expression: