Citrix NetScaler Application Switch
Command Reference Guide
Citrix Systems, Inc.
© CITRIX SYSTEMS, INC., 2005. ALL RIGHTS RESERVED. NO PART OF THIS DOCUMENT MAY BE REPRODUCED OR TRANSMITTED IN ANY FORM OR BY ANY MEANS OR USED TO MAKE DERIVATIVE WORK (SUCH AS TRANSLATION, TRANSFORMATION, OR ADAPTATION) WITHOUT THE EXPRESS WRITTEN PERMISSION OF CITRIX SYSTEMS, INC.
ALTHOUGH THE MATERIAL PRESENTED IN THIS DOCUMENT IS BELIEVED TO BE ACCURATE, IT IS PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE ALL RESPONSIBILITY FOR THE USE OR APPLICATION OF THE PRODUCT(S) DESCRIBED IN THIS MANUAL.
CITRIX SYSTEMS, INC. OR ITS SUPPLIERS DO NOT ASSUME ANY LIABILITY THAT MAY OCCUR DUE TO THE USE OR APPLICATION OF THE PRODUCT(S) DESCRIBED IN THIS DOCUMENT. INFORMATION IN THIS DOCUMENT IS SUBJECT TO CHANGE WITHOUT NOTICE. COMPANIES, NAMES, AND DATA USED IN EXAMPLES ARE FICTITIOUS UNLESS OTHERWISE NOTED.
The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense.
Modifying the equipment without Citrix' written authorization may result in the equipment no longer complying with FCC requirements for Class A digital devices. In that event, your right to use the equipment may be limited by FCC regulations, and you may be required to correct any interference to radio or television communications at your own expense.
You can determine whether your equipment is causing interference by turning it off. If the interference stops, it was probably caused by the NetScaler Request Switch™ 9000 Series equipment. If the NetScaler equipment causes interference, try to correct the interference by using one or more of the following measures:
Move the NetScaler equipment to one side or the other of your equipment.
Move the NetScaler equipment farther away from your equipment.
Plug the NetScaler equipment into an outlet on a different circuit from your equipment. (Make sure the NetScaler equipment and your equipment are on circuits controlled by different circuit breakers or fuses.)
Modifications to this product not authorized by Citrix Systems, Inc., could void the FCC approval and negate your authority to operate the product.
BroadCom is a registered trademark of BroadCom Corporation. Fast Ramp, NetScaler, and NetScaler Request Switch are trademarks of Citrix Systems, Inc. Linux is a registered trademark of Linus Torvalds. Internet Explorer, Microsoft, PowerPoint, Windows and Windows product names such as Windows NT are trademarks or registered trademarks of the Microsoft Corporation. NetScape is a registered trademark of Netscape Communications Corporation. Red Hat is a trademark of Red Hat, Inc. Sun and Sun Microsystems are registered trademarks of Sun Microsystems, Inc. Other brand and product names may be registered trademarks or trademarks of their respective holders.
Software covered by the following third party copyrights may be included with this product and will also be subject to the software license agreement: Copyright 1998 © Carnegie Mellon University. All rights reserved. Copyright © David L. Mills 1993, 1994. Copyright © 1992, 1993, 1994, 1997 Henry Spencer. Copyright © Jean-loup Gailly and Mark Adler. Copyright © 1999, 2000 by Jef Poskanzer. All rights reserved. Copyright © Markus Friedl, Theo de Raadt, Niels Provos, Dug Song, Aaron Campbell, Damien Miller, Kevin Steves. All rights reserved. Copyright © 1982, 1985, 1986, 1988-1991, 1993 Regents of the University of California. All rights reserved. Copyright © 1995 Tatu Ylonen, Espoo, Finland. All rights reserved. Copyright © UNIX System Laboratories, Inc. Copyright © 2001 Mark R V Murray. Copyright 1995-1998 © Eric Young. Copyright © 1995,1996,1997,1998. Lars Fenneberg. Copyright © 1992. Livingston Enterprises, Inc. Copyright © 1992, 1993, 1994, 1995. The Regents of the University of Michigan and Merit Network, Inc. Copyright © 1991-2, RSA Data Security, Inc. Created 1991. Copyright © 1998 Juniper Networks, Inc. All rights reserved. Copyright © 2001, 2002 Networks Associates Technology, Inc. All rights reserved. Copyright (c) 2002 Networks Associates Technology, Inc. Copyright 1999-2001© The Open LDAP Foundation. All Rights Reserved. Copyright © 1999 Andrzej Bialecki. All rights reserved. Copyright © 2000 The Apache Software Foundation. All rights reserved. Copyright (C) 2001-2003 Robert A. van Engelen, Genivia inc. All Rights Reserved. Copyright (c) 1997-2004 University of Cambridge. All rights reserved. Copyright (c) 1995. David Greenman. Copyright (c) 2001 Jonathan Lemon. All rights reserved. Copyright (c) 1997, 1998, 1999. Bill Paul. All rights reserved. Copyright (c) 1994-1997 Matt Thomas. All rights reserved. Copyright © 2000 Jason L. Wright. Copyright © 2000 Theo de Raadt. Copyright © 2001 Patrik Lindergren. All rights reserved.
Part No. NS-CRG-61-1105
Last Updated: December 2005
Contents
Introduction: How to use This Reference, Command Conventions, Command Line Overview
AAA Commands: stat aaa, show aaa stats, add aaa user, rm aaa user, set aaa user, show aaa user, add aaa group, rm aaa group, show aaa group, bind aaa user, unbind aaa user, bind aaa group, unbind aaa group, set aaa radiusparams, show aaa radiusparams, set aaa ldapparams, show aaa ldapparams, set aaa tacacsparams, show aaa tacacsparams, set aaa nt4params, show aaa nt4params, set aaa certparams, show aaa certparams, set aaa parameter, show aaa parameter, show aaa session, kill aaa session
Auditing Commands: stat audit, show audit stats, add audit syslogaction, rm audit syslogaction, show audit syslogaction, add audit syslogpolicy, rm audit syslogpolicy, show audit syslogpolicy, set audit syslogpolicy, set audit syslogparams, show audit syslogparams, unset audit syslogparams, show audit messages
Authentication Commands: add authentication radiusaction, rm authentication radiusaction, show authentication radiusaction, add authentication ldapaction, rm authentication ldapaction, show authentication ldapaction, add authentication tacacsaction, rm authentication tacacsaction, show authentication tacacsaction, add authentication nt4action, rm authentication nt4action, add authentication certaction, show authentication certaction, rm authentication certaction, show authentication nt4action, add authentication localpolicy, rm authentication localpolicy, show authentication localpolicy, set authentication localpolicy, add authentication radiuspolicy, rm authentication radiuspolicy, show authentication radiuspolicy, set authentication radiuspolicy, add authentication certpolicy, set authentication certpolicy, show authentication certpolicy, rm authentication certpolicy, add authentication ldappolicy, rm authentication ldappolicy, show authentication ldappolicy, set authentication ldappolicy, add authentication tacacspolicy, rm authentication tacacspolicy, show authentication tacacspolicy, set authentication tacacspolicy, add authentication nt4policy, rm authentication nt4policy, show authentication nt4policy, set authentication nt4policy
Authorization Commands: add authorization policy, rm authorization policy, show authorization policy, set authorization policy
Base Commands: sync, add server, disable server, enable server, rm server, show server, add service, bind service, disable service, enable service, rm service, set service, show service, unbind service, stat service, add monitor, bind monitor, enable monitor, disable monitor, rm monitor, set monitor, show monitor, unbind monitor, add vlan, bind vlan, rm vlan, show vlan, stat vlan, unbind vlan, clear interface, disable interface, enable interface, reset interface, set interface, show interface, stat interface, show channel, add channel, set channel, bind channel, unbind channel, rm channel, add location, show location, rm location, set locationparameter, show locationparameter, add locationfile, show locationfile, rm locationfile, clear locationdata, install
Integrated Caching Commands: add cache policy, rm cache policy, show cache policy, bind cache global, unbind cache global, show cache global, add cache contentgroup, rm cache contentgroup, set cache contentgroup, show cache contentgroup, expire cache contentgroup, flush cache contentgroup, show cache forwardProxy, add cache forwardProxy, rm cache forwardProxy, show cache object, expire cache object, flush cache object, set cache parameter, show cache parameter, show cache stats, stat cache
CLI Commands: help, man, quit, exit, set cli mode, show cli mode, set cli prompt, clear cli prompt, show cli prompt, @, alias, builtins, end, history, unalias, while, config
Compression Commands: stat cmp, show cmp stats, add cmp action, rm cmp action, show cmp action, add cmp policy, rm cmp policy, show cmp policy, set cmp policy, bind cmp global, unbind cmp global, show cmp global
Cache Redirection Commands: add cr policy, rm cr policy, show cr policy, add cr vserver, bind cr vserver, set cr vserver, rm cr vserver, enable cr vserver, disable cr vserver, show cr vserver, unbind cr vserver, unset cr vserver
Content Switching Commands: add cs policy, rm cs policy, show cs policy, set cs policy, add cs vserver, bind cs vserver, set cs vserver, rm cs vserver, enable cs vserver, disable cs vserver, show cs vserver, stat cs vserver, unbind cs vserver
DNS Commands: stat dns, show dns stats, add dns addRec, rm dns addRec, show dns addRec, add dns cnameRec, rm dns cnameRec, show dns cnameRec, add dns mxRec, rm dns mxRec, set dns mxRec, show dns mxRec, add dns nsRec, rm dns nsRec, show dns nsRec, set dns parameter, show dns parameter, add dns soaRec, set dns soaRec, rm dns soaRec, show dns soaRec, add dns suffix, rm dns suffix, show dns suffix, add dns nameserver, rm dns nameserver, show dns nameserver, flush dns proxyRecords
DoS Commands: add dos policy, rm dos policy, set dos policy, show dos policy
Filter Commands: add filter action, rm filter action, show filter action, add filter policy, rm filter policy, show filter policy, set filter policy, bind filter global, unbind filter global, show filter global
GSLB Commands: add gslb site, set gslb site, rm gslb site, show gslb site, add gslb service, set gslb service, rm gslb service, show gslb service, add gslb vserver, set gslb vserver, rm gslb vserver, enable gslb vserver, disable gslb vserver, show gslb vserver, bind gslb vserver, unbind gslb vserver, set gslb parameter, show gslb parameter, add gslb policy, rm gslb policy, set gslb policy, show gslb policy, add gslb action, rm gslb action, set gslb action, show gslb action
Load Balancing Commands: bind lb group, show lb group, set lb group, unbind lb group, add lb vserver, bind lb vserver, enable lb vserver, disable lb vserver, set lb vserver, rm lb vserver, show lb vserver, stat lb vserver, unbind lb vserver, show lb route, add lb route, rm lb route
NetScaler Commands: stat ns, stat ns bridge, stat ns node, show ns stats, add ns arp, disable ns arp, enable ns arp, rm ns arp, send ns arp, show ns arp, show ns bridgetable, set ns bridgetable, save ns config, set ns config, unset ns config, show ns config, show ns ns.conf, clear ns config, config ns, show ns runningconfig, add ns acl, rm ns acl, enable ns acl, disable ns acl, set ns acl, show ns acl, clear ns acls, apply ns acls, stat ns acl, force ns failover, force ns sync, disable ns feature, enable ns feature, show ns feature, show ns info, add ns ip, show ns ip, set ns ip, enable ns ip, disable ns ip, rm ns ip, disable ns mode, enable ns mode, show ns mode, add ns fis, bind ns fis, unbind ns fis, rm ns fis, show ns fis, show ns ci, bind ns node, unbind ns node, add ns node, set ns node, rm ns node, show ns node, show ns license, show ns rnat, set ns rnat, clear ns rnat, add ns route, set ns route, unset ns route, clear ns route, rm ns route, show ns route, set ns spparams, show ns spparams, set ns tcpbufparam, show ns tcpbufparam, show ns version, set ns weblogparam, show ns weblogparam, set ns rateControl, show ns rateControl, reboot, shutdown, set ns rpcnode, show ns rpcnode
Policy Commands: add policy expression, set policy expression, rm policy expression, show policy expression, add policy map, rm policy map, show policy map
Performance Queuing Commands: show pq binding, add pq policy, rm pq policy, set pq policy, show pq policy
Protocols Commands: stat protocol tcp, stat protocol http, stat protocol icmp, stat protocol ip, stat protocol udp
Routing Commands: vtysh, set router ospf, unset router ospf, show router ospf, set router rip, unset router rip, show router rip, set router bgp, show router bgp, unset router bgp, add router bgp, clear router bgp, add router map, set router map, unset router map, show router map
SureConnect Commands: set sc parameter, show sc parameter, add sc policy, rm sc policy, set sc policy, show sc policy
SNMP Commands: stat snmp, show snmp stats, enable snmp alarm, disable snmp alarm, set snmp alarm, unset snmp alarm, show snmp alarm, add snmp community, rm snmp community, show snmp community, add snmp manager, rm snmp manager, show snmp manager, set snmp mib, show snmp mib, add snmp trap, rm snmp trap, show snmp trap, show snmp oid
SSL Commands: stat ssl, show ssl stats, create ssl cert, add ssl certkey, bind ssl certkey, link ssl certkey, rm ssl certkey, show ssl certkey, unbind ssl certkey, unlink ssl certkey, update ssl certkey, show ssl certlink, create ssl certreq, add ssl cipher, bind ssl cipher, rm ssl cipher, show ssl cipher, create ssl crl, add ssl crl, rm ssl crl, set ssl crl, show ssl crl, create ssl dhparam, create ssl dsakey, set ssl fips, reset ssl fips, show ssl fips, create ssl fipskey, rm ssl fipskey, show ssl fipskey, import ssl fipskey, export ssl fipskey, create ssl rsakey, convert ssl pkcs12, convert ssl pkcs8, set ssl service, show ssl service, set ssl vserver, show ssl vserver, create ssl wrapkey, rm ssl wrapkey, show ssl wrapkey, init ssl fipsSIMsource, init ssl fipsSIMtarget, enable ssl fipsSIMtarget, enable ssl fipsSIMsource
System Commands: batch, ping, traceroute, grep, shell, scp, add system cmdPolicy, rm system cmdPolicy, set system cmdPolicy, show system cmdPolicy, add system user, set system user, rm system user, show system user, bind system user, unbind system user, add system group, rm system group, show system group, bind system group, unbind system group, bind system global, unbind system global, show system global
Tunnel Commands: add tunnel trafficpolicy, rm tunnel trafficpolicy, show tunnel trafficpolicy, set tunnel trafficpolicy, bind tunnel global, unbind tunnel global, show tunnel global
SSLVPN Commands: stat vpn, show vpn stats, add vpn vserver, show vpn vserver, set vpn vserver, rm vpn vserver, enable vpn vserver, disable vpn vserver, bind vpn vserver, unbind vpn vserver, add vpn intranetapplication, show vpn intranetapplication, rm vpn intranetapplication, bind vpn global, unbind vpn global, show vpn global, add vpn trafficpolicy, rm vpn trafficpolicy, show vpn trafficpolicy, set vpn trafficpolicy, add vpn trafficaction, rm vpn trafficaction, show vpn trafficaction, add vpn url, rm vpn url, show vpn url, add vpn sessionpolicy, rm vpn sessionpolicy, show vpn sessionpolicy, set vpn sessionpolicy, add vpn sessionaction, rm vpn sessionaction, show vpn sessionaction, set vpn parameter, unset vpn parameter, show vpn parameter
Introduction
Welcome to the Command Reference Guide. This reference covers all aspects of using the Command Line Interface in the configuration and operation of the system. For information on accessing your system's Command Line Interface, please refer to the installation chapter in the Installation and Configuration Guide before continuing on from this point.
1.1 How to use This Reference
This command reference is organized in two chapters:
• Chapter 1: The Command Line Overview which explains how to use the Command Line Interface.
• Chapter 2: Alphabetically ordered descriptions of all of the commands.
If you are unfamiliar with using the system, you should start with the CLI usage chapter to familiarize yourself with the interface after reviewing the following section on document conventions. Otherwise, this document serves as the primary source of information on the commands available in the NSCLI and may be accessed at any arbitrary point as your needs dictate.
1.2 Command Conventions
These conventions are used to describe the commands in this guide.
Convention               Alerts You To
command                  Command and argument names can be entered in any combination of upper and lower case characters. In this document command and argument names are sometimes displayed in upper and lower case. This is for readability and does not reflect the way in which the commands must be entered.
command argument         This typeface represents a command argument.
screen text              Text with this typeface represents information on a screen, as well as the names of directories, files, and commands.
<key name>+<key name>    Keyboard key names appear within angle brackets. A plus sign appears between keys you must press simultaneously.
text in italics          Italic type emphasizes text or indicates new terms.
Square Brackets ( [ ] )  Arguments that are contained within square brackets are optional. Arguments that are not contained within brackets are required.
Angle Brackets (< >)     Arguments within angle brackets are variable place holders. Replace these with values appropriate for your configuration.
Vertical Bars ( | )      When arguments are separated by vertical bars, either argument can be specified.
Note: When entering the argument, neither the brackets nor the vertical bars are included.
1.3 Command Line Overview
This section discusses the usage of the Command Line Interface. The discussion is broken up into two sections, basic and advanced CLI usage. The basic section covers all of the rudimentary aspects of the CLI which provides the information necessary for basic CLI usage. The advanced usage section expands on the remaining features of the Command Line Interface which allow you to further control and enhance your sessions but are not required for day to day operation.
1.3.1 Basic Command Line Usage
This section discusses the essential instruction necessary for basic command line usage with the system. Start with this section if you are unfamiliar with the CLI.
1.3.1.1 Understanding the Command Structure
Most commands adhere to the general format shown here.
action groupname entity <entityname> [-parameter]
An action is the task that the command is performing such as an add or set action. The groupname is the functional area or feature where the action is being taken such as dns or lb. An entity is the specific type of object such as a vserver that the command is being issued against. The entityname is the name given to an entity instance that the command is being issued upon. If an entity instance is being created with the issued command, such as with the add action, the entityname will be a name of your choosing. Lastly, the parameters applicable to the command are listed. The actual number and type of available parameters will vary by command.
1.3.1.2 Getting Help in the CLI
The help command offers a quick way to get more information on commands. The command can return help on specific commands, groups of commands, or the entire set of nscli commands.
By typing help alone on the command line, the system will print a brief general help message as shown here.
> help
nscli - command-line interface to NetScaler
Try :
help <commandName> for full usage of a specific command
help <groupName> for brief usage of a group of commands
help -all for brief usage of all nscli commands
The command groups are:
basic aaa authentication
authorization cache cli
cmp cr cs
dns dos filter
gslb lb ns
policy pq router
snmp sc ssl
system tunnel vpn
Done
>
And by entering help help, you will see the following output which shows the syntax for the help command.
> help help
Usage: help [(commandName) | (<groupName> | [-all]) |]
Done
>
If you need help on using a specific command or command group, use the syntax shown above, substituting the command or group name you need help for.
By specifying the command name, the CLI feedback will provide you with a full listing of the command's syntax along with an expansion on those parameters with limited sets of options.
If you enter a group name, the CLI will print a full list of the commands that belong to that group. The output below shows an example of using this help method for the add vserver command.
> help add vserver
Usage: add vserver <vServerName>@ <serviceType> [<IPAddress> @
<port> -range <positive_integer>] [-cacheType <cacheType>]
[-backupVServerName <string>] [-redirectURL <URL>]
[-cacheable ( YES | NO )] [-cltTimeout <secs>]
[-soMethod ( CONNECTION | NONE )]
[-soPersistence ( ENABLED | DISABLED )]
[-soPersistenceTimeOut <positive_integer>]
[-soThreshold <positive_integer>] [-state (
ENABLED | DISABLED )]
where:
<serviceType> = ( HTTP | FTP | TCP | UDP | SSL | SSL_BRIDGE |
SSL_TCP | NNTP | DNS | DHCPRA | ANY )
<cacheType> = ( TRANSPARENT | REVERSE | FORWARD )
Done
>
The question mark <?> can also be used to get help in the CLI. By typing a question mark alone, the system will print out a listing of all the actions available from the top level command structure.
1.3.1.3 Getting Help with Man Pages
The command line interface has its own set of man pages similar to those traditionally found in UNIX and UNIX-like operating systems. This system returns the same command reference information as is found in this guide. To use this help feature, issue the man command using the name of the command you wish to view information on as the argument.
Once the first screen is displayed, you may scroll through the page either a screen at a time or line by line. To advance line by line, press the <Enter> key. To advance to the next screen use the space bar.
When viewing commands with man, to exit the page before reaching the end of it, press the <Q> key.
1.3.1.4 Using Command Completion
When working on the command line, you can use either the <Tab> key or the <?> key for command completion and assistance. For example, typing show e followed by the <Tab> key will complete the command as show expression. If no completion is displayed after pressing <Tab> once, press <Tab> once more and the system will offer you a set of possible completions. After the output is displayed, you are returned to the prompt with the portion of the command that was previously entered so that you may continue where you left off.
Using the question mark key offers slightly different completion options. You may enter a question mark at any point on the command line and the system will provide you with a list of all possible completions that are recognized from that point forward. The following example illustrates this usage with the enable command.
> enable <?>
acl fipsSIMsource mode service
alarm fipsSIMtarget monitor snmp ...
arp interface ns ... ssl ...
feature ip server vserver
> enable
Once the possible completions are printed, you are again returned to the command line with your previous entry still at the prompt for you to work with. Note that the question mark you type is not echoed at the CLI prompt.
Any entries in the output that are followed by the ellipsis, such as the ssl command shown in the previous example’s output, have further command completion levels beyond this point in the hierarchy.
1.3.1.5 Utilizing Command Abbreviations and Shortcuts
Another way to shorten command line input is to use command abbreviations. The CLI command abbreviation feature allows you to enter partial commands. To use this feature, you need only enter enough of the command's key words such that each of them is uniquely identifiable by the CLI. For example, to shorten the command add lb vserver, you may enter as little as ad lb vs and the CLI will correctly interpret your command.
Note however, that for command group names you may not abbreviate them. In many cases you may leave them out entirely though. This is possible wherever command usage makes the group implicit, such as with the snmp and system group names when the entity type being acted upon is unique to the group. For example, there are no other entities of the community type outside of the snmp command group so issuing the add community command, rather than add snmp community, implicitly places this command in the snmp command group.
This behavior is also illustrated with the system group and its entities. The user entity type exists in the system command group as well as the aaa command group therefore the user entity is not unique to the system group. So if you are issuing an action against a system user, such as an add command, you must specify the system group type so that the CLI will interpret your command as being directed at a system user, not an aaa user. The CLI will alert you in those cases where the group type is omitted incorrectly with an "ERROR: No such command" message.
More examples of using these shortcuts are shown in Table 1-1.
Table 1-1 Sample Command Abbreviations.
Abbreviated Command    CLI Interpreted Command
cl r                   clear ns rnat
sh ve                  show ns version
se vpn p               set vpn parameters
f f                    force ns failover
rm mx                  rm dns mxRec
ad lb vs               add lb vserver
ad pol exp             add policy expression
a e                    add policy expression
1.3.1.6 Navigating Command Output
Often times, you will find that the screen output from the NSCLI will span multiple screens. When an output stream pauses at the first screen’s worth of output with --More-- displayed, you can navigate the remaining output with keystrokes.
• To cancel viewing the remaining output, press the <Q> key or use <Ctrl>+<C> to abort the command.
• To stream the remaining output without pauses, press the <C> key.
• To advance through the output one screen at a time press any other key.
1.3.1.7 Understanding Error Feedback
When a CLI command is entered with invalid arguments, an error message is displayed, possibly preceded by an indication of the location of the error within the command line. After most errors, a short version of the command usage is also displayed.
For example, typing the following command at the prompt:
> add vserver vs1 htto 10.101.4.99 80
Returns the following error messages:
add vserver vs1 htto 10.101.4.99 80
                ^^^^
ERROR: invalid argument value [serviceType, htto]
The carets ("^^^^"), if present, indicate the location of the error in the command line.
Note: The CLI will alert you if you try to configure a disabled or unlicensed feature. If you attempt to configure disabled features, your configurations will be applied, however they will have no effect on the runtime behavior of the system until the feature is enabled. If you attempt to configure an unlicensed feature, the system will return an error.
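The argument check described in this section, as an added example that is not part of the original guide or of the product's code: a Python sketch that parses the help add vserver output from section 1.3.1.2 and pre-validates a command line against it, marking the offending token with a caret line in the format of the sample error above. Only the help text and the "invalid argument value" message format come from the guide; the function names, the other messages, case-insensitive value matching, and ignoring the unexplained @ markers are assumptions.

```python
import re

# Help output for "add vserver", copied from section 1.3.1.2 of this guide.
HELP_ADD_VSERVER = """\
Usage: add vserver <vServerName>@ <serviceType> [<IPAddress> @
<port> -range <positive_integer>] [-cacheType <cacheType>]
[-backupVServerName <string>] [-redirectURL <URL>]
[-cacheable ( YES | NO )] [-cltTimeout <secs>]
[-soMethod ( CONNECTION | NONE )]
[-soPersistence ( ENABLED | DISABLED )]
[-soPersistenceTimeOut <positive_integer>]
[-soThreshold <positive_integer>] [-state (
ENABLED | DISABLED )]
where:
<serviceType> = ( HTTP | FTP | TCP | UDP | SSL | SSL_BRIDGE |
SSL_TCP | NNTP | DNS | DHCPRA | ANY )
<cacheType> = ( TRANSPARENT | REVERSE | FORWARD )
"""

def choices(body):
    """Split 'A | B | C' into ['A', 'B', 'C'] (vertical bars separate alternatives)."""
    return [v.strip().upper() for v in body.split("|")]

def parse_help(text):
    """Build a spec (command words, positionals, options, value sets) from help output."""
    flat = " ".join(text.split())                    # undo the line wrapping
    usage, _, where = flat.partition(" where: ")
    usage = usage[len("Usage: "):]
    # Named value sets from the "where:" block: <serviceType> = ( HTTP | ... )
    enums = {name: choices(body)
             for name, body in re.findall(r"<(\w+)>\s*=\s*\(([^)]*)\)", where)}
    # Options are "-name <type>" or "-name ( A | B )" with inline alternatives.
    options = {}
    for name, typ, inline in re.findall(r"-(\w+)\s+(?:<(\w+)>|\(([^)]*)\))", usage):
        options[name.lower()] = (typ, choices(inline) if inline else enums.get(typ))
    head = usage.split("-", 1)[0]                    # text before the first option
    return {
        "words": head.split("<", 1)[0].split(),      # e.g. ['add', 'vserver']
        "positionals": re.findall(r"<(\w+)>", head), # the "@" markers are ignored
        "required": len(re.findall(r"<\w+>", head.split("[", 1)[0])),
        "options": options,
        "enums": enums,
    }

def check(label, typ, allowed, col, tok):
    """Return an error tuple if tok is not a legal value, else None."""
    bad = allowed is not None and tok.upper() not in allowed
    if typ == "positive_integer":
        bad = not (tok.isdigit() and int(tok) > 0)
    if bad:
        # Message format follows the sample error in section 1.3.1.7.
        return (col, len(tok), "ERROR: invalid argument value [%s, %s]" % (label, tok))
    return None

def validate(cmdline, spec):
    """Return None if cmdline fits the spec, else (column, width, message)."""
    # Messages other than 'invalid argument value' are constructed for this example.
    toks = [(m.start(), m.group()) for m in re.finditer(r"\S+", cmdline)]
    n = len(spec["words"])
    if [t.lower() for _, t in toks[:n]] != spec["words"]:
        return (0, 0, "ERROR: not a '%s' command" % " ".join(spec["words"]))
    args, i = toks[n:], 0
    # Positional arguments run until the first "-option".
    while i < len(args) and not args[i][1].startswith("-"):
        if i >= len(spec["positionals"]):
            return (args[i][0], len(args[i][1]), "ERROR: too many arguments")
        name = spec["positionals"][i]
        err = check(name, name, spec["enums"].get(name), *args[i])
        if err:
            return err
        i += 1
    if i < spec["required"]:
        return (len(cmdline), 0, "ERROR: missing argument <%s>" % spec["positionals"][i])
    # The rest must be "-option value" pairs; option names match in any case.
    while i < len(args):
        col, tok = args[i]
        opt = spec["options"].get(tok[1:].lower()) if tok.startswith("-") else None
        if opt is None:
            return (col, len(tok), "ERROR: unknown option %s" % tok)
        if i + 1 >= len(args):
            return (col, len(tok), "ERROR: option %s needs a value" % tok)
        err = check(tok[1:], opt[0], opt[1], *args[i + 1])
        if err:
            return err
        i += 2
    return None

def render(cmdline, err):
    """Format an error like the CLI sample: echoed command, caret line, message."""
    col, width, msg = err
    lines = [cmdline] + ([" " * col + "^" * width] if width else []) + [msg]
    return "\n".join(lines)

if __name__ == "__main__":
    spec = parse_help(HELP_ADD_VSERVER)
    cmd = "add vserver vs1 htto 10.101.4.99 80"      # sample from section 1.3.1.7
    print(render(cmd, validate(cmd, spec)))
```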
1.3.1.8 Accessing the Command History
The command line maintains a per user command entry history across sessions. This history maintains the last 100 user entered commands. Note that the history does not record sequentially duplicated commands. You may loop through the history on the command line by using the up and down arrow keys on your keyboard. You can recall the entire history log using the history command. A sample of the history log output is shown here.
> history
1 21:31 sh version
2 21:31 man save ns config
3 21:31 builtins
4 21:32 help authentication
5 21:44 help
6 21:52 history
7 21:53 exit
8 21:53 history
>
You can also recall specific entries from within the history using the exclamation mark, or bang character (!). Use the ! in combination with either the desired history event number or an offset from the current event number to recall a specific history entry.
1.3.2 Advanced Command Line Usage
This section illustrates the remaining advanced features of the Command Line Interface.
1.3.2.1 Understanding NSCLI Built-ins
The Command Line Interface has several tools, or builtins, at your disposal for use within CLI sessions. To view these builtins, use the builtins command. In addition to the previously mentioned history builtin, other builtins can be used as discussed in the following sections.
1.3.2.2 Compounding CLI Commands
The nscli supports using the semicolon (;) character to enter multiple commands. To use this function, simply enter a semicolon between commands on the command line. The commands will be executed in order of entry.
1.3.2.3 Using grep, more, and the Pipe Operator
To help in managing and navigating command output, the nscli supports the standard UNIX grep and more commands as well as the pipe operator ( | ). For the grep and more commands, refer to the man pages in the nscli for complete usage details.
The pipe operator is used in the nscli as it is on standard UNIX shells to redirect command output into another command, commonly with the grep and more commands.
1.3.2.4 Applying Formatting Options
In the nscli, most show commands have an implicit -format argument. This argument formats the command's output in one of three ways.
Normally the show server command outputs to the screen as shown here.
> show server
2 servers:
1) Name: s1 IPAddress: 10.10.10.11
State: ENABLED
2) Name: s2 IPAddress: 10.10.10.12
State: ENABLED
Done
>
With the -format input option, the show server command prints its output in the command form in which it would be input to the CLI, as shown here.
> show server -format input
2 servers:
add server s1 10.10.10.11
add server s2 10.10.10.12
Done
>
The second formatting option, -format hierarchical, prints in a Cisco-like hierarchical format.
> show server -format hierarchical
2 servers:
server s1
    IPAddress: 10.10.10.11
server s2
    IPAddress: 10.10.10.12
Done
>
And the third type of formatting option, -format xhierarchical, prints the output in a Juniper-like hierarchical format.
> show server -format xhierarchical
2 servers:
server s1 {
    IPAddress 10.10.10.11;
}
server s2 {
    IPAddress 10.10.10.12;
}
Done
>
1.3.2.5 Creating and Using Aliases
In order to allow you to customize your own command shortcuts, the system supports using aliases. To create a command alias you will need to use the alias command followed by the desired alias name and the command you wish to alias. For example, to create an alias for the show system users command you would enter the command as shown below.
> alias users show system users
To use the new alias, specify it as you would any other command.
> users
1 Configured system user:
1) User name: nsroot
Done
>
And to view the established aliases, use the alias command alone on the command line.
> alias
users (show system users)
>
To delete an alias, use the unalias command.
> unalias users
>
1.3.2.6 Customizing the CLI Prompt
By default for all users, the CLI prompt is marked by the > character. You may customize the prompt to display differently using the set cli prompt command. The possible settings and parameters are listed in the following table, followed by an example use of the command.
Table 1-2 Prompt Settings
Parameter   Prompt Displays
%!          Current history event number
%u          User name
%h, %m      Configured hostname
%t          Current system time
%T          Current system time in 24 hour format
%d          Current date
Example:
> set cli prompt "%[T] %u@%h"
Done
[22:23] nsroot@localhost>
Notice that you need to enclose the parameter in double quotes. You may chain multiple parameters together in addition to arbitrary strings and spaces to further customize the prompt. To do this, just include the desired string and parameters within a single double quoted string, as shown in the above example. If you would like to reset the prompt back to the system default, use the clear cli prompt command.
To ensure that your prompt setting is retained across sessions, save your configuration once your desired prompt is set. This command prompt setting will apply only to the current system user.
1.3.2.7 Using the @ Range Operator
Many CLI commands allow for the creation and manipulation of a range of entities. Any command that has the @ symbol in its parameter listing is one of these commands. The presence of the range operator means that the argument it follows may be used with a range specification in order to act on a consecutive array of entities. To use these arguments with a range, you simply specify the argument normally and follow it with a bracketed range.
For example, the command for creating a range of five load balancing vservers would use the following syntax:
> add lb vserver httpvserve[1-5] http 192.168.1.1[1-5] 80
Notice that the IP address argument also specifies an address range. When adding a range of entities as shown here, dependent arguments must have a matching range specified as well. The command will return an error if the ranges differ. When you use an add command with the range option as shown here, the system will create 5 vservers with IP addresses ranging from 192.168.1.11 to 192.168.1.15.
When deleting a range of entities, the same methodology applies. To remove the range of vservers created in this example, you would issue the following command:
> rm vserver httpvserve[1-5]
Done
>
Note: If a range of entities created with the range operation is somehow broken, such as via the manual removal of one or more of the entities, using the corresponding rm or set commands with a range operation against the range will not complete successfully.
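The expansion that the @ range operator performs, as an added Python example (not part of the Citrix guide; function names are hypothetical). It assumes that "ranges differ" means the bracketed bounds are not identical, and it adds a pre-check for the broken-range case described in the note above.

```python
import re

# Matches one bracketed range such as "[1-5]" inside an argument.
RANGE = re.compile(r"\[(\d+)-(\d+)\]")


def expand_argument(arg):
    """Expand one argument.

    Returns (values, bounds); bounds is None when the argument carries
    no bracketed range, in which case values is just [arg].
    """
    m = RANGE.search(arg)
    if m is None:
        return [arg], None
    lo, hi = int(m.group(1)), int(m.group(2))
    if lo > hi:
        raise ValueError("descending range in %r" % arg)
    values = [arg[:m.start()] + str(i) + arg[m.end():]
              for i in range(lo, hi + 1)]
    return values, (lo, hi)


def expand_command(command):
    """Return the individual commands that a ranged command stands for."""
    expanded = [expand_argument(tok) for tok in command.split()]
    bounds = {b for _, b in expanded if b is not None}
    if len(bounds) > 1:
        # Assumption: dependent arguments must carry identical bounds.
        raise ValueError("mismatched ranges: %s" % sorted(bounds))
    if not bounds:
        return [command]
    lo, hi = next(iter(bounds))
    lines = []
    for i in range(hi - lo + 1):
        lines.append(" ".join(values[i] if b is not None else values[0]
                              for values, b in expanded))
    return lines


def missing_from_range(arg, existing):
    """Names in the range that are absent from the set of existing entities.

    A non-empty result means the range is broken, so a ranged rm or set
    against it should not be attempted.
    """
    values, _ = expand_argument(arg)
    return [v for v in values if v not in existing]


if __name__ == "__main__":
    # Command taken from the text above.
    for line in expand_command(
            "add lb vserver httpvserve[1-5] http 192.168.1.1[1-5] 80"):
        print(line)
    # Constructed inventory in which httpvserve3 was removed by hand.
    present = {"httpvserve1", "httpvserve2", "httpvserve4", "httpvserve5"}
    print(missing_from_range("httpvserve[1-5]", present))
```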
1.3.2.8 Executing Looped Commands
The nscli allows for the use of UNIX shell style loops for repeated execution of commands. The example here uses this functionality to create ten http vservers with IP addresses 1.1.1.25 to 1.1.1.34.
> @ n = 10
> @ x = 25
> while ($n)
add vserver test$n http 1.1.1.$x 80
@ n--
@ x++
end
Done
Done
Done
Done
Done
Done
Done
Done
Done
Done
>
The primary keywords available in the nscli for using this feature are while, end, and the @ operator. More details on these keywords are available in the respective man pages for each of them as well as their Command Reference descriptions in this reference.
AAA Commands
This chapter covers the AAA commands.
stat aaa
Synopsis
stat aaa [-detail] [-fullValues] [-ntimes <positive_integer>] [-logFile <input_filename>]
Description
This command displays AAA statistics.
Counters
Authentication failures (authfails)
    Count of authentication failures
Authentication successes (authsucc)
    Count of authentication successes
Non HTTP authorization failures (atznonhtpf)
    Count of non HTTP connections that failed authorization
HTTP authorization failures (atzhtpf)
    Count of HTTP connections that failed authorization
Non HTTP authorization successes (atznonhtps)
    Count of non HTTP connections that succeeded authorization
HTTP authorization successes (atzhtps)
    Count of HTTP connections that succeeded authorization
AAA sessions (totsess)
    Count of all AAA sessions
Timed out AAA sessions (totsessto)
    Count of AAA sessions that have timed out
Current AAA sessions (totcursess)
    Count of current AAA sessions
Related Commands
show aaa stats
Synopsis
show aaa stats - alias for 'stat aaa'
Description
show aaa stats is an alias for stat aaa
Related Commands
stat aaa
add aaa user
Synopsis
add aaa user <userName> [-password <string>]
Description
This command adds a user and the authorization compound expression for the user to the LDAP/RADIUS server.
Arguments
userName
    Specifies the name of the user.
password
    Specifies the password of the user. If the password option is not provided then the CLI will prompt the user to enter the password. The password entered by this method is not displayed to the user. Currently, the hidden password is not implemented. If the password is not specified the username is taken as the default password.
Example
add expression p4port VPNPORT == 1666
add expression whizbangport VPNPORT == 7676
add expression only_finance_url URL == /finance*
add expression only_finance_svc VPNIP == 10.100.3.44
add aaa user johndoe -HttpRule "only_finance_svc && only_finance_url" -ActionHttp allow -NonHttpRule "p4port || whizbangport" -ActionNonHttp allow
The above examples provide the following privileges to user johndoe:
HTTP: Only access to URLs prefixed with /finance is allowed, and access is restricted to the finance application server with IP address 10.100.3.44.
Non-HTTP: Only access to the Perforce and Whizbang applications is allowed.
Related Commands
rm aaa user
set aaa user
show aaa user
rm aaa user
Synopsis
rm aaa user <userName>
Description
This command removes a user from the LDAP server added by the add aaa user CLI command.
Arguments
userName
    Specifies the name of the user in the LDAP server.
Related Commands
add aaa user
set aaa user
show aaa user
set aaa user
Synopsis
set aaa user <userName> <password>
Description
This command sets the password for an existing user.
Arguments
userName
    Specifies the name of the user.
password
    Specifies the password of the user. If the password option is not provided then the CLI will prompt the user to enter the password. The password entered by this method is not displayed to the user. Currently, the hidden password is not implemented. If the password is not specified the username is taken as the default password.
Example
set aaa user johndoe password abcd
The above command sets johndoe's password to abcd.
Related Commands
add aaa user
rm aaa user
show aaa user
show aaa user
Synopsis
show aaa user [<userName>] [-loggedin]
Description
This command displays the AAA users who have been added using the add aaa user command.
Arguments
userName
    Specifies the user name. When a user name is specified, the CLI displays the LDAP or the RADIUS user entry details and the groups to which the user belongs.
loggedin
    Specifies the loggedin flag. When this flag is turned on, the CLI displays the names of all logged in users. When used with a user name, the CLI displays whether the user is logged in or not.
Output
groupName
policy
priority
intranetApplication
    Specifies the intranet vpn application.
urlName
    Specifies the intranet url.
intranetip
    Specifies the Intranet IP bound to the user
netmask
    Specifies the netmask for the Intranet IP
Example
> show aaa user joe
UserName: joe
IntranetIP: 10.102.1.123
Bound to groups:
GroupName: engg
Done
>
Related Commands
add aaa user
rm aaa user
set aaa user
add aaa group
Synopsis
add aaa group <groupName>
Description
This command adds a group and the authorization compound expression for the group to the LDAP/RADIUS server.
Arguments
groupName
    Specifies the name of the group.
Example
To add a group group_ad and set the HTTP rule and action to deny HTTP access in the 192.30.*.* network:
add aaa group group_ad -HttpRule exp_source -ActionHttp deny
Related Commands
rm aaa group
show aaa group
rm aaa group
Synopsis
rm aaa group <groupName>
Description
This command removes a group from the LDAP server added by the add aaa group CLI command.
Arguments
groupName
    Specifies the name of the group in the LDAP server. Note: The user sessions belonging to the group will be removed. The user has to log in again.
Related Commands
add aaa group
show aaa group
show aaa group
Synopsis
show aaa group [<groupName>] [-loggedin]
Description
This command displays the AAA groups that have been added using the add aaa group command.
Arguments
groupName
    Specifies the group name. When the group name is specified, the CLI displays the LDAP or the RADIUS group entry details and the users bound to the group.
loggedin
    Specifies the loggedin flag. When this flag is turned on, the CLI displays the names of groups which have at least one user logged in. When used with a group name, the CLI lists the users, within the group, who are logged in.
Output
userName
policy
priority
intranetApplication
    Specifies the intranet vpn application.
urlName
    Specifies the intranet url
intranetip
    Specifies the Intranet IP(s) bound to the group
netmask
    Specifies the netmask for the Intranet IP
Example
> show aaa group engg
GroupName: engg
Bound AAA users:
UserName: joe
UserName: jane
Intranetip IP: 10.102.10.0 Netmask: 255.255.255.0
Done
>
Related Commands
add aaa group
rm aaa group
bind aaa user
Synopsis
bind aaa user <userName> [-policy <string> [-priority <positive_integer>]] [-intranetApplication <string>] [-urlName <string>] [-intranetip <ip_addr> [<netmask>]]
Description
This command is used to bind a policy, intranetip, intranetapplication or url to a user.
Arguments
userName
    Specifies the user name.
policy
    Specifies a policy to be bound to the aaa user.
intranetApplication
    Specifies the intranet vpn application.
urlName
    Specifies the intranet url
intranetip
    Specifies the IP address to be bound to this user, which will be used for Intranet access
Example
To bind intranetip to the user joe:
bind aaa user joe -intranetip 10.102.1.123
Related Commands
unbind aaa user
unbind aaa user
Synopsis
unbind aaa user <userName> [-policy <string>] [-intranetApplication <string>] [-urlName <string>] [-intranetip <ip_addr> [<netmask>]]
Description
This command is used to unbind a policy, intranetip, intranetapplication or url from a user.
Arguments
userName
    Specifies the user name.
policy
    Specifies a policy to be unbound from the aaa user.
intranetApplication
    Specifies the intranet vpn application.
urlName
    Specifies the intranet url
intranetip
    Specifies the Intranet IP to be unbound
Example
unbind aaa user joe -intranetip 10.102.1.123
Related Commands
bind aaa user
bind aaa group
Synopsis
bind aaa group <groupName> [-userName <string>] [-policy <string> [-priority <positive_integer>]] [-intranetApplication <string>] [-urlName <string>] [-intranetip <ip_addr> <netmask>]
Description
This command is used to bind a User, Intranet IP, Policy or Intranet Application to a group.
Arguments
groupName
    Specifies the group name.
userName
    Specifies the user with whom the group is bound. If the user belongs to multiple groups, during authorization of a service all the group expressions are evaluated to take a suitable action.
policy
    Specifies a policy to be bound to the aaa group.
intranetApplication
    Specifies the intranet vpn application.
urlName
    Specifies the intranet url.
intranetip
    Specifies the ip-block or the IP address to be bound with this group, which will be used by the users belonging to this group while accessing Intranet resources
Example
To bind Intranet IP to the group engg:
bind aaa group engg -intranetip 10.102.10.0 255.255.255.0
Related Commands
unbind aaa group
unbind aaa group
Synopsis
unbind aaa group <groupName> [-userName <string> ...] [-policy <string>] [-intranetApplication <string>] [-urlName <string>] [-intranetip <ip_addr> <netmask>]
Description
This command is used to unbind a User, Intranet IP, Policy or Intranet Application from a group.
Arguments
groupName
    Specifies the group name.
userName
    Specifies the user to be unbound from the group.
policy
    Specifies the policy to be unbound from the aaa group.
intranetApplication
    Specifies the intranet vpn application.
urlName
    Specifies the intranet url.
intranetip
    Specifies the Intranet IP to be unbound from the group
Example
unbind aaa group engg -intranetip 10.102.10.0 255.255.255.0
Related Commands
bind aaa group
set aaa radiusparams
Synopsis
set aaa radiusparams [-serverip <ip_addr>] [-serverport <port>] [-authTimeout <positive_integer>] -radKey <string> [-radNASip ( ENABLED | DISABLED )] [-radNASid <string>] [-radVendorID <positive_integer>] [-radAttributeType <positive_integer>] [-passEncoding <passEncoding>]
Description
This command sets the global variables for the RADIUS server. It is used globally in SSL-VPN across all Vservers unless a vserver specific configuration is done using authentication policies.
Arguments
serverip
    Specifies the IP address of the RADIUS server.
serverport
    Specifies the port number on which the RADIUS server is running. The default port number is 1812. Default value: 1812
authTimeout
    Specifies the maximum number of seconds for which the NetScaler 9000 system would wait for a response from the RADIUS server. Default value: 3
radKey
    Specifies the key shared between the client and the server. This information is required for the Netscaler system to communicate with the RADIUS server.
radNASip
    If enabled, the Netscaler's IP address (NSIP) is sent as the "nasip" as part of the Radius protocol to the server. Possible values: ENABLED, DISABLED
radNASid
    If configured, this string will be sent to the RADIUS server as the "nasid" as part of the Radius protocol.
radVendorID
    Specifies the Vendor ID for Radius group extraction.
radAttributeType
    Specifies the Attribute type for Radius group extraction.
passEncoding
    This option specifies how the password should be encoded in the RADIUS packets from the NetScaler to the RADIUS server. Valid options are PAP (default), CHAP, MSCHAPv1, MSCHAPv2. Possible values: pap, chap, mschapv1, mschapv2 Default value: PAP
Example
To configure the default RADIUS parameters:
set aaa radiusparams -serverip 192.30.1.2 -radkey sslvpn
Related Commands
add authentication radiusaction
set aaa ldapparams
set aaa parameter
show aaa radiusparams
show aaa radiusparams
Synopsis
show aaa radiusparams
Description
This command displays the configured RADIUS parameters.
Arguments
Output
serverip
serverport
radKey
groupAuthName
authTimeout
radNASip
radNASid
IPAddress
Example
> show aaa radiusparams
Configured RADIUS parameters
Server IP: 127.0.0.2 Port: 1812 key: secret Timeout: 10
Done
>
Related Commands
set aaa radiusparams
set aaa ldapparams
Synopsis
set aaa ldapparams [-serverip <ip_addr>] [-serverport <port>] [-authTimeout <positive_integer>] [-ldapBase <string>] [-ldapBindDn <string>] [-ldapBindDnPassword <string>] [-ldapLoginName <string>] [-searchFilter <string>] [-groupAttrName <string>] [-subAttributeName <string>] [-secType <secType>]
Description
This command sets the global variables for the LDAP server. It is used globally in SSL-VPN across all Vservers unless a vserver specific configuration is done using authentication policies.
Arguments
serverip
    Specifies the IP address of the LDAP server. The default value is localhost.
serverport
    Specifies the port number on which the LDAP server is running. The default port number for LDAP server is 389. Default value: 389
authTimeout
    Specifies the maximum number of seconds for which the NetScaler system would wait for a response from the LDAP server. Default value: 3
ldapBase
    Specifies the base or the node from where the ldapsearch should start. If the LDAP server is running locally, the default value of base is dc=netscaler, dc=com.
ldapBindDn
    Specifies the full distinguished name that is used to bind to the LDAP server.
ldapBindDnPassword
    Specifies the password that is used to bind to the LDAP server.
ldapLoginName
    Specifies the name attribute used by the Netscaler system to query the external LDAP server or an Active Directory.
searchFilter
    String to be combined with the default LDAP user search string to form the value. For example, vpnallowed=true with ldapLoginName "samaccount" and user-supplied username "bob" would yield the LDAP search string "(&(vpnallowed=true)(samaccount=bob))".
groupAttrName
    Specifies the Attribute name for group extraction from LDAP server
subAttributeName
    Specifies the Sub-Attribute name for group extraction from LDAP server
secType
    Specifies whether the communication between the NetScaler 9000 and the LDAP server should be encrypted or not. The following values are allowed for this parameter: PLAINTEXT: No encryption required. TLS: For using TLS protocol to communicate. SSL: For using SSL Protocol to communicate. Possible values: PLAINTEXT, TLS, SSL Default value: PLAINTEXT
Example
To configure authentication in the LDAP server running at 192.40.1.2:
set aaa ldapparams -serverip 192.40.1.2 -ldapbase "dc=netscaler,dc=com" -ldapBindDN "cn=Manager,dc=netscaler,dc=com" -ldapBindDnPassword secret -ldaploginname uid
Related Commands
add authentication ldapaction
set aaa radiusparams
set aaa parameter
show aaa ldapparams
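The combination described for searchFilter, as an added Python example (not NetScaler code; function names are hypothetical). It assumes the default user search string is (<ldapLoginName>=<username>), as the guide's own example reads, and escapes the user-supplied name per RFC 4515 so that it can only ever be a value; whether the system itself escapes this way is not stated in this guide.

```python
# Characters that RFC 4515 requires to be escaped inside a filter value.
ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_filter_value(value):
    """Escape a user-supplied string for use as an LDAP assertion value."""
    return "".join(ESCAPES.get(ch, ch) for ch in value)


def build_search_string(search_filter, login_attr, username):
    """Combine searchFilter with (<login_attr>=<username>) under '&'."""
    user_clause = "(%s=%s)" % (login_attr, escape_filter_value(username))
    if not search_filter:
        return user_clause
    # Accept the configured filter with or without its own parentheses.
    if search_filter.startswith("("):
        extra = search_filter
    else:
        extra = "(%s)" % search_filter
    return "(&%s%s)" % (extra, user_clause)


def is_balanced(search_string):
    """True when every '(' has a matching ')' and nothing closes early."""
    depth = 0
    for ch in search_string:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


if __name__ == "__main__":
    # First name is the one used in the searchFilter description; the
    # second is a constructed name containing filter metacharacters.
    for name in ("bob", "bob)(uid=*"):
        result = build_search_string("vpnallowed=true", "samaccount", name)
        print(result, is_balanced(result))
```

With escaping, the second name still yields a filter with exactly two clauses, so the configured searchFilter restriction continues to apply to it.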
show aaa ldapparams
Synopsis
show aaa ldapparams
Description
This command displays the configured LDAP parameters.
Arguments
Output
serverip
serverport
authTimeout
ldapBindDn
ldapLoginName
ldapBase
secType
searchFilter
groupAttrName
    Specifies the Attribute name for group extraction from LDAP server
subAttributeName
    Specifies the Sub-Attribute name for group extraction from LDAP server
groupAuthName
Example
> show aaa ldapparams
Configured LDAP parameters
Server IP: 127.0.0.1 Port: 389 Timeout: 1 BindDn: cn=Manager,dc=florazel,dc=com login: uid Base: dc=florazel,dc=com Secure Type: PLAINTEXT
Done
>
Related Commands
set aaa ldapparams
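The defaults documented in the entries above (add aaa user without -password, -passEncoding PAP, -secType PLAINTEXT) can be checked mechanically over a saved list of commands. This is an added Python example, not part of the Citrix guide; the finding codes and function names are hypothetical, and it assumes that option names are case-insensitive (the guide's examples mix cases) and that a later set command changes only the options it names.

```python
import shlex

# Constructed input: example commands printed in this guide, plus one
# user added without -password.
SAMPLE_CONFIG = """\
add aaa user johndoe
set aaa radiusparams -serverip 192.30.1.2 -radkey sslvpn
set aaa ldapparams -serverip 192.40.1.2 -ldapbase "dc=netscaler,dc=com" -ldapBindDN "cn=Manager,dc=netscaler,dc=com" -ldapBindDnPassword secret -ldaploginname uid
"""

# Options whose value is a credential (lower-cased, without the dash).
SECRET_OPTIONS = {"password", "radkey", "ldapbinddnpassword",
                  "tacacssecret", "nt4adminpasswd"}


def parse_options(tokens):
    """Map lower-cased option names (without '-') to their values."""
    opts = {}
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("-") and len(tok) > 1:
            has_value = (i + 1 < len(tokens)
                         and not tokens[i + 1].startswith("-"))
            opts[tok[1:].lower()] = tokens[i + 1] if has_value else ""
            i += 2 if has_value else 1
        else:
            i += 1  # positional argument such as a user name
    return opts


def audit(config_text):
    """Return a list of (line_number, code, detail) findings."""
    effective = {"set aaa ldapparams": {}, "set aaa radiusparams": {}}
    last_line = {}
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        tokens = shlex.split(line)
        if len(tokens) < 3:
            continue
        command = " ".join(tokens[:3]).lower()
        opts = parse_options(tokens[3:])
        if command in effective:
            # Accumulate, so a later "set" only overrides what it names.
            effective[command].update(opts)
            last_line[command] = lineno
        elif command == "add aaa user" and "password" not in opts:
            # Per the guide, the user name is then the default password.
            user = tokens[3] if len(tokens) > 3 else ""
            findings.append((lineno, "USER_DEFAULT_PASSWORD", user))
        for name in sorted(n for n in opts if n in SECRET_OPTIONS):
            # The saved command text contains the credential in clear.
            findings.append((lineno, "SECRET_IN_TEXT", "-" + name))
    ldap = effective["set aaa ldapparams"]
    if ldap and ldap.get("sectype", "PLAINTEXT").upper() == "PLAINTEXT":
        findings.append((last_line["set aaa ldapparams"],
                         "LDAP_PLAINTEXT", "secType"))
    radius = effective["set aaa radiusparams"]
    if radius and radius.get("passencoding", "pap").lower() == "pap":
        findings.append((last_line["set aaa radiusparams"],
                         "RADIUS_PAP", "passEncoding"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```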
set aaa tacacsparams
Synopsis
set aaa tacacsparams [-serverip <ip_addr>] [-serverport <port>] [-authTimeout <positive_integer>] [-tacacsSecret <string>] [-authorization ( ON | OFF )] [-accounting ( ON | OFF )]
Description
This command sets the global variables for the TACACS+ server. It is used globally in SSL-VPN across all Vservers unless a vserver specific configuration is done using authentication policies.
Arguments
serverip
    Specifies the IP address of the TACACS+ server.
serverport
    Specifies the port on which the TACACS+ server is running. The default port is 49. Default value: 49
authTimeout
    Specifies the maximum number of seconds for which the NetScaler system would wait for a response from the TACACS+ server. Default value: 3
tacacsSecret
    Specifies the key shared between the client and the server. This information is required for the Netscaler system to communicate with the TACACS+ server.
authorization
    Specifies whether this TACACS+ server should be used for streaming authorization. Possible values: ON, OFF
accounting
    Specifies whether this TACACS+ server should be sent accounting messages. Possible values: ON, OFF
Example
To configure a TACACS+ server running at 192.168.1.20:
set aaa tacacsparams -serverip 192.168.1.20 -tacacssecret secret
Related Commands
add authentication tacacsaction
set aaa radiusparams
set aaa parameter
show aaa tacacsparams
show aaa tacacsparams
Synopsis
show aaa tacacsparams
Description
Display configured AAA TACACS+ server parameters.
Arguments
Output
serverip
serverport
authTimeout
tacacsSecret
authorization
accounting
Example
> sh aaa tacacsparams
Configured TACACS parameter
Server IP: 192.168.1.20 Port: 49 Timeout: 1 secs
Done
Related Commands
set aaa tacacsparams
set aaa nt4params
Synopsis
set aaa nt4params [-serverip <ip_addr>] [-nt4ServerName <string>] [-nt4DomainName <string>] [-nt4AdminUser <string>] [-nt4AdminPasswd <string>]
Description
This command defines an NT4 authentication server.
Arguments
serverip
    Specifies the IP address of the NT4 server.
nt4ServerName
    The name of the NT4 server
nt4DomainName
    The domain name of the NT4 server
nt4AdminUser
    Username of an NT4 Domain Administrator
nt4AdminPasswd
    Password of the NT4 Domain Administrator
Example
To configure an NT4 server running at 192.168.1.21:
set aaa nt4params -serverip 192.168.1.21
Related Commands
show aaa nt4params
show aaa nt4params
Synopsis
show aaa nt4params
Description
Display configured AAA NT4 server parameters.
Output
serverip
nt4ServerName
nt4DomainName
nt4AdminUser
nt4AdminPasswd
Related Commands
set aaa nt4params
set aaa certparams
Synopsis
set aaa certparams [-userNameField <string>] [-groupNameField <string>]
Description
This command sets the global variables for a certificate policy. It is used globally in SSL-VPN across all Vservers unless a vserver specific configuration is done using authentication policies.
Arguments
userNameField
    Specifies which field in the client certificate to extract the username from. Should be of the format <field:subfield>. Allowed values for field are "Subject" and "Issuer".
groupNameField
    Specifies which field in the certificate to extract the group from. Should be of the format <field:subfield>. Allowed values for field are "Subject" and "Issuer".
Example
To configure the default certificate parameters:
set aaa certparams -userNameField "Subject:CN" -groupNameField "Subject:OU"
Related Commands
add authentication certaction
set aaa parameter
show aaa certparams
show aaa certparams
Synopsis
show aaa certparams
Description
This command displays the configured CERT parameters.
Arguments
Output
twoFactor
    Specifies whether two factor authentication is on.
userNameField
    Specifies which field in the certificate to extract the username from.
groupNameField
    Specifies which field in the certificate to extract the group from.
Related Commands
set aaa certparams
set aaa parameter
Synopsis
set aaa parameter [-defaultAuthType <defaultAuthType>] [-maxAAAUsers <positive_integer>]
Description
This command sets the global AAA parameters. Use this command to override the default LDAP authentication.
Arguments
defaultAuthType
    Specifies the default type of authentication server. If nothing is specified the default value is set to LDAP. Possible values: LOCAL, LDAP, RADIUS, TACACS, NT4, CERT
maxAAAUsers
    Specifies the maximum number of concurrent users allowed to log in to the NetScaler 9000 at any given instant of time. The default number of users is 5.
Example
set aaa parameter -defaultAuthType RADIUS -maxAAAUSers 100
Related Commands
show aaa parameter
show aaa parameter
Synopsis
show aaa parameter
Description
This command displays the AAA parameters which have been configured using the set aaa parameter command.
Arguments
Output
defaultAuthType
maxAAAUsers
Example
> show aaa parameter
Configured AAA parameters
DefaultAuthType: LDAP MaxAAAUsers: 5
Done
>
Related Commands
set aaa parameter
show aaa session
Synopsis
show aaa session [-userName <string>] [-groupName <string>] [-intranetip <ip_addr|*> [<netmask>]]
Description
This command displays the connections initiated by the user.
Arguments
userName
    Specifies the user name. When the user name is specified, the CLI lists the connections initiated by the specified user.
groupName
    Specifies the group name. When the group name is specified, the CLI lists the connections initiated by all the logged-in users within the group.
intranetip
    Intranet IP address. The command lists all connections whose sessions are using the named intranet IP address
Output
publicIP
    Client's public IP address
publicPort
    Client's public port
IPAddress
    Netscaler's IP address
port
    Netscaler's port
privateIP
    Client's private/mapped IP address
privatePort
    Client's private/mapped port
destIP
    Destination IP address
destPort
    Destination port
intranetip
    Specifies the Intranet IP
Example
> show aaa connection
ClintIp (ClientPort) -> ServerIp(ServerPort)
------------------------- ----------------------------
User Name: Joe
10.102.0.39 (2318 ) -> 10.102.4.245 (443 )
10.102.0.39 (2320 ) -> 10.102.4.245 (443 )
10.102.0.39 (2340 ) -> 10.102.4.245 (443 )
Done
>
Related Commands
kill aaa session
kill aaa session
Synopsis
kill aaa session [-userName <string>] [-groupName <string>] [-intranetip <ip_addr|*> [<netmask>]] [-all]
Description
This command kills the user sessions.
Arguments
userName
    Specifies the user name. The system will terminate the session initiated by the named user.
groupName
    Specifies the group name. The system will terminate the sessions of all the users within the named group.
intranetip
    Intranet IP address. The system will terminate all sessions using the named intranet IP address
all
    The system will terminate the sessions of all the users who are currently logged in.
Example
kill aaa session -user joe
Related Commands
show aaa session
Auditing Commands
This chapter covers the auditing commands.
stat audit
Synopsis
stat audit [-detail] [-fullValues] [-ntimes <positive_integer>] [-logFile <input_filename>]
Description
This command displays audit statistics.
Counters
Audit logs sent to syslog server(s) (LogSnd)
    Count of audit log messages sent to all the configured syslog servers.
Audit log messages generated (LogGen)
    Count of audit log messages generated.
NAT allocation failed (Ernatpcb)
    NAT allocation failed
Nsb allocation failed (Ernsb)
    Nsb allocation failed
Memory allocation failed (Ermem)
    Memory allocation for audit context failed
Port allocation failed (Erport)
    Port allocation failed.
NAT lookup failed (Hshmiss)
    NAT lookup failed.
Context not found (Ctxntfnd)
    Context not found.
Related Commands
show audit stats
Synopsis
show audit stats - alias for 'stat audit'
Description
show audit stats is an alias for stat audit
Related Commands
stat audit
add audit syslogaction
Synopsis
add audit syslogaction <name> <serverip> [-serverport <port>] -logLevel <logLevel> ... [-dateformat ( MMDDYYYY | DDMMYYYY )]
Description
Use this command to add a syslog action.
Arguments
name
    The name of the SYSLOG action to be added.
serverip
    The IP address of the syslog server.
serverport
    The port on which the syslog server is running. Default value: 514
logLevel
    Specifies the audit log level.
dateformat
    Specifies the date format. Possible values: MMDDYYYY, DDMMYYYY Default value: MMDDYYYY
Related Commands
rm audit syslogaction
show audit syslogaction
rm audit syslogaction
Synopsis
rm audit syslogaction <name>
Description
Use this to remove a previously created syslog action. Note that an action cannot be removed as long as it is configured in a policy.
Arguments
name
    The name of the action to be removed.
Related Commands
add audit syslogaction
show audit syslogaction
show audit syslogaction
Synopsis
show audit syslogaction
Description
Use this command to display details of the configured SYSLOG action(s).
Arguments
Output
Related Commands
add audit syslogaction
rm audit syslogaction
add audit syslogpolicy
Synopsis
add audit syslogpolicy <name> <rule> <action>
Description
Use this command to add a SYSLOG policy. The policy defines the conditions under which the specified SYSLOG server is to be used for logging.
Arguments
name: The name to assign to the new SYSLOG policy.
rule: The name of the rule, or expression, the policy is to use.
action: The name of the SYSLOG action the policy is to use.
Related Commands
rm audit syslogpolicy
show audit syslogpolicy
set audit syslogpolicy
rm audit syslogpolicy
Synopsis
rm audit syslogpolicy <name>
Description
Use this command to remove an audit SYSLOG policy.
Arguments
name: The name of the SYSLOG policy to remove.
Related Commands
add audit syslogpolicy
show audit syslogpolicy
set audit syslogpolicy
show audit syslogpolicy
Synopsis
show audit syslogpolicy [<name>]
Description
Use this command to display configured SYSLOG policies.
Arguments
name: The name of the policy to display. If this option is not provided, all the configured SYSLOG policies are displayed.
Output
name
rule
action
Related Commands
add audit syslogpolicy
rm audit syslogpolicy
set audit syslogpolicy
set audit syslogpolicy
Synopsis
set audit syslogpolicy <name> [-rule <expression>] [-action <string>]
Description
Use this command to change properties of a SYSLOG policy.
Arguments
name: The name of the policy to be modified.
rule: The new rule to be associated with the policy.
action: The new SYSLOG action to be associated with the policy.
Related Commands
add audit syslogpolicy
rm audit syslogpolicy
show audit syslogpolicy
set audit syslogparams
Synopsis
set audit syslogparams [-serverip <ip_addr>] [-serverport <port>] [-dateformat ( MMDDYYYY | DDMMYYYY )] [-logLevel <logLevel> ...]
Description
Use this command to set default SYSLOG parameters.
Arguments
serverip: The IP address of the syslog server. Default value: 127.0.0.1
serverport: The port on which the syslog server is running. Default value: 514
dateformat: Specifies the date format. Possible values: MMDDYYYY, DDMMYYYY. Default value: MMDDYYYY
logLevel: Specifies the audit log level for which messages should be logged. Default value: EMERGENCY ALERT CRITICAL ERROR WARNING NOTICE INFORMATIONAL
Related Commands
show audit syslogparams
unset audit syslogparams
show audit syslogparams
Synopsis
show audit syslogparams
Description
Use this command to display the configured SYSLOG parameters.
Arguments
Output
serverip
serverport
dateformat
logLevel: Specifies the audit log level.
Related Commands
set audit syslogparams
unset audit syslogparams
unset audit syslogparams
Synopsis
unset audit syslogparams [-serverip] [-serverport] [-logLevel]
Description
Use this command to unset syslog parameters.
Arguments
serverip: Unsets the IP address of the syslog server.
serverport: Resets the port of the syslog server to the default, 514.
logLevel: Unsets the audit log level, so no message is logged.
Related Commands
set audit syslogparams
show audit syslogparams
show audit messages
Synopsis
show audit messages [-logLevel <logLevel> ...] [-numOfMesgs <positive_integer>]
Description
Use this command to display the most recent audit log messages.
Arguments
logLevel: The log level filter.
numOfMesgs: Specifies the number of log messages to be printed. Maximum value: 256. Default value: 20
Output
value: Audit message
Related Commands
Authentication Commands
This chapter covers the authentication commands.
add authentication radiusaction
Synopsis
add authentication radiusaction <name> [-serverip <ip_addr>] [-serverport <port>] [-authTimeout <positive_integer>] -radKey <string> [-radNASip ( ENABLED | DISABLED )] [-radNASid <string>] [-radVendorID <positive_integer>] [-radAttributeType <positive_integer>] [-passEncoding <passEncoding>]
Description
Use this command to add a profile for a RADIUS server. The profile contains all the configuration data necessary to communicate with a RADIUS server.
Arguments
name: The name of the RADIUS action to be added.
serverip: The IP address of the RADIUS server.
serverport: The port on which the RADIUS server is running. Default value: 1812
authTimeout: The maximum number of seconds for which the NetScaler system will wait for a response from the RADIUS server. Default value: 3
radKey: The key shared between the client and the server. This information is required for the NetScaler system to communicate with the RADIUS server.
radNASip: If enabled, the NetScaler's IP address (NSIP) is sent to the server as the "nasip", according to the RADIUS protocol. Possible values: ENABLED, DISABLED
radNASid: If configured, this string is sent to the RADIUS server as the "nasid", according to the RADIUS protocol.
radVendorID: The Vendor ID for using RADIUS group extraction.
radAttributeType: The Attribute type for using RADIUS group extraction.
passEncoding: Specifies how the password is encoded in the RADIUS packets sent from the NetScaler system to the RADIUS server. Valid options are PAP (the default), CHAP, MSCHAPv1, and MSCHAPv2. Possible values: pap, chap, mschapv1, mschapv2. Default value: PAP
Related Commands
rm authentication radiusaction
show authentication radiusaction
rm authentication radiusaction
Synopsis
rm authentication radiusaction <name>
Description
Use this command to remove a previously created RADIUS action. Note that an action cannot be removed as long as it is configured in a policy.
Arguments
name: The name of the action to be removed.
Related Commands
add authentication radiusaction
show authentication radiusaction
show authentication radiusaction
Synopsis
show authentication radiusaction
Description
Use this command to display details of the configured RADIUS action(s).
Arguments
Output
Related Commands
add authentication radiusaction
rm authentication radiusaction
add authentication ldapaction
Synopsis
add authentication ldapaction <name> [-serverip <ip_addr>] [-serverport <port>] [-authTimeout <positive_integer>] [-ldapBase <string>] [-ldapBindDn <string>] [-ldapBindDnPassword <string>] [-ldapLoginName <string>] [-searchFilter <string>] [-groupAttrName <string>] [-subAttributeName <string>] [-secType <secType>]
Description
Use this command to add a profile for an LDAP server. The profile contains all the configuration data necessary to communicate with the LDAP server.
Arguments
name: The name for the new LDAP action.
serverip: The IP address of the LDAP server. The default value is localhost.
serverport: The port number on which the LDAP server is running. Default value: 389
authTimeout: The maximum number of seconds for which the NetScaler system will wait for a response from the LDAP server. Default value: 3
ldapBase: The base, or node, from where the ldapsearch should start. If the LDAP server is running locally, the default value of base is dc=netscaler, dc=com.
ldapBindDn: The full distinguished name that is used to bind to the LDAP server. The default value of the bindDN is cn=Manager,dc=netscaler,dc=com.
ldapBindDnPassword: The password that is used to bind to the LDAP server.
ldapLoginName: The name attribute used by the NetScaler system to query the external LDAP server or an Active Directory.
searchFilter: String to be combined with the default LDAP user search string to form the value. For example, vpnallowed=true with ldapLoginName "samaccount" and user-supplied username "bob" would yield the LDAP search string "(&(vpnallowed=true)(samaccount=bob))".
groupAttrName: The Attribute name for group extraction from the LDAP server.
subAttributeName: The Sub-Attribute name for group extraction from the LDAP server.
secType: Specifies whether communication between the NetScaler 9000 system and the authentication server should be encrypted. The following values are valid: PLAINTEXT: No encryption required. TLS: Use the TLS protocol to communicate. SSL: Use the SSL protocol to communicate. Possible values: PLAINTEXT, TLS, SSL. Default value: PLAINTEXT
Related Commands
rm authentication ldapaction
show authentication ldapaction
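The searchFilter argument above combines an administrator-supplied clause with a clause built from ldapLoginName and the user-supplied username. The following is an added example, not NetScaler code and not part of the original guide: it models that composition for checking a candidate searchFilter offline, and escapes the user-supplied value as RFC 4515 requires. All function names are hypothetical.

```python
"""Added example: models the -searchFilter composition described above.

Not NetScaler code. All function names are hypothetical.
"""
import re

# RFC 4515: these characters must appear as \XX hex escapes inside a value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Attribute names: a letter followed by letters, digits or hyphens.
_ATTR_RE = re.compile(r"[A-Za-z][A-Za-z0-9-]*")


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied string for use as an LDAP assertion value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def is_balanced(filter_str: str) -> bool:
    """True if the string is exactly one parenthesised filter.

    Escaped parentheses are written \\28 and \\29, so every literal '(' or ')'
    seen here is structural.
    """
    if not filter_str.startswith("("):
        return False
    depth = 0
    last = len(filter_str) - 1
    for i, ch in enumerate(filter_str):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
            if depth == 0 and i != last:
                return False  # text after the first complete filter
    return depth == 0


def build_search_filter(search_filter: str, login_attr: str, username: str) -> str:
    """Combine the configured searchFilter with (<login_attr>=<username>)."""
    if not _ATTR_RE.fullmatch(login_attr):
        raise ValueError(f"invalid attribute name: {login_attr!r}")
    if not username:
        raise ValueError("empty username")
    user_clause = f"({login_attr}={escape_filter_value(username)})"

    extra = search_filter.strip()
    if not extra:
        return user_clause  # no searchFilter configured
    if not extra.startswith("("):
        extra = f"({extra})"  # the guide's example gives the clause bare
    if not is_balanced(extra):
        raise ValueError(f"unbalanced searchFilter: {search_filter!r}")
    return f"(&{extra}{user_clause})"


if __name__ == "__main__":
    # Constructed inputs; the first reproduces the guide's own example.
    for name in ("bob", "a*(b)\\"):
        print(build_search_filter("vpnallowed=true", "samaccount", name))
```

A filter that is balanced here can still be rejected by a directory for other reasons; the check only catches the structural mistakes that are easy to make when typing the clause on the command line.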
rm authentication ldapaction
Synopsis
rm authentication ldapaction <name>
Description
Use this command to remove an LDAP action. Note that an action cannot be removed as long as it is configured in a policy.
Arguments
name: The name of the LDAP action to be removed.
Related Commands
add authentication ldapaction
show authentication ldapaction
show authentication ldapaction
Synopsis
show authentication ldapaction
Description
Use this command to display details of the configured LDAP action(s).
Arguments
Output
ldapBindDn
ldapLoginName
ldapBase
searchFilter
groupAttrName
subAttributeName
secType
Related Commands
add authentication ldapaction
rm authentication ldapaction
add authentication tacacsaction
Synopsis
add authentication tacacsaction <name> [-serverip <ip_addr>] [-serverport <port>] [-authTimeout <positive_integer>] [-tacacsSecret <string>] [-authorization ( ON | OFF )] [-accounting ( ON | OFF )]
Description
Use this command to add a profile for a TACACS+ server. The profile contains all the configuration data necessary to communicate with the TACACS+ server.
Arguments
name: The name for the new TACACS+ action.
serverip: The IP address of the TACACS+ server.
serverport: The port on which the TACACS+ server is running. Default value: 49
authTimeout: The maximum number of seconds for which the NetScaler system will wait for a response from the TACACS+ server. Default value: 3
tacacsSecret: The key shared between the client and the server. This information is required for the NetScaler system to communicate with the TACACS+ server.
authorization: Specifies whether this TACACS+ server should be used for streaming authorization. Possible values: ON, OFF
accounting: Specifies whether this TACACS+ server should be sent accounting messages. Possible values: ON, OFF
Related Commands
rm authentication tacacsaction
show authentication tacacsaction
rm authentication tacacsaction
Synopsis
rm authentication tacacsaction <name>
Description
Use this command to remove a TACACS+ action. Note that an action cannot be removed as long as it is configured in a policy.
Arguments
name: The name of the TACACS+ action to be removed.
Related Commands
add authentication tacacsaction
show authentication tacacsaction
show authentication tacacsaction
Synopsis
show authentication tacacsaction
Description
Use this command to display details of the configured TACACS+ action(s).
Arguments
Output
tacacsSecret
authorization: Specifies whether this TACACS+ server should be used for streaming authorization.
accounting: Specifies whether this TACACS+ server should be sent accounting messages.
Related Commands
add authentication tacacsaction
rm authentication tacacsaction
add authentication nt4action
Synopsis
add authentication nt4action <name> [-serverip <ip_addr>] [-nt4ServerName <string>] [-nt4DomainName <string>] [-nt4AdminUser <string>] [-nt4AdminPasswd <string>]
Description
Use this command to add a profile for an NT4 server. The profile contains all the configuration data necessary to communicate with the NT4 server.
Arguments
name: The name for the new NT4 action.
serverip: The IP address of the NT4 server.
nt4ServerName: The name of the NT4 server.
nt4DomainName: The domain name of the NT4 server.
nt4AdminUser: The username of an NT4 Domain Administrator.
nt4AdminPasswd: The password of the NT4 Domain Administrator.
Related Commands
rm authentication nt4action
show authentication nt4action
rm authentication nt4action
Synopsis
rm authentication nt4action <name>
Description
Use this command to remove an NT4 action. Note that an action cannot be removed as long as it is configured in a policy.
Arguments
name: The name of the NT4 action to be removed.
Related Commands
add authentication nt4action
show authentication nt4action
add authentication certaction
Synopsis
add authentication certaction <name> [-twoFactor ( ON | OFF )] [-userNameField <string> [-groupNameField <string>]]
Description
This command adds a certificate action.
Arguments
name: The name of the CERT action to be added.
twoFactor: Specifies whether two factor authentication is on. Two factor authentication means client certificate authentication followed by password authentication. Possible values: ON, OFF. Default value: OFF
userNameField: Specifies which field in the client certificate to extract the username from. Should be of the format <field:subfield>. Allowed values for field are "Subject" and "Issuer".
Example
add authentication certaction -twoFactor ON -userNameField "Subject:CN" -groupNameField "Subject:OU"
Related Commands
add aaa certparam
add authentication certpolicy
show authentication certaction
rm authentication certaction
show authentication certaction
Synopsis
show authentication certaction
Description
This command displays the details of configured CERT action(s).
Arguments
Output
twoFactor: Specifies whether two factor authentication is on.
userNameField: Specifies which field in the certificate to extract the username from.
groupNameField: Specifies which field in the certificate to extract the group from.
Related Commands
add authentication certaction
rm authentication certaction
rm authentication certaction
Synopsis
rm authentication certaction <name>
Description
Use this command to remove a cert action. Note that an action cannot be removed as long as it is configured in a policy.
Arguments
name: The name of the NT4 action to be removed.
Related Commands
add authentication certaction
show authentication certaction
show authentication nt4action
Synopsis
show authentication nt4action
Description
Use this command to display the details of the configured NT4 action(s).
Arguments
Output
nt4ServerName
nt4DomainName
nt4AdminUser
Related Commands
add authentication nt4action
rm authentication nt4action
add authentication localpolicy
Synopsis
add authentication localpolicy <name> <rule>
Description
Use this command to add an authentication LOCAL policy. The policy defines the conditions under which the kernel will authenticate the user.
Arguments
name: The name to assign to the new authentication LOCAL policy.
rule: The name of the rule, or expression, the policy is to use.
Related Commands
rm authentication localpolicy
show authentication localpolicy
set authentication localpolicy
rm authentication localpolicy
Synopsis
rm authentication localpolicy <name>
Description
Use this command to remove an authentication LOCAL policy.
Arguments
name: The name of the LOCAL policy to remove.
Related Commands
add authentication localpolicy
show authentication localpolicy
set authentication localpolicy
show authentication localpolicy
Synopsis
show authentication localpolicy [<name>]
Description
Use this command to display configured LOCAL policies.
Arguments
name: The name of the policy to display. If this option is not provided, all the configured LOCAL policies are displayed.
Output
name
rule
Related Commands
add authentication localpolicy
rm authentication localpolicy
set authentication localpolicy
set authentication localpolicy
Synopsis
set authentication localpolicy <name> [-rule <expression>]
Description
Use this command to change properties of a LOCAL policy.
Arguments
name: The name of the policy to be modified.
rule: The new rule to be associated with the policy.
Related Commands
add authentication localpolicy
rm authentication localpolicy
show authentication localpolicy
add authentication radiuspolicy
Synopsis
add authentication radiuspolicy <name> <rule> [<reqAction>]
Description
Use this command to add an authentication RADIUS policy. The policy defines the conditions under which the specified RADIUS server is to be used for authentication.
Arguments
name: The name to assign to the new authentication RADIUS policy.
rule: The name of the rule, or expression, the policy is to use.
reqAction: The name of the RADIUS action the policy is to use.
Related Commands
rm authentication radiuspolicy
show authentication radiuspolicy
set authentication radiuspolicy
rm authentication radiuspolicy
Synopsis
rm authentication radiuspolicy <name>
Description
Use this command to remove an authentication RADIUS policy.
Arguments
name: The name of the RADIUS policy to remove.
Related Commands
add authentication radiuspolicy
show authentication radiuspolicy
set authentication radiuspolicy
show authentication radiuspolicy
Synopsis
show authentication radiuspolicy [<name>]
Description
Use this command to display configured RADIUS policies.
Arguments
name: The name of the policy to display. If this option is not provided, all the configured RADIUS policies are displayed.
Output
name
rule
reqAction
Related Commands
add authentication radiuspolicy
rm authentication radiuspolicy
set authentication radiuspolicy
set authentication radiuspolicy
Synopsis
set authentication radiuspolicy <name> [-rule <expression>] [-reqAction <string>]
Description
Use this command to change properties of a RADIUS policy.
Arguments
name: The name of the policy to be modified.
rule: The new rule to be associated with the policy.
reqAction: The new RADIUS action to be associated with the policy.
Related Commands
add authentication radiuspolicy
rm authentication radiuspolicy
show authentication radiuspolicy
add authentication certpolicy
Synopsis
add authentication certpolicy <name> <rule> [<reqAction>]
Description
Use this command to add an authentication cert policy. The policy defines the conditions under which the specified cert action is to be used for authentication.
Arguments
name: The name for the new policy.
rule: The name of the rule, or expression, the policy is to use.
reqAction: The cert action to associate with the policy.
Related Commands
set authentication certpolicy
show authentication certpolicy
rm authentication certpolicy
set authentication certpolicy
Synopsis
set authentication certpolicy <name> [-rule <expression>] [-reqAction <string>]
Description
Use this command to change the properties of a CERT policy.
Arguments
name: The name of the policy to be modified.
rule: The new rule to associate with the policy.
reqAction: The new cert action to associate with the policy.
Related Commands
add authentication certpolicy
show authentication certpolicy
rm authentication certpolicy
show authentication certpolicy
Synopsis
show authentication certpolicy [<name>]
Description
Use this command to display configured CERT policies.
Arguments
name: The name of the policy to display. If this option is not provided, all of the configured policies are shown.
Output
name: The name of the policy displayed.
rule: The rule associated with the policy.
reqAction: The cert action associated with the policy.
Related Commands
add authentication certpolicy
set authentication certpolicy
rm authentication certpolicy
rm authentication certpolicy
Synopsis
rm authentication certpolicy <name>
Description
Use this command to remove a CERT authentication policy.
Arguments
name: The name of the CERT policy to be removed.
Related Commands
add authentication certpolicy
set authentication certpolicy
show authentication certpolicy
add authentication ldappolicy
Synopsis
add authentication ldappolicy <name> <rule> [<reqAction>]
Description
Use this command to add an authentication LDAP policy. The policy defines the conditions under which the specified LDAP server is to be used for authentication.
Arguments
name: The name for the new policy.
rule: The name of the rule, or expression, the policy is to use.
reqAction: The LDAP action to associate with the policy.
Related Commands
rm authentication ldappolicy
show authentication ldappolicy
set authentication ldappolicy
rm authentication ldappolicy
Synopsis
rm authentication ldappolicy <name>
Description
Use this command to remove an LDAP authentication policy.
Arguments
name: The name of the LDAP policy to be removed.
Related Commands
add authentication ldappolicy
show authentication ldappolicy
set authentication ldappolicy
show authentication ldappolicy
Synopsis
show authentication ldappolicy [<name>]
Description
Use this command to display configured LDAP policies.
Arguments
name: The name of the policy to display. If this option is not provided, all of the configured policies are shown.
Output
name
rule
reqAction
Related Commands
add authentication ldappolicy
rm authentication ldappolicy
set authentication ldappolicy
set authentication ldappolicy
Synopsis
set authentication ldappolicy <name> [-rule <expression>] [-reqAction <string>]
Description
Use this command to change properties of an LDAP policy.
Arguments
name: The name of the policy to be changed.
rule: The new rule to associate with the policy.
reqAction: The new LDAP action to associate with the policy.
Related Commands
add authentication ldappolicy
rm authentication ldappolicy
show authentication ldappolicy
add authentication tacacspolicy
Synopsis
add authentication tacacspolicy <name> <rule> [<reqAction>]
Description
Use this command to add an authentication TACACS+ policy. The policy defines the conditions under which the specified TACACS+ server is to be used for authentication.
Arguments
name: The name of the new TACACS+ policy.
rule: The name of the rule, or expression, the policy is to use.
reqAction: The name of the TACACS+ action to be associated with the policy.
Related Commands
rm authentication tacacspolicy
show authentication tacacspolicy
set authentication tacacspolicy
rm authentication tacacspolicy
Synopsis
rm authentication tacacspolicy <name>
Description
Use this command to remove a TACACS+ policy.
Arguments
name: The name of the TACACS+ policy to be removed.
Related Commands
add authentication tacacspolicy
show authentication tacacspolicy
set authentication tacacspolicy
show authentication tacacspolicy
Synopsis
show authentication tacacspolicy [<name>]
Description
Use this command to display the configured TACACS+ policies.
Arguments
name: The name of the TACACS+ policy to display. If this option is not given, all of the configured TACACS+ policies are shown.
Output
name
rule
reqAction
Related Commands
add authentication tacacspolicy
rm authentication tacacspolicy
set authentication tacacspolicy
set authentication tacacspolicy
Synopsis
set authentication tacacspolicy <name> [-rule <expression>] [-reqAction <string>]
Description
Use this command to change the properties of a TACACS+ policy.
Arguments
name: The name of the policy to be modified.
rule: The new rule to associate with the policy.
reqAction: The new TACACS+ action to associate with the policy.
Related Commands
add authentication tacacspolicy
rm authentication tacacspolicy
show authentication tacacspolicy
add authentication nt4policy
Synopsis
add authentication nt4policy <name> <rule> [<reqAction>]
Description
Use this command to add an authentication NT4 policy. The policy defines the conditions under which the specified NT4 server is to be used for authentication.
Arguments
name: The name for the new NT4 policy.
rule: The name of the rule, or expression, the policy is to use.
reqAction: The NT4 action the policy is to use.
Related Commands
rm authentication nt4policy
show authentication nt4policy
set authentication nt4policy
rm authentication nt4policy
Synopsis
rm authentication nt4policy <name>
Description
Use this command to remove an NT4 policy.
Arguments
name: The name of the NT4 policy to remove.
Related Commands
add authentication nt4policy
show authentication nt4policy
set authentication nt4policy
show authentication nt4policy
Synopsis
show authentication nt4policy [<name>]
Description
Use this command to display NT4 policies.
Arguments
name: The name of the NT4 policy to be displayed. If this option is not given, all the configured NT4 policies are shown.
Output
name
rule
reqAction
Related Commands
add authentication nt4policy
rm authentication nt4policy
set authentication nt4policy
set authentication nt4policy
Synopsis
set authentication nt4policy <name> [-rule <expression>] [-reqAction <string>]
Description
Use this command to change the properties of an NT4 policy.
Arguments
name: The name of the NT4 policy to be modified.
rule: The name of the new rule to be associated with the policy.
reqAction: The name of the NT4 action to be associated with the policy.
Related Commands
add authentication nt4policy
rm authentication nt4policy
show authentication nt4policy
Authorization Commands
This chapter covers the authorization commands.
add authorization policy
Synopsis
add authorization policy <name> <rule> <action>
Description
Use this command to add an authorization policy. Authorization policies are used to authorize access to resources for AAA users and AAA groups through the SSL VPN. By default, the SSL VPN is configured to allow access to all resources. Authorization policies can be used to alter this default action. (The default action can be modified for an SSL VPN session through a VPN session policy; see "add vpn sessionpolicy".) Access to some resources can selectively be altered to DENY by binding one or more authorization policies to the AAA user or AAA group. Once bound, an authorization policy acts on all incoming AAA user requests for resources. If the authorization policy's rule evaluates to TRUE, the associated action (ALLOW/DENY) is applied. If the rule evaluates to FALSE, the negation of the action is applied implicitly.
Multiple authorization policies may also be bound to AAA users and AAA groups with different priorities (see "bind aaa user/group"). If the policies have different priorities, they are sorted internally by priority in descending order. During evaluation of those policies the following principles are applied:
1. DENY has the highest priority and takes effect immediately.
2. ALLOW has the next highest priority. It waits for any other explicit DENY from an authorization policy of the same priority.
3. Implicit DENY has the third highest priority. It waits for both explicit ALLOW and explicit DENY of *any* priority.
4. Implicit ALLOW has the lowest priority. It waits for explicit ALLOW/DENY of any priority and implicit DENY of the same priority.
Arguments
name: The name for the new authorization policy.
rule: The rule or expression for conditional evaluation of the policy. This rule can be an expression specified by "add policy expression", or it may be an inline expression.
action: The action to be taken when the expression is satisfied. The allowed actions are ALLOW or DENY.
Example
Consider the following authorization policy, "author-policy":
add authorization policy author-policy "URL == /*.gif" DENY
bind aaa user foo -policy author-policy
If the user "foo" now logs in through the SSL VPN and makes any request other than for a "gif", the rule evaluates to FALSE and the negation of DENY, i.e. ALLOW, is applied, so access to all those resources is implicitly allowed. If "foo" tries to access "abc.gif", the access is denied.
Related Commands
rm authorization policy
show authorization policy
set authorization policy
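The evaluation principles listed for add authorization policy are easier to check against a concrete request. The following is an added example, not NetScaler code and not part of the original guide: it models one reading of the four principles, with the rule reduced to a shell-style URL pattern. The names Policy, outcome and authorize are hypothetical, and the assumption that the larger priority number is evaluated first (larger_first) is not spelled out by the text.

```python
"""Added example: one reading of the four evaluation principles above.

Not NetScaler code. Names are hypothetical; the rule is reduced to a
shell-style URL pattern, and the sort direction is an assumption.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from itertools import groupby


@dataclass(frozen=True)
class Policy:
    name: str
    url_pattern: str  # stand-in for the policy rule
    action: str       # "ALLOW" or "DENY"
    priority: int

    def __post_init__(self):
        if self.action not in ("ALLOW", "DENY"):
            raise ValueError(f"action must be ALLOW or DENY: {self.action!r}")


def outcome(policy: Policy, url: str):
    """Return (action, explicit) for one policy.

    Rule TRUE  -> the configured action, explicit.
    Rule FALSE -> the negation of the action, implicit.
    """
    if fnmatchcase(url, policy.url_pattern):
        return policy.action, True
    return ("ALLOW" if policy.action == "DENY" else "DENY"), False


def authorize(policies, url, larger_first=True, default="ALLOW"):
    """Return (decision, reason) for a request against the bound policies.

    With no policy bound, the default action applies (ALLOW, per the guide).
    """
    if not policies:
        return default, "default"
    ordered = sorted(policies, key=lambda p: p.priority, reverse=larger_first)
    implicit = None
    for _, group in groupby(ordered, key=lambda p: p.priority):
        results = [outcome(p, url) for p in group]
        explicit = {action for action, is_explicit in results if is_explicit}
        if "DENY" in explicit:
            # Principle 1: explicit DENY takes effect immediately.
            return "DENY", "explicit"
        if "ALLOW" in explicit:
            # Principle 2: explicit ALLOW only yields to an explicit DENY
            # of the same priority, which was ruled out just above.
            return "ALLOW", "explicit"
        if implicit is None:
            # Principles 3 and 4: implicit results wait for every explicit
            # result; implicit ALLOW also yields to an implicit DENY of the
            # same priority.
            implicit = "DENY" if ("DENY", False) in results else "ALLOW"
    return implicit, "implicit"


if __name__ == "__main__":
    # Constructed policies; the first mirrors the guide's "author-policy".
    gif = Policy("author-policy", "/*.gif", "DENY", 10)
    reports = Policy("reports-only", "/reports/*", "ALLOW", 10)
    for url in ("/abc.gif", "/index.html", "/reports/q1.html", "/reports/q1.gif"):
        print(url, authorize([gif], url), authorize([reports, gif], url))
```

The run shows the consequence that is easy to miss when binding policies: a lone DENY policy implicitly allows everything it does not match, while a lone ALLOW policy implicitly denies everything it does not match.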
rm authorization policy
Synopsis
rm authorization policy <name>
Description
Use this command to remove a configured authorization policy.
Arguments
name: The name of the authorization policy to be removed.
Related Commands
add authorization policy
show authorization policy
set authorization policy
show authorization policy
Synopsis
show authorization policy
Description
Use this command to display all the configured authorization policies.
Arguments
Output
name: The name of the policy.
rule: Rule of the policy.
action: Authorization action associated with the policy. It can be either ALLOW or DENY.
Related Commands
add authorization policy
rm authorization policy
set authorization policy
set authorization policy
Synopsis
set authorization policy <name> [-rule <expression>] [-action <string>]
Description
Use this command to modify the rule or action value of a configured authorization policy.
Arguments
name: The name of the authorization policy to be modified.
rule: The new rule to be associated with the authorization policy.
action: The new action to be associated with the authorization policy.
Related Commands
add authorization policy
rm authorization policy
show authorization policy
Base Commands
This chapter covers the base commands.
sync
Synopsis
sync [<Mode> ...]
Description
The sync command is used to synchronize SSL Certificates, SSL CRL lists, and SSL VPN bookmarks from the primary node to the secondary node in a high-availability pair. The node in primary state is always considered authoritative. Files are copied from primary to secondary, overwriting all differences, even when the command is invoked from a node in secondary state. The sync command supports three modes: all, bookmarks, and ssl. The following paths correspond to the synchronization mode:
Mode       Paths
all        /nsconfig/ssl/
           /var/vpn/bookmarks/
ssl        /nsconfig/ssl/
bookmarks  /var/vpn/bookmarks/
Arguments
Mode: Sync mode all, bookmark, or ssl.
Example
sync all
Related Commands
add server
Synopsis
add server <name>@ (<IPAddress>@ | <domain>) [-state ( ENABLED | DISABLED )]
Description
Use this command to add a physical server on the NetScaler system. This is a prerequisite for configuring Load Balancing, Cache Redirection, Content Switching, and SureConnect.
Arguments
name: Specifies the server's name. The server name can be up to 31 characters long.
IPAddress: Specifies the IP address of the server.
domain: The domain name of the server for which a service needs to be added. If IP Address has been specified, the domain name does not need to be specified.
state: The initial state of the service. Possible values: ENABLED, DISABLED. Default value: ENABLED
Related Commands
add service
disable server
enable server
rm server
show server
Command Reference Guide 6-3
disable server
Synopsis
disable server <serverName>@ [<delay>]
Description
This command disables all services (that have been configured in the NetScaler 9000 system) for the specified server. Services can be enabled with the enable service command.
Arguments
serverName
Specifies the name of the server (created with the add server command) for which services will be disabled.
delay
Specifies time in seconds after which all services in this server are brought down.
Example
disable server web_svr 30
Related Commands
add service
disable service
add server
enable server
rm server
show server
enable server
Synopsis
enable server <serverName>@
Description
Use this command to enable a server. When a server is enabled, all the services under this server are also enabled.
Note: A server when added to the NetScaler system is enabled by default. On disabling a server, all the services under this server are also disabled.
Arguments
serverName
Specifies the server name.
Related Commands
show service
enable service
add server
disable server
rm server
show server
rm server
Synopsis
rm server <name>@ ...
Description
Use this command to remove a server entry from the NetScaler system.
Arguments
name
Specifies the name of the server to be removed.
Example
rm server web_svr
Related Commands
rm service
add server
disable server
enable server
show server
show server
Synopsis
show server [<serverName>]
Description
Use this command to view the name and IP address of a particular physical server configured on the NetScaler system.
Arguments
serverName
The name of the server to be displayed. If serverName is specified, then all the services under that server will be displayed.
Output
IPAddress
state
domain
Example
show server web_svr
Related Commands
show service
add server
disable server
enable server
rm server
add service
Synopsis
add service <name>@ (<serverName>@ | <IP>@) <serviceType> <port> [-clearTextPort <port>] [-cacheType <cacheType>] [-state ( ENABLED | DISABLED )]
Description
Use this command to add a service to the NetScaler 9000 system. Each server can have multiple services. To add multiple services, use this command repeatedly.
Note: Each time a service is added, it must have a unique port number specified.
Arguments
name
The name of the service. This name must not exceed 31 characters.
serverName
Specifies the name of the server (created with the add server command) for which a service will be added.
IP
Specifies the IP address of the server for which a service will be added.
serviceType
Specifies the type of service that is being added. Supported protocols are:
HTTP - To load balance web servers and to provide connection multiplexing, latency improvement, and other content and TCP protection benefits for HTTP traffic.
FTP - To load balance FTP servers. In this mode, the NetScaler 9000 system provides TCP protection benefits, protection against SYN attacks, and surge protection.
TCP - To host any other TCP protocols that are not HTTP, FTP, NNTP, or SSL. In this mode, the NetScaler 9000 system provides TCP protection benefits, protection against SYN attack, and surge protection.
UDP - To load balance servers with UDP-based services (other than DNS).
SSL - To provide end to end encryption while providing SSL acceleration.
SSL_BRIDGE - To load balance SSL servers.
SSL_TCP - To offload SSL traffic for TCP applications.
NNTP - To load balance NNTP servers.
DNS - To load balance DNS servers.
ADNS - To create an authoritative DNS service.
ANY - To load balance a service type not listed above (for example, for IP traffic when load balancing firewalls).
Note: The NNTP service is for cache redirection.
Possible values: HTTP, FTP, TCP, UDP, SSL, SSL_BRIDGE, SSL_TCP, NNTP, RPCSVR, DNS, ADNS, SNMP, DHCPRA, ANY
port
Specifies the port number to be used for the service.
clearTextPort
Specifies the clear-text port number where the clear-text data is sent. Used with SSL offload service.
cacheType
Specifies the cache type option supported by the cache server. The options are: TRANSPARENT, REVERSE and FORWARD.
Possible values: TRANSPARENT, REVERSE, FORWARD
maxClient
Specifies the maximum number of open connections to the service.
maxReq
Specifies the maximum number of requests that can be sent on a persistent connection to the service.
cacheable
Specifies whether a virtual server (used in the NetScaler 9000 system's load balancing or content switching feature) routes a request to the virtual server (used in transparent cache redirection) on the same NetScaler 9000 system before sending it to the configured servers. The virtual server used for transparent cache redirection determines whether the request is sent to the cache servers or the configured servers.
Note: Do not specify this argument if -cacheType cacheType is specified. This argument is disabled by default.
Possible values: YES, NO
Default value: NO
cip
Enables or disables insertion of the Client IP header for the service.
Possible values: ENABLED, DISABLED
cipHeader
Specifies the client IP header. If client IP insertion is enabled and the client IP header is not specified then the value that has been set by the set ns config CLI command will be used as the Client IP header.
usip
Enables or disables the use of client's IP Address as the source IP Address while connecting to this server. By default, the NetScaler 9000 system uses a mapped IP address for its server connection; however, you can use this option, so that the client's IP address is used when the NetScaler 9000 system communicates with the server.
Possible values: YES, NO
sc
Specifies whether SureConnect is enabled on this service.
Note: This parameter is supported for legacy purposes only, it has no effect on this CLI command and the only valid value is OFF.
Possible values: ON, OFF
Default value: OFF
sp
Specifies whether surge protection needs to be enabled on this service.
Possible values: ON, OFF
Default value: OFF
cltTimeout
The idle time in seconds after which the client connection is terminated.
svrTimeout
The idle time in seconds after which the server connection is terminated.
serverid
A positive integer to identify the service. Used when the persistency type is set to Custom Server ID.
CKA
The state of the Client Keep-Alive feature for the service.
Possible values: YES, NO
TCPB
The state of the TCP Buffering feature for this service.
Possible values: YES, NO
CMP
The state of the HTTP Compression feature for this service.
Possible values: YES, NO
maxBandwidth
A positive integer that identifies the maximum bandwidth in kbps allowed for this service.
accessDown
Use this option to allow access to disabled or down services. If enabled, all packets to this service are bridged, else they are dropped.
Possible values: YES, NO
Default value: NO
monThreshold
Specifies the monitoring threshold.
Default value: 0
state
The state of the service after it is added.
Possible values: ENABLED, DISABLED
Default value: ENABLED
Example
add service http_svc 10.102.1.112 http 80
Related Commands
bind service
disable service
enable service
rm service
set service
show service
unbind service
stat service
bind service
Synopsis
bind service <serviceName>@ -policyName <string>
Description
Use this command to bind a policy to a service.
Notes:
1. This command does not support SureConnect policies.
2. This command only works for services that are not bound to virtual servers. If you attempt to bind a policy to a service that is already bound to a virtual server, the error message "Binding invalid policy" is displayed.
Arguments
serviceName
The name of the service to which the policy is to be bound.
policyName
The name of the DoS protection policy to be bound to the service. For DoS protection to work on a service, an appropriate policy needs to be bound to it.
Related Commands
add service
disable service
enable service
rm service
set service
show service
unbind service
stat service
disable service
Synopsis
disable service <serviceName>@ [<delay>]
Description
Use this command to disable a service.
Arguments
serviceName
The name of the service that needs to be disabled.
delay
The time in seconds for a graceful shutdown. During this period, new connections or requests are still sent to this service for clients who already have persistent sessions on the NetScaler system. Connections or requests from fresh or new clients who do not yet have a persistent session on the NetScaler system are not sent to this service. They are load balanced among other available services. After the delay time has passed, no new requests or connections are sent to this service.
Example
disable service http_svc 10
Related Commands
add service
bind service
enable service
rm service
set service
show service
unbind service
stat service
enable service
Synopsis
enable service <name>@
Description
Use this command to enable a service.
Arguments
name
The name of the service that needs to be enabled.
Example
enable service http_svc
Related Commands
enable vserver
add service
bind service
disable service
rm service
set service
show service
unbind service
stat service
rm service
Synopsis
rm service <name>@
Description
Use this command to remove a service from the NetScaler system.
Arguments
name
The name of the service that needs to be removed.
Example
rm service http_svc
Related Commands
add service
bind service
disable service
enable service
set service
show service
unbind service
stat service
set service
Synopsis
set service <name>@ [-maxClient <positive_integer>] [-maxReq <positive_integer>] [-cacheable ( YES | NO )] [-cip ( ENABLED | DISABLED ) [<cipHeader>]] [-usip ( YES | NO )] [-sc ( ON | OFF )] [-sp ( ON | OFF )] [-cltTimeout <secs>] [-svrTimeout <secs>] [-serverid <positive_integer>] [-CKA ( YES | NO )] [-TCPB ( YES | NO )] [-CMP ( YES | NO )] [-maxBandwidth <positive_integer>] [-accessDown ( YES | NO )] [-monThreshold <positive_integer>] [-weight <positive_integer> <monitorName>]
Description
Use this command to modify the attributes of an existing service.
Arguments
name
The name of the service whose attributes need to be changed.
maxClient
Specifies the maximum number of open connections to the service.
maxReq
Specifies the maximum number of requests that can be sent on a persistent connection to the service.
cacheable
Specifies whether a virtual server (used in the NetScaler 9000 system's load balancing or content switching feature) routes a request to the virtual server (used in transparent cache redirection) on the same NetScaler 9000 system before sending it to the configured servers. The virtual server used for transparent cache redirection determines whether the request is sent to the cache servers or the configured servers.
Note: Do not specify this argument if -cacheType cacheType is specified. This argument is disabled by default.
Possible values: YES, NO
Default value: NO
cip
Enables or disables insertion of the Client IP header for the service.
Possible values: ENABLED, DISABLED
usip
Enables or disables the use of client's IP Address as the source IP Address while connecting to this server. By default, the NetScaler 9000 system uses a mapped IP address for its server connection; however, you can use this option, so that the client's IP address is used when the NetScaler 9000 system communicates with the server.
Possible values: YES, NO
sc
Specifies whether SureConnect is to be enabled on this service.
Possible values: ON, OFF
sp
Specifies whether surge protection needs to be enabled on this service.
Possible values: ON, OFF
Default value: OFF
cltTimeout
The idle time in seconds after which the client connection is terminated.
svrTimeout
The idle time in seconds after which the server connection is terminated.
serverid
A positive integer to identify the service. Used when the persistency type is set to Custom Server ID.
CKA
The state of the Client Keep-Alive feature for the service.
Possible values: YES, NO
TCPB
The state of the TCP Buffering feature for this service.
Possible values: YES, NO
CMP
The state of the HTTP Compression feature for this service.
Possible values: YES, NO
maxBandwidth
A positive integer that identifies the maximum bandwidth in kbps allowed for this service.
accessDown
Use this option to allow access to disabled or down services. If enabled, all packets to this service are bridged, else they are dropped.
Possible values: YES, NO
Default value: NO
monThreshold
Specifies the monitoring threshold.
Default value: 0
weight
The weight for the specified monitor.
Example
set service http_svc -maxClient 100
Related Commands
add service
bind service
disable service
enable service
rm service
show service
unbind service
stat service
show service
Synopsis
show service [<serviceName> | -all]
Description
Use this command to display the services configured on the NetScaler system. This command either lists all services or displays complete information about a particular service.
Arguments
serviceName
The name of the service to be displayed.
all
Use this option to display both the configured and dynamically learned services. If you do not use this option, only the configured services are displayed.
Output
serverName
serviceType
port
value
clearTextPort
gslb
cacheType
maxClient
maxReq
cacheable
cip
cipHeader
usip
sc
Specifies whether SureConnect is enabled on this service or not.
sp
cltTimeout
svrTimeout
publicIP
publicPort
serverid
CKA
TCPB
CMP
maxBandwidth
accessDown
svrState
IPAddress
monitorName
monThreshold
monState
Example
An example of the output of the show service -all command is as follows:
4 configured services:
1) svc1 (10.124.99.12:80) - HTTP
   State: UP
   Max Conn: 0 Max Req: 0 Use Source IP: NO
   Client Keepalive(CKA): NO TCP Buffering(TCPB): NO HTTP Compression(CMP): NO
   Idle timeout: Client: 180 sec Server: 360 sec
   Client IP: DISABLED
2) svc_3 (10.100.100.3:53) - DNS
   State: UP
   Max Conn: 0 Max Req: 0 Use Source IP: NO
   Client Keepalive(CKA): NO TCP Buffering(TCPB): NO HTTP Compression(CMP): NO
   Idle timeout: Client: 180 sec Server: 360 sec
   Client IP: DISABLED
3) tsvc1 (77.45.32.45:80) - HTTP
   State: UP
   Max Conn: 0 Max Req: 0 Use Source IP: NO
   Client Keepalive(CKA): NO TCP Buffering(TCPB): NO HTTP Compression(CMP): NO
   Idle timeout: Client: 180 sec Server: 360 sec
   Client IP: DISABLED
4) foosvc (10.124.99.13:7979) - HTTP
   State: UP
   Max Conn: 0 Max Req: 0 Use Source IP: NO
   Client Keepalive(CKA): NO TCP Buffering(TCPB): NO HTTP Compression(CMP): NO
   Idle timeout: Client: 180 sec Server: 360 sec
   Client IP: DISABLED
Related Commands
add service
bind service
disable service
enable service
rm service
set service
unbind service
stat service
unbind service
Synopsis
unbind service <serviceName>@ -policyName <string>
Description
Use this command to unbind a policy from a service.
Arguments
serviceName
The name of the service.
policyName
Name of the policy to be unbound.
Related Commands
add service
bind service
disable service
enable service
rm service
set service
show service
stat service
stat service
Synopsis
stat service [<name>] [-detail] [-fullValues] [-ntimes <positive_integer>] [-logFile <input_filename>]
Description
Displays the stats of a service.
Arguments
name
Output
Counters
IP address (IP)
The IP address at which the service is running.
Port (port)
The port at which the service is running.
State
Current state.
Service type (Type)
The type of the service.
Current client connections (ClntConn)
The number of current client connections to the vserver.
Current server connections (SvrConn)
The number of current connections to the real servers behind the vserver.
Requests (Req)
The total number of requests.
Responses (Rsp)
Number of responses.
Request bytes (Reqb)
The total number of request bytes.
Response bytes (Rspb)
Number of response bytes.
Maximum server connections (MaxConn)
The maximum open connections allowed on this service.
Requests in surge queue (surgeQ)
The number of requests in the surge queue.
Connections in reuse pool (ReuseP)
The number of requests in the idle queue/reuse pool.
Average server TTFB (svrTTFB)
The average TTFB between the NetScaler and the server.
Related Commands
add service
bind service
disable service
enable service
rm service
set service
show service
unbind service
add monitor
Synopsis
add monitor <monitorName> <type>
Description
Use this command to add a monitor to the NetScaler 9000 system. This command exists in two parts. The first part of the command creates the monitor and the second enables the user to add response codes to the HTTP monitor type.
Arguments
monitorName
The name of the monitor to be added.
type
The type of monitor that is being added.
Possible values: PING, TCP, HTTP, TCP-ECV, HTTP-ECV, UDP-ECV, DNS, FTP, LDNS-PING, LDNS-TCP, LDNS-DNS, RADIUS, USER, HTTP-INLINE
action
Use this option to specify the action to be taken in INLINE monitors.
Possible values: NONE, LOG, DOWN
Default value: DOWN
respcode
The response codes. For the probe to succeed, the HTTP/RADIUS response from the server must be of one of the types specified.
httprequest
The HTTP request that is sent to the server (for example, "HEAD /file.html").
Default value: \007
send
The string that is sent to the service. Applicable to TCP-ECV, HTTP-ECV, and UDP-ECV monitor types.
Default value: \007
recv
The string that is expected from the server to mark the server as UP. Applicable to TCP-ECV, HTTP-ECV, and UDP-ECV monitor types.
query
The DNS query (domain name) sent to the DNS service that is being monitored.
Default value: \007
querytype
Specifies the type of DNS query that is sent.
Possible values: Address, Zone
userName
Username on the FTP/RADIUS server. This user name is used in the probe.
password
Password used in FTP/RADIUS server monitoring.
radKey
The RADIUS key.
radNASid
The NAS ID to be used in RADIUS monitoring.
radNASip
The NAS IP to be used in RADIUS monitoring.
LRTM
Enables or disables response time calculation of probes.
Possible values: ENABLED, DISABLED
scriptName
The path and name of the script to execute.
scriptArgs
The strings that are put in the POST data; they are copied to the request verbatim.
dispatcherIP
The IP Address of the dispatcher to which the probe is sent.
dispatcherPort
The port of the dispatcher to which the probe is sent.
interval
The frequency (in seconds) at which the probe is sent to a service. The interval should be greater than the response timeout.
Default value: 5
resptimeout
The interval for which the NetScaler system waits before it marks the probe as FAILED. The response timeout should be less than the value specified in -interval parameter. The UDP-ECV monitor type does not decide the probe failure by the response timeout. NetScaler 9000 system considers the probe successful for UDP-ECV monitor type, when the server response matches the criteria set by the -send and -recv options or if the response is not received from the server (unless the -reverse option is set to yes).
Note: The -send option specifies what data is to be sent to the server in the probe and -recv specifies the server response criteria for the probe to succeed. The probe failure is caused by the ICMP port unreachable error from the service.
Default value: 2
retries
The number of consecutive probe failures after which the NetScaler system marks the service as DOWN.
Default value: 3
downtime
The duration in seconds for which the NetScaler system waits to make the next probe once the service is marked as DOWN.
Default value: 30
destIP
The IP address to which the probe is sent. If the destination IP address is set to 0, the destination IP address is that of the server to which the monitor is bound.
destPort
The TCP/UDP port to which the probe is sent. If the destination port is set to 0, the destination port is of the service to which the monitor is bound. For a USER monitor, however, this will be the port sent in the HTTP request to the dispatcher. This option is ignored if the monitor is of the PING type.
state
The state of the monitor. The valid states are ENABLED and DISABLED. If the monitor is disabled, this monitor-type probe is not sent for all services. If the monitor is bound, the state of this monitor is not taken into account when the state of the service is determined.
Possible values: ENABLED, DISABLED
Default value: ENABLED
reverse
Use this option to specify whether the probe's criterion is checked for success directly or in reverse.
Possible values: YES, NO
Default value: NO
transparent
Specifies whether the monitor is enabled for transparent devices, such as firewalls, based on the responsiveness of the services behind them. If the monitoring of transparent devices is enabled, the destination IP address should be specified. The probe is sent to the specified destination IP address using the MAC address of the transparent device.
Possible values: YES, NO
Default value: NO
secure
Use this option to enable the secure monitoring of services. SSL handshake will be done on the TCP connection established. Applicable only for TCP based monitors.
Possible values: YES, NO
Default value: NO
Example
add monitor http_mon http
Related Commands
enable monitor
disable monitor
rm monitor
set monitor
show monitor
bind monitor
Synopsis
bind monitor <monitorName> (<serviceName>@ [-state ( ENABLED | DISABLED )] [-weight <positive_integer>])
Description
Use this command to bind a monitor to a service. Multiple monitors can be bound to the service. The server's state is determined by the state of all the bound monitors using the AND condition. All monitors' probes have to succeed for the service to be in the UP state.
Arguments
monitorName
The name of the monitor to be bound.
serviceName
The name of the service to which the monitor is to be bound.
Example
bind monitor http_mon http_svc
Related Commands
unbind monitor
enable monitor
Synopsis
enable monitor <serviceName>@ [<monitorName>]
Description
Use this command to enable the monitor that is bound to a specific service. If no monitor name is specified, all monitors bound to the service are enabled.
Arguments
serviceName
The name of the service to which the monitor is bound.
monitorName
The name of the monitor that is to be enabled.
Example
enable monitor http_svc http_mon
Related Commands
add service
add monitor
disable monitor
rm monitor
set monitor
show monitor
disable monitor
Synopsis
disable monitor <serviceName>@ [<monitorName>]
Description
Use this command to disable the monitor for a service. If the monitor name is not specified, all monitors bound to the service are disabled.
Arguments
serviceName
The name of the service being monitored.
monitorName
The name of the monitor to be disabled.
Example
disable monitor http_svc http_mon
Related Commands
add service
add monitor
enable monitor
rm monitor
set monitor
show monitor
rm monitor
Synopsis
rm monitor <monitorName> <type> [-respcode <int[-int]> ...]
Description
Use this command to remove either a specified monitor or response code for the HTTP monitor. While the response codes for a specified monitor are removed, the monitor itself is not removed. Built-in monitors cannot be removed.
Arguments
monitorName
The name of the monitor to be removed.
type
The type of monitor being removed.
Possible values: PING, TCP, HTTP, TCP-ECV, HTTP-ECV, UDP-ECV, DNS, FTP, LDNS-PING, LDNS-TCP, LDNS-DNS, RADIUS, USER, HTTP-INLINE
respcode
The response codes to be deleted from the response codes list of the HTTP monitor.
Example
rm monitor http_mon http
Related Commands
add monitor
enable monitor
disable monitor
set monitor
show monitor
set monitor
Synopsis
set monitor <monitorName> <type> [-action <action>] [-respcode <int[-int]> ...] [-httprequest <string>] [-send <string>] [-recv <string>] [-query <string>] [-querytype ( Address | Zone )] [-userName <string>] [-password <string>] [-radKey <string>] [-radNASid <string>] [-radNASip <ip_addr>] [-LRTM ( ENABLED | DISABLED )] [-scriptName <string>] [-scriptArgs <string>] [-dispatcherIP <ip_addr>] [-dispatcherPort <port>] [-interval <integer>] [-resptimeout <integer>] [-retries <integer>] [-downtime <integer>] [-destIP <ip_addr>] [-destPort <port>] [-state ( ENABLED | DISABLED )] [-reverse ( YES | NO )] [-transparent ( YES | NO )] [-secure ( YES | NO )]
Description
Use this command to modify the parameters of a specific monitor.
Arguments
monitorName
The name of the monitor that is being set.
type
Specifies the type of monitor that is being modified.
Possible values: PING, TCP, HTTP, TCP-ECV, HTTP-ECV, UDP-ECV, DNS, FTP, LDNS-PING, LDNS-TCP, LDNS-DNS, RADIUS, USER, HTTP-INLINE
action
Use this option to specify the action to be taken in INLINE monitors.
Possible values: NONE, LOG, DOWN
Default value: DOWN
respcode
Sets (substitutes existing) response codes. The HTTP response from the server must be of one of the types specified for the probe to succeed.
httprequest
Specifies HTTP request string, sent to the server. For example "HEAD /file.html".
send
Applicable to TCP-ECV, HTTP-ECV and UDP-ECV monitor types only. This parameter specifies the string that is sent to the service.
recv
Applicable to TCP-ECV, HTTP-ECV and UDP-ECV monitor types only. This parameter specifies the response string that is expected from the service.
query
Specifies the DNS query (domain name) sent to the DNS service that is being monitored.
querytype
Specifies whether the address or zone type of DNS query is sent.
Possible values: Address, Zone
userName
Specifies username on the FTP/RADIUS server. This user name is used in the probe.
password
Specifies the password used to probe FTP/RADIUS server.
radKey
The RADIUS key.
radNASid
The NAS ID to be used in RADIUS monitoring.
radNASip
The NAS IP to be used in RADIUS monitoring.
LRTM
Enables or disables response time calculation of probes.
Possible values: ENABLED, DISABLED
scriptName
The path and name of the script to execute.
scriptArgs
The strings that are put in the POST data; they are copied to the request verbatim.
dispatcherIP
The IP Address of the dispatcher to which the probe is sent.
dispatcherPort
The port of the dispatcher to which the probe is sent.
interval
Specifies how often (in seconds) the probe is sent to a service. The interval should be greater than the response timeout.
resptimeout
Specifies how long the NetScaler 9000 system waits before it considers the probe has failed. The exception is UDP-ECV monitor type. In this case, the NetScaler 9000 system considers the probe successful if the response comes and matches the criteria or if response does not come. A failed probe is one that initiates an ICMP port unreachable error from the service. The response timeout should be less than the value specified in the -interval parameter.
retries
Specifies the number of consecutive probes to be sent before the NetScaler 9000 system considers the service to be down.
downtime
Specifies the time period for which the NetScaler 9000 system waits to send a probe after the service state is marked DOWN.
destIP
Specifies the destination IP address to which the probe is sent. You can either specify an IP address or select * to select any IP address.
Note: If the destination IP address is set to 0, the destination IP address is that of the server to which the monitor is bound.
destPort
Specifies the TCP/UDP port to which the probe is sent. You can either specify a specific port number or select * to select any port number.
Notes:
1. If the destination port is set to 0, the destination port is of the service to which the monitor is bound.
2. This option is ignored if the monitor is of the PING type.
state
Specifies whether the monitor is enabled or disabled. If the monitor is disabled, this monitor-type probe is not sent for all services. If the monitor is bound, the NetScaler 9000 system does not consider the state of this monitor to determine the service state.
Possible values: ENABLED, DISABLED
reverse
Specifies whether the probe's criterion is checked for success directly or in reverse.
Possible values: YES, NO
transparent
Specifies whether the monitor is enabled for transparent devices, such as firewalls, based on the responsiveness of the services behind them. If the monitoring of transparent devices is enabled, the destination IP address (destip) should be specified. The probe is sent to the specified destination IP address using the MAC address of the transparent device.
Possible values: YES, NO
secure
Enables the secure monitoring of services. SSL handshake will be done on the TCP connection established. Applicable only for TCP based monitors.
Possible values: YES, NO
Example
set monitor http_mon http -respcode 100
Related Commands
add monitor
enable monitor
disable monitor
rm monitor
show monitor
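The parameter rules stated under add monitor and set monitor (response timeout below interval, -send and -recv only for the ECV types, -destPort ignored for PING, a destination IP for transparent monitoring) can be checked mechanically before a configuration is applied. The following Python check is an added example, not part of the Citrix guide; the finding codes, the sample monitor names and the treatment of an unset destIP as 0 are assumptions.

```python
import shlex

# Defaults documented under "add monitor": interval 5, resptimeout 2.
# Assumption: an unset destIP behaves like 0 (the bound server's address).
DEFAULTS = {"interval": 5, "resptimeout": 2, "transparent": "NO", "destip": None}
ECV_TYPES = {"TCP-ECV", "HTTP-ECV", "UDP-ECV"}


def parse_monitor_line(line):
    """Parse 'add|set monitor <monitorName> <type> [-flag value ...]'.

    Returns (name, type, flags) or None for any other command.
    A flag keeps every value up to the next '-flag' token, so
    '-respcode 200 301-302' yields ['200', '301-302'].
    """
    tokens = shlex.split(line)
    if len(tokens) < 4 or tokens[0] not in ("add", "set") or tokens[1] != "monitor":
        return None
    name, mtype, flags, current = tokens[2], tokens[3].upper(), {}, None
    for tok in tokens[4:]:
        if tok.startswith("-") and len(tok) > 1 and not tok[1].isdigit():
            current = tok[1:].lower()
            flags[current] = []
        elif current is None:
            raise ValueError(f"value {tok!r} without a flag in: {line}")
        else:
            flags[current].append(tok)
    return name, mtype, flags


def audit(config_text):
    """Return [(line_no, monitor, finding_code), ...] for a whole config."""
    monitors, findings = {}, []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        parsed = parse_monitor_line(line)
        if parsed is None:
            continue
        name, mtype, flags = parsed
        # set monitor changes only what it names; everything else is inherited.
        state = monitors.setdefault(name, dict(DEFAULTS))
        for key in ("interval", "resptimeout"):
            if flags.get(key):
                state[key] = int(flags[key][0])
        for key in ("transparent", "destip"):
            if flags.get(key):
                state[key] = flags[key][0].upper()

        # The response timeout must stay below the interval, counting
        # values inherited from defaults or from earlier lines.
        if ("interval" in flags or "resptimeout" in flags) \
                and state["resptimeout"] >= state["interval"]:
            findings.append((line_no, name, "RESPTIMEOUT_NOT_BELOW_INTERVAL"))
        # -send / -recv apply only to TCP-ECV, HTTP-ECV and UDP-ECV.
        for key in ("send", "recv"):
            if key in flags and mtype not in ECV_TYPES:
                findings.append((line_no, name, f"{key.upper()}_ON_NON_ECV_TYPE"))
        # -destPort is ignored when the monitor is of the PING type.
        if "destport" in flags and mtype == "PING":
            findings.append((line_no, name, "DESTPORT_IGNORED_FOR_PING"))
        # Transparent monitoring needs an explicit destination IP.
        if ("transparent" in flags or "destip" in flags) \
                and state["transparent"] == "YES" and state["destip"] in (None, "0"):
            findings.append((line_no, name, "TRANSPARENT_WITHOUT_DESTIP"))
    return findings


# Constructed sample configuration (not taken from the guide).
SAMPLE = """\
add monitor web_mon HTTP
set monitor web_mon HTTP -resptimeout 6
set monitor web_mon HTTP -interval 10
add monitor fw_mon PING
set monitor fw_mon PING -transparent YES -destPort 80
set monitor fw_mon PING -destIP 10.1.1.1
set monitor app_mon TCP -send "hello" -recv "ok" -httprequest "HEAD /file.html"
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```

Line 2 of the sample is flagged even though it never mentions -interval, because the timeout of 6 is compared with the inherited default interval of 5; line 3 raises the interval and clears the condition.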
show monitor
Synopsis
show monitor [<monitorName>]
Description
Use this command to display the parameters for the specified monitor. If the monitor_name argument is not specified, a list of all existing monitors is displayed.
Arguments
monitorName
The name of the monitor for which parameters are to be shown.
Output
monitorName
type
interval
resptimeout
retries
downtime
destIP
destPort
state
reverse
transparent
secure
action
respcode
httprequest
send
recv
query
querytype
userName
password
radKey
radNASid
radNASip
LRTM
lrtm_conf
scriptName
scriptArgs
dispatcherIP
dispatcherPort
Example
An example of the show monitor command output is as follows:
8 configured monitors:
1) Name.......: ping Type......: PING State....ENABLED
2) Name.......: tcp Type......: TCP State....ENABLED
3) Name.......: http Type......: HTTP State....ENABLED
4) Name.......: tcp-ecv Type......: TCP-ECV State....ENABLED
5) Name.......: http-ecv Type......: HTTP-ECV State....ENABLED
6) Name.......: udp-ecv Type......: UDP-ECV State....ENABLED
7) Name.......: dns Type......: DNS State....ENABLED
8) Name.......: ftp Type......: FTP State....ENABLED
Related Commands
add monitor
enable monitor
disable monitor
rm monitor
set monitor
unbind monitor
Synopsis
unbind monitor <monitorName> <serviceName>@
Description
Use this command to unbind a specified monitor from the service.
Arguments
monitorName
The name of the monitor to be unbound.
serviceName
The service name (added with the add service command) from which the monitor is to be unbound.
Example
unbind monitor http_mon http_svc
Related Commands
bind monitor
add vlan
add vlan
Synopsisadd vlan <id>
DescriptionThis command creates a VLAN. Each VLAN is identified by a VID (integer from 1-4094). The VLAN created is empty (without members). This VLAN is not active until interfaces are bound to it. VLAN 1 is created by default and cannot be added or deleted.
Arguments
idSpecifies the VID. The value ranges from 2 to 4094.
Related Commandsbind vlanrm vlanshow vlanstat vlanunbind vlan
bind vlan
Synopsis
bind vlan <id> [-ifnum <interface_name> ... [-tagged]] [-IPAddress <ip_addr> <netmask>]
Description
This command binds an interface or an IP address to a VLAN. An interface can be bound to a VLAN as a tagged or an untagged interface. Adding an interface as an untagged member (default) deletes it from its current native VLAN and adds it to the new VLAN. If an interface is added as a tagged member to a VLAN, it still remains a member of its native VLAN.
Arguments
id
Specifies the virtual LAN ID.
ifnum
Specifies the interface name represented in the <slot/port> notation. For example, 1/1. Use the show interface CLI command to view the NetScaler 9000 system interfaces.
IPAddress
This argument gives an IP address that is to be assigned to the VLAN. An entry for this subnet is to be added in the routing table prior to the issue of this command. Overlapping subnets are not allowed. Each VLAN can have only a single IP address assigned to it. The VLAN specified by id should already have been created by the add command. The IP address specified can be used as the default gateway among the hosts in the subnet to allow for IP forwarding between VLANs. In a high availability configuration, this IP address is shared by the NetScaler 9000 systems and is active in the master.
CAUTION: DO NOT specify an IP address for VLAN 1.
Related Commands
add vlan, rm vlan, show vlan, stat vlan, unbind vlan
rm vlan
Synopsis
rm vlan <id>
Description
Removes the VLAN created by the add vlan command. Once the VLAN is removed, its interfaces become members of VLAN 1.
Arguments
id
Specifies the VID. Enter a number from 2 to 4094.
Related Commands
add vlan, bind vlan, show vlan, stat vlan, unbind vlan
show vlan
Synopsis
show vlan [<id>]
show vlan stats - alias for 'stat vlan'
Description
This command displays the configured VLANs. If id is specified, then only that particular VLAN information is displayed. If it is not specified, all configured VLANs are displayed.
Arguments
id
Specifies the VID (VLAN identification number). Enter an integer from 1 to 4094.
Output
id
IPAddress
netmask
rnat
portbitmap
tagbitmap
ifaces
tagIfaces
Example
An example of the output of the show vlan command is as follows:
3 configured VLANs:
1) VLAN ID: 1
   Member Interfaces : 0/1 1/1 1/4 Tagged: None
2) VLAN ID: 2 IP: 10.250.0.254 Mask: 255.255.0.0 ReverseNAT: YES
   Member Interfaces : 1/2 Tagged: None
3) VLAN ID: 3 IP: 10.251.0.254 Mask: 255.255.0.0 ReverseNAT: YES
   Member Interfaces : 1/3 Tagged: None
Related Commands
add vlan, bind vlan, rm vlan, stat vlan, unbind vlan
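Added example (not part of the Citrix guide): Python that parses show vlan output in the format of the example above and checks it against statements made in the add vlan and bind vlan entries: VLAN 1 must not be given an IP address, VLAN subnets must not overlap, and a VLAN without bound interfaces is not active. The function names, the finding labels and the second sample are assumptions made for this example.

```python
import ipaddress
import re
from dataclasses import dataclass
from itertools import combinations
from typing import List, Optional

# Copied from the show vlan example on this page.
PAGE_SAMPLE = """\
3 configured VLANs:
1) VLAN ID: 1
   Member Interfaces : 0/1 1/1 1/4 Tagged: None
2) VLAN ID: 2 IP: 10.250.0.254 Mask: 255.255.0.0 ReverseNAT: YES
   Member Interfaces : 1/2 Tagged: None
3) VLAN ID: 3 IP: 10.251.0.254 Mask: 255.255.0.0 ReverseNAT: YES
   Member Interfaces : 1/3 Tagged: None
"""

# Constructed to trip every check. Printing "None" for an empty member list
# is an assumption modelled on the "Tagged: None" field above.
CONSTRUCTED_SAMPLE = """\
3 configured VLANs:
1) VLAN ID: 1 IP: 192.168.1.1 Mask: 255.255.255.0 ReverseNAT: YES
   Member Interfaces : 0/1 Tagged: None
2) VLAN ID: 2 IP: 10.250.0.254 Mask: 255.255.0.0 ReverseNAT: YES
   Member Interfaces : 1/2 Tagged: None
3) VLAN ID: 4 IP: 10.250.8.1 Mask: 255.255.255.0 ReverseNAT: YES
   Member Interfaces : None Tagged: None
"""


@dataclass
class Vlan:
    vid: int
    iface: Optional[ipaddress.IPv4Interface]  # VLAN IP and mask, if assigned
    members: List[str]                        # untagged member interfaces
    tagged: List[str]                         # tagged member interfaces


# One entry runs from "VLAN ID:" to the next numbered entry, so the parser
# works whether the output is wrapped per field or flattened onto one line.
_ENTRY = re.compile(r"VLAN ID:\s*(\d+)(.*?)(?=\d+\)\s*VLAN ID:|\Z)", re.S)
_ADDR = re.compile(r"IP:\s*(\S+)\s+Mask:\s*(\S+)")
_PORTS = re.compile(r"Member Interfaces\s*:\s*(.*?)\s*Tagged:\s*(.*)", re.S)


def _ports(text: str) -> List[str]:
    """Split an interface list, treating the literal 'None' as empty."""
    return [p for p in text.split() if p.lower() != "none"]


def parse_show_vlan(output: str) -> List[Vlan]:
    vlans = []
    for m in _ENTRY.finditer(output):
        body = m.group(2)
        addr, ports = _ADDR.search(body), _PORTS.search(body)
        vlans.append(Vlan(
            vid=int(m.group(1)),
            iface=(ipaddress.ip_interface(f"{addr.group(1)}/{addr.group(2)}")
                   if addr else None),
            members=_ports(ports.group(1)) if ports else [],
            tagged=_ports(ports.group(2)) if ports else [],
        ))
    return vlans


def audit_vlans(vlans: List[Vlan]) -> list:
    findings = []
    for v in vlans:
        # bind vlan: "DO NOT specify an IP address for VLAN 1."
        if v.vid == 1 and v.iface is not None:
            findings.append(("vlan1-has-ip", 1, str(v.iface)))
        # Unbound interfaces fall back to VLAN 1, so list what is left there.
        if v.vid == 1 and v.members:
            findings.append(("default-vlan-members", 1, tuple(v.members)))
        # add vlan: a VLAN is not active until interfaces are bound to it.
        if v.vid != 1 and not (v.members or v.tagged):
            findings.append(("no-members", v.vid))
    # bind vlan: "Overlapping subnets are not allowed."
    addressed = [v for v in vlans if v.iface is not None]
    for a, b in combinations(addressed, 2):
        if a.iface.network.overlaps(b.iface.network):
            findings.append(("overlapping-subnets", a.vid, b.vid))
    return findings


if __name__ == "__main__":
    for sample in (PAGE_SAMPLE, CONSTRUCTED_SAMPLE):
        for finding in audit_vlans(parse_show_vlan(sample)):
            print(finding)
```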
stat vlan
Synopsis
stat vlan [<id>] [-detail] [-fullValues] [-ntimes <positive_integer>] [-logFile <input_filename>]
Description
Shows statistics for one or all VLANs.
Arguments
id
Specifies the VID (VLAN identification number). Enter an integer from 1 to 4094.
Output
Counters
Packets received (RxPkts)
Number of packets received on the VLAN.
Bytes received (RxBytes)
Number of bytes received on the VLAN.
Packets sent (TxPkts)
Number of packets transmitted on the VLAN.
Bytes sent (TxBytes)
Number of bytes transmitted on the VLAN.
Packets dropped (DropPkts)
Number of packets dropped on the VLAN.
Broadcast pkts sent & received (BcastPkt)
Number of Broadcast packets sent and received by the VLAN.
Example
stat vlan 1
Related Commands
add vlan, bind vlan, rm vlan, show vlan, unbind vlan
unbind vlan
Synopsis
unbind vlan <id> [-ifnum <interface_name> ... [-tagged]] [-IPAddress]
Description
This command unbinds the specified interface from the VLAN. If the interface was an untagged member of this VLAN, it is added to the default VLAN (VLAN 1).
Arguments
id
Specifies the virtual LAN (VLAN) id.
ifnum
Specifies the interface number represented in the <slot/port> notation. For example, 1/1. Use the show interface CLI command to view the NetScaler 9000 system interfaces.
IPAddress
Clears the IP address of the VLAN.
Related Commands
add vlan, bind vlan, rm vlan, show vlan, stat vlan
clear interface
Synopsis
clear interface <id>
Description
This command clears the statistics of the specified interface. It does not reset the interface.
Note: Resetting the interface will not clear the statistics.
Arguments
id
Specifies the number of the interface to be cleared.
Related Commands
disable interface, enable interface, reset interface, set interface, show interface, stat interface
disable interface
Synopsis
disable interface <id>
Description
This command disables the interface specified by the ifnum argument. Interface monitoring for high availability mode is also disabled. The NetScaler 9000 system does not receive or transmit any packets on this interface, and the LCD indicator does not show "link down" alerts for this disabled interface.
Note: To see the status of an interface, use the show interface command.
Arguments
id
The number of the interface to be disabled.
Related Commands
clear interface, enable interface, reset interface, set interface, show interface, stat interface
enable interface
Synopsis
enable interface <id>
Description
All interfaces are enabled by default. If the interface is disabled, use this command to enable it. As soon as the interface is enabled, the high availability monitoring for this interface will also be activated using the set interface -hamonitor on command.
Arguments
id
Specifies the interface name that needs to be enabled.
Related Commands
clear interface, disable interface, reset interface, set interface, show interface, stat interface
reset interface
Synopsis
reset interface <id>
Description
This command forces a reset of the specified interface. The interface saves the configured settings of duplex, speed, and so on. The interface breaks the connection and then tries to reestablish the link using the current settings. If Ethernet autonegotiation is enabled for this interface, then the resulting link state depends on the counterpart Ethernet port settings.
Arguments
id
Specifies the number of the interface to be reset.
Related Commands
clear interface, disable interface, enable interface, set interface, show interface, stat interface
set interface
Synopsis
set interface <id> [-speed <speed>] [-duplex <duplex>] [-flowcontrol <flowcontrol>] [-autoneg ( DISABLED | ENABLED )] [-hamonitor ( ON | OFF )] [-trunk ( ON | OFF )]
Description
This command sets attributes for the NetScaler 9000 system interface specified by the ifnum variable.
Arguments
id
Specifies the number of the interface.
speed
Specifies the Ethernet speed for the interface specified by ifnum. The default setting is AUTO. This means that the NetScaler 9000 system will attempt to auto-negotiate or auto-sense the line speed on this interface when this interface is brought up. The other Ethernet speed settings that you can enter are 10, 100, or 1000 Mbps. Setting a speed other than AUTO on an interface requires the device at the other end of the link to be configured identically. Mismatching speed and/or duplex configurations on two ends will lead to link errors, packet losses, and so on. It must be avoided. Some interfaces do not support certain speeds. If you try to set a speed on an interface that does not support it, it is reported as an error.
Possible values: AUTO, 10, 100, 1000
duplex
Specifies the duplex mode for the interface. The default setting is AUTO. This means that the NetScaler 9000 system will attempt to auto-negotiate the duplex mode on this interface when this interface is brought up. Other duplex modes you can specify are half and full duplex. NetScaler 9000 system recommends that the speed remain as AUTO. If you need to force the duplex mode, then set both the duplex mode and speed manually and identically on both sides of the link.
Possible values: AUTO, HALF, FULL
flowcontrol
Specifies the required 802.3x flow control for the NetScaler 9000 system interface. You can specify OFF (the default), RX, TX, RXTX and ON (which means "forced RXTX"). For Fast Ethernet interfaces, only OFF is available. The 802.3x specification does not define the flow control for speeds 10 and 100 MB, but Gigabit Ethernet interfaces still support it for all three possible speeds. The real flow control status depends on the auto-negotiation results. Option ON still uses auto-negotiation to give the peer the opportunity to negotiate the flow control, but then forces two-way flow control for this interface. As with any other link parameter mismatch, this can sometimes cause problems and should be avoided and checked thoroughly.
Possible values: OFF, RX, TX, RXTX
autoneg
This option controls the auto negotiation feature for this interface (default is ENABLED).
Possible values: DISABLED, ENABLED
hamonitor
This option is used for a high availability configuration to specify which interfaces to monitor for failing events. By default, this is set to ON for all interfaces. When ON, in a HA configuration the failover occurs when an interface fails. If an interface is not being used, or if failover is not required, select the value as OFF. Also, if an interface is not used in the current configuration, then it is advisable to completely disable it using the disable interface command.
Possible values: ON, OFF
trunk
This option is used to select whether trunk mode is ON for this interface. By default, this is set to OFF for all interfaces. When ON, the traffic will be tagged for all vlans bound to this interface. If one wants 802.1q behaviour with backward compatibility, use the OFF setting for this variable.
Possible values: ON, OFF
Default value: OFF
Related Commands
clear interface, disable interface, enable interface, reset interface, show interface, stat interface
show interface
Synopsis
show interface [<id>]
show interface stats - alias for 'stat interface'
Description
This command shows the interface settings configured in the NetScaler 9000 system for the specified interface number. If ifnum is not specified, the settings are shown for all interfaces (in a brief format).
Arguments
id
Specifies the number of the interface.
Output
deviceName
unit
description
flags
mtu
vlan
mac
uptime
downtime
reqMedia
reqSpeed
reqDuplex
reqFlowcontrol
media
speed
duplex
flowcontrol
media
conndistr
macdistr
Mode
hamonitor
state
autoneg
autonegResult
tagged
trunk
taggedany
taggedautolearn
hangdetect
hangreset
rxpackets
rxbytes
rxerrors
rxdrops
txpackets
txbytes
txerrors
txdrops
inDisc
outDisc
fctls
hangs
Example
The output for the show interface command is as follows:
5 interfaces:
1) Interface 0/1 (NIC 0/bx0) Broadcom BCM5701A10 1000Base-T
   flags=0x2c081 <ENABLE, UP, autoneg on, HAMONITOR ON, 802.1q support>
   mtu=1514, native vlan=1, eaddr=00:30:48:31:22:f6, uptime 2h24m03s
   Requested: media AUTO, speed AUTO, duplex AUTO, fctl RXTX
   Actual: media UTP, speed 1000, duplex FULL, fctl RXTX
2) Interface 1/1 (NIC 1/bx1) 3Com 3C996BT Gigabit Server NIC
   flags=0x2c081 <ENABLE, UP, autoneg on, HAMONITOR ON, 802.1q support>
   mtu=1514, native vlan=1, eaddr=00:04:76:ef:03:33, uptime 2h24m03s
   Requested: media AUTO, speed AUTO, duplex AUTO, fctl RXTX
   Actual: media UTP, speed 1000, duplex FULL, fctl RXTX
3) Interface 1/3 (NIC 2/bx2) 3Com 3C996BT Gigabit Server NIC
   flags=0x2c081 <ENABLE, UP, autoneg on, HAMONITOR ON, 802.1q support>
   mtu=1514, native vlan=3, eaddr=00:04:76:eb:d4:46, uptime 2h24m03s
   Requested: media AUTO, speed AUTO, duplex AUTO, fctl RXTX
   Actual: media UTP, speed 1000, duplex FULL, fctl RXTX
4) Interface 1/2 (NIC 3/bx3) 3Com 3C996BT Gigabit Server NIC
   flags=0x2c081 <ENABLE, UP, autoneg on, HAMONITOR ON, 802.1q support>
   mtu=1514, native vlan=2, eaddr=00:04:76:ef:03:32, uptime 2h24m03s
   Requested: media AUTO, speed AUTO, duplex AUTO, fctl RXTX
   Actual: media UTP, speed 1000, duplex FULL, fctl RXTX
5) Interface 1/4 (NIC 4/bx4) 3Com 3C996BT Gigabit Server NIC
   flags=0x24000 <disable, down, autoneg on, 802.1q support>
   mtu=1514, native vlan=1, eaddr=00:04:76:eb:cd:d0, uptime 2h24m03s
   Requested: media AUTO, speed AUTO, duplex AUTO, fctl RXTX
   Actual: media AUTO, speed AUTO, duplex AUTO, fctl RXTX
The output for the show interface 1/1 command is as follows:
Interface 1/1 (NIC 1/bx1) 3Com 3C996BT Gigabit Server NIC
   flags=0x2c081 <ENABLE, UP, autoneg on, HAMONITOR ON, 802.1q support>
   mtu=1514, native vlan=1, eaddr=00:04:76:ef:03:33, uptime 2h24m33s
   Requested: media AUTO, speed AUTO, duplex AUTO, fctl RXTX
   Actual: media UTP, speed 1000, duplex FULL, fctl RXTX
   RX: Pkts(16010) Bytes(1386354) Errs(3) Drops(5261)
   TX: Pkts(17132) Bytes(2344334) Errs(0) Drops(0)
   NIC: InDisc(0) OutDisc(0) Fctls(0) Hangs(0)
Related Commands
clear interface, disable interface, enable interface, reset interface, set interface, stat interface
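Added example (not part of the Citrix guide): Python that parses show interface output and flags the conditions the set interface entry describes: an enabled interface without link that still has HA monitoring on, forced speed or duplex settings that the peer must match, and receive errors. The function names and finding labels are assumptions, and entries 1/5 and 1/6 in the sample are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Entries 1/1 and 1/4 are copied from the show interface example on this page.
# Entries 1/5 and 1/6 are constructed: the "<ENABLE, down, ...>" spelling for
# an enabled interface without link and the flags=0x0 value are assumptions.
SAMPLE = """\
1) Interface 1/1 (NIC 1/bx1) 3Com 3C996BT Gigabit Server NIC
   flags=0x2c081 <ENABLE, UP, autoneg on, HAMONITOR ON, 802.1q support>
   mtu=1514, native vlan=1, eaddr=00:04:76:ef:03:33, uptime 2h24m33s
   Requested: media AUTO, speed AUTO, duplex AUTO, fctl RXTX
   Actual: media UTP, speed 1000, duplex FULL, fctl RXTX
   RX: Pkts(16010) Bytes(1386354) Errs(3) Drops(5261)
   TX: Pkts(17132) Bytes(2344334) Errs(0) Drops(0)
   NIC: InDisc(0) OutDisc(0) Fctls(0) Hangs(0)
2) Interface 1/4 (NIC 4/bx4) 3Com 3C996BT Gigabit Server NIC
   flags=0x24000 <disable, down, autoneg on, 802.1q support>
   mtu=1514, native vlan=1, eaddr=00:04:76:eb:cd:d0, uptime 2h24m03s
   Requested: media AUTO, speed AUTO, duplex AUTO, fctl RXTX
   Actual: media AUTO, speed AUTO, duplex AUTO, fctl RXTX
3) Interface 1/5 (NIC 5/bx5) constructed entry
   flags=0x0 <ENABLE, down, autoneg on, HAMONITOR ON, 802.1q support>
   mtu=1514, native vlan=1, eaddr=00:00:5e:00:53:05, uptime 0h00m00s
   Requested: media AUTO, speed AUTO, duplex AUTO, fctl RXTX
   Actual: media AUTO, speed AUTO, duplex AUTO, fctl RXTX
4) Interface 1/6 (NIC 6/bx6) constructed entry
   flags=0x0 <ENABLE, UP, autoneg on, HAMONITOR ON, 802.1q support>
   mtu=1514, native vlan=2, eaddr=00:00:5e:00:53:06, uptime 1h00m00s
   Requested: media AUTO, speed 100, duplex FULL, fctl RXTX
   Actual: media UTP, speed 100, duplex FULL, fctl RXTX
"""


@dataclass
class Iface:
    name: str
    flags: Set[str]              # tokens from the <...> list, case preserved
    native_vlan: int
    requested: Dict[str, str]    # the "Requested:" settings
    actual: Dict[str, str]       # the "Actual:" settings
    rx_errs: Optional[int]       # only present in the single-interface view


# An entry runs from "Interface <id> (" up to the next entry, so wrapped and
# flattened output parse the same way.
_ENTRY = re.compile(
    r"Interface (\S+) \([^)]*\)(.*?)(?=(?:\d+\)\s*)?Interface \S+ \(|\Z)", re.S)
_FLAGS = re.compile(r"flags=\S+\s*<([^>]*)>")
_VLAN = re.compile(r"native\s+vlan=(\d+)")
_LINK = re.compile(r"Requested:(.*?)Actual:(.*?)(?=RX:|\Z)", re.S)
_RX_ERRS = re.compile(r"RX: Pkts\(\d+\) Bytes\(\d+\) Errs\((\d+)\)")


def _settings(text: str) -> Dict[str, str]:
    """Turn 'media AUTO, speed AUTO, ...' into a dict."""
    return dict(re.findall(r"(\w+) (\w+)", text))


def parse_show_interface(output: str) -> List[Iface]:
    ifaces = []
    for m in _ENTRY.finditer(output):
        body = m.group(2)
        link, rx = _LINK.search(body), _RX_ERRS.search(body)
        ifaces.append(Iface(
            name=m.group(1),
            flags={f.strip() for f in _FLAGS.search(body).group(1).split(",")},
            native_vlan=int(_VLAN.search(body).group(1)),
            requested=_settings(link.group(1)),
            actual=_settings(link.group(2)),
            rx_errs=int(rx.group(1)) if rx else None,
        ))
    return ifaces


def audit_interfaces(ifaces: List[Iface]) -> List[Tuple[str, str]]:
    findings = []
    for i in ifaces:
        enabled, up = "ENABLE" in i.flags, "UP" in i.flags
        if enabled and not up:
            # Unused interfaces should be disabled (disable interface).
            findings.append((i.name, "enabled-no-link"))
            if "HAMONITOR ON" in i.flags:
                # With hamonitor ON an interface failure causes HA failover.
                findings.append((i.name, "hamonitor-on-without-link"))
        forced = [k for k in ("speed", "duplex")
                  if i.requested.get(k, "AUTO") != "AUTO"]
        if forced:
            # Forced settings require an identically configured peer.
            findings.append((i.name, "forced-" + "+".join(forced)))
        if i.rx_errs:
            findings.append((i.name, "rx-errors"))
    return findings


if __name__ == "__main__":
    for finding in audit_interfaces(parse_show_interface(SAMPLE)):
        print(finding)
```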
stat interface
Synopsis
stat interface [<id>] [-detail] [-fullValues] [-ntimes <positive_integer>] [-logFile <input_filename>]
Description
Displays the statistics of an interface.
Arguments
id
Specifies the number of the interface.
Output
Counters
Bytes received (bRx)
Number of bytes received by this interface
Packets received (PktRx)
Number of packets received by this interface
Bytes transmitted (bTx)
Number of bytes transmitted by this interface
Packets transmitted (PktTx)
Number of packets transmitted by this interface
Multicast packets (McastPkt)
Number of multicast packets received by this interface
Netscaler packets (NSPkt)
Number of Netscaler packets received by this interface
Error packets received (ErRx)
Number of erroneous packets received by this interface
Error packets transmitted (ErTx)
Number of erroneous packets transmitted by this interface
Megabits received (MbRx)
Number of Megabits received by this interface
Megabits transmitted (MbTx)
Number of Megabits transmitted by this interface
Link uptime (UpTime)
Current link uptime
Link downtime (DnTime)
Current link downtime
Received packets dropped (DrpRxPkt)
Number of received packets dropped by this interface
Packets dropped in Tx (DrpTxPkt)
Number of packets dropped in transmission by this interface
Packets queued in Tx (TxQlen)
Number of packets queued in transmission
NIC hangs (Hangs)
Number of NIC hangs
Duplex mismatches (DupMism)
Number of duplex mismatches registered
Buffer errors (BufErr)
Number of buffer errors
High-priority packets queued (HpTxQlen)
Number of high-priority packets queued for transmit
Low-priority packets queued (LpTxQlen)
Number of low-priority packets queued for transmit
CRC errors (CRCErr)
Number of CRC errors
Inbound packets discarded (InDisc)
Number of inbound error-free packets discarded
Outbound packets discarded (OutDisc)
Number of outbound error-free packets discarded
Link re-initializations (LnkReint)
Number of link re-initializations
Output non-unicast packets (ONonUPkt)
Number of output non-unicast packets
Collisions in Tx (ErrTxCol)
Number of collisions in transmission
Excess collisions in Tx (ErrExCol)
Number of excess collisions in transmission
Late collisions in Tx (ErrLtCol)
Number of late collisions in transmission
Carrier errors (ErrCarr)
Number of carrier errors
Related Commands
clear interface, disable interface, enable interface, reset interface, set interface, show interface
show channel
Synopsis
show channel [<id>]
Description
This command shows the Link Aggregate channel settings configured in the NetScaler 9000 system for the specified channel. If channel is not specified, the settings are shown for all channels in a brief format.
Arguments
id
LA channel name (in form LA/*)
Output
deviceName
unit
description
flags
mtu
vlan
mac
uptime
reqMedia
reqSpeed
reqDuplex
reqFlowcontrol
media
speed
duplex
flowcontrol
media
conndistr
macdistr
Mode
hamonitor
state
autoneg
autonegResult
tagged
trunk
taggedany
taggedautolearn
hangdetect
hangreset
rxpackets
rxbytes
rxerrors
rxdrops
txpackets
txbytes
txerrors
txdrops
inDisc
outDisc
fctls
hangs
Related Commands
add channel, set channel, bind channel, unbind channel, rm channel
add channel
Synopsis
add channel <id> [-ifnum <interface_name> ...]
Description
This command adds the specified Link Aggregate channel into the NetScaler 9000 system.
Arguments
id
LA channel name (in form LA/*)
ifnum
Specifies interfaces to be bound to the Link Aggregate channel.
state
Sets the initial state for the LA channel.
Possible values: ENABLED, DISABLED
Default value: ENABLED
Mode
Sets the initial mode for the LA channel.
Possible values: MANUAL, AUTO, DESIRED
conndistr
Enables/disables 'connection' distribution mode for the LA channel.
Possible values: DISABLED, ENABLED
macdistr
Sets the specified 'MAC' distribution mode for the LA channel.
Possible values: SOURCE, DESTINATION, BOTH
speed
Sets the required speed for the LA channel.
Possible values: AUTO, 10, 100, 1000
flowcontrol
Sets the required flow control for the LA channel.
Possible values: OFF, RX, TX, RXTX
hamonitor
Enables/disables HA-monitoring for the LA channel.
Possible values: ON, OFF
trunk
This option is used to select whether the port is a trunk or not. By default, this is set to OFF for all interfaces. When ON, the port membership in all vlans will be tagged. If one wants 802.1q behaviour with native vlan, use the OFF setting for this variable.
Possible values: ON, OFF
Default value: OFF
Related Commands
show channel, set channel, bind channel, unbind channel, rm channel
set channel
Synopsis
set channel <id> [-state ( ENABLED | DISABLED )] [-Mode <Mode>] [-conndistr ( DISABLED | ENABLED )] [-macdistr <macdistr>] [-speed <speed>] [-flowcontrol <flowcontrol>] [-hamonitor ( ON | OFF )] [-trunk ( ON | OFF )]
Description
This command sets the configuration of the specified Link Aggregate channel.
Arguments
id
LA channel name (in form LA/*)
state
Enables/disables packet processing for the LA channel.
Possible values: ENABLED, DISABLED
Mode
Sets the mode for the LA channel.
Possible values: MANUAL, AUTO, DESIRED
conndistr
Enables/disables 'connection' distribution mode for the LA channel.
Possible values: DISABLED, ENABLED
macdistr
Sets the specified 'MAC' distribution mode for the LA channel.
Possible values: SOURCE, DESTINATION, BOTH
speed
Sets the required speed for the LA channel.
Possible values: AUTO, 10, 100, 1000
flowcontrol
Sets the required flow control for the LA channel.
Possible values: OFF, RX, TX, RXTX
hamonitor
Enables/disables HA-monitoring for the LA channel.
Possible values: ON, OFF
trunk
This option is used to select whether this port is a trunk port or not. By default, this is set to OFF for all interfaces. When ON, all the vlans will be tagged. If one wants 802.1q with native vlan behaviour, use the OFF setting for this variable.
Possible values: ON, OFF
Default value: OFF
Related Commands
show channel, add channel, bind channel, unbind channel, rm channel
bind channel
Synopsis
bind channel <id> <ifnum> ...
Description
This command binds specified interfaces to the Link Aggregate channel.
Arguments
id
LA channel name (in form LA/*)
ifnum
Interfaces to be bound to the LA channel.
Related Commands
show channel, add channel, set channel, unbind channel, rm channel
unbind channel
Synopsis
unbind channel <id> <ifnum> ...
Description
This command unbinds specified interfaces from the Link Aggregate channel.
Arguments
id
LA channel name (in form LA/*)
ifnum
Interfaces to be unbound from the LA channel.
Related Commands
show channel, add channel, set channel, bind channel, rm channel
rm channel
Synopsis
rm channel <id>
Description
This command removes the specified Link Aggregate channel from the NetScaler 9000 system.
Arguments
id
LA channel name (in form LA/*)
Related Commands
show channel, add channel, set channel, bind channel, unbind channel
add location
Synopsis
add location <ipfrom> <ipto> <preferredlocation>
Description
This command is used for configuring Custom Location entries.
Arguments
ipfrom
Specifies the start of the IP address range in dotted notation.
ipto
Specifies the end of the IP address range in dotted notation.
preferredlocation
Specifies the qualifiers in dotted notation for the IP address range mentioned.
Example
Add location 192.168.100.1 192.168.100.100 *.us.ca.san jose
Related Commands
show location, rm location
show location
Synopsis
show location [-IPAddress <ip_addr>]
Description
This command displays custom location entries configured in the Netscaler System.
Arguments
IPAddress
When specified, displays qualifier information for that IP address. If not specified, all the custom entries will be displayed.
Output
ipfrom
ipto
preferredlocation
q1label
q2label
q3label
q4label
q5label
q6label
Example
show location
Related Commands
add location, rm location
rm location
Synopsis
rm location <ipfrom> <ipto>
Description
This command removes a custom location entry configured in the Netscaler System.
Arguments
ipfrom
Specifies the start of the IP address range in dotted notation.
ipto
Specifies the end of the IP address range in dotted notation.
Example
rm location 192.168.100.1 192.168.100.100
Related Commands
add location, show location
set locationparameter
Synopsis
set locationparameter [-context ( geographic | custom )] [-q1label <string>] [-q2label <string>] [-q3label <string>] [-q4label <string>] [-q5label <string>] [-q6label <string>]
Description
This command specifies the location parameters used for static proximity based load balancing.
Arguments
context
Specifies in which context the static proximity decision has to be made.
Possible values: geographic, custom
q1label
Specifies the label for the 1st qualifier. These qualifier labels characterize the locations. These locations are mapped with the IP addresses which are used for making static proximity decisions.
q2label
Specifies the label for the 2nd qualifier. These qualifier labels characterize the locations. These locations are mapped with the IP addresses which are used for making static proximity decisions.
q3label
Specifies the label for the 3rd qualifier. These qualifier labels characterize the locations. These locations are mapped with the IP addresses which are used for making static proximity decisions.
q4label
Specifies the label for the 4th qualifier. These qualifier labels characterize the locations. These locations are mapped with the IP addresses which are used for making static proximity decisions.
q5label
Specifies the label for the 5th qualifier. These qualifier labels characterize the locations. These locations are mapped with the IP addresses which are used for making static proximity decisions.
q6label
Specifies the label for the 6th qualifier. These qualifier labels characterize the locations. These locations are mapped with the IP addresses which are used for making static proximity decisions.
Example
set locationparameter -context custom
Related Commands
show locationparameter
show locationparameter
Synopsis
show locationparameter
Description
This command displays the information about context and qualifier labels which are used for static proximity based load balancing.
Output
context
q1label
q2label
q3label
q4label
q5label
q6label
locationfile
format
custom
static
flags
status
Example
show locationparameter
Related Commands
set locationparameter
add locationfile
Synopsis
add locationfile <locationfile> [-format <format>]
Description
This command loads the static database into the NetScaler System.
Arguments
locationfile
Specifies the name of the location file. The name of the file has to be given with the full path. If the full path is not given, then the default path /var/nsmap/ will be considered as the path. In high availability mode, both the systems should have the static database stored in the same location.
format
Specifies the format of the location file. This optional argument is used to advise the NetScaler system on how to understand the file.
Possible values: netscaler, ip-country, ip-country-isp, ip-country-region-city, ip-country-region-city-isp, geoip-country, geoip-region, geoip-city, geoip-country-org, geoip-country-isp, geoip-city-isp-org
Default value: netscaler
Example
add locationfile /var/nsmap/locationdb -format netscaler
Related Commands
show locationfile, rm locationfile
show locationfile
Synopsis
show locationfile
Description
Displays the locationfile loaded in the Netscaler System.
Arguments
Output
locationfile
format
Example
show locationfile
Related Commands
add locationfile, rm locationfile
rm locationfile
Synopsis
rm locationfile
Description
This command removes the location file loaded into the NetScaler system.
Example
rm locationfile
Related Commands
add locationfile, show locationfile
clear locationdata
Synopsis
clear locationdata
Description
This command clears all the location information, including the custom entries as well as the static database entries.
Output
Example
clear locationdata
Related Commands
install
Synopsis
install <url>
Description
The install command is used to install a version of Netscaler software on the system. The command takes a single argument consisting of a valid URL for the HTTP, HTTPS, FTP, and SFTP protocols. Local files may be specified using the file:// URL variation.
http://[user]:[password]@host/path/to/file
https://[user]:[password]@host/path/to/file
sftp://[user]:[password]@host/path/to/file
scp://[user]:[password]@host/path/to/file
ftp://[user]:[password]@host/path/to/file
file:///path/to/file
Arguments
url
http://[user]:[password]@host/path/to/file
https://[user]:[password]@host/path/to/file
sftp://[user]:[password]@host/path/to/file
scp://[user]:[password]@host/path/to/file
ftp://[user]:[password]@host/path/to/file
file:///path/to/file
Example
install http://host.netscaler.com/ns-6.0-41.2.tgz
Related Commands
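Added example (not part of the Citrix guide): because the install URL forms carry the user name and password inside the command itself, any saved CLI history or change ticket that records an install command also records the credential. The Python below scans a list of command lines, masks the password before the line is stored or shared, and reports which of the listed schemes (http, ftp) send the credential and the image unencrypted. The history lines, hosts and credentials are constructed, and the function names and finding labels are assumptions.

```python
from typing import List, Tuple
from urllib.parse import urlsplit

# URL schemes listed for the install command on this page.
INSTALL_SCHEMES = {"http", "https", "sftp", "scp", "ftp", "file"}
# Listed schemes that carry the password and the image without encryption.
CLEARTEXT_SCHEMES = {"http", "ftp"}

# Constructed command history. Hosts (other than the page's example host),
# users and passwords are made up; the image name is the page's example.
HISTORY = [
    "show vlan",
    "install http://host.netscaler.com/ns-6.0-41.2.tgz",
    "install ftp://admin:Winter05@192.0.2.10/ns-6.0-41.2.tgz",
    "install sftp://build:s3cr3t@192.0.2.10:2222/images/ns-6.0-41.2.tgz",
    "install https://192.0.2.10/ns-6.0-41.2.tgz",
    "install file:///var/tmp/ns-6.0-41.2.tgz",
    "install tftp://192.0.2.10/ns-6.0-41.2.tgz",
]


def check_install_url(url: str) -> Tuple[str, List[str]]:
    """Return (url with the password masked, findings) for one install URL."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    findings = []
    if scheme not in INSTALL_SCHEMES:
        findings.append("scheme-not-listed")
    if scheme in CLEARTEXT_SCHEMES:
        findings.append("cleartext-transport")
    redacted = url
    if parts.password is not None:
        findings.append("password-in-url")
        # netloc is "user:password@host[:port]"; keep user and host only.
        userinfo, _, hostport = parts.netloc.rpartition("@")
        user = userinfo.partition(":")[0]
        redacted = url.replace(parts.netloc, f"{user}:***@{hostport}", 1)
    return redacted, findings


def scan_history(lines: List[str]) -> List[Tuple[int, str, List[str]]]:
    """Return (line number, redacted command, findings) per install command."""
    results = []
    for number, line in enumerate(lines, 1):
        words = line.split()
        if len(words) == 2 and words[0].lower() == "install":
            redacted, findings = check_install_url(words[1])
            results.append((number, "install " + redacted, findings))
    return results


if __name__ == "__main__":
    for number, command, findings in scan_history(HISTORY):
        print(number, command, ", ".join(findings) or "ok")
```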
Integrated Caching Commands
This chapter covers the Integrated Caching commands.
add cache policy
Synopsis
add cache policy <policyName> -rule <expression> -action <action>
Description
Use this command to create Integrated Cache policies. The newly created policy is in inactive state. Use the 'bind cache global' CLI command to activate the policy. The type of the policy is a function of whether it is a request or a response policy and the type of the specified action.
CACHE or MAY_CACHE action : positive cachability policy
NOCACHE or MAY_NOCACHE action : negative cachability policy
INVAL action : Dynamic Invalidation Policy
The order in which the policies are configured is significant. The significance is explained in the NetScaler 9000 System Installation and Configuration Guide.
Arguments
policyName
The name of the new Integrated Cache policy.
rule
The request/response rule that will trigger the given action. Both request and response rules cannot be specified for the same policy. The MAY_CACHE, MAY_NOCACHE and INVAL actions can only be specified with a request rule. A rule is specified using a single expression or a logical combination of expressions, called compound expression. Expressions can be combined using && and || operators. Refer to the add expression CLI command for information on creating expressions.
Note: If a compound expression contains blanks (for example, between an expression name and a logical operator), then the entire argument must be enclosed in double quotes.
The following are examples of valid expressions:
ns_ext_cgi||ns_ext_asp
"ns_non_get && (ns_header_cookie||ns_header_pragma)"
action
The integrated cache action that has to be applied when the content that matches the rules is seen. The following actions can be used: CACHE, NOCACHE, MAY_CACHE, MAY_NOCACHE, INVAL
Possible values: CACHE, NOCACHE, MAY_CACHE, MAY_NOCACHE, INVAL
storeInGroup
The Content group to store the object when action directive is CACHE
invalGroups
The Content group(s) to be invalidated when action directive is INVAL
invalObjects
The Content group(s) in which the objects are to be invalidated when action directive is INVAL
Related Commands
rm cache policy, show cache policy
rm cache policy
Synopsis
rm cache policy <policyName>
Description
Use this command to remove the specified Integrated Cache policy.
Arguments
policyName
The name of the cache policy that needs to be removed.
Related Commands
add cache policy, show cache policy
show cache policy
Synopsis
show cache policy [<policyName>]
Description
Use this command to display all configured cache policies. It can also be used to display a single cache policy, by specifying the name of the policy. The following information is displayed for each cache policy:
Name: Name of the policy
Status: Active or Passive
Request/Response rule: The rule used for selecting the content group
Action: The integrated cache action that has to be applied when content matching the rules is received.
Hits: The number of times content matching the request/response rule was received by the cache.
When all the Integrated Cache policies are displayed, the display order within each group is the same as the evaluation ordering of policies. There are three groups: request policies, response policies and dynamic invalidation policies.
Arguments
policyName
The name of the cache policy that has to be displayed. This parameter is optional.
Output
name
rule
action
storeInGroup
invalGroups
invalObjects
priority
hits
flags
precedeDefRules
Related Commands
add cache policy, rm cache policy
bind cache global
Synopsis
bind cache global <policy> -priority <positive_integer> [-precedeDefRules ( YES | NO )]
Description
Use this command to activate a policy defined using the 'add cache policy' CLI command.
Arguments
policy
The name of the Integrated Cache policy to be bound.
Related Commands
unbind cache global, show cache global
unbind cache global
Synopsis
unbind cache global <policy>
Description
Use this command to inactivate the policy.
Arguments
policy
The name of the Integrated Cache policy to unbind
Related Commands
bind cache global, show cache global
show cache global
Synopsis
show cache global
Description
Use this command to display all the active policies.
Output
policyName
rule
action
storeInGroup
invalGroups
invalObjects
priority
hits
flags
precedeDefRules
Related Commands
bind cache global
unbind cache global
add cache contentgroup
Synopsis
add cache contentgroup <name> [-prefetchMaxPending <positive_integer>] [-alwaysEvalPolicies ( YES | NO )] [-pinned ( YES | NO )]
Description
Use this command to create a new content group
Arguments
name
The name of the content group to be created
weakPosRelExpiry
Use this parameter for responses with response codes between 200 and 299. Similar to -relExpiry but has lesser precedence.
Default value: 3600
heurExpiryParam
The heuristic expiry time in percentage of the duration since the object was last modified
Default value: 10
relExpiry
The relative expiry time in seconds
relExpiryMilliSec
The relative expiry time in milliseconds
absExpiry
Up to 4 times in a day (local time) when all the objects in the content group must expire.
absExpiryGMT
Up to 4 times in a day (GMT) when all the objects in the content group must expire.
weakNegRelExpiry
Use this parameter for all negative responses. This value is used only if the expiry time could not be figured out from any other source.
Default value: 600
hitParams
Use these parameters for parameterized hit evaluation of an object. Up to 128 parameters can be configured.
invalParams
Use these parameters for parameterized invalidation of an object. Up to 8 parameters can be configured.
ignoreParamValueCase
Use this parameter to specify whether to ignore case while comparing parameter values during parameterized hit evaluation. Parameter value case is always ignored during parameterized invalidation.
Possible values: YES, NO
Default value: NO
matchCookies
Use this parameter to specify whether to look for parameters in the Cookie header also
Possible values: YES, NO
Default value: NO
invalRestrictedToHost
Use this parameter to specify whether Host header should be taken into account during parameterized invalidation.
Possible values: YES, NO
Default value: NO
pollEveryTime
Use this parameter to specify whether to poll every time for the objects in this content group
Possible values: YES, NO
Default value: NO
ignoreReloadReq
Use this parameter to specify whether a request can force the system to reload a cached object from the origin. To guard against any Denial of Service attacks you should set this flag to YES. To get RFC compliant behavior you should set it to NO.
Possible values: YES, NO
Default value: YES
removeCookies
Use this parameter to specify whether to remove cookies from response
Possible values: YES, NO
Default value: YES
prefetch
Use this parameter to specify whether Integrated Cache should attempt to refresh an object just when it is about to go stale.
Possible values: YES, NO
Default value: YES
prefetchPeriod
The duration in seconds just before the calculated expiry time of the object during which prefetch should be attempted
prefetchPeriodMilliSec
The duration in milliseconds just before the calculated expiry time of the object during which prefetch should be attempted
prefetchMaxPending
The maximum number of outstanding prefetches on the contentgroup
Default value: 0xFFFFFFFE
flashCache
Use this parameter to specify whether Integrated Cache should do flash cache
Possible values: YES, NO
Default value: NO
expireAtLastByte
Use this parameter to specify whether Integrated Cache should expire the content immediately after receiving the last body byte
Possible values: YES, NO
Default value: NO
insertVia
Use this parameter to specify whether Integrated Cache should insert Via header
Possible values: YES, NO
Default value: YES
insertAge
Use this parameter to specify whether Integrated Cache should insert Age header
Possible values: YES, NO
Default value: YES
insertETag
Use this parameter to specify whether Integrated Cache should insert ETag header
Possible values: YES, NO
Default value: YES
cacheControl
Use this parameter to specify the Cache-Control header to be inserted
quickAbortSize
If client aborts when the downloaded response size is less than or equal to quick-abort-size then Integrated Cache will stop downloading the response
Default value: 4194303
minResSize
The minimum size of the response.
Default value: 0
maxResSize
The maximum size of the response
Default value: 80
memLimit
The memory limit in MB for the content group. The limit is not exact; at times a group's memory utilization can overshoot the limit, only to stabilize later.
Default value: 4095
ignoreReqCachingHdrs
Use this parameter to specify whether to ignore the Cache-control and Pragma headers in the incoming request.
Possible values: YES, NO
Default value: YES
minHits
Specify the minimum number of accesses for an object to be stored in Cache.
Default value: 0
alwaysEvalPolicies
Forces policy evaluation for each response arriving from origin.
Possible values: YES, NO
Default value: NO
pinned
Setting pinned to YES prevents IC from flushing objects from this contentgroup under memory pressure.
Possible values: YES, NO
Default value: NO
Related Commands
rm cache contentgroup
set cache contentgroup
show cache contentgroup
expire cache contentgroup
flush cache contentgroup
rm cache contentgroup
Synopsis
rm cache contentgroup <name>
Description
Use this command to remove the specified content group.
Arguments
name
The name of the content group to be removed.
Related Commands
add cache contentgroup
set cache contentgroup
show cache contentgroup
expire cache contentgroup
flush cache contentgroup
set cache contentgroup
Synopsis
set cache contentgroup <name> [-weakPosRelExpiry <secs> | -relExpiry <secs> | -relExpiryMilliSec <msecs> | -absExpiry <HH:MM> ... | -absExpiryGMT <HH:MM> ...] [-heurExpiryParam <positive_integer>] [-weakNegRelExpiry <secs>] [-hitParams <string> ...] [-invalParams <string> ...] [-ignoreParamValueCase ( YES | NO )] [-matchCookies ( YES | NO )] [-invalRestrictedToHost ( YES | NO )] [-pollEveryTime ( YES | NO )] [-ignoreReloadReq ( YES | NO )] [-removeCookies ( YES | NO )] [-prefetch ( YES | NO )] [-prefetchPeriod <secs> | -prefetchPeriodMilliSec <msecs>] [-prefetchMaxPending <positive_integer>] [-flashCache ( YES | NO )] [-expireAtLastByte ( YES | NO )] [-insertVia ( YES | NO )] [-insertAge ( YES | NO )] [-insertETag ( YES | NO )] [-cacheControl <string>] [-quickAbortSize <KBytes>] [-minResSize <KBytes>] [-maxResSize <KBytes>] [-memLimit <MBytes>] [-ignoreReqCachingHdrs ( YES | NO )] [-minHits <integer>] [-alwaysEvalPolicies ( YES | NO )] [-pinned ( YES | NO )]
Description
Use this command to modify attributes of the content group
Arguments
name
The name of the content group whose attributes are to be changed
weakPosRelExpiry
Use this parameter for responses with response codes between 200 and 299. Similar to -relExpiry but has lesser precedence.
heurExpiryParam
The heuristic expiry time in percentage of the duration since the object was last modified
relExpiry
The relative expiry time in seconds
relExpiryMilliSec
The relative expiry time in milliseconds
absExpiry
Up to 4 times in a day (local time) when all the objects in the content group must expire.
absExpiryGMT
Up to 4 times in a day (GMT) when all the objects in the content group must expire.
weakNegRelExpiry
Use this parameter for all negative responses. This value is used only if the expiry time could not be figured out from any other source.
hitParams
Use these parameters for parameterized hit evaluation of an object. Up to 128 parameters can be configured.
invalParams
Use these parameters for parameterized invalidation of an object. Up to 8 parameters can be configured.
ignoreParamValueCase
Use this parameter to specify whether to ignore case while comparing parameter values during parameterized hit evaluation. Parameter value case is always ignored during parameterized invalidation.
Possible values: YES, NO
matchCookies
Use this parameter to specify whether to look for parameters in the Cookie header also
Possible values: YES, NO
invalRestrictedToHost
Use this parameter to specify whether Host header should be taken into account during parameterized invalidation.
Possible values: YES, NO
pollEveryTime
Use this parameter to specify whether to poll every time for the objects in this content group
Possible values: YES, NO
ignoreReloadReq
Use this parameter to specify whether a request can force the system to reload a cached object from the origin. To guard against any Denial of Service attacks you should set this flag to YES. To get RFC compliant behavior you should set it to NO.
Possible values: YES, NO
removeCookies
Use this parameter to specify whether to remove cookies from response
Possible values: YES, NO
prefetch
Use this parameter to specify whether Integrated Cache should attempt to refresh an object just when it is about to go stale.
Possible values: YES, NO
prefetchPeriod
Use this parameter to specify the duration in seconds just before the calculated expiry time of the object during which prefetch should be attempted
prefetchPeriodMilliSec
Use this parameter to specify the duration in milliseconds just before the calculated expiry time of the object during which prefetch should be attempted
prefetchMaxPending
The maximum number of outstanding prefetches on the contentgroup
flashCache
Use this parameter to specify whether Integrated Cache should do flash cache
Possible values: YES, NO
expireAtLastByte
Use this parameter to specify whether Integrated Cache should expire the content immediately after receiving the last body byte
Possible values: YES, NO
insertVia
Use this parameter to specify whether Integrated Cache should insert Via header
Possible values: YES, NO
insertAge
Use this parameter to specify whether Integrated Cache should insert Age header
Possible values: YES, NO
insertETag
Use this parameter to specify whether Integrated Cache should insert ETag header
Possible values: YES, NO
cacheControl
Use this parameter to specify the Cache-Control header to be inserted
quickAbortSize
If client aborts when the downloaded response size is less than or equal to quick-abort-size then Integrated Cache will stop downloading the response
minResSize
The minimum size of the response.
maxResSize
The maximum size of the response
memLimit
The memory limit in MB for the content group. The limit is not exact; at times a group's memory utilization can overshoot the limit, only to stabilize later.
ignoreReqCachingHdrs
Use this parameter to specify whether to ignore the Cache-control and Pragma headers in the incoming request.
Possible values: YES, NO
minHits
Specify the minimum number of accesses for an object to be stored in Cache.
alwaysEvalPolicies
Forces policy evaluation for each response arriving from origin.
Possible values: YES, NO
pinned
Setting pinned to YES prevents IC from flushing objects from this contentgroup under memory pressure.
Possible values: YES, NO
Related Commands
add cache contentgroup
rm cache contentgroup
show cache contentgroup
expire cache contentgroup
flush cache contentgroup
show cache contentgroup
Synopsis
show cache contentgroup [<name>]
Description
Use this command to display all the content groups. It can also be used to display a single content group, by specifying the name of the content group.
Arguments
name
The name of the content group that has to be displayed. This parameter is optional.
Output
name
flags
relExpiry
relExpiryMilliSec
absExpiry
absExpiryGMT
heurExpiryParam
weakPosRelExpiry
weakNegRelExpiry
hitParams
invalParams
ignoreParamValueCase
matchCookies
invalRestrictedToHost
pollEveryTime
ignoreReloadReq
removeCookies
prefetch
prefetchPeriod
prefetchPeriodMilliSec
prefetchCur
prefetchMaxPending
flashCache
expireAtLastByte
insertVia
insertAge
insertETag
cacheControl
quickAbortSize
minResSize
maxResSize
memUsage
memLimit
ignoreReqCachingHdrs
cacheNon304Hits
cache304Hits
cacheCells
cacheGroupIncarnation
minHits
alwaysEvalPolicies
pinned
Related Commands
add cache contentgroup
rm cache contentgroup
set cache contentgroup
expire cache contentgroup
flush cache contentgroup
expire cache contentgroup
Synopsis
expire cache contentgroup <name>
Description
Use this command to expire the objects in the specified content group.
Arguments
name
The name of the content group in which the objects are to be expired.
Related Commands
add cache contentgroup
rm cache contentgroup
set cache contentgroup
show cache contentgroup
flush cache contentgroup
flush cache contentgroup
Synopsis
flush cache contentgroup <name> [-query <string>] [-host <string>]
Description
Use this command to flush the objects in the specified content group.
Arguments
name
The name of the content group in which the objects are to be flushed.
query
If query string is specified then selected objects in this group will be flushed using parameterized invalidation. Otherwise all the objects in this group will be flushed.
host
To be set only if parameterized invalidation is being done. Objects belonging only to the specified host will be flushed. The host argument can be provided if and only if -invalRestrictedToHost is set to YES for given group.
Related Commands
add cache contentgroup
rm cache contentgroup
set cache contentgroup
show cache contentgroup
expire cache contentgroup
show cache forwardProxy
Synopsis
show cache forwardProxy
Description
Use this command to display all forward proxies known to Integrated cache
Output
numCacheFwpxy
Number of forward proxies
IPAddress
Forward proxy IP
port
Forward proxy port
Related Commands
add cache forwardProxy
rm cache forwardProxy
add cache forwardProxy
Synopsis
add cache forwardProxy <IPAddress> <port>
Description
Use this command to add a forward proxy known to Integrated cache
Arguments
IPAddress
The IP address of the forward proxy.
port
The port of the forward proxy.
Related Commands
show cache forwardProxy
rm cache forwardProxy
rm cache forwardProxy
Synopsis
rm cache forwardProxy <IPAddress> <port>
Description
Use this command to remove a forward proxy known to Integrated cache
Arguments
IPAddress
The IP address of the forward proxy.
port
The port of the forward proxy.
Related Commands
show cache forwardProxy
add cache forwardProxy
show cache object
Synopsis
show cache object -url <URL> -host <string> [-port <port>] [-groupName <string>] [-httpMethod ( GET | POST )]
Description
Use this command to display the properties of a cached object.
Arguments
url
The URL of the object to be displayed
host
The host of the object to be displayed
port
The host port of the object to be displayed
Default value: 80
groupName
The name of the content group in which the cell is present
httpMethod
The HTTP request method which caused the object to be stored.
Possible values: GET, POST
Default value: GET
Output
url
host
port
cacheResSize
cacheResHdrSize
httpStatus
cacheETag
cacheResLastMod
cacheControl
cacheResDate
contentgroup
destIP
destPort
cacheCellComplex
hitParams
hitValues
cacheCellReqTime
cacheCellResTime
cacheCurAge
cacheCellExpires
cacheCellExpiresMilliSec
prefetch
prefetchPeriod
prefetchPeriodMilliSec
cacheCellCurReaders
cacheCellCurMisses
cacheCellHits
cacheCellMisses
cacheCellGzipCompressed
cacheCellDeflateCompressed
cacheCellHttp11
cacheCellWeakEtag
cacheCellResBadSize
markerReason
cacheCellPollEveryTime
cacheCellEtagInserted
cacheCellReadyWithLastByte
cacheCellDestipVerified
cacheCellFwpxyObj
cacheCellBasefile
cacheCellMinHitFlag
cacheCellMinHit
httpMethod
Related Commands
expire cache object
flush cache object
expire cache object
Synopsis
expire cache object -url <URL> -host <string> [-port <port>] [-groupName <string>] [-httpMethod ( GET | POST )]
Description
Use this command to expire a cached object.
Arguments
url
The URL of the object to be expired
host
The host of the object to be expired
port
The host port of the object to be expired
Default value: 80
groupName
The name of the content group in which the cell is present
httpMethod
The HTTP request method which caused the object to be stored.
Possible values: GET, POST
Default value: GET
Related Commands
show cache object
flush cache object
flush cache object
Synopsis
flush cache object -url <URL> -host <string> [-port <port>] [-groupName <string>] [-httpMethod ( GET | POST )]
Description
Use this command to flush a cached object.
Arguments
url
The URL of the object to be flushed
host
The host of the object to be flushed
port
The host port of the object to be flushed
Default value: 80
groupName
The name of the content group in which the cell is present
httpMethod
The HTTP request method which caused the object to be stored.
Possible values: GET, POST
Default value: GET
Related Commands
show cache object
expire cache object
set cache parameter
Synopsis
set cache parameter [-memLimit <MBytes>] [-via <string>] [-verifyUsing <verifyUsing>] [-maxPostLen <positive_integer>] [-prefetchMaxPending <positive_integer>] [-enableBypass ( YES | NO )]
Description
Use this command to modify the global configuration of Integrated Cache.
Arguments
memLimit
The memory limit for Integrated Cache.
via
The string that has to be inserted in the "Via" header. The Via header is inserted in all responses served from a content group if its insertVia flag is set. The default Via header string is: "NS-CACHE-6.0:<last octet of NetScaler's IP address>".
verifyUsing
The criteria for deciding whether a cached object can be served for an incoming HTTP request.
a. If the value of this attribute is set to HOSTNAME, then the URL, host name and host port values in the incoming HTTP request header must match before a cached object can be served. The IP address and the TCP port of the destination host are not matched. For certain deployments the HOSTNAME setting can be a security risk. A rogue client can access a rogue server via the Integrated Cache using the following HTTP request:
GET / HTTP/1.1
Host: sensitive.foo.com
Integrated Cache will store the rogue page served by the rogue server. Any subsequent client trying to access the root page from sensitive.foo.com will be served the rogue page. The HOSTNAME setting should only be set if it is certain that no rogue client can access a rogue server via the Integrated Cache. The YES setting can lead to more hits if DNS based load balancing is in use and the same content can be served by multiple backend servers.
b. If the attribute is set to HOSTNAME_AND_IP, then the URL, host name and host port in the incoming HTTP request header and the IP address and TCP port of the destination server must match.
c. If the attribute is set to DNS, then the URL, host name and host port in the incoming HTTP request and the TCP port should match. For the destination server's IP address, a DNS lookup is done on the host name and the address is compared with the set of addresses returned by the lookup.
The default value of this attribute is DNS
Possible values: HOSTNAME, HOSTNAME_AND_IP, DNS
maxPostLen
The maximum POST body size that IC should accumulate
prefetchMaxPending
The maximum number of outstanding prefetches in IC
enableBypass
If set to NO then an incoming request will serve a hit if a matching object could be found in the cache storage regardless of the cacheability policy configuration. If set to YES then the bound request cacheability policies are evaluated before any hit selection in the cache storage is attempted. If the request happens to match a policy with NOCACHE action then the request will bypass all cache processing. This flag does not affect the processing of those requests that match any invalidation policy.
Possible values: YES, NO
Related Commands
show cache parameter
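The three verifyUsing modes described above can be compared with a small model that replays the request sequence from the HOSTNAME warning. This is an added example, not NetScaler code: the ModelCache class, the DNS table and the IP addresses are constructed, and the DNS rule is modelled on the assumption that the stored object's destination IP must be among the addresses the host name resolves to.

```python
from dataclasses import dataclass

# Constructed sample data: documentation-range addresses; host name from the text above.
DNS_TABLE = {"sensitive.foo.com": {"192.0.2.10", "192.0.2.11"}}
ORIGIN_PAGES = {
    "192.0.2.10": "genuine page",
    "192.0.2.11": "genuine page",
    "203.0.113.66": "rogue page",   # server controlled by the rogue client
}
MODES = ("HOSTNAME", "HOSTNAME_AND_IP", "DNS")


@dataclass(frozen=True)
class Request:
    url: str
    host: str        # Host header name
    port: int        # Host header port
    dest_ip: str     # IP address the request is being sent to
    dest_port: int   # TCP port the request is being sent to


@dataclass(frozen=True)
class CachedObject:
    request: Request  # the request that caused the object to be stored
    body: str


class ModelCache:
    """Toy cache (hypothetical) that applies one verifyUsing mode to hit selection."""

    def __init__(self, verify_using):
        if verify_using not in MODES:
            raise ValueError(f"unknown verifyUsing value: {verify_using}")
        self.verify_using = verify_using
        self.objects = []

    def _can_serve(self, obj, req):
        stored = obj.request
        # All three modes require URL, host name and host port to match.
        if (stored.url, stored.host, stored.port) != (req.url, req.host, req.port):
            return False
        if self.verify_using == "HOSTNAME":
            return True  # destination IP and TCP port are not matched
        if self.verify_using == "HOSTNAME_AND_IP":
            return (stored.dest_ip, stored.dest_port) == (req.dest_ip, req.dest_port)
        # DNS (modelling assumption): TCP port must match and the stored object's
        # destination IP must be one of the addresses the host name resolves to.
        resolved = DNS_TABLE.get(req.host, set())
        return stored.dest_port == req.dest_port and stored.dest_ip in resolved

    def fetch(self, req):
        for obj in self.objects:
            if self._can_serve(obj, req):
                return ("HIT", obj.body)
        body = ORIGIN_PAGES[req.dest_ip]          # miss: go to the destination server
        self.objects.append(CachedObject(req, body))
        return ("MISS", body)


def run_scenario(verify_using):
    """Replay the request sequence from the text; return (status, body) per request."""
    cache = ModelCache(verify_using)

    def get_root(dest_ip):
        return cache.fetch(Request("/", "sensitive.foo.com", 80, dest_ip, 80))

    return [
        get_root("203.0.113.66"),  # rogue client priming the cache via its own server
        get_root("192.0.2.10"),    # later client going to a genuine server
        get_root("192.0.2.11"),    # client sent to the other genuine server by DNS load balancing
    ]


if __name__ == "__main__":
    for mode in MODES:
        print(mode)
        for status, body in run_scenario(mode):
            print(f"  {status:4} {body}")
```

In this model HOSTNAME serves the rogue page to both later clients, HOSTNAME_AND_IP prevents that at the cost of one miss per backend address, and DNS rejects the rogue object while still sharing the hit across the load-balanced backends.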
show cache parameter
Synopsis
show cache parameter
Description
Use this command to display the global configuration of Integrated Cache.
Output
memLimit
useOnlyHostInReq
via
verifyUsing
maxPostLen
prefetchCur
prefetchMaxPending
enableBypass
Related Commands
set cache parameter
show cache stats
Synopsis
show cache stats - alias for 'stat cache'
Description
show cache stats is an alias for stat cache
Related Commands
stat cache
stat cache
Synopsis
stat cache [-detail] [-fullValues] [-ntimes <positive_integer>] [-logFile <input_filename>]
Description
Use this command to display the Integrated Cache statistics.
Counters
Requests (CacReq)
Total requests. (= Total hits + Total misses)
Hits being served (CacHit)
This number should be close to the number of hits being served currently.
Non-304 hits (Non304Hit)
Total number of full responses served from the cache.
304 hits (304Hit)
Total number of 304 Not Modified responses served from the cache.
Hits (TotHit)
Total number of hits. (= 304 hits + Non-304 hits)
304 hit ratio(%) (Pct304Hit)
Ratio of 304 hits to total hits expressed as percentage
Hit ratio(%) (PctHit)
Cache hit ratio expressed as percentage. (= Hits / Requests)
Recent 304 hit ratio(%) (RPct304Hit)
Recently recorded ratio of 304 hits to all hits expressed as percentage
Recent hit ratio(%) (RPctHit)
Recently recorded cache hit ratio expressed as percentage
Misses being handled (CurMiss)
Number of clients that are being served by the origin via the cache. This number should be close to the number of requests being served at present and that had experienced a store-able miss. It does not include those requests that had experienced a non-store-able miss.
Misses (TotMiss)
Total number of misses to the server
Storable misses (StrMiss)
Total number of misses where the response was considered cacheable.
Non-storable misses (NStrMiss)
Total number of misses where the response was considered non-cacheable.
Revalidations (Reval)
Number of times cache generated a conditional request to the origin
Conversions to conditional req (FuToCon)
Number of times cache converted a full request from the client to a conditional request to the origin
Storable miss ratio(%) (PStrMiss)
Ratio of store-able misses to all misses expressed as percentage
Recent storable miss ratio(%) (RPctStMis)
Recently recorded ratio of store-able misses to all misses expressed as percentage.
Successful reval ratio(%) (PSucRev)
Percentage of times stored content was successfully revalidated by a 304 response rather than by a full response
Recent successful reval ratio(%) (RPSucRev)
Recently recorded percentage of times stored content was successfully revalidated by a 304 response rather than by a full response
Successful revalidations (TSucRev)
Total number of times stored content was successfully revalidated by a 304 Not Modified response from the origin
Byte hit ratio(%) (PByHit)
Cache byte hit ratio expressed as percentage. Here we define byte hit ratio as ((number of bytes served from the cache)/(total number of bytes served to the client)). This is the standard definition of Byte Hit Ratio. If compression is turned ON in NS then this ratio doesn't mean much. This might under or over estimate the origin-to-cache bandwidth saving (depending upon whether bytes served by CMP in NetScaler are more or less than compressed bytes served from the cache). If CMP is turned OFF in NS then this ratio is same as cachePercentOriginBandwidthSaved.
Recent byte hit ratio(%) (RPcByHit)
Recently recorded cache byte hit ratio expressed as percentage. Here we define byte hit ratio as ((number of bytes served from the cache)/(total number of bytes served to the client)). This is the standard definition of Byte Hit Ratio. If compression is turned ON in NS then this ratio doesn't mean much. This might under or over estimate the origin-to-cache bandwidth saving (depending upon whether bytes served by CMP in NetScaler are more or less than compressed bytes served from the cache). If CMP is turned OFF in NS then this ratio is same as cacheRecentPercentOriginBandwidthSaved.
Largest response so far(B) (LarResp)
Size of the largest response received so far
Bytes served by NetScaler (RespBy)
Total number of HTTP response bytes served by NetScaler
Bytes served by cache (BySer)
Total number of bytes served from the cache
Compressed bytes from cache (CmpBySer)
Total number of compressed bytes served from the cache
Parameterized inval requests (PInReq)
Total number of requests which performed parameterized invalidation. Parameterized invalidation happens when the INVAL policy has the invalObjects parameter specified.
Full inval requests (NPInReq)
Total number of requests which performed full invalidation. Full invalidation happens when the INVAL policy has the invalGroups parameter specified.
Inval requests (INStrMis)
Total number of invalidation requests. This happens when an incoming request matches a cache INVAL policy. A request can perform both parameterized and full invalidation.
Origin bandwidth saved(%) (POrBan)
Percentage of bandwidth saved at the origin is given by ((number of extra bytes that would have been served by the origin if the cache were absent)/(extra bytes that would have been served by the origin + number of bytes served by the origin)). With this definition we are able to show benefits of integrated compression. The assumption here is that all the compression has been done in NetScaler, otherwise the b/w saving might get over estimated.
Recent origin bandwidth saved(%) (RPOrBan)
Recently recorded cache byte hit ratio expressed as percentage. Here we define byte hit ratio as ((number of extra bytes that would have been served by the origin)/(total number of bytes served to the client)). With this definition we are able to show benefits of integrated compression. The byte hit ratio can be greater than 1 because of integrated cmp. The assumption here is that all the compression has been done in NetScaler.
Expire at last byte (ExpLa)
Total number of objects that were expired at last byte
Flashcache misses (FlMi)
Total number of FlashCache misses
Flashcache hits (FlHi)
Total number of FlashCache hits
Parameterized non-304 hits (PN304Hit)
Total number of full responses served from cache for parameterized requests
Parameterized requests (PReq)
Total number of parameterized requests
Parameterized 304 hits (P304Hit)
Total number of 304 responses served from cache for parameterized requests
Total parameterized hits (PHit)
Total number of hits for parameterized requests (= Parameterized 304 hits + Parameterized non-304 hits)
Parameterized 304 hit ratio(%) (PP304Hit)
Ratio of parameterized 304 hits to all parameterized hits expressed as a percentage
Recent parameterized 304 hit ratio(%) (RPPHit)
Recently recorded ratio of parameterized 304 hits to all parameterized hits expressed as a percentage
Poll every time requests (PeReq)
Total number of PET requests
Poll every time hits (PeHit)
Total number of PET hits
Poll every time hit ratio(%) (PPeHit)
Ratio of successful PET revalidations expressed as percentage
Maximum memory(KB) (MaxMem)
Maximum size of Cache storage in kilobytes
Utilized memory(KB) (UtiMem)
Current size of Cache storage in kilobytes
Cached objects (NumCac)
Number of objects in the cache. This includes (1) objects fully downloaded (2) objects being downloaded (3) objects expired but not yet removed (4) objects flushed but not yet removed
Memory allocation failures (ErrMem)
Total number of times the cache failed to allocate memory to store transactions
Marker objects (NumMark)
Number of marker objects in cache. A marker object is created in cache on two occasions. (1) When the size of the response exceeds the max and min response sizes specified on its contentgroup. (2) When minHits > 0 on the contentgroup and the object has not yet received minHits (minimum number of configured hits).
Related Commands
CLI Commands
This chapter covers the CLI commands.
help
Synopsis
help [(commandName) | <groupName> | -all]
Description
Use this command to display the help information for a specific CLI command, for a specific group of commands, or for all CLI commands.
Arguments
commandName
The name of a specific command for which you want full usage information.
groupName
The name of a command group for which you want basic usage information.
all
Use this option to request basic usage information for all commands.
Example
1. To view help information on adding a virtual server, enter the following CLI command:
help add vserver
Following information is displayed:
Usage: add vserver <vServerName> <serviceType> [<IPAddress> port>] [-type ( CONTENT | ADDRESS )] [-cacheType <cacheType>] [-backupVServerName <string>] [-redirectURL <URL>] [-cacheable ( ON | OFF )] [-state ( ENABLED | DISABLED )]
where:
serviceType = ( HTTP | FTP | TCP | UDP | SSL | SSL_BRIDGE | SSL_TCP | NNTP| DNS | ANY )
<cacheType> = ( TRANSPARENT | REVERSE | FORWARD )
Done
2. To view help information about all DNS commands, enter the following command:
help dns
Following information is displayed:
add addRec <hostname> <IPAddress> ... [-TTL <secs>] [-private <ip_addr>]
rm addRec <hostname> [<IPAddress> ...]
show addRec [<hostname> | -type <type>]
add cnameRec <aliasName> <canonicalName> [-TTL <secs>]
rm cnameRec <aliasName>
show cnameRec [<aliasName> | -type <type>]
add mxRec <domain> -mx <string> -pref <positive_integer> [-TTL <secs>]
rm mxRec <domain> <mx>
set mxRec <domain> -mx <string> [-pref <positive_integer>] [-TTL <secs>]
show mxRec [<domain> | -type <type>]
add nsRec <domain> [-p <string>] [-s <string>] [-TTL <secs>]
rm nsRec <domain> [-p <string> | -s <string>]
show nsRec [<domain> | -type <type>]
set dns parameter [-timeout <secs>] [-retries <positive_integer>] [-minTTL <secs>] [-maxTTL <secs>] [-TTL ( ENABLED | DISABLED )]
show dns parameter
add soaRec <domain> -contact <string> -serial <positive_integer> -refresh <secs> -retry <secs> -expire <secs> -minimum <secs>-TTL <secs>
rm soaRec <domain>
set soaRec <domain> [-contact <string>] [-serial <positive_integer>][-refresh <secs>] [-retry <secs>] [-expire <secs>] [-minimum <secs>][-TTL <secs>]
show soaRec [<domain> | -type <type>]
Done
Related Commands
man
Synopsis
man [(commandName)]
Description
Use this command to invoke the man page for the specified command. You can either specify the command in full, or partially, if it is uniquely resolvable.
Arguments
commandName
The name of the command.
Example
man add vs
Related Commands
quit
exit
@
alias
builtins
end
history
unalias
while
config
quit
Synopsis
quit
Description
Use this command to terminate the CLI. Note: typing <Ctrl>+<d> will also terminate the CLI.
Related Commands
man
exit
@
alias
builtins
end
history
unalias
while
config
exit
Synopsis
exit
Description
Use this command to back out one level in config mode, or to terminate the CLI when not in config mode.
Related Commands
quit
man
@
alias
builtins
end
history
unalias
while
config
set cli mode
Synopsis
set cli mode [-page ( ON | OFF )] [-total ( ON | OFF )] [-color ( ON | OFF )] [-disabledFeatureAction <disabledFeatureAction>]
Description
Use this command to specify how the CLI displays command output.
Arguments
page
Determines whether output that spans more than one screen is "paged". Specify ON to have the display pause after each screenful of output. The default is OFF. Possible values: ON, OFF
total
Determines whether CLI "show" commands display a total count of objects before displaying the objects themselves. The default is ON. Possible values: ON, OFF
color
Specifies whether coloured output can be shown if the terminal supports it. Possible values: ON, OFF
disabledFeatureAction
Specifies what will happen when a configuration command is issued for a disabled feature, and can take one of the following values:
NONE - the action is allowed and no warning message is issued;
ALLOW - the action is allowed but a warning message is issued;
DENY - the action is not allowed;
HIDE - commands that configure disabled features are hidden, and the CLI behaves as if they did not exist.
Possible values: NONE, ALLOW, DENY, HIDE
Related Commands
show cli mode
show cli mode
Synopsis
show cli mode
Description
Use this command to display the current settings of the parameters that can be set with the 'set cli mode' command.
Related Commands
set cli mode
set cli prompt
Synopsis
set cli prompt <promptString>
Description
Use this command to customize the CLI prompt. To save a prompt so that it will be used by future CLI sessions, use the 'save cli settings' command.
Arguments
promptString
The prompt string. The following special values can be used:
%! - will be replaced by the history event number
%u - will be replaced by the NetScaler user name
%h - will be replaced by the NetScaler hostname
%t - will be replaced by the current time
%T - will be replaced by the current time (24 hr format)
%d - will be replaced by the current date
Example
> set cli prompt "%h %T"
Done
lb-ns1 15:16>
Related Commands
clear cli prompt, show cli prompt
clear cli prompt
Synopsis
clear cli prompt
Description
Use this command to return the CLI prompt to the default, a single '>'.
Related Commands
set cli prompt, show cli prompt
show cli prompt
Synopsis
show cli prompt
Description
Use this command to display the current CLI prompt, with special values like '%h' unexpanded.
Example
10.101.4.22 15:20> sh cli prompt
CLI prompt is set to "%h %T"
Done
Related Commands
set cli prompt, clear cli prompt
@
Synopsis
@
Description
Use this command to assign a value to a variable.
Example
@ n=5
Related Commands
man, quit, exit, alias, builtins, end, history, unalias, while, config
alias
Synopsis
alias <name> <commandName>
Description
Use this command to create a (shorter) alias for a (long) command.
Arguments
name
The name of the alias.
commandName
The name of the command to alias.
Example
alias s show ns info
Related Commands
man, quit, exit, @, builtins, end, history, unalias, while, config
builtins
Synopsis
builtins
Description
Use this command to display the available tcsh builtins.
Related Commands
man, quit, exit, @, alias, end, history, unalias, while, config
end
Synopsis
end
Description
Use this construct to end a tcsh command-loop statement.
Related Commands
man, quit, exit, @, alias, builtins, history, unalias, while, config
history
Synopsis
history
Description
Use this command to display the command history.
Related Commands
man, quit, exit, @, alias, builtins, end, unalias, while, config
unalias
Synopsis
unalias <name>
Description
Use this command to remove an alias set by the 'alias' command.
Arguments
name
The name of the alias to remove.
Example
alias s show ns info ; unalias s
Related Commands
man, quit, exit, @, alias, builtins, end, history, while, config
while
Synopsis
while
Description
Use this construct to begin a tcsh command loop.
Example
@ n=5
while ($n)
show stats
@ n--
end
Related Commands
man, quit, exit, @, alias, builtins, end, history, unalias, config
config
Synopsis
config
Description
Related Commands
man, quit, exit, @, alias, builtins, end, history, unalias, while
Compression Commands
This chapter covers the compression commands.
stat cmp
Synopsis
stat cmp [-detail] [-fullValues] [-ntimes <positive_integer>] [-logFile <input_filename>]
Description
This command displays compression statistics.
Counters
HTTP compression requests
Number of compression requests done
Compressed bytes transmitted
Number of compressed bytes transmitted
Compressible bytes received
Number of compressible bytes received
Compressed packets transmitted
Number of compressed packets transmitted
Compressible packets received
Number of compressible packets received
HTTP compression success ratio
Ratio of compressible data received to compressed data transmitted, expressed as a percentage.
HTTP compression ratio
Ratio of total data received to total data transmitted, expressed as a percentage.
Compressed bytes transmitted (TCmpTxB)
Number of compressed bytes transmitted
Compressible bytes recieved (TCmpRxB)
Number of compressible bytes received
Compressed packets transmitted (TCmpTxP)
Number of compressed packets transmitted
Compressible packets recieved (TCmpRxP)
Number of compressible packets received
Compression ratio (Uncmp:1) (TCmpRt)
Compression ratio: transmitted data as a fraction of received data.
Bandwidth saving (%) (BndSav)
Bandwidth saving expressed as a percentage.
Quantum compression (TCmpQuan)
Number of times compression is done on receiving a quantum's worth of data
Push flag compression (TCmpPush)
Number of times compression is done on receiving the TCP PSH flag
End Of Input compression (TCmpEoi)
Number of times compression is done on receiving End Of Input (FIN packet)
Timer compression (TCmpTmr)
Number of times compression is done on expiration of the data accumulation timer
Decompressed bytes transmitted (DCmpTTxB)
Number of decompressed bytes transmitted
Compressed bytes received (DCmpTRxB)
Number of compressed bytes received
Decompressed packets transmitted (DCmpTTxP)
Number of decompressed packets transmitted
Compressed packets received (DCmpTRxP)
Total number of compressed packets received
Decompression ratio (Uncmp:1) (DTCmpRt)
Compression ratio: received data as a fraction of transmitted data.
Bandwidth saving (%) (DBndSav)
Bandwidth saving expressed as a percentage.
Wrong data (DCmpErrD)
Number of data errors encountered while decompressing
Less Data (DCmpErrL)
Received less data than declared by protocol
More Data (DCmpErrM)
Received more data than declared by protocol
Memory failures (DCmpMem)
Number of memory failures
Unknown (DCmpErrU)
Unknown errors encountered
Related Commands
show cmp stats
Synopsis
show cmp stats - alias for 'stat cmp'
Description
show cmp stats is an alias for stat cmp
Related Commands
stat cmp
add cmp action
Synopsis
add cmp action <name> <cmptype> [-deltatype ( PERURL | PERPOLICY )]
Description
Use this command to create a compression action. The action thus created can be associated with a compression policy by using the "add cmp policy" command. The built-in compression actions NOCOMPRESS/COMPRESS/GZIP/DEFLATE/RESET are always present on the NetScaler system.
The NOCOMPRESS action can be used to define a policy that disables compression for the matching policy.
The COMPRESS action can be used to enable compression for a specific policy. This action will do either GZIP or DEFLATE, based on the browser.
The GZIP action can be used to enable GZIP compression for a specific policy. With this action, GZIP compression will be performed if the browser supports GZIP; otherwise compression is disabled.
The DEFLATE action can be used to enable DEFLATE compression for a specific policy. With this action, DEFLATE compression will be performed if the browser supports DEFLATE; otherwise compression is disabled.
The DELTA action can be used to enable DELTA compression for a specific policy. With this action, DELTA compression will be performed if the browser supports javascript; otherwise compression is disabled.
Arguments
name
The name of the compression action being added. This name must not exceed 31 characters.
cmptype
The compression action to be performed. The valid values are NOCOMPRESS/COMPRESS/GZIP/DEFLATE/DELTA. Possible values: compress, gzip, deflate, delta, nocompress
deltatype
The delta type may be required if a delta compression action is defined. Possible values: PERURL, PERPOLICY Default value: PERURL
Example
add cmp action nocmp NOCOMPRESS
Related Commands
rm cmp action, show cmp action
rm cmp action
Synopsis
rm cmp action <name>
Description
Use this command to remove a compression action that was created using the "add cmp action" command.
Arguments
name
The name of the compression action being removed.
Example
rm cmp action cmp_action_name
Related Commands
add cmp action, show cmp action
show cmp action
Synopsis
show cmp action
Description
Use this command to display the compression actions defined, including the built-in actions. The information displayed includes the action name and action type.
Arguments
Output
name
cmptype
deltatype
Example
Example 1
The following shows an example of the output of the show cmp action command when no custom cmp actions have been defined:
> show cmp action
4 Compression actions:
1) Name: GZIP Compression Type: gzip
2) Name: NOCOMPRESS Compression Type: nocompress
3) Name: DEFLATE Compression Type: deflate
4) Name: DELTA Compression Type: delta
5) Name: COMPRESS Compression Type: compress
Done
Done
Example 2
The following command creates a compression action:
add cmp action nocmp NOCOMPRESS
The following shows an example of the output of the show cmp action command after the previous command has been issued:
> show cmp action
4 Compression actions:
1) Name: GZIP Compression Type: gzip
2) Name: NOCOMPRESS Compression Type: nocompress
3) Name: DEFLATE Compression Type: deflate
4) Name: DELTA Compression Type: delta
5) Name: COMPRESS Compression Type: compress
1 Compression action:
1) Name: nocmp Compression Type: nocompress
Done
Related Commands
add cmp action, rm cmp action
add cmp policy
Synopsis
add cmp policy <name> -rule <expression> -resAction <string>
Description
Use this command to create a compression policy.
Arguments
name
The name of the new compression policy.
rule
The expression specifying the condition.
resAction
The name of the action to be performed. The string value can be a compression action created using the "add cmp action" command, or one of the following built-in actions:
The NOCOMPRESS action can be used to define a policy that disables compression for the matching policy.
The COMPRESS action can be used to enable compression for a specific policy. This action will do either GZIP or DEFLATE, based on the browser.
The GZIP action can be used to enable GZIP compression for a specific policy. With this action, GZIP compression will be performed if the browser supports GZIP; otherwise compression is disabled.
The DEFLATE action can be used to enable DEFLATE compression for a specific policy. With this action, DEFLATE compression will be performed if the browser supports DEFLATE; otherwise compression is disabled.
Example
Example 1:
add cmp policy pdf_cmp -rule "RES.HTTP.HEADER Content-Type CONTAINS application/pdf" -resAction COMPRESS
After creating the above compression policy, it can be activated by binding it globally:
bind cmp global pdf_cmp
With the configured pdf_cmp (name of the compression policy), the NetScaler system will perform compression for the pdf files.
Example 2:
The following compression policy disables compression for all access from the specific subnet.
add cmp policy local_sub_nocmp -rule "SOURCEIP == 10.1.1.0 -netmask 255.255.255.0" -resAction NOCOMPRESS
bind cmp global local_sub_nocmp
Related Commands
rm cmp policy, show cmp policy, set cmp policy
rm cmp policy
Synopsis
rm cmp policy <name>
Description
Use this command to remove a compression policy.
Arguments
name
The name of the compression policy.
Example
rm cmp policy cmp_policy_name
The "show cmp policy" command shows all cmp policies that are currently defined.
Related Commands
add cmp policy, show cmp policy, set cmp policy
show cmp policy
Synopsis
show cmp policy [<name>]
Description
Use this command to display the compression policies created using the "add cmp policy" command. For each cmp policy, the command output shows the cmp policy name, associated rule, action and statistics.
Arguments
name
The name of the cmp policy.
Output
name
rule
reqAction
resAction
hits
txbytes
rxbytes
Example
> show cmp policy
4 Compression policies:
1) Name: ns_cmp_content_type Rule: ns_content_type Response action: COMPRESS Hits: 1 Bytes In:...4325 Bytes Out:... 1530 Bandwidth saving...64.62% Ratio 2.83:1
2) Name: ns_cmp_msapp Rule: (ns_msie && ns_msword || (ns_msexcel || ns_msppt)) Response action: COMPRESS Hits: 7 Bytes In:...796160 Bytes Out:... 197730 Bandwidth saving...75.16% Ratio 4.03:1
3) Name: ns_cmp_mscss Rule: (ns_msie && ns_css) Response action: COMPRESS Hits: 0
4) Name: ns_nocmp_mozilla_47 Rule: (ns_mozilla_47 && ns_css) Response action: NOCOMPRESS Hits: 0
Done
An individual cmp policy can also be viewed by giving the cmp policy name as an argument:
> show cmp policy ns_cmp_msapp
Name: ns_cmp_msapp Rule: (ns_msie && ns_msword || (ns_msexcel || ns_msppt)) Response action: COMPRESS Hits: 7 Bytes In:...796160 Bytes Out:... 197730 Bandwidth saving...75.16% Ratio 4.03:1
Done
Related Commands
add cmp policy, rm cmp policy, set cmp policy
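The following Python script is an added example, not part of the original guide. It parses the "show cmp policy" output shown above, recomputes the bandwidth saving and ratio from the Bytes In and Bytes Out counters, and lists policies that have never been hit. The formulas (saving = 1 - out/in, ratio = in/out) are an assumption inferred from the sample figures, and the function names are hypothetical.

```python
import re

# Output of "show cmp policy" as printed in this guide. The line breaks are
# restored here for readability; the parser does not depend on them.
SAMPLE_OUTPUT = """\
> show cmp policy
4 Compression policies:
1) Name: ns_cmp_content_type Rule: ns_content_type
   Response action: COMPRESS Hits: 1
   Bytes In:...4325 Bytes Out:... 1530 Bandwidth saving...64.62% Ratio 2.83:1
2) Name: ns_cmp_msapp Rule: (ns_msie && ns_msword || (ns_msexcel || ns_msppt))
   Response action: COMPRESS Hits: 7
   Bytes In:...796160 Bytes Out:... 197730 Bandwidth saving...75.16% Ratio 4.03:1
3) Name: ns_cmp_mscss Rule: (ns_msie && ns_css)
   Response action: COMPRESS Hits: 0
4) Name: ns_nocmp_mozilla_47 Rule: (ns_mozilla_47 && ns_css)
   Response action: NOCOMPRESS Hits: 0
Done
"""

# One policy entry. The byte counters and ratios are optional because the
# sample output omits them for policies with zero hits.
ENTRY_RE = re.compile(
    r"Name:\s*(?P<name>\S+)\s+Rule:\s*(?P<rule>.*?)\s+"
    r"Response action:\s*(?P<action>\S+)\s+Hits:\s*(?P<hits>\d+)"
    r"(?:\s+Bytes In:\.*\s*(?P<bytes_in>\d+)"
    r"\s+Bytes Out:\.*\s*(?P<bytes_out>\d+)"
    r"\s+Bandwidth saving\.*\s*(?P<saving>[\d.]+)%"
    r"\s+Ratio\s+(?P<ratio>[\d.]+):1)?",
    re.S,
)


def parse_cmp_policies(text):
    """Return one dict per policy found in 'show cmp policy' output."""
    policies = []
    for m in ENTRY_RE.finditer(text):
        has_stats = m["bytes_in"] is not None
        policies.append({
            "name": m["name"],
            "rule": m["rule"],
            "action": m["action"],
            "hits": int(m["hits"]),
            "bytes_in": int(m["bytes_in"]) if has_stats else None,
            "bytes_out": int(m["bytes_out"]) if has_stats else None,
            "saving": float(m["saving"]) if has_stats else None,
            "ratio": float(m["ratio"]) if has_stats else None,
        })
    return policies


def audit(policy, tolerance=0.01):
    """Recompute saving (%) and ratio from the byte counters.

    Returns None when the policy has no usable counters, otherwise the
    recomputed values and whether they agree with the printed ones.
    """
    if not policy["bytes_in"] or not policy["bytes_out"]:
        return None
    saving = (1 - policy["bytes_out"] / policy["bytes_in"]) * 100
    ratio = policy["bytes_in"] / policy["bytes_out"]
    return {
        "saving": round(saving, 2),
        "ratio": round(ratio, 2),
        "consistent": abs(saving - policy["saving"]) <= tolerance
        and abs(ratio - policy["ratio"]) <= tolerance,
    }


def idle_policies(policies):
    """Names of policies that have never matched a response (Hits: 0)."""
    return [p["name"] for p in policies if p["hits"] == 0]


if __name__ == "__main__":
    parsed = parse_cmp_policies(SAMPLE_OUTPUT)
    for p in parsed:
        print(p["name"], p["action"], p["hits"], audit(p))
    print("never hit:", idle_policies(parsed))
```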
set cmp policy
Synopsis
set cmp policy <name> [-rule <expression>] [-resAction <string>]
Description
Use this command to modify the rule and/or action of an existing cmp policy, created using the "add cmp policy" command. Use the "show cmp policy" command to view all the configured cmp policies.
Arguments
name
The name of the cmp policy.
rule
The expression specifying the condition.
resAction
The response action.
Example
Example 1:
add cmp policy pdf_cmp -rule "RES.HTTP.HEADER Content-Type CONTAINS application/pdf" -resAction COMPRESS
After creating the above compression policy, it can be activated by binding it globally:
bind cmp global pdf_cmp
With the configured pdf_cmp compression policy, the NetScaler system will perform compression for the pdf files.
Later, to disable the pdf compression for Internet Explorer, the above compression policy can be changed by issuing the command below, to exclude msie:
set cmp policy pdf_cmp -rule "RES.HTTP.HEADER Content-Type CONTAINS application/pdf && REQ.HTTP.HEADER User-Agent NOTCONTAINS MSIE"
The changed cmp policy can be viewed by using the following command:
>show cmp policy pdf_cmp
Name: pdf_cmp Rule: (RES.HTTP.HEADER Content-Type CONTAINS application/pdf && REQ.HTTP.HEADER User-Agent NOTCONTAINS MSIE) Response action: COMPRESS Hits: 2 Bytes In:...609284 Bytes Out:... 443998 Bandwidth saving...27.13% Ratio 1.37:1
Done
Related Commands
add cmp policy, rm cmp policy, show cmp policy
bind cmp global
Synopsis
bind cmp global (<policyName> [-priority <positive_integer>]) [-state ( ENABLED | DISABLED )]
Description
Use this command to activate the compression policy globally. The compression policies are created using the "add cmp policy" command. The command "show cmp policy" shows all the existing compression policies and the command "show cmp global" shows all the globally active compression policies. Note that the compression license is required for the compression feature to work. Use the "enable ns feature cmp" command to activate the feature. All the built-in compression policies are bound globally on enabling the compression feature.
Arguments
policyName
The name of the compression policy.
state
The current state of the binding. Possible values: ENABLED, DISABLED Default value: ENABLED
Example
add cmp policy pdf_cmp -rule "RES.HTTP.HEADER Content-Type CONTAINS application/pdf" -resAction COMPRESS
After creating the above compression policy, it can be activated by binding it globally:
bind cmp global pdf_cmp
After binding the pdf_cmp compression policy globally, the policy gets activated and the NetScaler system will perform compression for the pdf files. Globally active compression policies can be seen using the command:
> show cmp global
5 Globally Active Compression Policies:
1) Policy Name: ns_cmp_content_type Priority: 0
2) Policy Name: ns_nocmp_mozilla_47 Priority: 0
3) Policy Name: ns_cmp_mscss Priority: 0
4) Policy Name: ns_cmp_msapp Priority: 0
5) Policy Name: pdf_cmp Priority: 0
Done
Related Commands
unbind cmp global, show cmp global
unbind cmp global
Synopsis
unbind cmp global <policyName>
Description
Use this command to deactivate an active compression policy. Use the command "show cmp global" to see all the globally active compression policies.
Arguments
policyName
The name of the compression policy.
Example
Globally active compression policies can be seen using the command:
> show cmp global
5 Globally Active Compression Policies:
1) Policy Name: ns_cmp_content_type Priority: 0
2) Policy Name: ns_nocmp_mozilla_47 Priority: 0
3) Policy Name: ns_cmp_mscss Priority: 0
4) Policy Name: ns_cmp_msapp Priority: 0
5) Policy Name: pdf_cmp Priority: 0
Done
This globally active compression policy can be deactivated on the NetScaler system by giving the command:
unbind cmp global pdf_cmp
Related Commands
bind cmp global, show cmp global
show cmp global
Synopsis
show cmp global
Description
Use this command to display the globally active compression policies that have been activated.
Arguments
Output
policyName
priority
state
The current state of the binding.
Example
> show cmp global
4 Globally Active Compression Policies:
1) Policy Name: ns_cmp_content_type Priority: 0
2) Policy Name: ns_nocmp_mozilla_47 Priority: 0
3) Policy Name: ns_cmp_mscss Priority: 0
4) Policy Name: ns_cmp_msapp Priority: 0
Done
Related Commands
bind cmp global, unbind cmp global
Cache Redirection Commands
This chapter covers the cache redirection commands.
add cr policy
Synopsis
add cr policy <policyName> -rule <expression>
Description
This command adds a cache redirection policy. The policy created can be associated with a cache redirection virtual server using the bind cr vserver CLI command.
Arguments
policyName
Specifies the name of the new cache redirection policy.
rule
Specifies a condition defined by an expression. When the condition is valid, the request is directed to the origin server. Expression logic is expression names, separated by the logical operators || and &&, and possibly grouped using parentheses. Note: If the expression contains blanks (for example, between an expression name and a logical operator), then the entire argument must be enclosed in double quotes. The following are valid expressions:
1. ns_ext_cgi||ns_ext_asp
2. ns_non_get && (ns_header_cookie||ns_header_pragma)
Related Commands
add policy map, rm policy map, show policy map, add policy expression, rm policy expression, show policy expression, add cr vserver, bind cr vserver, set cr vserver, show cr vserver, unbind cr vserver, unset cr vserver, rm cr policy, show cr policy
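The following Python script is an added example, not part of the original guide. It checks the text typed after -rule against the grammar described for add cr policy (expression names joined by || and &&, optionally grouped in parentheses) and against the quoting note. The identifier pattern for expression names and all function names are assumptions; the script only validates syntax and does not model how the system evaluates the operators.

```python
import re

# Assumption: expression names are identifiers such as ns_ext_cgi; the guide
# does not spell out the allowed characters.
TOKEN_RE = re.compile(r"\s*(\|\||&&|\(|\)|[A-Za-z_][A-Za-z0-9_]*)")
OPERATORS = ("||", "&&")


class RuleError(ValueError):
    """Raised when a rule does not follow the grammar described above."""


def tokenize(rule):
    """Split a rule into names, operators and parentheses."""
    rule = rule.rstrip()
    tokens, pos = [], 0
    while pos < len(rule):
        match = TOKEN_RE.match(rule, pos)
        if not match:
            raise RuleError(f"unexpected text at offset {pos}: {rule[pos:pos + 12]!r}")
        tokens.append(match.group(1))
        pos = match.end()
    return tokens


def parse(tokens):
    """Recursive-descent parse: expr := operand (op operand)*,
    operand := NAME | '(' expr ')'. Returns a nested list."""
    pos = 0

    def operand():
        nonlocal pos
        if pos >= len(tokens):
            raise RuleError("rule ends where a name or '(' is expected")
        tok = tokens[pos]
        if tok == "(":
            pos += 1
            node = expr()
            if pos >= len(tokens) or tokens[pos] != ")":
                raise RuleError("missing ')'")
            pos += 1
            return node
        if tok in OPERATORS or tok == ")":
            raise RuleError(f"unexpected {tok!r} where a name or '(' is expected")
        pos += 1
        return tok

    def expr():
        nonlocal pos
        items = [operand()]
        while pos < len(tokens) and tokens[pos] in OPERATORS:
            items.append(tokens[pos])
            pos += 1
            items.append(operand())
        return items if len(items) > 1 else items[0]

    tree = expr()
    if pos != len(tokens):
        raise RuleError(f"unexpected {tokens[pos]!r} after a complete expression")
    return tree


def names(tree):
    """Collect the expression names referenced by a parsed rule."""
    if isinstance(tree, str):
        return [] if tree in OPERATORS else [tree]
    found = []
    for item in tree:
        found.extend(names(item))
    return found


def lint_rule_argument(arg):
    """arg is the text typed after -rule, double quotes included if present.
    Returns (sorted expression names, list of problems)."""
    problems = []
    quoted = len(arg) >= 2 and arg[0] == '"' and arg[-1] == '"'
    rule = arg[1:-1] if quoted else arg
    if not quoted and re.search(r"\s", rule.strip()):
        problems.append("rule contains blanks and must be enclosed in double quotes")
    try:
        tree = parse(tokenize(rule))
    except RuleError as err:
        problems.append(str(err))
        return [], problems
    return sorted(set(names(tree))), problems


if __name__ == "__main__":
    for candidate in (
        'ns_ext_cgi||ns_ext_asp',
        '"ns_non_get && (ns_header_cookie||ns_header_pragma)"',
        'ns_non_get && (ns_header_cookie||ns_header_pragma)',
    ):
        print(candidate, "->", lint_rule_argument(candidate))
```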
rm cr policy
Synopsis
rm cr policy <policyName>
Description
This command removes the specified Integrated Cache policy. Removing a positive cachability policy is also equivalent to removing the associated Content Group. Removing a Content Group will also flush all objects of that group in the Integrated Cache. Adding back the policy immediately after removing it might not take the system back to the original state. This is because the order of policy configuration is significant.
Arguments
policyName
Specifies the name of the cache policy that needs to be removed. A positive cacheability policy/content group cannot be removed if it has been configured as the target of a dynamic invalidation policy. To remove the policy, you have to remove the dynamic invalidation policy and the action associated with the dynamic invalidation policy. The procedure is as follows:
a. Enter the show cache action CLI command at the NetScaler prompt. This will display all cache actions.
b. Identify the action in which the contentGroupPolicy attribute matches the policy you want to remove. Enter the show cache policy CLI command at the NetScaler prompt.
c. Identify the policies with which the action chosen in step (b) is associated.
d. Remove the policies identified in step (d) using the rm cache policy CLI command.
e. Remove the action identified in step (b) using the rm cache action CLI command.
Related Commands
add policy map, rm policy map, show policy map, add policy expression, rm policy expression, show policy expression, add cr vserver, bind cr vserver, set cr vserver, show cr vserver, unbind cr vserver, unset cr vserver, add cr policy, show cr policy
show cr policy
Synopsis
show cr policy
Description
This command displays all existing cache redirection policies.
Arguments
Output
policyName
rule
domain
vstype
Related Commands
add policy map, rm policy map, show policy map, add policy expression, rm policy expression, show policy expression, add cr vserver, bind cr vserver, set cr vserver, show cr vserver, unbind cr vserver, unset cr vserver, add cr policy, rm cr policy
add cr vserver
Synopsis
add cr vserver <vServerName> <serviceType> [<IPAddress> <port> [-range <positive_integer>]] [-cacheType <cacheType>] [-state ( ENABLED | DISABLED )]
Description
This command adds a cache redirection virtual server.
Arguments
vServerName
Specifies the name of the cache redirection virtual server being added.
serviceType
Specifies the type of service handled by the virtual server. The valid service types are: HTTP, SSL, NNTP and SSL_TCP. Note: Use service type HTTP to configure content switching on this virtual server. Possible values: HTTP, SSL, NNTP
IPAddress
Specifies the IP address of the cache redirection virtual server.
1. To specify a specific virtual server address, type its numeric value.
2. To specify a wildcard virtual server address, type an asterisk (*).
Default value: *
cacheType
Specifies the supported cache server type. Valid cache server types are: TRANSPARENT, REVERSE, FORWARD. Note: For this command to work you must select one of the cache types. Possible values: TRANSPARENT, REVERSE, FORWARD Default value: TRANSPARENT
redirect
Specifies the redirect policies. The valid redirect policies are:
1. CACHE - Directs all requests to the cache.
2. POLICY - Applies cache redirection policy to determine whether the request should be directed to the cache or origin. This is the default setting.
3. ORIGIN - Directs all requests to the origin server.
Possible values: CACHE, POLICY, ORIGIN Default value: POLICY
precedence
This argument is used only when configuring content switching on the specified virtual server. This is applicable only if both the URL and RULE-based policies have been configured on the same virtual server. It specifies the type of policy (URL or RULE) that takes precedence on the content switching virtual server. The default setting is RULE.
- URL - In this case, the incoming request is matched against the URL-based policies before the rule-based policies.
- RULE - In this case, the incoming request is matched against the rule-based policies before the URL-based policies.
For all URL-based policies, the precedence hierarchy is:
1. Domain and exact URL
2. Domain, prefix and suffix
3. Domain and suffix
4. Domain and prefix
5. Domain only
6. Exact URL
7. Prefix and suffix
8. Suffix only
9. Prefix only
10. Default
Possible values: RULE, URL Default value: RULE
arp
ghost
map
format
via
Determines whether the NetScaler 9000 system inserts a Via: header in the HTTP requests. The default setting is ON. Possible values: ON, OFF Default value: ON
cacheVserver
Specifies the name of the default target cache virtual server to which requests are redirected.
dnsVserverName
Specifies the name of the DNS virtual server used for resolving domain names coming to the forward proxy virtual server. Note: This parameter is applicable only to forward proxy virtual servers, not reverse and transparent.
destinationVServer
Specifies the destination virtual server for transparent or forward proxy cache redirection virtual server. All requests to the transparent or forward proxy cache redirection virtual server are directed to this destination virtual server.
domain
Specifies the default domain for reverse proxies. Domains are configured in the NetScaler 9000 system to direct the incoming request from a particular configured source domain to a particular configured target domain. There may be several configured pairs of source and target domains. You can select one of these pairs to be the default. This way, for an incoming request, if a source domain is not present in the host header or URL, the request is sent to the target domain of the selected default pair.
soPersistenceTimeOut
soThreshold
reuse
Specifies whether TCP connections to cache or origin servers are reused across client connections. Note: Specify this argument only if the service type argument is set to HTTP. The default setting is ON. If this argument is set to OFF and:
-redirect is set to CACHE, TCP connections to the cache servers are not reused.
-redirect is set to ORIGIN, TCP connections to the origin servers are not reused.
-redirect is set to POLICY, TCP connections to the origin servers are not reused.
If this argument is set to ON, connections are reused to both origin and cache servers. Possible values: ON, OFF Default value: ON
state
Whether the cache redirection virtual server is enabled or disabled. Possible values: ENABLED, DISABLED Default value: ENABLED
Related Commands
add policy map, rm policy map, show policy map, add policy expression, rm policy expression, show policy expression, set cr vserver, show cr vserver, unset cr vserver
bind cr vserver
Synopsis
bind cr vserver <vServerName> -policyName <string> [<targetVserver>]
Description
For the NetScaler 9000 system's cache redirection feature, this command binds the cache redirection policy to the cache redirection virtual server.
Arguments
vServerName
Specifies the name of the cache redirection virtual server to which the cache redirection policy will be bound.
policyName
Specifies the name of the cache redirection policy. This policy needs to be of the type map or cache redirection policy (created using the add policy map or add cr policy CLI commands).
targetVserver
Specifies an address-based virtual server that can only be specified for a map policy created using the add policy map command when the cache redirection virtual server is of the type REVERSE.
Related Commands
unbind cr vserver
set cr vserver
Synopsis
set cr vserver <vServerName> [-redirect <redirect>] [-precedence ( RULE | URL )] [-via ( ON | OFF )] [-cacheVserver <string>] [-dnsVserverName <string>] [-destinationVServer <string>] [-domain <string>] [-reuse ( ON | OFF )] [-backupVServerName <string>] [-redirectURL <URL>] [-cltTimeout <secs>]
Description
This command changes the attributes of a configured cache redirection vserver.
Arguments
vServerName
Specifies the name of the cache redirection virtual server being added.
redirect
Specifies the redirect policies. The valid redirect policies are:
1. CACHE - Directs all requests to the cache.
2. POLICY - Applies cache redirection policy to determine whether the request should be directed to the cache or origin. This is the default setting.
3. ORIGIN - Directs all requests to the origin server.
Possible values: CACHE, POLICY, ORIGIN Default value: POLICY
precedence
This argument is used only when configuring content switching on the specified virtual server. This is applicable only if both the URL and RULE-based policies have been configured on the same virtual server. It specifies the type of policy (URL or RULE) that takes precedence on the content switching virtual server. The default setting is RULE.
- URL - In this case, the incoming request is matched against the URL-based policies before the rule-based policies.
- RULE - In this case, the incoming request is matched against the rule-based policies before the URL-based policies.
For all URL-based policies, the precedence hierarchy is:
1. Domain and exact URL
2. Domain, prefix and suffix
3. Domain and suffix
4. Domain and prefix
5. Domain only
6. Exact URL
7. Prefix and suffix
8. Suffix only
9. Prefix only
10. Default
Possible values: RULE, URL Default value: RULE
via
Determines whether the NetScaler 9000 system inserts a Via: header in the HTTP requests. The default setting is ON. Possible values: ON, OFF Default value: ON
cacheVserver
Specifies the name of the default target cache virtual server to which requests are redirected.
dnsVserverName
Specifies the name of the DNS virtual server used for resolving domain names coming to the forward proxy virtual server. Note: This parameter is applicable only to forward proxy virtual servers, not reverse and transparent.
destinationVServer
Specifies the destination virtual server for transparent or forward proxy cache redirection virtual server. All requests to the transparent or forward proxy cache redirection virtual server are directed to this destination virtual server.
domain
Specifies the default domain for reverse proxies. Domains are configured in the NetScaler 9000 system to direct the incoming request from a particular configured source domain to a particular configured target domain. There may be several configured pairs of source and target domains. You can select one of these pairs to be the default. This way, for an incoming request, if a source domain is not present in the host header or URL, the request is sent to the target domain of the selected default pair.
reuse
Specifies whether TCP connections to cache or origin servers are reused across client connections. Note: Specify this argument only if the service type argument is set to HTTP. The default setting is ON. If this argument is set to OFF and:
-redirect is set to CACHE, TCP connections to the cache servers are not reused.
-redirect is set to ORIGIN, TCP connections to the origin servers are not reused.
-redirect is set to POLICY, TCP connections to the origin servers are not reused.
If this argument is set to ON, connections are reused to both origin and cache servers. Possible values: ON, OFF Default value: ON
backupVServerName
redirectURL
cltTimeout
Related Commands
add cr vserver, show cr vserver, unset cr vserver
rm cr vserver
Synopsis
rm cr vserver <name>@ ...
Description
Use this command to remove a virtual server.
Arguments
name
The name of the virtual server to be removed.
Example
rm vserver lb_vip
Related Commands
enable cr vserver, disable cr vserver
Command Reference Guide 10-15
enable cr vserver
enable cr vserver
Synopsis
enable cr vserver <name>@
Description
Use this command to enable a virtual server.
Note: Virtual servers, when added, are enabled by default.
Arguments
name
The name of the virtual server to be enabled.
Example
enable vserver lb_vip
Related Commands
rm cr vserver
disable cr vserver
disable cr vserver
Synopsis
disable cr vserver <name>@
Description
Use this command to disable a virtual server (take it out of service).
Arguments
name
The name of the virtual server to be disabled.
Notes:
1. The NetScaler 9000 system still responds to ARP and/or ping requests for the IP address of this virtual server.
2. As the virtual server is still configured in the NetScaler 9000 system, you can enable the virtual server using the enable vserver CLI command.
Example
disable vserver lb_vip
Related Commands
rm cr vserver
enable cr vserver
show cr vserver
Synopsis
show cr vserver [<name>]
Description
This command displays the specified cache redirection virtual server or all the configured cache redirection virtual servers.
Arguments
name
The name of the cache redirection virtual server to be shown.
Output
IPAddress
value
port
range
serviceType
type
state
status
cacheType
redirect
precedence
redirectURL
authentication
homePage
dnsVserverName
domain
rule
policyName
serviceName
weight
cacheVserver
backupVServerName
priority
cltTimeout
soMethod
soPersistence
soPersistenceTimeOut
soThreshold
reuse
destinationVServer
via
Related Commands
add policy map
rm policy map
show policy map
add policy expression
rm policy expression
show policy expression
show cs policy
add cr vserver
set cr vserver
unset cr vserver
unbind cr vserver
Synopsis
unbind cr vserver <vServerName> -policyName <string>
Description
This command unbinds the specified cache redirection policy from the specified cache redirection virtual server.
Arguments
vServerName
Specifies the name of the cache redirection virtual server from which you want the policy unbound.
policyName
Specifies the name of the policy (that was previously created using the add cr policy or add policy map command).
Related Commands
rm policy map
show policy map
rm policy expression
show policy expression
rm cr policy
show cr policy
bind cr vserver
unset cr vserver
Synopsis
unset cr vserver <vServerName> [-cacheVserver] [-dnsVserver] [-destinationVServer] [-domainName]
Description
This command unsets the attributes of the configured Cache Redirection virtual server. The Cache Redirection virtual server attributes can be set using either the add cr vserver or the set cr vserver command.
Arguments
vServerName
Specifies the name of the Cache Redirection virtual server whose attributes need to be unset.
cacheVserver
Specifies that the configured load balancing cache virtual server needs to be unset.
dnsVserver
Specifies that the configured DNS virtual server needs to be unset.
Note: This option is used only for Forward Proxy and hence is not supported, as the 4.0.2 release does not support Forward Proxy.
destinationVServer
Specifies that the configured destination virtual server needs to be unset.
domainName
Specifies that the configured default domain name for the Cache Redirection virtual server needs to be unset.
Related Commands
rm policy map
show policy map
rm policy expression
show policy expression
rm cr policy
show cr policy
add cr vserver
set cr vserver
show cr vserver
Content Switching Commands
This chapter covers the content switching commands.
add cs policy
Synopsis
add cs policy <policyName> [-url <string> | -rule <expression>] [-domain <string>]
Description
This command creates a content switching policy. The policy created can be associated with a content switching virtual server using the bind cs vserver CLI command.
Arguments
policyName
Specifies the name of the new content switching policy.
url
Specifies the URL with wildcards. Specify the string value in this format: // [[prefix ] [*]] [.suffix]
rule
Specifies the condition for applying this policy. Expression logic consists of expression names, separated by the logical operators || and &&, and possibly grouped using parentheses. If the expression contains blanks (for example, between an expression name and a logical operator), then the entire argument must be enclosed in double quotes. The following shows valid expression logic:
ns_ext_cgi||ns_ext_asp
"ns_non_get && (ns_header_cookie||ns_header_pragma)"
domain
Specifies the domain name. The string value can be up to 63 characters long.
Example
To match the requests that have URL "/", you would enter the following command:
add cs policy <policyName> -url /
To match with all URLs starting with "/sports/", you would enter the following command:
add cs policy <policyName> -url /sports/*
To match the requests that have URLs starting with "/sports", you would enter the following command:
add cs policy <policyName> -url /sports*
To match the requests that have the URL "/sports/tennis/index.html", you would enter the following command:
add cs policy <policyName> -url /sports/tennis/index.html
To match the requests that have the URLs with the extension "jsp", you would enter the following command:
add cs policy <policyName> -url /*.jsp
To match the requests that have URLs starting with "/sports/" and the file extension "jsp", you would enter the following command:
add cs policy <policyName> -url /sports/*.jsp
To match the requests that have URLs containing "sports", you would enter the following commands:
add pol expression sports_url "URL contains sports"
add cs policy <policyName> -rule sports_url
To match the requests with the URL queries containing "gold" or Cookie Header containing "gold", you would enter the following commands:
add pol expression gold_query "URLQUERY contains gold"
add pol expression gold_cookie "Header COOKIE contains gold"
add cs policy <policyName> -rule "(gold_query ||gold_cookie)"
To match the requests that have the domain name of www.domainxyz.com, you would enter the following command:
add cs policy <policyName> -domain "www.domainxyz.com"
To match the requests that have the domain name of www.domainxyz.com and URLs containing the extension "jsp", you would enter the following command:
add cs policy <policyName> -url /*.jsp -domain "www.domainxyz.com"
To match the requests with the domain name of www.domainxyz.com and URLs containing "sports", you would enter the following commands:
add pol expression sports_url "URL contains sports"
add cs policy <policyName> -rule sports_url -domain "www.domainxyz.com"
Related Commands
rm cs policy
show cs policy
set cs policy
rm cs policy
Synopsis
rm cs policy <policyName>
Description
This command removes the specified content switching policy.
Note: The policy must be unbound from the content switching virtual server before it is removed.
Arguments
policyName
The name of the content switching policy to be removed.
Related Commands
add cs policy
show cs policy
set cs policy
show cs policy
Synopsis
show cs policy [<policyName>]
Description
This command displays all of the content switching policies.
Arguments
policyName
Specifies the name of the policy to be displayed. If no name is given, all policies are displayed.
Output
policyName
url
rule
domain
vstype
hits
Related Commands
show cs vserver
add cs policy
rm cs policy
set cs policy
set cs policy
Synopsis
set cs policy <policyName> [-rule <expression>]
Description
This command changes a previously configured content switching policy.
Arguments
policyName
Specifies the name of the new content switching policy.
rule
Specifies the condition for applying this policy. Expression logic consists of expression names, separated by the logical operators || and &&, and possibly grouped using parentheses. If the expression contains blanks (for example, between an expression name and a logical operator), then the entire argument must be enclosed in double quotes. The following shows valid expression logic:
ns_ext_cgi||ns_ext_asp
"ns_non_get && (ns_header_cookie||ns_header_pragma)"
Related Commands
add cs policy
rm cs policy
show cs policy
add cs vserver
Synopsis
add cs vserver <vServerName> <serviceType> (<IPAddress> [-range <positive_integer>]) <port> [-state ( ENABLED | DISABLED )]
Description
This command adds a content switching virtual server.
Arguments
vServerName
Specifies the virtual server name. The name can be a maximum of 31 characters long.
serviceType
Specifies the service of the virtual server as HTTP or SSL.
Possible values: HTTP, SSL
IPAddress
Specifies the IP address of the virtual server.
port
Specifies a port number for the virtual server.
state
Specifies whether the virtual server is enabled or disabled.
Possible values: ENABLED, DISABLED
Default value: ENABLED
precedence
Identifies the precedence on the content switching virtual server between RULE-based and URL-based policies. The default precedence is set to RULE. If the precedence is configured as RULE, the incoming request is applied against the content switching policies created with the -rule argument using the add cs policy CLI command. If none of the rules match, the URL in the request is applied against the content switching policies created with the -url argument using the add cs policy CLI command.
Possible values: RULE, URL
Default value: RULE
casesensitive
Identifies the URL lookup case option on the content switching vserver. If case sensitivity of a content switching virtual server is set to ON, the URLs /a/1.html and /A/1.HTML are treated differently and can have different targets set through content switching policies. When case sensitivity is set to OFF, the URLs /a/1.html and /A/1.HTML are treated the same and are switched to the same target.
Possible values: ON, OFF
Default value: ON
soPersistenceTimeOut
soThreshold
Example
1. Precedence can be used if certain client attributes (such as a specific type of browser) need to be served with different content and all other clients can be served from the content distributed among servers. If the precedence is configured as URL, the incoming request URL is applied against the content switching policies created with the -url argument. If none of the policies match, then the request is applied against the content switching policies created with the -rule argument.
2. Precedence can be used if some content (such as images) is the same for all clients but other content (such as text) is different for different clients. In this case the images will be served to all clients but the text served to specific clients based on the attributes, such as Accept-Language.
Related Commands
add cs policy
set cs vserver
show cs vserver
stat cs vserver
bind cs vserver
Synopsis
bind cs vserver <vServerName> [<targetVserver>] [-policyName <string> [-priority <positive_integer>]]
Description
This command binds a content switching policy between a content-based virtual server and an address-based virtual server. Multiple policies can be assigned to the virtual server pair. Do not specify the optional policyName when adding a default policy on the content switch virtual server.
Arguments
vServerName
Identifies the virtual server name (created with the add cs vserver or add cr vserver command) for which the content switching policy will be set.
targetVserver
Specifies the virtual server name (created with the add lb vserver command) to which content will be switched.
policyName
Specifies the content switch policy name (created with the add cs policy command).
Related Commands
add cs policy
show cs policy
unbind cs vserver
set cs vserver
Synopsis
set cs vserver <vServerName> [-precedence ( RULE | URL )] [-casesensitive ( ON | OFF )] [-backupVServerName <string>] [-redirectURL <URL>] [-cacheable ( YES | NO )] [-cltTimeout <secs>] [-soMethod <soMethod>] [-soPersistence ( ENABLED | DISABLED )] [-soPersistenceTimeOut <positive_integer>] [-soThreshold <positive_integer>]
Description
This command changes or adds the parameters of a content switching virtual server.
Arguments
vServerName
Identifies the virtual server name (created with the add cs vserver command).
precedence
Identifies the precedence on the content switching virtual server between rule-based and URL-based policies. The default precedence is set to RULE.
If the precedence is configured as RULE, the incoming request is applied against the content switching policies created with the -rule argument. If none of the rules match, then the URL in the request is applied against the content switching policies created with the -url option. For example, this precedence can be used if certain client attributes (such as a specific type of browser) need to be served different content and all other clients can be served from the content distributed among servers.
If the precedence is configured as URL, the incoming request URL is applied against the content switching policies created with the -url option. If none of the policies match, then the request is applied against the content switching policies created with the -rule option. Also, this precedence can be used if some content (such as images) is the same for all clients but other content (such as text) is different for different clients. In this case the images will be served to all clients but the text served to specific clients based on the attributes, such as Accept-Language.
Possible values: RULE, URL
casesensitive
Identifies the URL lookup case option on the content switching vserver. If case sensitivity of a content switching virtual server is set to ON, the URLs /a/1.html and /A/1.HTML are treated differently and can have different targets set through content switching policies. When case sensitivity is set to OFF, the URLs /a/1.html and /A/1.HTML are treated the same and are switched to the same target.
Possible values: ON, OFF
Default value: ON
backupVServerName
redirectURL
cacheable
cltTimeout
soMethod
soPersistence
soPersistenceTimeOut
soThreshold
Related Commands
add cs policy
show cs policy
add cs vserver
show cs vserver
stat cs vserver
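The interaction of -precedence and -casesensitive described above can be checked offline with a small model. The following Python sketch is an added example, not part of the Citrix guide or the appliance's code: the class and function names, the lb_* targets and the sample requests are constructed, rule expressions are modelled as Python predicates, case sensitivity is assumed to affect URL lookups only, and the first matching policy in list order wins (the guide does not describe how several matching policies are ranked).

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Request:
    url: str
    headers: Dict[str, str]


@dataclass
class UrlPolicy:            # models: add cs policy <name> -url <pattern>
    name: str
    pattern: str
    target: str             # hypothetical lb vserver given to bind cs vserver


@dataclass
class RulePolicy:           # models: add cs policy <name> -rule <expression>
    name: str
    rule: Callable[[Request], bool]
    target: str


def url_matches(pattern: str, url: str, casesensitive: bool = True) -> bool:
    """Match the -url forms shown in the guide: exact, prefix*, /*.ext, prefix/*.ext."""
    path = url.split("?", 1)[0]
    if not casesensitive:
        pattern, path = pattern.lower(), path.lower()
    if "*" not in pattern:
        return path == pattern
    prefix, suffix = pattern.split("*", 1)
    return (len(path) >= len(prefix) + len(suffix)
            and path.startswith(prefix) and path.endswith(suffix))


def select_target(req: Request, url_policies: List[UrlPolicy],
                  rule_policies: List[RulePolicy], precedence: str = "RULE",
                  casesensitive: bool = True,
                  default_target: Optional[str] = None) -> Tuple[Optional[str], Optional[str]]:
    """Return (policy name, target); (None, default_target) when nothing matches."""
    def by_rule():
        return next((p for p in rule_policies if p.rule(req)), None)

    def by_url():
        return next((p for p in url_policies
                     if url_matches(p.pattern, req.url, casesensitive)), None)

    # RULE precedence tries rule policies first, URL precedence the reverse.
    order = (by_rule, by_url) if precedence == "RULE" else (by_url, by_rule)
    for lookup in order:
        hit = lookup()
        if hit is not None:
            return hit.name, hit.target
    return None, default_target


def case_dependent(url: str, headers: Dict[str, str], url_policies, rule_policies,
                   **settings) -> bool:
    """True when case variants of one URL resolve to different targets."""
    targets = {
        select_target(Request(variant, headers), url_policies, rule_policies, **settings)[1]
        for variant in (url, url.lower(), url.upper())
    }
    return len(targets) > 1


# Constructed sample policies, following the guide's images / Accept-Language scenario.
URLS = [UrlPolicy("images", "/images/*", "lb_images")]
RULES = [RulePolicy("lang_fr",
                    lambda r: "fr" in r.headers.get("Accept-Language", "").lower(),
                    "lb_french")]

if __name__ == "__main__":
    french = Request("/images/logo.gif", {"Accept-Language": "fr"})
    mixed = Request("/IMAGES/logo.gif", {"Accept-Language": "en"})
    for prec in ("RULE", "URL"):
        print(prec, select_target(french, URLS, RULES, precedence=prec,
                                  default_target="lb_default"))
    for cs in (True, False):
        print("casesensitive", cs, select_target(mixed, URLS, RULES, casesensitive=cs,
                                                 default_target="lb_default"))
```

With case sensitivity ON, the mixed-case request misses the images policy and lands on the default target, so a review of URL policies should confirm that the default target is an acceptable destination for every case variant of a policy's prefix.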
rm cs vserver
Synopsis
rm cs vserver <name>@ ...
Description
Use this command to remove a virtual server.
Arguments
name
The name of the virtual server to be removed.
Example
rm vserver lb_vip
Related Commands
enable cs vserver
disable cs vserver
enable cs vserver
Synopsis
enable cs vserver <name>@
Description
Use this command to enable a virtual server.
Note: Virtual servers, when added, are enabled by default.
Arguments
name
The name of the virtual server to be enabled.
Example
enable vserver lb_vip
Related Commands
rm cs vserver
disable cs vserver
disable cs vserver
Synopsis
disable cs vserver <name>@
Description
Use this command to disable a virtual server (take it out of service).
Arguments
name
The name of the virtual server to be disabled.
Notes:
1. The NetScaler 9000 system still responds to ARP and/or ping requests for the IP address of this virtual server.
2. As the virtual server is still configured in the NetScaler 9000 system, you can enable the virtual server using the enable vserver CLI command.
Example
disable vserver lb_vip
Related Commands
rm cs vserver
enable cs vserver
show cs vserver
Synopsis
show cs vserver [<name>]
show cs vserver stats - alias for 'stat cs vserver'
Description
This command displays the list of content switching virtual servers configured in the NetScaler 9000 system. To show the information for a particular virtual server and the content policies bound to that virtual server, enter the name of the content switching virtual server.
Arguments
name
Specifies the content switching virtual server for which information is to be displayed.
Output
IPAddress
value
port
range
serviceType
type
state
status
cacheType
redirect
precedence
redirectURL
authentication
casesensitive
homePage
dnsVserverName
domain
rule
policyName
hits
serviceName
weight
cacheVserver
backupVServerName
priority
cltTimeout
soMethod
soPersistence
soPersistenceTimeOut
soThreshold
redirectURL
url
Related Commands
show cs policy
add cs vserver
set cs vserver
stat cs vserver
stat cs vserver
Synopsis
stat cs vserver [<name>] [-detail] [-fullValues] [-ntimes <positive_integer>] [-logFile <input_filename>]
Description
This command displays content switching vserver statistics.
Arguments
name
The name of the vserver for which statistics will be displayed. If no name is given, statistics are shown for all cs vservers.
Output
Counters
Vserver protocol (Protocol)
Protocol associated with the vserver.
IP address (IP)
The IP address at which the service is running.
Port (port)
The port at which the service is running.
State
Current state.
Requests (Req)
The total number of requests.
Responses (Rsp)
Number of responses.
Request bytes (Reqb)
The total number of request bytes.
Response bytes (Rspb)
Number of response bytes.
Related Commands
add cs vserver
set cs vserver
show cs vserver
unbind cs vserver
Synopsis
unbind cs vserver <vServerName> [-policyName <string>]
Description
This command removes the content switching policies for the specified content switching virtual server. To remove the default policy, do not specify the optional policy name.
Arguments
vServerName
Identifies the virtual server name (created with the add cs vserver or add cr vserver command) for which the content switching policy will be set.
policyName
Specifies the content switch policy name (created with the add cs policy command).
Related Commands
bind cs vserver
DNS Commands
This chapter covers the DNS commands.
stat dns
Synopsis
stat dns [-detail] [-fullValues] [-ntimes <positive_integer>] [-logFile <input_filename>]
Description
This command displays the DNS statistics.
Counters
Dns queries (Q)
Total number of DNS queries received.
A queries (AQ)
Total number of A queries received.
NS queries (NSQ)
Total number of NS queries received.
CNAME queries (CNQ)
Total number of CNAME queries received.
SOA queries (SOAQ)
Total number of SOA queries received.
MX queries (MXQ)
Total number of MX queries received.
Dns responses (Rsp)
Total number of DNS responses received.
A responses (ARsp)
Total number of A responses received.
NS responses (NSRsp)
Total number of NS responses received.
CNAME responses (CNRsp)
Total number of CNAME responses received.
SOA responses (SOARsp)
Total number of SOA responses received.
MX responses (MXRsp)
Total number of MX responses received.
Server queries (SvrQ)
Total number of Server queries sent.
Server responses (SvrRsp)
Total number of Server responses received.
A updates (AUp)
Total number of A record updates.
NS updates (NSUp)
Total number of NS record updates.
MX updates (MXUp)
Total number of MX record updates.
SOA updates (SOAUp)
Total number of SOA record updates.
CNAME updates (CNUp)
Total number of CNAME record updates.
Record updates (Up)
Total number of record updates.
Cache flush called (CaFsh)
Total number of times cache was flushed.
Cache entries flushed (CaEntFsh)
Total number of cache entries flushed.
A records (ARec)
Total number of A records.
NS records (NSRec)
Total number of NS records.
MX records (MXRec)
Total number of MX records.
SOA records (SOARec)
Total number of SOA records.
CNAME records (CNRec)
Total number of CNAME records.
Authoritative entries (AthEnt)
Total number of authoritative entries.
Non-authoritative entries (PxyEnt)
Total number of non-authoritative entries.
No A records (NoARec)
Total number of times A record lookup failed.
No NS records (NoNSRec)
Total number of times NS record lookup failed.
No MX records (NoMXRec)
Total number of times MX record lookup failed.
No CNAME records (NoCNRec)
Total number of times CNAME record lookup failed.
Unsupported queries (NotSupQ)
Total number of requests for which query type requested was unsupported.
Response type unsupported (RspNoSup)
Total number of responses for which response type requested was unsupported.
Response class unsupported (RspClsEr)
Total number of responses for which response types were unsupported.
Query class unsupported (QClsEr)
Total number of queries for which query class was unsupported.
Invalid query format (InQFmt)
Total number of queries whose format was invalid.
Invalid response format (InRspFmt)
Total number of responses for which there was a format error.
Stray answers (StryRsp)
Total number of stray answers.
Multi queries (MtQ)
Total number of Multi Query requests received.
Multi queries disabled (MtQErr)
Total number of times a multi query was received while multi query was disabled.
Related Commands
show dns stats
Synopsis
show dns stats - alias for 'stat dns'
Description
show dns stats is an alias for stat dns.
Related Commands
stat dns
add dns addRec
Synopsis
add dns addRec <hostname> <IPAddress> ... [-TTL <secs>]
Description
Use this command to add an address record for the specified domain name.
Arguments
hostname
The domain name for which the address record is added.
IPAddress
Use this parameter to specify one or more IP addresses for the domain name.
TTL
Use this parameter to specify the time to live, in seconds.
Example
add dns addrec www.mynw.com 65.200.211.139 -ttl 10
Related Commands
rm dns addRec
show dns addRec
rm dns addRec
Synopsis
rm dns addRec <hostname> [<IPAddress> ...]
Description
This command removes the specified IP address from the address record for the given domain name. If an IP address is not specified, the entire address record for the given domain name is removed.
Arguments
hostname
The host name for which the address record has to be removed.
IPAddress
Use this parameter to specify one or more IP addresses for the address record to be removed. If all address records within a domain are removed, the domain name entry is also removed.
Example
rm dns addrec www.mynw.com
Related Commands
add dns addRec
show dns addRec
show dns addRec
Synopsis
show dns addRec [<hostname> | -type <type>]
Description
Use this command to show the address record for the specified host name. If a host name is not specified, all address records are displayed.
Arguments
hostname
The domain name for which the address records are to be displayed.
type
Use this parameter to specify the address record type. Type can take 3 values:
ADNS - if this is specified, all the authoritative address records will be displayed
PROXY - if this is specified, all the proxy address records will be displayed
ALL - if this is specified, all the address records will be displayed
Possible values: ALL, ADNS, PROXY
Output
IPAddress
TTL
vServerName
Related Commands
add dns addRec
rm dns addRec
add dns cnameRec
Synopsis
add dns cnameRec <aliasName> <canonicalName> [-TTL <secs>]
Description
Use this command to add the canonical name record.
Arguments
aliasName
Alias name for the specified domain.
canonicalName
The domain for which cnamerec is created.
TTL
Use this parameter to specify time to live, in seconds.
Example
add dns cnameRec www.mynw.org www.mynw.com -ttl 20
Related Commands
rm dns cnameRec
show dns cnameRec
rm dns cnameRec
Synopsis
rm dns cnameRec <aliasName>
Description
Use this command to remove the canonical name record.
Arguments
aliasName
The alias name to be removed.
Example
rm dns cnamerec www.mynw.org
Related Commands
add dns cnameRec
show dns cnameRec
show dns cnameRec
Synopsis
show dns cnameRec [<aliasName> | -type <type>]
Description
Use this command to display the cname records. If no alias name is specified, all "cname" records are displayed.
Arguments
aliasName
The alias name. If an alias name is not specified, all "cname" records are displayed.
type
Use this parameter to specify the cname record type. Type can take 3 values:
ADNS - if this is specified, all the authoritative cname records will be displayed
PROXY - if this is specified, all the proxy cname records will be displayed
ALL - if this is specified, all the cname records will be displayed
Possible values: ALL, ADNS, PROXY
Default value: ADNS
Output
canonicalName
TTL
Example
show dns cnameRec www.mynw.org
Related Commands
add dns cnameRec
rm dns cnameRec
add dns mxRec
Synopsis
add dns mxRec <domain> -mx <string> -pref <positive_integer>
Description
Use this command to add the DNS mail exchange (MX) record. The parameters are:
Arguments
domain
The domain for which the MX record is added.
mx
Specifies the MX record name.
pref
The route priority number.
Note: A domain name can have multiple mail routes, each assigned a priority number. The mail route with the lowest number identifies the server responsible for the domain. Other mail servers listed are used as backups.
TTL
Use this parameter to specify the time to live, in seconds.
Related Commands
rm dns mxRec
set dns mxRec
show dns mxRec
rm dns mxRec
Synopsis
rm dns mxRec <domain> <mx>
Description
Use this command to remove the DNS mail exchange record.
Arguments
domain
The domain for the mail exchange record to be removed.
mx
The mail exchange record name.
Related Commands
add dns mxRec
set dns mxRec
show dns mxRec
set dns mxRec
Synopsis
set dns mxRec <domain> -mx <string> [-pref <positive_integer>] [-TTL <secs>]
Description
Use this command to set the DNS MX (mail exchange) record parameters.
Arguments
domain
The domain to be associated with the MX record.
mx
The name of the MX record.
pref
The priority number of the domain's mail route. Since one domain name can have multiple mail routes, you must specify a priority number for each of the domain's routes. The mail route with the lowest number identifies the server responsible for the domain. Other mail servers listed are used as backups.
TTL
Use this parameter to specify the time to live, in seconds.
Related Commands
add dns mxRec
rm dns mxRec
show dns mxRec
show dns mxRec
Synopsis
show dns mxRec [<domain> | -type <type>]
Description
Use this command to show the mail exchange (MX) record for the specified domain. If a domain name is not specified, all mail exchange records are displayed.
Arguments
domain
The domain name for which the MX record will be displayed.
type
Use this parameter to specify the MX record type. Type can take 3 values:
ADNS - if this is specified, all the authoritative MX records will be displayed
PROXY - if this is specified, all the proxy MX records will be displayed
ALL - if this is specified, all the MX records will be displayed
Possible values: ALL, ADNS, PROXY
Default value: ADNS
Output
domain
mx
pref
TTL
Related Commands
add dns mxRec
rm dns mxRec
set dns mxRec
add dns nsRec
Synopsis
add dns nsRec <domain> <nameServer> [-TTL <secs>]
Description
Use this command to add the Name Server record for a given domain name.
Arguments
domain
The domain name for which the Name Server record is added.
nameServer
The nameserver for the domain.
TTL
Use this parameter to specify the time to live, in seconds.
Related Commands
rm dns nsRec
show dns nsRec
rm dns nsRec
Synopsis
rm dns nsRec <domain> <nameServer>
Description
Use this command to remove the Name Server record for the given domain.
Arguments
domain
The domain name for which the Name Server record is to be removed.
nameServer
The nameserver for the domain to be removed.
Related Commands
add dns nsRec
show dns nsRec
show dns nsRec
Synopsis
show dns nsRec [<domain> | -type <type>]
Description
Use this command to display the name server record for this domain. If no domain name is specified, all the name server records are displayed.
Arguments
domain
The domain name for the name server record.
type
Use this parameter to specify the Name Server record type. Type can take 3 values:
ADNS - if this is specified, all the authoritative Name Server records will be displayed
PROXY - if this is specified, all the proxy Name Server records will be displayed
ALL - if this is specified, all the Name Server records will be displayed
Possible values: ALL, ADNS, PROXY
Output
domain
nameServer
TTL
Related Commands
add dns nsRec
rm dns nsRec
set dns parameter
Synopsis
set dns parameter [-retries <positive_integer>] [-minTTL <secs>] [-maxTTL <secs>] [-namelookuppriority ( WINS | DNS )]
Description
This command sets TTL parameters.
Arguments
retries
The DNS resolver request retry count.
minTTL
The minimum time to live value allowed, in seconds. If any DNS entry has a time to live value of less than the minimum time to live value, it is saved as the minimum time to live value.
maxTTL
The maximum time to live value allowed, in seconds. If the DNS entry has a time to live value of more than the maximum time to live value, it is saved as the maximum time to live value.
namelookuppriority
The name lookup priority as DNS or WINS.
Possible values: WINS, DNS
Default value: WINS
Related Commands
show dns parameter
show dns parameter
Synopsis
show dns parameter
Description
Use this command to display the following values:
DNS Retries - The DNS resolver request timeout.
minTTL - The minimum time to live value allowed. If any DNS entry has a time to live value less than the minimum time to live, it is saved as the minimum time to live.
maxTTL - The maximum time to live value allowed. If any DNS entry has a time to live value more than the maximum time to live, it is saved as the maximum time to live.
Arguments
Output
retries
minTTL
maxTTL
namelookuppriority
Related Commands
set dns parameter
add dns soaRec
Synopsis
add dns soaRec <domain> -originServer <string> -contact <string> -serial <positive_integer> -refresh <secs> -retry <secs> -expire <secs> -minimum <secs> -TTL <secs>
Description
Use this command to add the Start of Authority (SOA) record.
Arguments
domain
The domain name for which the SOA record is added.
originServer
The name of the origin server for the given domain.
contact
The contact person for this ADNS. Typically this is an email address in which the at sign (@) has been replaced by a period (.).
serial
This parameter is used by the secondary server to determine if it requires a zone transfer from the primary server. If the secondary's number is lower than the primary's number, then the secondary server knows that its records are out of date. This is not used by a primary server.
refresh
Use this parameter to determine the number of seconds between a successful check on the serial number on the zone of the primary, and the next attempt. This is usually 2 - 24 hours. This is not used by a primary server.
retry
If a refresh attempt fails, a server retries after the specified number of seconds. This is not used by a primary server.
expire
Measured in seconds. If the refresh and retry attempts keep failing for this many seconds, the server stops serving the zone. The typical value is 1 week. Not used by a primary server.
minimum
The default TTL for every record in the zone. Can be overridden for any particular record. Typical values range from eight hours to four days. When changes are being made to a zone, it is often set to ten minutes or less.
TTL
The time to live, in seconds.
Related Commandsset dns soaRecrm dns soaRecshow dns soaRec
set dns soaRec
Synopsis
set dns soaRec <domain> [-originServer <string>] [-contact <string>] [-serial <positive_integer>] [-refresh <secs>] [-retry <secs>] [-expire <secs>] [-minimum <secs>] [-TTL <secs>]
Description
Use this command to set the DNS Start Of Authority (SOA) record attributes.
Arguments
domain
The domain name for which the SOA record attributes are set.
originServer
The origin server name for the given domain.
contact
The contact person for this ADNS. Typically it is an email address in which the at sign (@) is replaced with a period (.).
serial
This is used by a secondary server to determine if it requires a zone transfer from the primary server. If the secondary's number is lower than the primary's number, then the secondary server determines that its records are out of date. Not used by a primary server.
refresh
Refresh determines the number of seconds between a successful check on the serial number on the zone of the primary, and the next attempt (usually 2 - 24 hours). Not used by a primary server.
retry
If a refresh attempt fails, a server will retry after this many seconds. Not used by a primary server.
expire
Measured in seconds. If the refresh and retry attempts fail after that many seconds, the server will stop serving the zone. The typical value is 1 week. Not used by a primary server.
minimum
The default TTL for every record in the zone. Can be overridden for any particular record. Typical values range from eight hours to four days. When changes are being made to a zone, it is often set at ten minutes or less.
TTL
The time to live, measured in seconds.
Related Commands
add dns soaRec
rm dns soaRec
show dns soaRec
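The serial, refresh, retry and expire arguments of add dns soaRec and set dns soaRec interact on the secondary server. The following Python model is an added example, not NetScaler code: it replays a secondary's checks using the plain "lower than" serial comparison described above. The names SoaTimers and simulate_secondary and the sample values are assumptions made for illustration.

```python
from typing import List, NamedTuple, Optional, Tuple


class SoaTimers(NamedTuple):
    refresh: int  # seconds between a successful serial check and the next attempt
    retry: int    # seconds to wait after a failed attempt
    expire: int   # seconds without a successful check before the zone stops being served


def simulate_secondary(timers: SoaTimers, local_serial: int,
                       primary_serials: List[Optional[int]]) -> List[Tuple[int, str, int]]:
    """Replay a secondary server's SOA checks against a primary.

    primary_serials holds, per attempt, the serial the primary answered with,
    or None when the attempt failed. Returns (time, event, local_serial) tuples.
    The zone is assumed to have been transferred successfully at time 0.
    """
    events = []
    now = 0
    last_success = 0
    wait = timers.refresh
    for answer in primary_serials:
        now += wait
        if answer is None:
            # Failed attempt: give up on the zone once 'expire' seconds have
            # passed since the last successful check, otherwise retry.
            if now - last_success >= timers.expire:
                events.append((now, "expired", local_serial))
                break
            events.append((now, "retry", local_serial))
            wait = timers.retry
            continue
        last_success = now
        wait = timers.refresh
        if local_serial < answer:
            # Secondary's serial is lower than the primary's: records are out of date.
            local_serial = answer
            events.append((now, "zone-transfer", local_serial))
        else:
            events.append((now, "up-to-date", local_serial))
    return events


# Constructed sample: 2 h refresh, 1 h retry, and a 4 h expire (far shorter
# than the typical 1 week so that the expiry shows up within a few attempts).
SAMPLE_TIMERS = SoaTimers(refresh=7200, retry=3600, expire=14400)
SAMPLE_ANSWERS = [2005010101, 2005010102, None, None, None, 2005010103]

# Constructed misconfiguration: expire shorter than refresh, so the very first
# failed check already stops the secondary from serving the zone.
SHORT_EXPIRE = SoaTimers(refresh=7200, retry=3600, expire=3600)

if __name__ == "__main__":
    for t, event, serial in simulate_secondary(SAMPLE_TIMERS, 2005010101, SAMPLE_ANSWERS):
        print(f"t={t:>6}s  {event:<13}  serial={serial}")
    print(simulate_secondary(SHORT_EXPIRE, 2005010101, [None]))
```

The second run shows why the expire value should comfortably exceed refresh plus several retry intervals: otherwise one unreachable primary is enough to take the zone out of service on the secondary.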
rm dns soaRec
Synopsis
rm dns soaRec <domain>
Description
Use this command to remove the Start of Authority (SOA) record for a given domain name.
Arguments
domain
The domain name for the SOA record to be removed.
Related Commands
add dns soaRec
set dns soaRec
show dns soaRec
show dns soaRec
Synopsis
show dns soaRec [<domain> | -type <type>]
Description
Use this command to show the specified Start of Authority record. If the domain name is not specified, all the SOA records are displayed.
Arguments
domain
The domain name for which the SOA record will be displayed.
type
Use this parameter to specify the SOA record type. Type can take 3 values:
ADNS - if this is specified, all the authoritative SOA records will be displayed
PROXY - if this is specified, all the proxy SOA records will be displayed
ALL - if this is specified, all the SOA records will be displayed
Possible values: ALL, ADNS, PROXY
Output
domain
originServer
contact
serial
refresh
retry
expire
minimum
TTL
Related Commands
add dns soaRec
set dns soaRec
rm dns soaRec
add dns suffix
Synopsis
add dns suffix <dnsSuffix>
Description
Use this command to append suffixes while resolving the domain names.
Arguments
dnsSuffix
Suffix to be appended while resolving the domain name.
Example
add dns suffix netscaler.com
If the incoming domain name "engineering" is not resolved by itself, then Netscaler will append the suffix netscaler.com and attempt to resolve the name engineering.netscaler.com
Related Commands
rm dns suffix
show dns suffix
rm dns suffix
Synopsis
rm dns suffix <dnsSuffix>
Description
Use this command to remove the DNS suffixes configured in the NetScaler system.
Arguments
dnsSuffix
Suffix name to be removed.
Related Commands
add dns suffix
show dns suffix
show dns suffix
Synopsis
show dns suffix
Description
Use this command to show all the configured DNS suffixes.
Output
dnsSuffix
Related Commands
add dns suffix
rm dns suffix
add dns nameserver
Synopsis
add dns nameserver (<dnsVserverName> | <IP>)
Description
Use this command to add a name server in the NetScaler system. Two types of name servers can be added:
1. IP address based name server. In this case, the user has to specify the IP address of the name server to be contacted.
2. Vserver based name server. In this case, the user has to specify the name of the DNS vserver configured in the NetScaler system.
Arguments
dnsVserverName
The name of the DNS vserver.
IP
The IP address of the name server.
Example
Adding an IP based name server:
add nameserver 10.102.4.1
Adding a vserver based name server:
add nameserver dns_vsvr
where dns_vsvr is the name of a DNS vserver created in the NetScaler system.
Related Commands
rm dns nameserver
show dns nameserver
rm dns nameserver
Synopsis
rm dns nameserver (<dnsVserverName> | <IP>)
Description
Use this command to remove the name server.
Arguments
dnsVserverName
The name of the DNS vserver.
IP
The IP address of the name server.
Example
Deleting an IP based name server:
rm nameserver 10.102.4.1
Deleting a vserver based name server:
rm nameserver dns_vsvr
Related Commands
add dns nameserver
show dns nameserver
show dns nameserver
Synopsis
show dns nameserver [<dnsVserverName> | <IP>]
Description
Use this command to display the name servers configured in the NetScaler system and the state of the name servers.
Arguments
dnsVserverName
The name of the DNS vserver.
IP
The IP address of the name server to be displayed.
Output
serviceName
Specifies the name of the DNS vserver.
IPAddress
IP address of the service.
port
Port of the service.
state
Related Commands
add dns nameserver
rm dns nameserver
flush dns proxyRecords
Synopsis
flush dns proxyRecords
Description
Use this command to flush all the DNS proxy records.
Related Commands
DoS Commands
This chapter covers the DoS commands.
add dos policy
Synopsis
add dos policy <name> -qDepth <positive_integer>
Description
Use this command to add a DoS protection policy to the NetScaler 9000 system.
Arguments
name
The name of the DoS protection policy to be added to a NetScaler 9000 system.
qDepth
The queue size (the number of outstanding service requests on the NetScaler 9000 system) that must be reached before DoS protection is activated on the service to which the DoS protection policy is bound. The minimum value you can specify is 21.
Note: For the DoS protection to be applied on a service, it must have a DoS policy bound to it. This is done with the bind service CLI command.
cltDetectRate
The client detect rate is the percentage of traffic to apply the DOS policy. The value can vary from 1 to 100.
Example
add dos policy dospol -qdepth 100 -cltDetectRate 90
Related Commands
rm dos policy
set dos policy
show dos policy
rm dos policy
Synopsis
rm dos policy <name>
Description
Use this command to remove the specified DoS protection policy <name>. The DoS protection policy is set in the NetScaler 9000 system using the add dos policy command.
Arguments
name
The name of the DoS protection policy to be removed.
Example
rm dos policy dospol
Related Commands
add dos policy
set dos policy
show dos policy
set dos policy
Synopsis
set dos policy <name> [-qDepth <positive_integer>] [-cltDetectRate <positive_integer>]
Description
Use this command to modify the parameters for the specified DoS protection policy.
Arguments
name
The name of the DoS protection policy to be modified.
qDepth
The queue size (the outstanding requests on this service queued in the NetScaler 9000 system, waiting to be sent to the server) that must be reached before DoS protection is activated on the service. The minimum queue size that you can specify is 21. For DoS protection to be activated on a service, this policy needs to be bound to that service using the bind service CLI command.
cltDetectRate
The client detect rate is the percentage of traffic to apply the DOS policy. The value can vary from 1 to 100.
Example
set dos policy dospol -qdepth 1000
Related Commands
add dos policy
rm dos policy
show dos policy
show dos policy
Synopsis
show dos policy
Description
Use this command to display the configured DoS protection policy.
Arguments
Output
name
The DoS policy that needs to be displayed.
qDepth
The queue size (the outstanding requests on this service queued in the NetScaler 9000 system, waiting to be sent to the server) that must be reached before DoS protection is activated on the service. The minimum queue size that you can specify is 21. For DoS protection to be activated on a service, this policy needs to be bound to that service using the bind service CLI command.
cltDetectRate
The client detect rate is the percentage of traffic to apply the DOS policy. The value can vary from 1 to 100.
Example
> show dos policy
1 configured DoS policy:
1) Policy: dospol QDepth: 100 ClientDetectRate: 90
Done
Related Commands
add dos policy
rm dos policy
set dos policy
Filter Commands
This chapter covers the filter commands.
add filter action
Synopsis
add filter action <name> <qual> [<serviceName>] [<value>] [<respcode>] [<page>]
Description
This command creates a content filtering action. The action thus created can be associated with the content filtering policy by using the "add filter policy" command. The two built-in filter actions RESET and DROP are always present on the Netscaler system. Use the RESET filter action to send a TCP reset for the HTTP requests. Use the DROP filter action to drop the HTTP requests silently without sending a TCP FIN for closing the connection.
Arguments
name
The name for the filter action being added. This name may not exceed 31 characters.
qual
The filter action to be performed. The valid values are add, forward, errorcode, reset, and drop.
Possible values: reset, add, corrupt, forward, errorcode, drop
serviceName
The service to which HTTP requests are forwarded. This parameter is required when the qualifier is FORWARD.
value
The string containing the header_name and header_value. When the qualifier is ADD, use this option as header_name:header_value. When the qualifier is Corrupt, use this option to specify only the header_name.
respcode
The response code to be returned for HTTP requests. Use this parameter when the qualifier is ERRORCODE.
page
The HTML page that will be returned for the HTTP requests. Use this parameter when the qualifier is ERRORCODE.
Example
add filter action bad_url_action errorcode 400 "<HTML>Bad URL.</HTML>"
add filter action forw_action FORWARD service1
add filter action add_header_action add "HEADER:value"
Related Commands
rm filter action
show filter action
rm filter action
Synopsis
rm filter action <name>
Description
Use this command to remove a filter action that was created using the "add filter action" command.
Arguments
name
The name of the filter action to be removed.
Example
rm filter action filter_action_name
Related Commands
add filter action
show filter action
show filter action
Synopsis
show filter action
Description
Use this command to display the filter actions defined using the "add filter action" command. The information displayed includes the action name, qualifier, and operands. The filter actions RESET and DROP are always displayed, irrespective of whether an action has been defined. They are built-in actions and cannot be modified.
Arguments
Output
name
qual
serviceName
value
respcode
page
Example
Example 1
The following shows an example of the output of the show filter action command when no filter actions have been defined:
1) Name: RESET Filter Type: reset
2) Name: DROP Filter Type: drop
Done
Example 2
The following command creates a filter action:
add filter action bad_url_action errorcode 400 "<HTML>Bad URL.</HTML>"
The following shows an example of the output of the show filter action command after the previous command has been issued:
Name: bad_url_action Filter Type: errorcode StatusCode: 400 Response Page: <HTML>Bad URL.</HTML>
Done
Related Commands
add filter action
rm filter action
add filter policy
Synopsis
add filter policy <name> -rule <expression>
Description
Use this command to create a content filtering policy.
Arguments
name
The name of the new filter policy.
rule
The expression which sets the condition for application of the policy.
reqAction
The name of the action to be performed on the request. The string value can be a filter action created using the "add filter action" command, or one of the following built-in actions:
RESET - Sends the TCP reset and closes the connection to the peer.
DROP - Silently closes the connection to the peer without sending the TCP FIN.
Note that the request action cannot be specified if the rule has some condition to be evaluated for the response.
resAction
The action to be performed on the response. The string value can be a filter action created using the "add filter action" command or a built-in action.
Example
Example 1:
add policy expression e1 "sourceip == 66.33.22.0 -netmask 255.255.255.0"
add policy expression e2 "URL == /admin/account.asp"
add filter policy ip_filter -rule "e1 && e2" -reqAction RESET
After creating the above filter policy, it can be activated by binding it globally:
bind filter global ip_filter
With the configured ip_filter (name of the filter policy), the NetScaler system sends a TCP reset to all HTTP requests for the /admin/account.asp URL from the 66.33.22.0 Class C network. This action is applied at the HTTP request time.
Example 2:
To silently drop (without sending FIN) all the HTTP requests in which the URL has root.exe or cmd.exe, the filter policy below can be configured:
add filter policy nimda_filter -rule "URL contains root.exe || URL contains cmd.exe" -reqAction DROP
bind filter global nimda_filter
Example 3:
add filter policy url_filter -rule "url == /foo/secure.asp && SOURCEIP != 65.186.55.0 -netmask 255.255.255.0 && SOURCEIP != 65.202.35.0 -netmask 255.255.255.0" -reqaction RESET
bind filter global url_filter
With the above configured filter policy named url_filter, the NetScaler system sends RESET to all HTTP requests for the URL /foo/secure.asp from all the networks except the 65.186.55.0 and 65.202.35.0 Class C networks. This action is applied at the HTTP request time.
Note: In the above examples, RESET and DROP are built-in actions in the Netscaler system. The "show filter action" and "show filter policy" CLI commands show the configured filter actions and policies in the Netscaler system respectively. The "show filter global" command shows all the globally active filter policies.
Related Commands
rm filter policy
show filter policy
set filter policy
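The rule logic of the filter policy examples in this chapter (ip_filter, nimda_filter, url_filter and reset_invalid_req) can be checked against sample requests before a policy is bound globally. The following Python model is an added example, not NetScaler code: it assumes exact, case-sensitive URL comparison, reports every policy whose rule matches without modelling binding priority, and the request values and the function names are constructed for illustration.

```python
import ipaddress
from typing import List, NamedTuple, Tuple


class Request(NamedTuple):
    source_ip: str
    method: str
    url: str


MASK = "255.255.255.0"  # the -netmask value used in every example rule


def src_in(req: Request, network: str, netmask: str = MASK) -> bool:
    """Model of 'SOURCEIP == <network> -netmask <netmask>'."""
    net = ipaddress.ip_network(f"{network}/{netmask}")
    return ipaddress.ip_address(req.source_ip) in net


# (policy name, rule, request action) transcribed from the chapter's examples.
POLICIES = [
    ("ip_filter",
     lambda r: src_in(r, "66.33.22.0") and r.url == "/admin/account.asp",
     "RESET"),
    ("nimda_filter",
     lambda r: "root.exe" in r.url or "cmd.exe" in r.url,
     "DROP"),
    ("url_filter",
     lambda r: (r.url == "/foo/secure.asp"
                and not src_in(r, "65.186.55.0")
                and not src_in(r, "65.202.35.0")),
     "RESET"),
    ("reset_invalid_req",
     lambda r: r.method != "GET" and r.method != "HEAD",
     "RESET"),
]


def matching_policies(req: Request) -> List[Tuple[str, str]]:
    """Return (policy name, action) for every policy whose rule is true."""
    return [(name, action) for name, rule, action in POLICIES if rule(req)]


def url_filter_with_or(req: Request) -> bool:
    """Hypothetical mis-written url_filter: '||' between the two SOURCEIP tests.

    No address lies in both networks, so at least one '!=' is always true and
    the rule matches every source, including the two permitted networks.
    """
    return req.url == "/foo/secure.asp" and (
        not src_in(req, "65.186.55.0") or not src_in(req, "65.202.35.0"))


# Constructed sample requests.
SAMPLES = [
    Request("66.33.22.40", "GET", "/admin/account.asp"),
    Request("10.1.1.5", "GET", "/admin/account.asp"),
    Request("203.0.113.9", "GET", "/scripts/root.exe"),
    Request("65.186.55.17", "GET", "/foo/secure.asp"),
    Request("65.202.35.200", "GET", "/foo/secure.asp"),
    Request("198.51.100.7", "GET", "/foo/secure.asp"),
    Request("198.51.100.7", "POST", "/index.html"),
]

if __name__ == "__main__":
    for req in SAMPLES:
        print(req, "->", matching_policies(req) or "no filter action")
    permitted = Request("65.186.55.17", "GET", "/foo/secure.asp")
    print("'||' variant resets a permitted client:", url_filter_with_or(permitted))
```

The url_filter rule is an allow list written as negative conditions, so each permitted network must be joined with &&; the hypothetical || variant shows how one wrong operator turns it into a rule that resets every client.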
rm filter policy
Synopsis
rm filter policy <name>
Description
Use this command to remove a filter policy.
Arguments
name
The filter policy to be removed.
Example
rm filter policy filter_policy_name
The "show filter policy" command shows all filter policies that are currently defined.
Related Commands
add filter policy
show filter policy
set filter policy
show filter policy
Synopsis
show filter policy [<name>]
Description
Use this command to display the filter policies created using the "add filter policy" command. For each filter policy, the command output shows the filter policy name, associated rule, and request action or response action.
Arguments
name
The name of the filter policy to be displayed.
Output
name
rule
reqAction
resAction
hits
Example
show filter policy
1) Name: nimda_filter Rule: (URL CONTAINS root.exe || URL CONTAINS cmd.exe) Request action: RESET Response action: Hits: 0
2) Name: ip_filter Rule: (src_ips && URL == /admin/account.asp) Request action: RESET Response action: Hits: 0
Done
An individual filter policy can also be viewed by giving the filter policy name as argument:
show filter policy ip_filter
Name: ip_filter Rule: (src_ips && URL == /admin/account.asp) Request action: RESET Response action: Hits: 0
Done
Related Commands
add filter policy
rm filter policy
set filter policy
set filter policy
Synopsis
set filter policy <name> [-rule <expression>] [-reqAction <string> | -resAction <string>]
Description
Use this command to modify the rule and/or action of an existing filter policy, created using the "add filter policy" command. Use the "show filter policy" command to view all the configured filter policies.
Arguments
name
The name of the filter policy to be modified.
rule
The new expression to associate with the policy.
reqAction
The new request action to be applied by the policy.
resAction
The new response action to be applied by the policy.
Example
Example 1:
A filter policy to allow access to the URL /foo/secure.asp only from the 65.186.55.0 network can be created using the command below:
add filter policy url_filter -rule "URL == /foo/secure.asp && SOURCEIP != 65.186.55.0 -netmask 255.255.255.0" -reqAction RESET
This policy is activated using:
bind filter global url_filter
Later, to allow access to this URL from a second network, 65.202.35.0, the above filter policy can be changed by issuing the command below:
set filter policy url_filter -rule "URL == /foo/secure.asp && SOURCEIP != 65.186.55.0 -netmask 255.255.255.0 && SOURCEIP != 65.202.35.0 -netmask 255.255.255.0"
The changed filter policy can be viewed by using the following command:
show filter policy url_filter
Name: url_filter Rule: (URL == /foo/secure.asp && (SOURCEIP != 65.186.55.0 -netmask 255.255.255.0 && SOURCEIP != 65.202.35.0 -netmask 255.255.255.0)) Request action: RESET Response action: Hits: 0
Done
Related Commands
add filter policy
rm filter policy
show filter policy
bind filter global
Synopsis
bind filter global (<policyName> [-priority <positive_integer>]) [-state ( ENABLED | DISABLED )]
Description
Use this command to activate the filter policy globally. The filter policies are created using the "add filter policy" command. The command "show filter policy" shows all the existing filter policies and the command "show filter global" shows all the globally active filter policies. Note that the content filtering license is required for filtering. Use the "enable ns feature cf" command to activate the feature.
Arguments
policyName
The name of the filter policy to be bound.
state
Sets the state of the binding.
Possible values: ENABLED, DISABLED
Default value: ENABLED
Example
To send RESET for all the HTTP requests which are not of the GET or HEAD type, the following filter policy can be created:
add filter policy reset_invalid_req -rule "METHOD != GET && METHOD != HEAD" -reqAction RESET
This filter policy can be activated globally for the Netscaler system by giving the command:
bind filter global reset_invalid_req
Globally active filter policies can be seen using the command:
show filter global
1) Policy Name: reset_invalid_req Priority: 0
Done
Related Commands
unbind filter global
show filter global
unbind filter global
Synopsis
unbind filter global <policyName>
Description
Use this command to deactivate a filter policy globally. Use the command "show filter global" to see all the globally active filter policies.
Arguments
policyName
The name of the filter policy to be unbound.
Example
Globally active filter policies can be seen using the command:
show filter global
1) Policy Name: reset_invalid_req Priority: 0
Done
This globally active filter policy can be deactivated on the Netscaler system by giving the command:
unbind filter global reset_invalid_req
Related Commands
bind filter global
show filter global
show filter global
Synopsis
show filter global
Description
Use this command to display the globally active filter policies that have been activated using the "bind filter global" command.
Arguments
Output
policyName
priority
state
The state of the binding.
Example
show filter global
1) Policy Name: url_filter Priority: 0
2) Policy Name: reset_invalid_req Priority: 0
Done
Related Commands
bind filter global
unbind filter global
GSLB Commands
This chapter covers the GSLB commands.
add gslb site
Synopsis
add gslb site <siteName> <siteType> <siteIPAddress> [-publicIP <ip_addr>]
Description
Use this command to add the site entity participating in GSLB in the NetScaler 9000 system.
Arguments
siteName
The name of the site that is participating in the GSLB.
siteType
Use this parameter to specify whether the site is LOCAL or REMOTE.
Possible values: REMOTE, LOCAL
siteIPAddress
The IP address of the site. This IP address will be a NetScaler owned IP address. SNIP or MIP can be used as the site IP address.
publicIP
The public IP. This parameter can be specified only for a LOCAL site. This parameter is required only if the local NetScaler is in a private address space and has a public IP hosted on an external FW or NAT device.
metricExchange
Use this parameter to specify whether MEP should be enabled or disabled. When metric exchange is DISABLED, the site does not exchange metrics with other sites. When this option is disabled, a simple ROUNDROBIN method will be used for Global Server Load Balancing.
Possible values: ENABLED, DISABLED
Default value: ENABLED
Example
add site new_york LOCAL 192.168.100.12 -publicIP 65.200.211.139
Related Commands
set gslb site
rm gslb site
show gslb site
set gslb site
Synopsis
set gslb site <siteName> [-metricExchange ( ENABLED | DISABLED )]
Description
Use this command to enable or disable the Metric Exchange between sites.
Arguments
siteName
The name of the site to be modified.
metricExchange
Use this parameter to specify whether the metric exchange for the site is enabled or disabled. If metric exchange is disabled, a simple ROUNDROBIN method is used to perform Global Server Load Balancing.
Possible values: ENABLED, DISABLED
Example
set gslb site new_york -metricExchange DISABLED
Related Commands
add gslb site
rm gslb site
show gslb site
rm gslb site
Synopsis
rm gslb site <siteName>
Description
Use this command to remove the site entity configured in the Netscaler 9000 system.
Arguments
siteName
The name of the site entity to be removed. When the site is removed, all the services created under that site will be removed.
Example
rm gslb site new_york
Related Commands
add gslb site
set gslb site
show gslb site
show gslb site
Synopsis
show gslb site [<siteName>]
Description
Use this command to display the configured site entities in the NetScaler 9000 system.
Arguments
siteName
The name of the site to be displayed. If sitename is specified, all the services created under that site will be displayed.
Output
siteName
siteType
siteIPAddress
publicIP
metricExchange
serviceName
IPAddress
port
state
status
serviceType
Example
show site new_york
Related Commands
add gslb site
set gslb site
rm gslb site
add gslb service
Synopsis
add gslb service <serviceName> (<serverName> | <IP>) <serviceType> <port> [-siteName <string>] [-state ( ENABLED | DISABLED )]
Description
Use this command to add a GSLB service in the NetScaler 9000 system.
Arguments
serviceName
The name of the service. Enter a maximum of 31 characters.
serverName
The name of the server for which the service will be added.
IP
The IP address of the server for which the service will be added.
serviceType
The type of service that is being added.
Possible values: HTTP, FTP, TCP, UDP, SSL, SSL_BRIDGE, SSL_TCP, NNTP, ANY
port
The port on which the service is running.
publicIP
The IP address on a NAT box in front of the NetScaler 9000 system to which a private IP of the service maps. This is applicable to GSLB local services. This is optional.
publicPort
The port on a NAT box in front of the NetScaler 9000 system to which the private port of the service maps. This is applicable to GSLB local services. This is optional.
maxClient
The maximum number of open connections to the service. This argument is optional.
siteName
The GSLB site name. This parameter is mandatory. This option specifies whether the service is a local GSLB service or a remote GSLB service.
state
Use this parameter to specify whether the service(s) being added will initially be enabled. This parameter is optional. This is not applicable to the local GSLB services.
Possible values: ENABLED, DISABLED
Default value: ENABLED
cip
Use this parameter to enable insertion of the Client IP header for the service. This parameter is used while connection proxy based Site persistency is enabled, and it inserts the real client's IP address in the HTTP request.
Possible values: ENABLED, DISABLED
Default value: DISABLED
cipHeader
The client IP header to be used in the HTTP request. If client IP insertion is enabled and the client IP header is not specified, then the value that has been set by the set ns config CLI command will be used as the Client IP header.
sitePersistence
Use this parameter to specify whether cookie based Site persistency is enabled or disabled.
Possible values: ConnectionProxy, HTTPRedirect, NONE
Default value: NONE
cookieTimeout
The timeout value in minutes for the cookie when cookie based Site persistency is enabled.
Default value: 0
sitePrefix
Specify the siteprefix string. When the service is bound to a GSLB vserver, then for each bound service-domain pair, a GSLB Site domain will be generated internally by concatenating the service's siteprefix and the domain's name. If the special string "NONE" is specified, the siteprefix string will be unset.
cltTimeout
svrTimeout
maxBandwidth
A positive integer to identify the maximum bandwidth allowed for the service.
Example
add gslb service sj_svc 203.12.123.12 http 80 -site san_jos
Related Commands
set gslb service
rm gslb service
show gslb service
set gslb service
Synopsis
set gslb service <serviceName> [-publicIP <ip_addr>] [-publicPort <port>] [-cip ( ENABLED | DISABLED ) [<cipHeader>]] [-sitePersistence <sitePersistence>] [-sitePrefix <string>] [-maxClient <positive_integer>] [-maxBandwidth <positive_integer>]
Description
Use this command to set parameters in the GSLB service.
Arguments
serviceName
The name of the service for which the attributes need to be changed.
publicIP
The IP address on a NAT box in front of the NetScaler 9000 system to which a private IP service maps. This is optional. It is only valid for a LOCAL GSLB service.
publicPort
The port on a NAT box in front of the NetScaler 9000 system to which the private port of the service maps. This is optional. It is only valid for a local service.
cip
Use this parameter to enable insertion of the Client IP header for the service. This option is used while connection proxy based Site persistency is enabled.
Possible values: ENABLED, DISABLED
cipHeader
The client IP header to be used in the HTTP request. If client IP insertion is enabled and the client IP header is not specified, then the value that has been set by the set ns config CLI command will be used as the Client IP header.
sitePersistence
Use this parameter to specify whether cookie based Site persistency is enabled or disabled.
Possible values: ConnectionProxy, HTTPRedirect, NONE
sitePrefix
Specify the siteprefix string. When the service is bound to a GSLB vserver, then for each bound service-domain pair, a GSLB Site domain will be generated internally by concatenating the service's siteprefix and the domain's name. If the special string "NONE" is specified, the siteprefix string will be unset.
maxClient
The maximum number of open connections to the service. This argument is optional.
maxBandwidth
A positive integer to identify the maximum bandwidth allowed for the service.
Example
set gslb service sj_svc -sitePersistence ConnectionProxy
Related Commands
add gslb service
rm gslb service
show gslb service
rm gslb service
Synopsis
rm gslb service <serviceName>
Description
Use this command to remove a GSLB service configured in the NetScaler 9000 system.
Arguments
serviceName
The name of the service entity to be removed.
Example
rm gslb service sj_svc
Related Commands
add gslb service
set gslb service
show gslb service
show gslb service
Synopsis
show gslb service [<serviceName>]
Description
Use this command to display the GSLB services configured in the NetScaler 9000 system.
Arguments
serviceName
The name of the GSLB service to be displayed.
Output
serviceName
IPAddress
serviceType
port
publicIP
publicPort
maxClient
siteName
svrState
state
monitorName
monState
cip
cipHeader
sitePersistence
sitePrefix
cltTimeout
svrTimeout
preferredlocation
maxBandwidth
Example
show gslb service sj_svc
Related Commands
add gslb service
set gslb service
rm gslb service
add gslb vserver
Synopsis
add gslb vserver <vServerName> <serviceType> [-state ( ENABLED | DISABLED )]
Description
Use this command to add a GSLB vserver in the NetScaler 9000 system.
Arguments
vServerName
The virtual server name, which can be a maximum of 31 characters.
serviceType
The service type of the virtual server.
Possible values: HTTP, FTP, TCP, UDP, SSL, SSL_BRIDGE, SSL_TCP, NNTP, ANY
lbmethod
The load balancing method for the virtual server.
Possible values: ROUNDROBIN, LEASTCONNECTION, LEASTRESPONSETIME, SOURCEIPHASH, LEASTBANDWIDTH, LEASTPACKETS, STATICPROXIMITY, RTT
Default value: LEASTCONNECTION
netmask
The netmask to be used in the SOURCEIPHASH policy.
Default value: 255.255.255.255
tolerance
The Site selection tolerance is the maximum deviation (in milliseconds) in the RTT value, which the NetScaler system can tolerate, while deciding the best site for a domain. This value enables the NetScaler system to implement the Round Robin method of GSLB between sites that have RTT values within this permissible limit. The tolerance value is required only if the LB method is RTT. The default tolerance value is 0.
persistenceType
The persistence type for the virtual server. This has 2 options: SOURCEIP and NONE.
Possible values: SOURCEIP, NONE
Default value: NONE
persistenceId
The Persistence Id. This parameter is a positive integer which is used to identify the GSLB VIP on all sites. This is a required argument if SOURCEIP based persistency is enabled.
persistmask
The netmask to be used while SOURCEIP based persistency is ENABLED. This is an optional argument.
Default value: 255.255.255.255
timeout
The idle timeout in minutes for the persistence entries.
Default value: 2
EDR
Use this parameter to specify whether NetScaler will send an empty DNS response when all the sites participating in GSLB are down.
Possible values: ENABLED, DISABLED
Default value: DISABLED
MIR
Use this parameter to specify whether NetScaler can send multiple IP addresses in the DNS response or not.
Possible values: ENABLED, DISABLED
Default value: DISABLED
dynamicWeight
Specifies whether to consider the service count, the service weights, or ignore both.
Possible values: SERVICECOUNT, SERVICEWEIGHT, DISABLED
Default value: DISABLED
state
Use this parameter to specify whether the virtual server is enabled or disabled.
Possible values: ENABLED, DISABLED
Default value: ENABLED
Example
add gslb vserver gvip http
Related Commands
set gslb vserver
rm gslb vserver
show gslb vserver
bind gslb vserver
unbind gslb vserver
set gslb vserver

Synopsis
set gslb vserver <vServerName> [-backupVServerName <string>] [-lbmethod <lbmethod>] [-netmask <netmask>] [-tolerance <positive_integer>] [-persistenceType ( SOURCEIP | NONE )] [-persistenceId <positive_integer>] [-persistmask <netmask>] [-timeout <mins>] [-EDR ( ENABLED | DISABLED )] [-MIR ( ENABLED | DISABLED )] [-dynamicWeight <dynamicWeight>] [-serviceName <string> -weight <positive_integer>] [-domainName <string> [-TTL <secs>] [-backupIP <ip_addr>] [-cookieDomain <string>] [-cookieTimeout <mins>] [-sitedomainTTL <secs>]]

Description
Use this command to specify different settings on a GSLB vserver.

Arguments
vServerName
    The virtual server name for which attributes are set.
backupVServerName
lbmethod
    The load balancing method for the virtual server. Possible values: ROUNDROBIN, LEASTCONNECTION, LEASTRESPONSETIME, SOURCEIPHASH, LEASTBANDWIDTH, LEASTPACKETS, STATICPROXIMITY, RTT
netmask
    The netmask to be used in the SOURCEIPHASH policy. The default is 255.255.255.255.
tolerance
    The site selection tolerance is the maximum deviation (in milliseconds) in the RTT value that the NetScaler system can tolerate while deciding the best site for a domain. This value enables the NetScaler system to implement the Round Robin method of GSLB between sites that have RTT values within this permissible limit. The tolerance value is required only if the LB method is RTT. The default tolerance value is 0.
persistenceType
    The persistence type for the virtual server. Possible values: SOURCEIP, NONE
persistenceId
    The persistence ID. This parameter is a positive integer that is used to identify the GSLB VIP on all sites.
persistmask
    The netmask to be used while SOURCEIP-based persistence is enabled. This is an optional argument. The default is 255.255.255.255.
timeout
    The idle timeout in minutes for the persistence entries.
EDR
    Use this parameter to specify whether the NetScaler sends an empty DNS response when all the sites participating in GSLB are down. Possible values: ENABLED, DISABLED
MIR
    Use this parameter to specify whether the NetScaler can send multiple IP addresses in the DNS response. Possible values: ENABLED, DISABLED
dynamicWeight
    Specifies whether to consider the service count, the service weights, or neither. Possible values: SERVICECOUNT, SERVICEWEIGHT, DISABLED. Default value: DISABLED
serviceName
    Use this parameter to specify the service for which the weight needs to be changed.
domainName
    Use this parameter to specify the name of the domain for which the TTL and/or backupIP needs to be changed.

Example
set gslb vserver gvip -persistenceType SOURCEIP

Related Commands
add gslb vserver
rm gslb vserver
show gslb vserver
bind gslb vserver
unbind gslb vserver
rm gslb vserver

Synopsis
rm gslb vserver <vServerName>

Description
Use this command to remove a GSLB vserver configured in the NetScaler 9000 system.

Arguments
vServerName
    The name of the GSLB virtual server to be removed.

Example
rm gslb vserver gvip

Related Commands
add gslb vserver
set gslb vserver
show gslb vserver
bind gslb vserver
unbind gslb vserver
enable gslb vserver

Synopsis
enable gslb vserver <name>@

Description
Use this command to enable a virtual server.
Note: Virtual servers, when added, are enabled by default.

Arguments
name
    The name of the virtual server to be enabled.

Example
enable vserver lb_vip

Related Commands
disable gslb vserver
disable gslb vserver

Synopsis
disable gslb vserver <name>@

Description
Use this command to disable a virtual server (take it out of service).

Arguments
name
    The name of the virtual server to be disabled.
    Notes:
    1. The NetScaler 9000 system still responds to ARP and/or ping requests for the IP address of this virtual server.
    2. As the virtual server is still configured in the NetScaler 9000 system, you can enable the virtual server using the enable vserver CLI command.

Example
disable vserver lb_vip

Related Commands
enable gslb vserver
show gslb vserver

Synopsis
show gslb vserver [<vServerName>]

Description
Use this command to display the GSLB virtual server attributes.

Arguments
vServerName
    The name of the GSLB virtual server to be displayed.

Output
vServerName
serviceType
persistenceType
persistenceId
lbmethod
tolerance
timeout
state
netmask
persistmask
serviceName
weight
domainName
TTL
backupIP
cookieDomain
cookieTimeout
sitedomainTTL
IPAddress
port
status
preferredlocation
backupVServerName
EDR
MIR
dynamicWeight
    Specifies whether we want to consider the svc count or the svc weights or ignore both
cumulativeWeight
    NSA_DYNAMIC_CONF_WT * NSA_WEIGHT
dynamicConfWt
    weight obtained by the virtue of bound service count or weight

Example
show gslb vserver gvip

Related Commands
add gslb vserver
set gslb vserver
rm gslb vserver
bind gslb vserver
unbind gslb vserver
bind gslb vserver

Synopsis
bind gslb vserver <vServerName> [(-serviceName <string> [-weight <positive_integer>]) | (-domainName <string> [-TTL <secs>] [-backupIP <ip_addr>] [-cookieDomain <string>] [-cookieTimeout <mins>] [-sitedomainTTL <secs>])]

Description
Use this command to bind a domain or service to a GSLB vserver.

Arguments
vServerName
    The vserver for which the binding operation is to be done.
serviceName
    The name of the service to be bound with the GSLB vserver.
domainName
    The domain to be bound with this vserver.

Example
bind gslb vserver gvip -domainName www.mynw.com

Related Commands
add gslb vserver
set gslb vserver
rm gslb vserver
show gslb vserver
unbind gslb vserver
unbind gslb vserver

Synopsis
unbind gslb vserver <vServerName> [-serviceName <string> | (-domainName <string> [-backupIP] [-cookieDomain])]

Description
Use this command to unbind the domain or service from the GSLB vserver.

Arguments
vServerName
    The vserver for which the unbinding operation is to be performed.
serviceName
    The service to be unbound from the GSLB vserver.
domainName
    The domain to be unbound from this vserver.

Example
unbind gslb vserver gvip -domainName www.mynw.com

Related Commands
add gslb vserver
set gslb vserver
rm gslb vserver
show gslb vserver
bind gslb vserver
set gslb parameter

Synopsis
set gslb parameter [-ldnsEntryTimeout <positive_integer>] [-RTTtolerance <positive_integer>] [-ldnsMask <netmask>]

Description
Use this command to set different GSLB parameters.

Arguments
ldnsEntryTimeout
    The idle timeout in seconds of the learnt LDNS entry. If no new DNS request is made within this interval, the LDNS entry is aged out. The minimum value is 30 seconds.
jitter
    The RTT tolerance in milliseconds. When the RTT is calculated for an LDNS entry and the difference between the old RTT and the newly computed one is less than or equal to the RTT tolerance value, the network metric table is not updated with the new value for this LDNS entry. This prevents the exchange of metrics when there is only a small variation in RTT. The value should be between 1 and 100.
ldnsMask
    The netmask specified here is used to store the LDNS IP addresses in the hash table; these are used in dynamic proximity-based GSLB.

Example
set gslb parameter -ldnsMask 255.255.0.0

Related Commands
show gslb parameter
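The per-vserver -tolerance, the global RTT tolerance (listed above as jitter) and -ldnsMask interact when the LB method is RTT. The following Python model is an added illustration, not NetScaler code: the class and method names are hypothetical, the RTT samples are constructed, and it assumes the site tolerance is measured against the best RTT known for the LDNS.

```python
import ipaddress
from collections import defaultdict


class GslbRttModel:
    """Toy model of RTT-based site selection as described in this chapter."""

    def __init__(self, ldns_mask="255.255.255.255", rtt_tolerance=5, site_tolerance=0):
        # The guide gives 1 to 100 ms as the valid range for the RTT tolerance.
        if not 1 <= rtt_tolerance <= 100:
            raise ValueError("RTT tolerance must be between 1 and 100 ms")
        if site_tolerance < 0:
            raise ValueError("site selection tolerance cannot be negative")
        self.ldns_mask = ldns_mask
        self.rtt_tolerance = rtt_tolerance    # set gslb parameter -RTTtolerance
        self.site_tolerance = site_tolerance  # add/set gslb vserver -tolerance
        self.metrics = {}                     # (ldns_key, site) -> RTT in ms
        self._next = defaultdict(int)         # round-robin position per LDNS key

    def ldns_key(self, ldns_ip):
        """LDNS addresses are stored under -ldnsMask, so a wide mask merges resolvers."""
        net = ipaddress.ip_network(f"{ldns_ip}/{self.ldns_mask}", strict=False)
        return str(net.network_address)

    def record_rtt(self, ldns_ip, site, rtt_ms):
        """Return True if the metric table was updated, False if suppressed."""
        key = (self.ldns_key(ldns_ip), site)
        old = self.metrics.get(key)
        if old is not None and abs(rtt_ms - old) <= self.rtt_tolerance:
            return False  # small variation: keep the old value
        self.metrics[key] = rtt_ms
        return True

    def candidates(self, ldns_ip):
        """Sites whose RTT is within the site tolerance of the best site."""
        ldns = self.ldns_key(ldns_ip)
        rtts = {site: rtt for (k, site), rtt in self.metrics.items() if k == ldns}
        if not rtts:
            return []
        best = min(rtts.values())
        return sorted(s for s, r in rtts.items() if r - best <= self.site_tolerance)

    def pick_site(self, ldns_ip):
        """Round robin between the candidate sites; None if nothing is known."""
        sites = self.candidates(ldns_ip)
        if not sites:
            return None
        ldns = self.ldns_key(ldns_ip)
        site = sites[self._next[ldns] % len(sites)]
        self._next[ldns] += 1
        return site


if __name__ == "__main__":
    model = GslbRttModel(ldns_mask="255.255.0.0", rtt_tolerance=5, site_tolerance=10)
    # Constructed samples: site names and RTT values are made up.
    print(model.record_rtt("10.1.2.3", "sj", 40))   # first sample is stored
    print(model.record_rtt("10.1.9.9", "sj", 43))   # same /16, within 5 ms: suppressed
    model.record_rtt("10.1.2.3", "ny", 48)
    model.record_rtt("10.1.2.3", "ldn", 120)
    print([model.pick_site("10.1.77.1") for _ in range(3)])
```

With a tolerance of 0, only the single best site is ever returned; widening -ldnsMask makes every resolver in the masked network share one set of RTT entries.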
show gslb parameter

Synopsis
show gslb parameter

Description
Use this command to display the GSLB parameters.

Arguments

Output
flags
ldnsEntryTimeout
jitter
ldnsMask

Example
show gslb parameter

Related Commands
set gslb parameter
add gslb policy

Synopsis
add gslb policy <name> -reqRule <expression> -action <string>

Description
Use this command to add a GSLB policy.

Arguments
name
    The name of the GSLB policy.
reqRule
    The expression rule.
action
    The GSLB action to be used when the reqRule is matched.

Example
add gslb policy gslb_redirect -reqRule client_Japan -action pref_site

Related Commands
rm gslb policy
set gslb policy
show gslb policy
rm gslb policy

Synopsis
rm gslb policy <name>

Description
Use this command to remove the GSLB policy configured in the NetScaler system.

Arguments
name
    The name of the policy to be removed.

Example
rm gslb policy gslb_redirect

Related Commands
add gslb policy
set gslb policy
show gslb policy
set gslb policy

Synopsis
set gslb policy <name> -action <string>

Description
Use this command to change the action for the given GSLB policy.

Arguments
name
    The name of the policy for which the action is to be changed.
action
    The action to be taken for the given GSLB policy.

Example
set gslb policy gslb_redirect -action redirect_asia

Related Commands
add gslb policy
rm gslb policy
show gslb policy
show gslb policy

Synopsis
show gslb policy [<name>]

Description
Use this command to display the configured GSLB policy.

Arguments
name
    The name of the GSLB policy to be displayed.

Output
name
reqRule
action
hits

Example
show gslb policy

Related Commands
add gslb policy
rm gslb policy
set gslb policy
add gslb action

Synopsis
add gslb action <name> -preferredlocation <string>

Description
Use this command to add a GSLB action used in the GSLB policy.

Arguments
name
    The name of the GSLB action.
preferredlocation
    The target site to be returned in the DNS response when a policy is successfully evaluated against the incoming DNS request. The target site is specified in dotted notation with up to 6 qualifiers. The wildcard `*' is accepted as a valid qualifier token. The maximum length of the -preferredlocation string allowed is 197 bytes.

Example
add gslb action pref_site -preferredlocation NorthAmerica.US.*.*.*.*

Related Commands
rm gslb action
set gslb action
show gslb action
rm gslb action

Synopsis
rm gslb action <name>

Description
Use this command to remove the GSLB action configured in the NetScaler system.

Arguments
name
    The name of the action to be removed.

Example
rm gslb action redirect_asia

Related Commands
add gslb action
set gslb action
show gslb action
set gslb action

Synopsis
set gslb action <name> -preferredlocation <string>

Description
Use this command to change the preferredlocation of the given GSLB action.

Arguments
name
    The name of the GSLB action.
preferredlocation
    The target site to be returned in the DNS response when a policy is successfully evaluated against the incoming DNS request. The target site is specified in dotted notation with up to 6 qualifiers. The wildcard `*' is accepted as a valid qualifier token. The maximum length of the -preferredlocation string allowed is 197 bytes.

Example
set gslb action pref_site -preferredlocation NorthAmerica.US.*.*.*.*

Related Commands
add gslb action
rm gslb action
show gslb action
show gslb action

Synopsis
show gslb action [<name>]

Description
Use this command to display the GSLB actions configured.

Arguments
name
    The name of the action to be displayed.

Output
name
preferredlocation

Example
show gslb action

Related Commands
add gslb action
rm gslb action
set gslb action
Load Balancing Commands
This chapter covers the load balancing commands.
bind lb group

Synopsis
bind lb group <name>@ <vServerName>@ ...

Description
Use this command to create a group of virtual servers in the NetScaler 9000 system. This group supports server persistence. Only address-based (not content-based) virtual servers can be added to a group. Each virtual server can only be assigned to one group. When moving a virtual server from one group to another, the virtual server must be removed from the original group with the unbind lb group command.

Arguments
name
    The name of the group. A maximum of 31 characters can be used to specify a new name for a group of virtual servers that you are creating (or to specify an existing group name if you are adding the virtual server to an existing group of virtual servers).
vServerName
    The name of the virtual server that will belong to the named group.

Example
bind lb group webgrp http_vip

Related Commands
show lb group
set lb group
unbind lb group
show lb group

Synopsis
show lb group [<groupName>]

Description
Use this command to display the names of the virtual servers associated with the specified group. The virtual servers were created using the add vserver CLI command.

Arguments
groupName
    The name of the group to be displayed.

Output
name
vServerName
persistenceType
persistenceBackup
persistmask
cookieDomain
timeout

Example
show lb group webgrp

Related Commands
add vserver
bind lb group
set lb group
unbind lb group
set lb group

Synopsis
set lb group <name>@ [-persistenceType <persistenceType>] [-persistenceBackup ( SOURCEIP | NONE )] [-persistmask <netmask>] [-cookieDomain <string>] [-timeout <mins>]

Description
Use this command to set the persistence for the group (used in the NetScaler 9000 system's load balancing feature). Persistence is set for the connections between a client and a server that is being load balanced by the NetScaler 9000 system. The client will be directed to the same server until the client's transactions have completed (or until the time period that you have specified has passed). Before using this command, the group must be created. The group is created implicitly when binding a load balancing virtual server to a group using the bind lb group CLI command. Similarly, a group is removed when the last load balancing virtual server is unbound from it using the unbind lb group CLI command.

Arguments
name
    The name of the group for which the persistence type needs to be set.
persistenceType
    The type of the persistence to be set for the group. The valid options are:
    SOURCEIP - This option is used to maintain persistency based on the client IP.
    COOKIEINSERT - This option is used to maintain persistency based on the cookie in the client request. This cookie is inserted by the NetScaler 9000 system in the first response to the client.
    NONE - To disable the persistency.
    Possible values: SOURCEIP, COOKIEINSERT, NONE
persistenceBackup
    The type of the backup persistence to be set for the group. The valid options are SOURCEIP or NONE. Possible values: SOURCEIP, NONE
persistmask
    The netmask to be applied when the persistency type is SOURCEIP.
cookieDomain
    The domain attribute of the HTTP cookie.
timeout
    Use this parameter to specify the maximum time that persistence is in effect for a specific client. The value ranges from 2 to 1440 minutes. Default value: 2

Example
set lb group webgrp -persistenceType COOKIEINSERT

Related Commands
bind lb group
show lb group
unbind lb group
unbind lb group

Synopsis
unbind lb group <name> <vServerName>@ ...

Description
Use this command to unbind the virtual server from a group. When the last vserver is unbound, the group is deleted from the NetScaler system.

Arguments
name
    The name of the group.
vServerName
    The name of the virtual server to be removed from the group. Multiple names can be specified.

Example
unbind lb group webgroup http_vip

Related Commands
bind lb group
show lb group
set lb group
add lb vserver

Synopsis
add lb vserver <vServerName>@ <serviceType> [<IPAddress>@ <port> [-range <positive_integer>]] [-state ( ENABLED | DISABLED )]

Description
Use this command to add a load balancing virtual server.

Arguments
vServerName
    The name of the load balancing virtual server being added. The virtual server name can be up to 31 characters long.
serviceType
    The service type. Valid service types are: HTTP, FTP, TCP, UDP, SSL, SSL_BRIDGE, SSL_TCP, NNTP, DNS and ANY. Possible values: HTTP, FTP, TCP, UDP, SSL, SSL_BRIDGE, SSL_TCP, NNTP, DNS, DHCPRA, ANY
IPAddress
    The IP address of the virtual server.
persistenceType
    Use this parameter to specify a persistence type for the virtual server. Note: The <persistenceType> parameter can take one of the following options:
    SOURCEIP - When configured, the NetScaler 9000 system selects a physical service based on the load balancing method, and then directs all the subsequent requests arriving from the same IP as the first request to the same physical service.
    COOKIEINSERT - When configured, the NetScaler 9000 system inserts an HTTP cookie into the client responses. The cookie is inserted into the "Cookie" header field of the HTTP response. The client stores the cookie (if enabled) and includes it in all the subsequent requests, which then match the cookie criteria. The cookie contains information about the service where the requests have to be sent.
    SSLSESSION ID - When configured, the NetScaler 9000 system creates a persistence session based on the arriving SSL Session ID, which is part of the SSL handshake process. All requests with the same SSL session ID are directed to the initially selected physical service.
    CUSTOM SERVER ID - This mode of persistence requires the server to provide its Server-ID in such a way that it can be extracted from subsequent requests. The NetScaler 9000 system extracts the Server-ID from subsequent client requests and uses it to select a server. The server embeds the Server-ID into the URL query of the HTML links, accessible from the initial page that has to generate persistent HTTP requests.
    RULE - When configured, the NetScaler 9000 system maintains persistence based on the contents of the matched rule. This persistence requires an expression to be configured. The expression is created using the add expression CLI command and is configured on a virtual server using the -rule option of the add lb vserver or set lb vserver CLI command. After successful evaluation of the expression, a persistence session is created and all subsequent matching client requests are directed to the previously selected server.
    URLPASSIVE - This mode of persistence requires the server to provide its Server-ID in such a way that it can be extracted from subsequent requests. The NetScaler 9000 system extracts the Server-ID from subsequent client requests and uses it to select a server. The servers which require persistence embed the Server-ID into the URL query of the HTML links, accessible from the initial page. The Server-ID is its IP address and port specified as a hexadecimal number. URL Passive persistence type requires an expression to be configured that specifies the location of the Server-ID in the client's requests. The expression is created using the CLI command add expression. This expression is configured on a virtual server using the -rule option of the add lb vserver or set lb vserver CLI command.
    DESTIP - When configured, the NetScaler 9000 system selects a physical service based on the load balancing method, and then directs all the subsequent requests with the same destination as the first packet to the same physical service. This will be used in LLB deployment scenarios.
    SRCIPDESTIP - When configured, the NetScaler 9000 system selects a physical service based on the load balancing method, and then directs all the subsequent requests with the same source IP and destination IP as the first packet to the same physical service. This will be used in IDS LB deployments.
    Possible values: SOURCEIP, COOKIEINSERT, SSLSESSION, RULE, URLPASSIVE, CUSTOMSERVERID, DESTIP, SRCIPDESTIP, NONE. Default value: NONE
persistenceBackup
    Use this parameter to specify a backup persistence type for the virtual server. The backup persistence option is used when the primary persistence mechanism configured on the virtual server fails. The <persistenceBackup> parameter can take one of the following options: SOURCEIP, NONE. Possible values: SOURCEIP, NONE. Default value: NONE
lbmethod
    The load balancing method for the virtual server. The valid options for this parameter are: ROUNDROBIN, LEASTCONNECTION, LEASTRESPONSETIME, URLHASH, DOMAINHASH, DESTINATIONIPHASH, SOURCEIPHASH, SRCIPDESTIPHASH, LEASTBANDWIDTH, LEASTPACKETS, TOKEN, SRCIPDESTIPHASH. When the load balancing policy is configured as:
    ROUNDROBIN - The NetScaler 9000 system distributes incoming requests to each server in rotation, regardless of the load. When different weights are assigned to services, weighted round robin occurs and requests go to services according to how much weighting has been set.
    LEASTCONNECTION (default value) - The NetScaler 9000 system selects the service that has the least number of connections. For TCP, HTTP, HTTPS and SSL_TCP services the least number of connections includes: established, active connections to a service (connection reuse applies to HTTP and HTTPS, hence the count includes only those connections which have outstanding HTTP or HTTPS requests, and does not include inactive, reusable connections); and connections to a service waiting in the Surge Queue, which exists only if the Surge Protection feature is enabled. For UDP services the least number of connections includes the number of sessions between the client and a physical service. These sessions are logical, time-based entities, created on the first arriving UDP packet. If configured, weights are taken into account when server selection is performed.
    LEASTRESPONSETIME - The NetScaler 9000 system selects the service with the minimum average response time. The response time is the interval between sending a request to a service and the first response packet coming back from the service, that is, Time to First Byte (TTFB).
    URLHASH - The NetScaler 9000 system selects the service based on the hashed value of the incoming URL. To specify the number of bytes of the URL that is used to calculate the hash value, use the optional argument [-hashLength <positive_integer>] in either the add lb vserver or set lb vserver CLI command. The default value is 80.
    DOMAINHASH - The NetScaler 9000 system selects the service based on the hashed value of the domain name in the HTTP request. The domain name is taken either from the incoming URL or from the Host header of the HTTP request. Note: The NetScaler 9000 system defaults to LEASTCONNECTION if the request does not contain a domain name. If the domain name appears in both the URL and the Host header, the NetScaler 9000 system gives preference to the URL domain.
    DESTINATIONIPHASH - The NetScaler 9000 system selects the service based on the hashed value of the destination IP address in the TCP IP header.
    SOURCEIPHASH - The NetScaler 9000 system selects the service based on the hashed value of the client's IP address in the TCP IP header.
    LEASTBANDWIDTH - The NetScaler 9000 system selects the service that is currently serving the least traffic, measured in megabits per second.
    LEASTPACKETS - The NetScaler 9000 system selects the service that is currently serving the lowest number of packets per second.
    TOKEN - The NetScaler 9000 system selects the service based on the value calculated from a token extracted from the client's request (the location and size of the token are configurable). For subsequent requests with the same token, the NetScaler 9000 system will select the same physical server.
    SRCIPDESTIPHASH - The NetScaler 9000 system selects the service based on the hashed value of the client's source IP and destination IP address in the TCP IP header.
    Possible values: ROUNDROBIN, LEASTCONNECTION, LEASTRESPONSETIME, URLHASH, DOMAINHASH, DESTINATIONIPHASH, SOURCEIPHASH, SRCIPDESTIPHASH, LEASTBANDWIDTH, LEASTPACKETS, TOKEN, STATICPROXIMITY, RTT, SRCIPSRCPORTHASH, LRTM. Default value: LEASTCONNECTION
rule
    Use this parameter to specify the string value used to set the RULE persistence type. The string can be either an existing rule name (configured using the add rule command) or an in-line expression with a maximum of 256 characters.
persistmask
    Use this parameter to specify if the persistency is IP based. This parameter is optional. Default value: 255.255.255.255
pq
    Use this parameter to enable priority queuing on the specified virtual server. Possible values: ON, OFF. Default value: OFF
sc
    Use this parameter to enable SureConnect on the specified virtual server. Possible values: ON, OFF. Default value: OFF
m
    Use this parameter to specify the LB mode. If the value is specified as IP, the traffic is sent to the physical servers by changing the destination IP address to that of the physical server. If the value is MAC, the traffic is sent to the physical servers by changing the destination MAC address to that of one of the physical servers; the destination IP is not changed. MAC mode is used mostly in the Firewall Load Balancing scenario. Possible values: IP, MAC. Default value: IP
datalength
    Use this parameter to specify the length of the token in bytes. Applicable to TCP virtual servers when the Token load balancing method is selected. The datalength should not be more than 24k.
dataoffset
    Use this parameter to specify the offset of the data to be taken as the token. Applicable to TCP virtual servers when the Token load balancing method is used. Must be within the first 24k of the client TCP data.
sessionless
    Use this parameter to enable sessionless load balancing. Possible values: ENABLED, DISABLED. Default value: DISABLED
soPersistenceTimeOut
soThreshold
state
    Use this parameter to specify the state of the load balancing virtual server. Possible values: ENABLED, DISABLED. Default value: ENABLED
timeout
    The time period for which the persistence is in effect for a specific client. The value ranges from 2 to 1440 minutes. Default value: 2
connfailover
    Specifies whether connection failover is enabled on the virtual server. Possible values: ENABLED, DISABLED. Default value: DISABLED

Example
add lb vserver http_vsvr http 10.102.1.10 80

Related Commands
set lb vserver
show lb vserver
stat lb vserver
bind lb vserver

Synopsis
bind lb vserver <vServerName>@ ((<serviceName>@ [-weight <positive_integer>]) | (-policyName <string> [-priority <positive_integer>]))

Description
Use this command to bind a physical service to a virtual server.

Arguments
vServerName
    The virtual server name to which the service is bound.
serviceName
    The name of the service that is bound.
policyName
    The SureConnect or priority queuing policy that needs to be bound to the specified load balancing virtual server for SureConnect or priority queuing to be activated on a load balancing virtual server.

Example
bind lb vserver http_vip http_svc

Related Commands
unbind lb vserver
enable lb vserver

Synopsis
enable lb vserver <name>@

Description
Use this command to enable a virtual server.
Note: Virtual servers, when added, are enabled by default.

Arguments
name
    The name of the virtual server to be enabled.

Example
enable vserver lb_vip

Related Commands
disable lb vserver
rm lb vserver
disable lb vserver

Synopsis
disable lb vserver <name>@

Description
Use this command to disable a virtual server (take it out of service).

Arguments
name
    The name of the virtual server to be disabled.
    Notes:
    1. The NetScaler 9000 system still responds to ARP and/or ping requests for the IP address of this virtual server.
    2. As the virtual server is still configured in the NetScaler 9000 system, you can enable the virtual server using the enable vserver CLI command.

Example
disable vserver lb_vip

Related Commands
enable lb vserver
rm lb vserver
set lb vserver
Synopsisset lb vserver <vServerName>@ [-weight <positive_integer> <serviceName>@] [-persistenceType <persistenceType>] [-persistenceBackup <persistenceBackup>] [-lbmethod <lbmethod>] [-hashLength <positive_integer>] [-netmask <netmask>] [-rule <expression>] [-persistmask <netmask>] [-pq ( ON | OFF )] [-sc ( ON | OFF )] [-m ( IP | MAC )] [-datalength <positive_integer>] [-dataoffset <positive_integer>] [-sessionless ( ENABLED | DISABLED )] [-timeout <mins>] [-connfailover ( ENABLED | DISABLED )] [-backupVServerName <string>] [-redirectURL <URL>] [-cacheable ( YES | NO )] [-cltTimeout <secs>] [-soMethod <soMethod>] [-soPersistence ( ENABLED | DISABLED )] [-soPersistenceTimeOut <positive_integer>] [-soThreshold <positive_integer>]
DescriptionUse this command to set load balancing virtual server attributes.
Arguments
vServerNameThe name of the load balancing virtual server.
weightThe weight for the specified service.
persistenceTypeThe persistence type for the specified virtual server: SOURCEIP - Specify a server that can use any or all protocols. COOKIEINSERT - The NetScaler 9000 system inserts a cookie when a cookie is being sent from the server. Each subsequent client request lwill have that cookie. The NetScaler 9000 system extracts the cookie and sends the client request to the same server. In this mode, the NetScaler 9000 system inserts and reads the inserted cookie. SSLSESSION - Specify for an SSL server. RULE - Specify this when the
16-16 Command Reference Guide
set lb vserver
persistence is based on a rule. URLPASSIVE - Specify this when the destination server is selected from the URL. CUSTOMSERVERID - Specify this when the destination server is selected based on the server ID configured using set service or add service command. NONE - Disables session persistence. This setting is the default. Possible values: SOURCEIP, COOKIEINSERT, SSLSESSION, RULE, URLPASSIVE, CUSTOMSERVERID, DESTIP, SRCIPDESTIP, NONE
persistenceBackup: The backup persistency to be used when the primary persistency fails. For the backup persistency to be active, the primary persistency must be COOKIEINSERT. The valid options are SOURCEIP and NONE. Possible values: SOURCEIP, NONE
lbmethod: The load balancing method to be in effect:
ROUNDROBIN: When selected, determines the destination of a request based on the performance weight (configured by the -weight argument of the set lb vserver command).
LEASTCONNECTION: When selected, determines the destination of a request based on the least number of active connections from the NetScaler 9000 system to each physical service bound to the virtual server.
LEASTRESPONSETIME: When selected, determines the destination of a request based on the average response time.
URLHASH: When selected, determines the destination of a request by hashing the URL.
DOMAINHASH: When selected, determines the destination of a request by hashing the domain name.
DESTINATIONHASH: When selected, determines the destination of a request by hashing the destination IP address or destination network.
SOURCEIPHASH: When selected, determines the destination of a request by hashing the source IP address or source network.
LEASTBANDWIDTH: When selected, determines the destination of a request based on the bandwidth utilization.
LEASTPACKETS: When selected, determines the destination of a request based on the number of packets.
TOKEN: When selected, determines the destination of a request based on the value, calculated from a token, extracted from the client's request (the location and size of the token are configurable).
Possible values: ROUNDROBIN, LEASTCONNECTION, LEASTRESPONSETIME, URLHASH, DOMAINHASH, DESTINATIONIPHASH, SOURCEIPHASH, SRCIPDESTIPHASH, LEASTBANDWIDTH, LEASTPACKETS, TOKEN, STATICPROXIMITY, RTT, SRCIPSRCPORTHASH, LRTM
rule: Use this parameter when setting RULE persistence type. The string can be either an existing rule name (configured using add rule command) or an inline expression with a maximum of 256 characters.
persistmask: Use this parameter if you are using IP based persistence type.
pq: Use this parameter to specify whether priority queuing needs to be enabled on the specified virtual server. Possible values: ON, OFF
sc: Use this parameter to specify whether SureConnect is enabled on the specified virtual server. Possible values: ON, OFF
m: Use this parameter to specify the LB mode. This option is designed for firewall load balancing and cache redirection. IP - Communicate to the server using server's IP address. MAC - Communicate to the server using server's MAC address. Possible values: IP, MAC
datalength: Use this parameter to specify the data length when TOKEN load balancing method is selected.
dataoffset: Use this parameter to specify the data offset length when TOKEN load balancing method is selected.
sessionless: Use this parameter to enable sessionless load balancing. Possible values: ENABLED, DISABLED
timeout: The maximum time persistence is in effect for a specific client. Enter a value from 2 to 1440 minutes.
connfailover: Specifies whether connection failover is enabled on the virtual server. Possible values: ENABLED, DISABLED Default value: DISABLED
backupVServerName
redirectURL
cacheable
cltTimeout
soMethod
soPersistence
soPersistenceTimeOut
soThreshold
Example
set lb vserver http_vip -lbmethod LEASTRESPONSETIME
Related Commands
add lb vserver
show lb vserver
stat lb vserver
rm lb vserver
Synopsis
rm lb vserver <name>@ ...
Description
Use this command to remove a virtual server.
Arguments
name: The name of the virtual server to be removed.
Example
rm vserver lb_vip
Related Commands
enable lb vserver
disable lb vserver
show lb vserver
Synopsis
show lb vserver [<name>]
show lb vserver stats - alias for 'stat lb vserver'
Description
Use this command to display load balancing virtual servers information.
Arguments
name: The name of the load balancing server whose properties will be displayed. If no load balancing virtual server name is entered, a list of all configured load balancing virtual servers is displayed. All the services and priority queuing/SureConnect policies that are bound to this virtual server are also displayed.
Output
value
IPAddress
port
range
serviceType
type
state
effectiveState
status
cacheType
redirect
precedence
redirectURL
authentication
homePage
dnsVserverName
domain
rule
policyName
serviceName
weight
cacheVserver
backupVServerName
priority
cltTimeout
soMethod
soPersistence
soPersistenceTimeOut
soThreshold
soDynamicThreshold
lbmethod
hashLength
dataoffset
datalength
netmask
rule
groupName
m
persistenceType
cookieDomain
persistmask
persistenceBackup
timeout
cacheable
pq
sc
sessionless: To enable sessionless load balancing, enable this option.
map
connfailover
Related Commands
add lb vserver
set lb vserver
stat lb vserver
stat lb vserver
Synopsis
stat lb vserver [<name>] [-detail] [-fullValues] [-ntimes <positive_integer>] [-logFile <input_filename>]
Description
Use this command to display load-balancing vserver statistics.
Arguments
name: The name of the vserver for which statistics will be displayed. If not given, statistics are shown for all vservers.
Output
Counters
Vserver protocol (Protocol): Protocol associated with the vserver
IP address (IP): The IP address at which the service is running.
Port (port): The port at which the service is running.
State: Current state
Current client connections (ClntConn): The number of current client connections to the vserver
Current server connections (SvrConn): The number of current connections to the real servers behind the vserver.
Requests (Req): The total number of requests.
Responses (Rsp): Number of responses
Request bytes (Reqb): The total number of request bytes.
Response bytes (Rspb): Number of response bytes
Spill Over Threshold (SOThresh): Spill Over Threshold set on the VServer.
Related Commands
add lb vserver
set lb vserver
show lb vserver
unbind lb vserver
Synopsis
unbind lb vserver <vServerName>@ (<serviceName>@ | -policyName <string>)
Description
Use this command to unbind a service or policy from a virtual server that has been configured for use in NetScaler 9000 system's load balancing.
Arguments
vServerName: The virtual server name from which the service will be unbound.
serviceName: The service name (created with the addService command) that will be unbound.
policyName: The SureConnect or priority queuing policy that has been bound to this load balancing virtual server, using the bind lb vserver CLI command.
Example
unbind lb vserver http_vip http_svc
Related Commands
bind lb vserver
show lb route
Synopsis
show lb route
Description
Use this command to display the names of the routes associated with the route structure using the add lb route CLI command.
Arguments
Output
network
netmask
gatewayname
flags
Related Commands
add lb route
rm lb route
add lb route
Synopsis
add lb route <network> <netmask> <gatewayname>
Description
Use this command to bind the route VIP to the route structure.
Arguments
network: The IP address of the network to which the route belongs.
netmask: The netmask to which the route belongs.
gatewayname: The name of the route.
Related Commands
show lb route
rm lb route
rm lb route
Synopsis
rm lb route <network> <netmask>
Description
Use this command to remove the route VIP from the route structure.
Arguments
network: The IP address of the network to which the route VIP belongs.
netmask: The netmask of the destination network.
Related Commands
show lb route
add lb route
NetScaler Commands
This chapter covers the NetScaler commands.
stat ns
Synopsis
stat ns [-detail] [-fullValues] [-ntimes <positive_integer>] [-logFile <input_filename>]
Description
This command displays general system statistics.
Counters
Up time (UP): Seconds since the system started
Up since (Since): Time when the system last started
System state (HAstate): High-availability system state
Master state (mastate): HA Master state
Independent Network Config (incstate): Independent network configuration state
HA over L3 (haoverl3): HA over L3
BPDU packet drop (dropBPDU): Flag to drop BPDU packets
CPU Usage (CPU): CPU utilization percentage
System memory (MB) (Memory): Total amount of system memory, in megabytes
Memory usage (MB) (MemUseMB): Amount of memory currently in use, in megabytes
GETs (HTGETs): Number of HTTP GET requests received
POSTs (HTPOSTs): Number of HTTP POST requests received
Other methods (HTOthers): Number of non-GET/POST HTTP methods received
Total requests (HTReqRx): Total number of HTTP requests received from clients
Total responses (HTRspRx): Number of HTTP responses received from servers
Request bytes received (HTReqbRx): Data received in request including headers (in bytes)
Response bytes received (HTRspbRx): Data received in the response including headers (in bytes)
Request bytes transmitted (HTReqbTx): Data transmitted in request including headers (in bytes)
Response bytes transmitted (HTRspbTx): Data transmitted in response including headers (in bytes)
HTTP/1.0 requests (HT10ReqRx): Number of HTTP/1.0 requests received from clients
HTTP/1.1 requests (HT11ReqRx): Number of HTTP/1.1 requests received from clients
Content-length requests (HTCLnReq): Number of content-length requests received
Chunked requests (HTChkReq): Number of chunked requests received
HTTP/1.0 responses (HT10RspRx): Number of HTTP/1.0 responses received from servers
HTTP/1.1 responses (HT11RspRx): Number of HTTP/1.1 responses received from servers
Content-length responses (HTCLnRsp): Number of HTTP requests/responses received with content-length headers
Chunked responses (HTChunk): Number of HTTP requests/responses received with chunked encoding
FIN-terminated responses (HTNoCLnChunk): Number of FIN-terminated responses
Multi-part responses (HTMPrtHd): Number of HTTP multi-part header requests/responses received
Incomplete headers (HTIncHd): Number of incomplete header reassembly failures
Incomplete request headers (HTIncReqHd): Number of incomplete request headers received
Incomplete response headers (HTIncRspHd): Number of incomplete response headers received
Large/Invalid messages (HTInvReq): Number of large/invalid requests/responses received
Large/Invalid chunk requests (HTInvChkRx): Number of large/invalid requests/responses received
Large/Invalid content-length (HTInvCLn): Number of large/invalid content-length requests/responses received
All server connections (SvrCx): Number of server connections in NetScaler
Closing server connections (SvrCxCl): Number of server connections in NetScaler in closing states
Established server connections (SvrCxE): Number of server connections in NetScaler in established state
Opening server connections (SvrCxO): Number of server connections in NetScaler in opening states
Opened server connections (TotSvrO): Total number of opened server connections
Closed server connections (TotSvrC): Total number of closed server connections
All client connections (CltCx): Number of client connections in NetScaler
Closing client connections (CltCxCl): Number of client connections in NetScaler in closing states
Established client connections (CltCxE): Number of client connections in NetScaler in established state
Opening client connections (CltCxO): Number of client connections in NetScaler in opening states
Opened client connections (TotCltO): Total number of opened client connections
Closed client connections (TotCltC): Total number of closed client connections
Surge queue (SQlen): Number of connections in surge queue
Spare connections (SpConn): Number of spare connections ready to be used
Server active connections (ActSvrCo): Number of connections currently serving requests
Server out of order packets (SvrOOO): Number of out of order TCP packets received from servers
Client out of order packets (CltOOO): Number of out of order TCP packets received from clients
TCP packets received (TCPPktRx): Number of TCP packets received
TCP bytes received (TCPbRx): Number of TCP bytes received
TCP packets transmitted (TCPPktTx): Number of TCP packets transmitted
TCP bytes transmitted (TCPbTx): Number of TCP bytes transmitted
Current rate threshold (UDPThs): This contains the value set for the 10ms rate threshold for UDP packets. This implies that within a 10ms range, NetScaler can allow (receive or pass through) the set number of UDP packets.
Packets received (UDPPktRx): Number of UDP packets received
Bytes received (UDPbRx): Number of UDP bytes received
Packets transmitted (UDPPktTx): Number of UDP packets transmitted
Bytes transmitted (UDPbTx): Number of UDP bytes transmitted
Unknown service (UDPUnSvc): Number of UDP packets to unconfigured services
Bad UDP checksum (UDPBadCkSum): Number of packets with bad UDP checksum received.
Rate threshold exceeded (UDPRtEx): Number of times the UDP rate threshold was exceeded.
IP packets received (IPPktRx): Number of IP packets received by NetScaler
IP bytes received (IPbRx): Number of IP bytes received by NetScaler.
IP packets transmitted (IPPktTx): Number of IP packets transmitted by NetScaler.
ICMP packets received (ICPktRx): Number of ICMP packets received by NetScaler.
ICMP bytes received (ICbRx): Number of ICMP bytes received by NetScaler.
ICMP packets transmitted (ICPktTx): Number of ICMP packets transmitted by NetScaler.
ICMP bytes transmitted (ICbTx): Number of ICMP bytes transmitted by NetScaler.
ICMP echo replies received (ECORepRx): Number of ICMP echo replies received by NetScaler.
ICMP echo replies transmitted (ECORepTx): Number of ICMP echo replies transmitted by NetScaler.
ICMP echos received (ECORx): Number of ICMP echos received by NetScaler.
ICMP packets dropped (ICPktDr): Number of ICMP packets dropped by NetScaler.
SYN packets received (TCPSYN): Number of SYN packets received
Server probes (SYNProbe): Number of times auto-discovered servers were probed
FIN packets from server (SvrFin): Number of FIN packets received from a server
FIN packets from client (CltFin): Number of FIN packets received from a client
Time wait to SYN (WaToSyn): Number of times a SYN packet was received on a connection in TIME_WAIT state
Data in TIME_WAIT (WaDat): Number of times data was received on a connection in TIME_WAIT state
Client idle flushed (ZomCltF): Number of idle client connections flushed
Server idle connections flushed (ZSvrF): Number of idle server connections flushed
Client half opened flushed (ZCltFHo): Number of half opened client connections flushed
Server half opened flushed (ZSvrFHo): Number of half opened server connections flushed
Client active half closed flushed (ZCltFAhc): Number of active half closed client connections flushed
Server active half closed flushed (ZSvrFAhc): Number of active half closed server connections flushed
Client passive half closed flushed (ZCltFPhc): Number of passive half closed client connections flushed
Server passive half closed flushed (ZSrvFPhc): Number of passive half closed server connections flushed
Bad TCP checksum (TCPBadCk): Number of bad TCP checksums received
SYN in SYN_RCVD state (TCPSYNRv): Number of SYN packets received on a connection in SYN_RCVD state
SYN in ESTABLISHED state (TCPSYNEs): Number of SYN packets received on a connection in ESTABLISHED state
SYN packets timeout (TCPSYNG): Number of times connection establishment timed out
SYN_SENT incorrect ACK packet (TCPBadAk): Number of incorrect ACK packets received on a connection in SYN_SENT state
SYN packet retries (TCPSYNRe): Number of times a SYN packet was retried
FIN packet retries (TCPFINRe): Number of times a FIN packet was retried
FIN packets timeout (TCPFING): Number of times connection closing timed out
RST packets received (TCPRST): Number of RST packets received
RST on not ESTABLISHED (TCPRSTNE): Number of RST packets received on a connection not in ESTABLISHED state
RST out of window (TCPRSTOW): Number of RST packets received on a connection out of current TCP window
RST in TIME_WAIT (TCPRSTTi): Number of RST packets received on a connection in TIME_WAIT state
Server retransmissions (TCPSvrRe): Number of retransmission packets from servers
Client retransmissions (TCPCltRe): Number of retransmission packets from clients
Full packet retransmissions (TCPFulRe): Number of full retransmission packets
Partial packet retransmissions (TCPParRe): Number of full retransmission packets
Server out of order packets (SvrOOO): Number of out of order TCP packets received from servers
Client out of order packets (CltOOO): Number of out of order TCP packets received from clients
TCP hole on client connection (CltHole): Number of TCP holes on client connections
TCP hole on server connection (SvrHole): Number of TCP holes on server connections
Seq number SYN cookie reject (CSeqRej): Number of TCP SYN cookie packets rejected due to incorrect sequence number
Signature SYN cookie reject (CSigRej): Number of TCP SYN cookie packets rejected due to incorrect signature
Seq number SYN cookie drop (CSigDrp): Number of TCP SYN cookie packets dropped due to out of window sequence number
MSS SYN cookie reject (CMssRej): Number of TCP SYN cookie packets rejected due to incorrect MSS
TCP retransmission (Retr): Number of TCP retransmissions sent
TCP retransmission giveup (RetrG): Number of times TCP retransmission was given up
Zombie cleanup calls (ZmbCall): Number of times Zombie cleanup is called
SYN packets held (SYNHeld): Number of SYN packets held, waiting for server connection
SYN packets flushed (SYNFlush): Number of held SYN packets flushed due to no server response
TIME_WAIT connections closed (FinWaitC): Number of connections closed because there were too many connections in TIME_WAIT state
Any IP port allocation failure (PortFal): Number of port allocation failures on any IP address
IP port allocation failure (PortFalI): Number of port allocation failures on a specific IP address
Stray packets (StrayPkt): Number of packets received on a nonexistent connection
RST packets sent (SentRst): Number of RST packets sent
Bad state connections (BadConn): Number of connections in none of the known TCP states
Fast retransmits (FastRetr): Number of fast TCP retransmissions done
1st retransmission (1stRetr): Number of first retransmissions done
2nd retransmission (2ndRetr): Number of second retransmissions done
3rd retransmission (3rdRetr): Number of third retransmissions done
4th retransmission (4thRetr): Number of fourth retransmissions done
5th retransmission (5thRetr): Number of fifth retransmissions done
6th retransmission (6thRetr): Number of sixth retransmissions done
7th retransmission (7thRetr): Number of seventh retransmissions done
Data after FIN (TCPDtFin): Number of times data was received after FIN packet
RST threshold dropped (RstThre): Number of RST packets dropped due to RST threshold
Packets out of window (OOWPkt): Number of packets out of TCP advertised window
SYNs dropped (Congestion) (SynCng): Number of SYN packets dropped because of network congestion
Heartbeats received (HApktrx): Number of HA heartbeats received
BPDU packets dropped (BPDUdrop): Number of BPDU packets dropped
Master claims (HAclaim): Number of Master claims
Master state changes (masterch): This represents the total number of master state changes that the NetScaler has made from primary to secondary and vice-versa.
State Fail (HAstfail): Number of times state changed to PARTIAL_FAIL/PARTIAL_FAIL_SSL/ROUTEMONITOR_FAIL/COMPLETE_FAIL
State UP (HAstup): Number of times state changed to UP
State INIT (HAstinit): Number of times state changed to INIT
Recovers (HArecnum): Number of Recovers
Heartbeats sent (HApkttx): Number of packets sent
REQ_INIT packets received (reqinit): Number of REQ_INIT packets received
Config sync (HAsync): Number of config syncs
Mac updates (macupd): Number of MAC updates
Propagated commands (propioc): Number of ioctls extracted from the queue for propagation
Config flush (clrconf): Number of times config is flushed
NSB allocation failures (memfail): Number of nsb allocation failures
sw monitor fail (swmnfail): Number of times heartbeat was not seen over the links
Pkts rx on non-monitored links (rxnoswmn): Number of packets received on not monitored links
Pkts rx with wrong dst mac (rxdstmac): Number of packets received with wrong destination MAC
Pkts rx not from the peer (rxnode): Number of packets received not from an HA node
Pkts rx with wrong signature (rxsig): Number of packets received with wrong signature
Version mismatch (rxver): Number of packets received with wrong version
Pkts rx with the same seq num (rxseqno): Number of packets received with the same seq number
Propagation mem alloc failures (propmemf): Number of times memory allocation failed during propagation
Propagation timeouts (ptimeout): Number of times propagation timed out
Master disputes (mastdisp): Number of HA master disputes
Node DOWN (nodedown): Number of times a node is detected as DOWN
non-INIT pkts from DOWN node (rxnoinit): Number of non-INIT packets received from a DOWN node
Port silent (silent): Number of times heartbeats were not received on a link for dead interval
Heartbeat rx after dead intvl (heartbeat): Number of times heartbeats were seen after losing them for dead interval
Sync failure (syncfail): Recent sync operation failed
Heartbeats with invalid app id (hbappid): Number of times an HA heartbeat was seen with invalid app_id
Heartbeats with invalid type (hbtype): Number of times an HA heartbeat was seen with invalid type
Heartbeats with invalid state (hbstate): Number of times an HA heartbeat was seen with invalid state
Heartbeat with bad masterstate (hbmasst): Number of times an HA heartbeat was seen with invalid master state
Heartbeats with bad pkt length (hbpktlen): Number of times an HA heartbeat was seen with different packet size
Number of peer nodes (nodenum): Number of peer nodes
Initialization time (inittime): The time until end of initialization
hw monitor (hwmon): The NICs that are monitored
sw monitor (swmon): The NICs that are monitored by heartbeat
Derived incarnation number (derinc): Derived incarnation based on ioctls received
Peer incarnation number (peerinc): The peer's incarnation seen from heartbeats
Time left for synchronization (synctime): The time at which the next sync starts
Hello interval in 10ms (helloint): HA Hello Interval in 10ms
Dead interval in 10ms (deadint): HA Dead Interval in 10ms
Bad IP checksums (badCksum): Number of packets received with bad IP checksums.
IP packets received (IPPktRx): Number of IP packets received by NetScaler
IP bytes received (IPbRx): Number of IP bytes received by NetScaler.
IP packets transmitted (IPPktTx): Number of IP packets transmitted by NetScaler.
IP bytes transmitted (IPbTx): Number of IP bytes transmitted by NetScaler.
Megabits received (IPMbRx): Number of IP bits received by the NetScaler, in megabits.
Megabits transmitted (IPMbTx): Number of IP bits transmitted by the NetScaler, in megabits.
IP fragments received (IPFragRx): Number of IP fragments received.
Successful reassembly (reasSucc): Number of IP packets for which successful reassembly was done.
Unsuccessful reassembly (reasFail): Number of IP packets for which reassembly failed.
Reassembled data too big (reasBig): Number of IP packets for which reassembled data was too big.
Reassembly attempted (reasAtmp): Number of IP packets for which reassembly was attempted.
Zero fragment length received (zeroLen): Number of IP packets received with fragment length zero.
Duplicate fragments received (dupFrag): Number of duplicate IP fragments received.
Out of order fragment received (oooFrag): Number of out of order fragments received.
Unknown destination received (UnkDst): Number of unknown destinations received, cannot route packet to NSIP.
Bad Transport (badTran): Number of packets for which the service handler is unknown.
VIP down (vipDown): Number of packets received for which the VIP is down for natpcb sessions.
Fix header failure (hdrFail): Number of IP packets in which there is an error in the IP header.
IP address lookups (IpLkUp): Number of IP address lookups done
IP address lookup failure (IpLkFail): Number of IP address lookups which failed.
max non-TCP clients (maxClt): Number of times one tries to open a new connection to a service having maximum number of allowed open client connections
Unknown services (UnkSvc): Number of packets received for a NetScaler owned IP, but an un-configured port/service
land-attacks (LndAtk): Number of land attack packets received by NetScaler
UDP fragments forwarded (udpFgFwd): Total number of UDP fragments forwarded.
TCP fragments forwarded (tcpFgFwd): Total number of TCP fragments forwarded.
Fragmentation packets created (frgPktCr): Total number of fragmentation packets created by NS applications.
Invalid IP header size (errHdrSz): Number of packets with invalid IP header size.
Invalid IP packet size (errPktLen): Number of packets with invalid IP packet size.
Truncated IP packet (trIP): Total number of truncated IP packets
Truncated non-IP packet (trNonIp): Truncated non-IP packet
ZERO next hop (zrNxtHop): Total number of IP packets with ZERO next hop.
Packets with bad MAC sent (BadMacTx): The total number of transmitted IP packets with bad MAC addresses.
Packets with len > 1514 rcvd (BadLenTx): The total number of IP packets received with length > 1514.
TTL expired during transit (ttlExp): Number of IP packets for which TTL expired during transit.
ICMP port unreachable received (PortUnRx): Number of ICMP port unreachable packets received.
ICMP packets received (ICPktRx): Number of ICMP packets received by NetScaler.
ICMP bytes received (ICbRx): Number of ICMP bytes received by NetScaler.
ICMP packets transmitted (ICPktTx): Number of ICMP packets transmitted by NetScaler.
ICMP bytes transmitted (ICbTx): Number of ICMP bytes transmitted by NetScaler.
ICMP echo replies received (ECORepRx): Number of ICMP echo replies received by NetScaler.
ICMP echo replies transmitted (ECORepTx): Number of ICMP echo replies transmitted by NetScaler.
ICMP echos received (ECORx): Number of ICMP echos received by NetScaler.
ICMP rate threshold exceeded (ICRtEx): Number of times the ICMP rate threshold was exceeded.
ICMP packets dropped (ICPktDr): Number of ICMP packets dropped by NetScaler.
Bad ICMP checksum (BadCkSum): Number of packets with bad ICMP checksum received.
Need fragmentation received (NeedFrag): Number of ICMP "need fragmentation" error messages received.
PMTU non-first IP fragments (PMTUerr): Number of non-first IP fragments resulting in path MTU error.
PMTU Invalid body len received (IvBdyLen): Number of invalid body lengths received on a need fragmentation ICMP error message.
PMTU no tcp connection (NoTcpCon): Number of packets with no TCP connection on src/dst, ip/port information received on a need fragmentation ICMP error message.
PMTU no udp conection (NoUdpCon): Number of packets with no UDP connection on src/dst, ip/port information received on a need fragmentation ICMP error message.
PMTU invalid tcp seqno recvd (InvSeqNo): Invalid TCP seqno received on need fragmentation ICMP error message.
Invalid next MTU value recvd (IvNxtMTU): Invalid (576|>1500) next MTU value received on a need fragmentation ICMP error message.
Next MTU > Current MTU (BigNxMTU): Next MTU information received on a need fragmentation ICMP error message greater than current MTU.
PMTU Invalid protocol recvd (IvPrtRx): Invalid protocol type received on a need fragmentation ICMP error message.
PMTU IP check sum error (CkSumErr): IP checksum error on the IP fragment in the need fragmentation ICMP error message body.
PMTU pcb with no link (NoLnkErr): Need fragmentation ICMP error message received on a pcb with no link.
PMTU Discovery not enabled (PMTUdis): PMTU Discovery mode is not enabled.
ICMP rate threshold (ICThs): This contains the value set for the 10ms rate threshold for ICMP packets. This implies that within a 10ms range, NetScaler can allow (receive or pass through) the set number of ICMP packets.
ICMP port unreachable generated (PortUnTx): Number of ICMP port unreachable packets generated by NetScaler.
Loops: The number of bridge loops
Collisions (Collisns): The number of bridge collisions
Interface mutes (Mutes): The number of bridge mutes
SSL crypto card status (SSLCard): Status of the SSL card (1=UP, 0=DOWN)
SSL engine status: Status of the SSL Engine (1=UP, 0=DOWN)
SSL transactions (SSLTrn): Number of SSL transactions
SSLv2 transactions (SSL2Trn): Number of SSLv2 transactions
SSLv3 transactions (SSL3Trn): Total number of SSLv3 Transactions.
TLSv1 transactions (TLS1Trn): Number of TLSv1 transactions
SSL sessions (SSLSe): Number of SSL sessions
SSLv3 sessions (SSL3Se): Number of SSLv3 sessions
TLSv1 sessions (TLS1Se): Number of TLSv1 sessions
new SSL sessions (NewSe): Number of new SSL sessions
SSL session hits (SeHit): Number of SSL session reuse hits
SSL session misses (SeMiss): Number of SSL session reuse misses
Export sessions (40-bit) (ExpSe): Total number of Expired SSL Sessions.
SSL session renegotiations (SSLRn): Number of SSL session renegotiations
SSLv3 session renegotiations (SSL3Rn): Number of session renegotiations done on SSLv3
TLSv1 session renegotiations (TLS1Rn): Number of SSL session renegotiations done on TLSv1
SSLv2 sessions (SSL2Se): Number of SSLv2 sessions
SSLv2 SSL handshakes (SSL2Hs): Number of handshakes on SSLv2
SSLv3 SSL handshakes (SSL3Hs): Number of handshakes on SSLv3
TLSv1 SSL handshakes (TLS1Hs): Number of SSL handshakes on TLSv1
RSA 1024-bit key exchanges (RSAKx1): Number of RSA 1024-bit key exchanges
RSA 512-bit key exchanges (RSAKx5): Number of RSA 512-bit key exchanges
RSA 2048-bit key exchanges (RSAKx2): Number of RSA 2048-bit key exchanges
DH 512-bit key exchanges (DHKx5): Number of Diffie-Hellman 512-bit key exchanges
DH 1024-bit key exchanges (DHKx1): Number of Diffie-Hellman 1024-bit key exchanges
DH 2048-bit key exchanges (DHKx2): Number of Diffie-Hellman 2048-bit key exchanges
RSA authentications (RSAAt): Number of RSA authentications
DH authentications (DHAt): Number of Diffie-Hellman authentications
DSS (DSA) authentications (DSSAt): Total number of times DSS authorization was used.
Null authentications (NullAt): Number of Null authentications
RC4 40-bit encryptions (RC4En4): Number of RC4 40-bit cipher encryptions
RC4 56-bit encryptions (RC4En5): Number of RC4 56-bit cipher encryptions
RC4 64-bit encryptions (RC4En6): Number of RC4 64-bit cipher encryptions
RC4 128-bit encryptions (RC4En1): Number of RC4 128-bit cipher encryptions
DES 40-bit encryptions (DESEn4): Number of DES 40-bit cipher encryptions
DES 56-bit encryptions (DESEn5): Number of DES 56-bit cipher encryptions
DES 168-bit encryptions (3DESEn1): Number of DES 168-bit cipher encryptions
RC2 40-bit encryptions (RC2En4): Number of RC2 40-bit cipher encryptions
RC2 56-bit encryptions (RC2En5): Number of RC2 56-bit cipher encryptions
RC2 128-bit encryptions (RC2En1): Number of RC2 128-bit cipher encryptions
IDEA 128-bit encryptions (IDEAEn1): Number of IDEA 128-bit cipher encryptions
AES 128-bit encryptions (AESEn1): Number of AES 128-bit cipher encryptions
AES 256-bit encryptions (AESEn2): Number of AES 256-bit cipher encryptions
Null cipher encryptions (NullEn): Number of Null cipher encryptions
MD5 hashes (MD5Hsh): Number of MD5 hashes
SHA hashes (SHAHsh): Number of SHA hashes
SSLv2 client authentications (SSL2CAt): Number of client authentications done on SSLv2
SSLv3 client authentications (SSL3CAt): Number of client authentications done on SSLv3
TLSv1 client authentications (TLS1CAt): Number of client authentications done on TLSv1
Backend SSL sessions (BSSLSe): Number of Backend SSL sessions
Backend SSLv3 sessions (BSSL3Se): Number of Backend SSLv3 sessions
Backend TLSv1 sessions (BTLS1Se): Number of Backend TLSv1 sessions
Backend SSL sessions reused (BSeRe): Number of Backend SSL sessions reused
Backend session multiplex attempts (BSeMx): Number of Backend SSL session multiplex attempts
Backend session multiplex successes (BSeMxS): Number of Backend SSL session multiplex successes
Backend SSL multiplex failures (BSeMxF): Number of Backend SSL session multiplex failures
Backend SSL session renegotiations (BSSLRn): Number of Backend SSL session renegotiations
Backend SSLv3 session renegotiations (BSSL3Rn): Number of Backend SSLv3 session renegotiations
Backend TLSv1 session renegotiations (BTLS1Rn): Number of Backend TLSv1 session renegotiations
Backend RSA 512-bit key exchanges (BRSAKx5): Number of Backend RSA 512-bit key exchanges
Backend RSA 1024-bit key exchanges (BRSAKx1): Number of Backend RSA 1024-bit key exchanges
Backend RSA 2048-bit key exchanges (BRSAKx2): Number of Backend RSA 2048-bit key exchanges
Backend DH 512-bit key exchanges (BDHKx5): Number of Backend DH 512-bit key exchanges
Backend DH 1024-bit key exchanges (BDHKx1): Number of Backend DH 1024-bit key exchanges
Backend DH 2048-bit key exchanges (BDHKx2): Number of Backend DH 2048-bit key exchanges
Backend RC4 40-bit encryptions (BRC4En4): Number of Backend RC4 40-bit cipher encryptions
17-24 Command Reference Guide
stat ns
Backend RC4 56-bit encryptions (BRC4En5): Number of Backend RC4 56-bit cipher encryptions
Backend RC4 64-bit encryptions (BRC4En6): Number of Backend RC4 64-bit cipher encryptions
Backend RC4 128-bit encryptions (BRC4En1): Number of Backend RC4 128-bit cipher encryptions
Backend DES 40-bit encryptions (BDESEn4): Number of Backend DES 40-bit cipher encryptions
Backend DES 56-bit encryptions (BDESEn5): Number of Backend DES 56-bit cipher encryptions
Backend 3DES 168-bit encryptions (B3DESE1n): Number of Backend 3DES 168-bit cipher encryptions
Backend AES 128-bit encryptions (BAESEn1): Backend AES 128-bit cipher encryptions
Backend AES 256-bit encryptions (BAESEn2): Backend AES 256-bit cipher encryptions
Backend RC2 40-bit encryptions (BRC2En4): Number of Backend RC2 40-bit cipher encryptions
Backend RC2 56-bit encryptions (BRC2En5): Number of Backend RC2 56-bit cipher encryptions
Backend RC2 128-bit encryptions (BRC2En1): Number of Backend RC2 128-bit cipher encryptions
Backend IDEA 128-bit encryptions (BIDEAEn1): Number of Backend IDEA 128-bit cipher encryptions
Backend null encryptions (BNullEn): Number of Backend null cipher encryptions
Backend MD5 hashes (BMD5Hsh): Number of Backend MD5 hashes
Backend SHA hashes (BSHAHsh): Number of Backend SHA hashes
SSLv2 SSL handshakes (SSL2Hs): Number of handshakes on SSLv2
SSLv3 SSL handshakes (SSL3Hs): Number of handshakes on SSLv3
TLSv1 SSL handshakes (TLS1Hs): Number of SSL handshakes on TLSv1
Backend SSLv3 handshakes (BSSL3Hs): Number of Backend SSLv3 handshakes
Backend TLSv1 handshakes (BTLS1Hs): Number of Backend TLSv1 handshakes
Backend SSLv3 client authentications (BSSL3CAt): Number of Backend SSLv3 client authentications
Backend TLSv1 client authentications (BTLS1CAt): Number of Backend TLSv1 client authentications
Backend RSA authentications (BRSAAt): Number of Backend RSA authentications
Backend DH authentications (BDHAt): Number of Backend DH authentications
Backend DSS authentications (BDSSAt): Number of Backend DSS authentications
Backend Null authentications (BNullAt): Number of Backend null authentications
Related Commands
stat ns bridge
Synopsis
stat ns bridge [-detail] [-fullValues] [-ntimes <positive_integer>] [-logFile <input_filename>]
Description
Display bridge statistics
Counters
Loops: The number of bridge loops
Collisions (Collisns): The number of bridge collisions
Interface mutes (Mutes): The number of bridge mutes
Related Commands
stat ns node
Synopsis
stat ns node [-detail] [-fullValues] [-ntimes <positive_integer>] [-logFile <input_filename>]
Description
Display high-availability protocol statistics
Counters
System state (HAstate): High-availability system state
Master state (mastate): HA Master state
Independent Network Config (incstate): Independent network configuration state
HA over L3 (haoverl3): HA over L3
BPDU packet drop (dropBPDU): Flag to drop BPDU packets
Heartbeats received (HApktrx): Number of HA heartbeats received
BPDU packets dropped (BPDUdrop): Number of BPDU packets dropped
Master claims (HAclaim): Number of Master claims
Master state changes (masterch): The total number of master state changes that the NetScaler has made from primary to secondary and vice versa
State Fail (HAstfail): Number of times state changed to PARTIAL_FAIL/PARTIAL_FAIL_SSL/ROUTEMONITOR_FAIL/COMPLETE_FAIL
State UP (HAstup): Number of times state changed to UP
State INIT (HAstinit): Number of times state changed to INIT
Heartbeats sent (HApkttx): Number of packets sent
REQ_INIT packets received (reqinit): Number of REQ_INIT packets received
Config sync (HAsync): Number of config syncs
Mac updates (macupd): Number of MAC updates
Propagated commands (propioc): Number of ioctls extracted from the queue for propagation
Config flush (clrconf): Number of times config is flushed
NSB allocation failures (memfail): Number of NSB allocation failures
sw monitor fail (swmnfail): Number of times heartbeat was not seen over the links
Pkts rx on non-monitored links (rxnoswmn): Number of packets received on non-monitored links
Pkts rx with wrong dst mac (rxdstmac): Number of packets received with wrong destination MAC
Pkts rx not from the peer (rxnode): Number of packets received not from an HA node
Pkts rx with wrong signature (rxsig): Number of packets received with wrong signature
Version mismatch (rxver): Number of packets received with wrong version
Pkts rx with the same seq num (rxseqno): Number of packets received with the same sequence number
Propagation mem alloc failures (propmemf): Number of times memory allocation failed during propagation
Propagation timeouts (ptimeout): Number of times propagation timed out
Master disputes (mastdisp): Number of HA master disputes
Node DOWN (nodedown): Number of times a node is detected as DOWN
non-INIT pkts from DOWN node (rxnoinit): Number of non-INIT packets received from a DOWN node
Port silent (silent): Number of times heartbeats were not received on a link for the dead interval
Heartbeat rx after dead intvl (heartbeat): Number of times heartbeats were seen after losing them for the dead interval
Sync failure (syncfail): Recent sync operation failed
Heartbeats with invalid app id (hbappid): Number of times an HA heartbeat was seen with invalid app_id
Heartbeats with invalid type (hbtype): Number of times an HA heartbeat was seen with invalid type
Heartbeats with invalid state (hbstate): Number of times an HA heartbeat was seen with invalid state
Heartbeat with bad masterstate (hbmasst): Number of times an HA heartbeat was seen with invalid master state
Heartbeats with bad pkt length (hbpktlen): Number of times an HA heartbeat was seen with different packet size
Number of peer nodes (nodenum): Number of peer nodes
Initialization time (inittime): The time until end of initialization
hw monitor (hwmon): The NICs that are monitored
sw monitor (swmon): The NICs that are monitored by heartbeat
Derived incarnation number (derinc): Derived incarnation based on ioctls received
Peer incarnation number (peerinc): The peer's incarnation seen from heartbeats
Time left for synchronization (synctime): The time at which the next sync starts
Hello interval in 10ms (helloint): HA Hello Interval in 10ms
Dead interval in 10ms (deadint): HA Dead Interval in 10ms
Related Commands
bind ns node, unbind ns node, add ns node, set ns node, rm ns node, show ns node
show ns stats
Synopsis
show ns stats - alias for 'stat ns'
Description
show ns stats is an alias for stat ns
Related Commands
stat ns
add ns arp
Synopsis
add ns arp -IPAddress <ip_addr> -mac <mac_addr> -ifnum <interface_name>
Description
Use this command to add a static entry to the NetScaler system's ARP table. This ARP entry never times out.
Arguments
IPAddress: The IP address of the server.
mac: The MAC address of the server. Enter the MAC address with the colons (:) as the example shows.
ifnum: The physical interface for the ARP entry. Use the show interface command to view the valid interface names.
Example
add ns arp -ip 10.100.0.48 -mac 00:a0:cc:5f:76:3a -ifnum 1/1
Related Commands
disable ns arp, enable ns arp, rm ns arp, send ns arp, show ns arp
disable ns arp
Synopsis
disable ns arp <IPAddress>
Description
Use this command to configure the NetScaler system so that it does not respond to ARP requests for the specified IP address. This is beneficial in topologies where the IP address is shared across multiple devices - for example, in authoritative server load balancing (ASLB) configuration.
Arguments
IPAddress: The IP address of the NetScaler system ARP to be disabled.
Related Commands
add ns arp, enable ns arp, rm ns arp, send ns arp, show ns arp
enable ns arp
Synopsis
enable ns arp <IPAddress>
Description
Use this command to configure the NetScaler system to respond to an ARP request for the specified IP address. This IP address must be an address owned by the NetScaler system.
Arguments
IPAddress: The IP address for which the ARP response is to be enabled.
Related Commands
add ns arp, disable ns arp, rm ns arp, send ns arp, show ns arp
rm ns arp
Synopsis
rm ns arp (<IPAddress> | -all)
Description
Use this command to remove an entry from the NetScaler system's ARP table.
Arguments
IPAddress: The IP address whose entry is to be removed.
all: Use this option to remove all entries from the NetScaler system's ARP table.
Related Commands
add ns arp, disable ns arp, enable ns arp, send ns arp, show ns arp
send ns arp
Synopsis
send ns arp (<IPAddress> | -all)
Description
Use this command to send out an ARP for an IP address or for all IP addresses.
Arguments
IPAddress: The IP address for which the ARP needs to be sent.
all: Use this option to send an ARP out for all NetScaler-owned IP addresses for which ARP is enabled.
Example
send arp 10.10.10.10
Related Commands
add ns arp, disable ns arp, enable ns arp, rm ns arp, show ns arp
show ns arp
Synopsis
show ns arp
Description
Use this command to display all the entries in the NetScaler system's ARP table:
- IP shows the server's IP address.
- MAC shows the server's MAC address.
- Interface shows which NetScaler system interface is being used.
- Origin shows whether the entry is static or dynamic.
- VLAN shows the VLAN to which this IP address belongs.
Arguments
Output
IPAddress: The IP address corresponding to an ARP entry.
mac: The MAC address corresponding to an ARP entry.
ifnum: The interface on which this MAC address resides.
timeout: The time when this entry will time out.
state: The state of this ARP entry.
flags: The flags for this entry.
vlan: The VLAN for this ARP entry.
Example
The output of the sh ns arp command is as follows:
5 configured arps:
     IP             MAC                 Inface   VLAN    Origin
     -------        -------             -------  ------  -------
1)   10.250.11.1    00:04:76:dc:f1:b9   1/2      2       dynamic
2)   10.11.0.254    00:30:19:c1:7e:f4   1/1      1       dynamic
3)   10.11.0.41     00:d0:a8:00:7c:e4   0/1      1       dynamic
4)   10.11.222.2    00:ee:ff:22:00:01   0/1      1       dynamic
5)   10.11.201.12   00:30:48:31:23:49   0/1      1       dynamic
Related Commands
add ns arp, disable ns arp, enable ns arp, rm ns arp, send ns arp
show ns bridgetable
Synopsis
show ns bridgetable
Description
Use this command to display the bridge ageing time and bridging table.
Output
bridgeAge: The bridge ageing time in seconds.
mac: The MAC address of target.
ifnum: The interface on which the address was learnt.
vlan: The VLAN in which this MAC address lies.
Example
show bridgetable
Related Commands
set ns bridgetable
set ns bridgetable
Synopsis
set ns bridgetable [-bridgeAge <positive_integer>]
Description
Use this command to set the ageing time for bridge table entries. Dynamic bridge entries are automatically removed after a specified time, the ageing time, has elapsed since the entry was created or last updated.
Arguments
bridgeAge: The bridge ageing time in seconds. Default value: 300
Example
set ns bridgetable -bridgeAge 200
Related Commands
show ns bridgetable
save ns config
Synopsis
save ns config
Description
Use this command to save the NetScaler system configuration to the NetScaler system's FLASH. In a high availability setup, the command is sent to the primary NetScaler system. The primary NetScaler system then forwards the command to the secondary NetScaler system. The entire NetScaler system configuration is saved to the ns.conf file located in the /nsconfig directory. Backup configuration files are named ns.conf.n. The most recent backup file has the smallest value for n.
Output
Related Commands
set ns config, unset ns config, show ns config, clear ns config
set ns config
Synopsis
set ns config [-IPAddress <ip_addr> -netmask <netmask>] [-nsvlan <positive_integer> -ifnum <interface_name> ...] [-httpPort <port> ...] [-maxConn <positive_integer>] [-maxReq <positive_integer>] [-cip ( ENABLED | DISABLED ) <cipHeader>] [-cookieversion ( 0 | 1 )] [-pmtuMin <positive_integer>] [-pmtuTimeout <mins>]
Description
Use this command to set the NetScaler system parameters.
Arguments
IPAddress: The IP address of the NetScaler system.
nsvlan: The VLAN (NSVLAN) for the subnet on which the NetScaler IP resides
httpPort: The HTTP ports on the Web server. This allows the NetScaler system to perform connection off-load for any client request that has a destination port matching one of these configured ports.
maxConn: The maximum number of connections that will be made from the NetScaler system to the web server(s) attached to it. The value entered here is applied globally to all attached servers.
maxReq: The maximum number of requests that the NetScaler system can pass on a particular connection between the NetScaler system and a server attached to it. Setting this value to 0 allows an unlimited number of requests to be passed.
cip: Use this option to control (enable or disable) the insertion of the actual client IP address into the HTTP header request passed from the client to one, some, or all servers attached to the NetScaler system. The passed address can then be accessed through a minor modification to the server.
- If cipHeader is specified, it will be used as the client IP header.
- If it is not specified, then the value that has been set by the set ns config CLI command will be used as the client IP header.
Possible values: ENABLED, DISABLED
cipHeader: The text that will be used as the client IP header.
cookieversion: The version of the cookie inserted by the NetScaler system. Possible values: 0, 1
pmtuMin: The minimum Path MTU.
pmtuTimeout: The timeout value in minutes.
Related Commands
save ns config, unset ns config, show ns config, clear ns config
unset ns config
Synopsis
unset ns config [-nsvlan]
Description
Use this command to unset the NetScaler system parameters.
Arguments
nsvlan: Unset the VLAN (NSVLAN) for the subnet on which the NetScaler IP resides
Related Commands
save ns config, set ns config, show ns config, clear ns config
show ns config
Synopsis
show ns config
Description
Use this command to display the version, build, and feature information of the NetScaler system.
Note: If you want to see the complete configuration parameters that have been set for the NetScaler 9000 system, use the show ns runningconfig CLI command.
Arguments
Output
IPAddress
netmask
mappedIP
range
nsvlan
ifnum
httpPort
maxConn
maxReq
cip
cipHeader
cookieversion
failover
primaryIP
pmtuMin: The minimum Path MTU.
pmtuTimeout: The timeout value in minutes.
flags
Related Commands
save ns config, set ns config, unset ns config, clear ns config
show ns ns.conf
Synopsis
show ns ns.conf
Description
Use this command to display the last saved configuration.
Arguments
Output
Related Commands
save config, show runningconfig
clear ns config
Synopsis
clear ns config [-force] [<level>]
Description
Arguments
force
confirm
level
Related Commands
save ns config, set ns config, unset ns config, show ns config
config ns
Synopsis
config ns
Description
Use this command to display the NetScaler system's configuration menu. By choosing items from the menu and following the instructions on the screen, each of the configuration parameters can be modified. On entering the config CLI command, the following menu is displayed:
Note: The values inside the square brackets indicate the current value of the parameters.
> config ns
NSCONFIG NS6.1.
Reading the NetScaler configuration from the file /etc/ns.conf
REVIEW CONFIGURATION PARAMETERS MENU
------------------------------------
This menu allows you to view and/or modify the NetScaler's configuration. Each configuration parameter displays its current value within brackets if it has been set. To change a value, enter the number that is displayed next to it.
------------------------------------
1. NetScaler's IP address: [10.102.7.101]
2. Netmask: [255.255.255.0]
3. Advanced Network Configuration.
4. Time zone.
5. Cancel all the changes and exit.
6. Apply changes and exit.
Select a menu item from 1 to 6 [6]:
NetScaler is running.
Writing the NetScaler configuration into the file /etc/ns.conf
NetScaler must be rebooted to apply configuration changes.
Do you want to reboot NetScaler now? [NO]:
Done
Notes:
1. The NetScaler 9000 system needs to be rebooted every time an item on this menu is changed and the changes saved.
2. This command only modifies and saves the basic configuration set in the ns.conf file (using the set ns config command). It does not save the running configuration changes applied after the last invocation of the save ns config command. If you have applied changes to your running configuration, then you should save them with the save ns config command before using the config ns command. See the note on the reboot ns command.
Arguments
Related Commands
reboot ns, shutdown
show ns runningconfig
Synopsis
show ns runningconfig
Description
Use this command to print the information pertaining to all the configuration that has been applied to the NetScaler system, including settings that have not yet been saved to the NetScaler system's ns.conf file using the save config command.
Arguments
Related Commands
show ns.conf
add ns acl
Synopsis
add ns acl <aclname> <aclaction> [-established]
Description
Use this command to add an ACL to the NetScaler configuration. Each inbound packet is matched against configured ACLs and the specified action is applied to the packet. The action could be ALLOW, DENY or BRIDGE. This command adds the ACL to the configuration space. To commit this ACL, use the 'apply acls' command.
Arguments
aclname: The alphanumeric name of the ACL.
aclaction: The action associated with the ACL. Possible values: BRIDGE, DENY, ALLOW
srcIP: The source IP address (range).
srcPort: The source Port (range).
destIP: The destination IP address (range).
destPort: The destination Port (range).
srcMac: The source MAC address.
protocol: The IP protocol name. Possible values: ICMP, IGMP, TCP, EGP, IGP, ARGUS, UDP, RDP, RSVP, EIGRP, L2TP, ISIS
protocolNumber: The IP protocol number (decimal).
vlan: The VLAN number.
interface: The physical interface.
established: This argument indicates that the ACL should be used for TCP response traffic only.
priority: The priority of the ACL.
state: The state of the ACL. Possible values: ENABLED, DISABLED Default value: ENABLED
Example
add ns acl restrict DENY -srcport 45-1024 -destIP 192.168.1.1 -protocol TCP
Related Commands
clear acls, apply acls, rm ns acl, enable ns acl, disable ns acl, set ns acl, show ns acl, stat ns acl
rm ns acl
Synopsis
rm ns acl <aclname> ...
Description
Use this command to remove an ACL. To commit this operation, use the 'apply acls' command.
Arguments
aclname: The name of the ACL to be deleted.
Example
rm ns acl restrict
Related Commands
apply acls, clear acls, add ns acl, enable ns acl, disable ns acl, set ns acl, show ns acl, stat ns acl
enable ns acl
Synopsis
enable ns acl <aclname> ...
Description
Use this command to enable an ACL. To commit this operation, use the 'apply acls' command.
Arguments
aclname: The name of the ACL to be enabled.
Example
enable ns acl foo
Related Commands
apply acls, clear acls, add ns acl, rm ns acl, disable ns acl, set ns acl, show ns acl, stat ns acl
disable ns acl
Synopsis
disable ns acl <aclname> ...
Description
Use this command to disable an ACL. To commit this operation, use the 'apply acls' command.
Arguments
aclname: The name of the ACL to be disabled.
Example
disable ns acl foo
Related Commands
apply acls, clear acls, add ns acl, rm ns acl, enable ns acl, set ns acl, show ns acl, stat ns acl
set ns acl
Synopsis
set ns acl <aclname> [-aclaction <aclaction>] [-srcIP [<operator>] <srcIPVal>] [-srcPort [<operator>] <srcPortVal>] [-destIP [<operator>] <destIPVal>] [-destPort [<operator>] <destPortVal>] [-srcMac <mac_addr>] [-protocol <protocol> | -protocolNumber <positive_integer>] [-vlan <positive_integer>] [-interface <interface_name>] [-priority <positive_integer>] [-state <state>]
Description
Use this command to modify an ACL. To commit this modified ACL, use the 'apply acls' command.
Arguments
aclname: The alphanumeric name of the ACL.
aclaction: The action associated with the ACL. Possible values: BRIDGE, DENY, ALLOW
srcIP: The source IP address (range).
srcPort: The source Port (range).
destIP: The destination IP address (range).
destPort: The destination Port (range).
srcMac: The source MAC address.
protocol: The IP protocol name. Possible values: ICMP, IGMP, TCP, EGP, IGP, ARGUS, UDP, RDP, RSVP, EIGRP, L2TP, ISIS
protocolNumber: The IP protocol number (decimal).
vlan: The VLAN number.
interface: The physical interface.
priority: The priority of the ACL.
state: The state of the ACL. Possible values: ENABLED, DISABLED
Example
set ns acl restrict -srcPort 50
Related Commands
clear acls, apply acls, add ns acl, rm ns acl, enable ns acl, disable ns acl, show ns acl, stat ns acl
show ns acl
Synopsis
show ns acl [<aclname>]
Description
Use this command to list the ACLs. If a name is specified, then only that ACL is shown.
Arguments
aclname: The name of the ACL.
Output
aclaction: The action associated with the ACL.
srcMac: The source MAC address.
protocol: The protocol number in IP header or name
protocolNumber: The protocol number in IP header or name
srcPortVal: The source Port (range).
destPortVal: The destination Port (range).
srcIPVal: The source IP address (range).
destIPVal: The destination IP address (range).
vlan: The VLAN number.
state: The state of the ACL.
kernelstate: The commit status of the ACL
interface: The physical interface.
hits: The hits of this ACL.
established: This flag indicates that the ACL should be used for TCP response traffic only.
priority: The priority of the ACL.
Example
sh acl foo
Name: foo    Action: ALLOW    Hits: 0
srcIP = 10.102.1.150
destIP = 202.54.12.47
srcMac:    Protocol: TCP
srcPort    destPort = 110
Vlan:    Interface:
Active Status: ENABLED    Applied Status: NOTAPPLIED
Priority: 1027
Related Commands
add ns acl, rm ns acl, enable ns acl, disable ns acl, set ns acl, stat ns acl
clear ns acls
Synopsis
clear ns acls
Description
Use this command to clear all configured ACLs. This operation does not require an explicit apply.
Example
clear ns acls
Related Commands
add ns acl, rm ns acl, apply ns acls
apply ns acls
Synopsis
apply ns acls
Description
Use this command to commit the ACL in the configuration space to the NetScaler system. This is required after you add ACLs or modify the ACLs.
Example
apply ns acls
Related Commands
add ns acl, rm ns acl, set ns acl, enable ns acl, disable ns acl, clear ns acls
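Because add, rm, enable, disable and set ns acl only change the configuration space until apply ns acls is run, a DENY rule can sit in the listing without being enforced. The following added example (not part of the original guide) parses show ns acl output and reports ACLs whose Applied Status is NOTAPPLIED, plus DENY rules that are disabled. The multi-record listing, the names other than foo, and the value APPLIED are assumptions modelled on the single "sh acl foo" example in this guide.

```python
import re

# Constructed sample. The first record is the "sh acl foo" example from this
# guide; the other records and the value APPLIED are assumptions.
SAMPLE_SHOW_ACL = """\
Name: foo Action: ALLOW Hits: 0
srcIP = 10.102.1.150
destIP = 202.54.12.47
srcMac: Protocol: TCP
srcPort destPort = 110
Vlan: Interface:
Active Status: ENABLED Applied Status: NOTAPPLIED
Priority: 1027
Name: restrict Action: DENY Hits: 0
destIP = 192.168.1.1
srcMac: Protocol: TCP
Active Status: ENABLED Applied Status: NOTAPPLIED
Priority: 1028
Name: legacy Action: DENY Hits: 311
srcMac: Protocol: UDP
Active Status: DISABLED Applied Status: APPLIED
Priority: 1029
Name: web Action: ALLOW Hits: 9021
srcMac: Protocol: TCP
Active Status: ENABLED Applied Status: APPLIED
Priority: 1030
"""

# Label-anchored patterns, so the parser does not depend on where the
# line breaks fall in the CLI output.
FIELDS = {
    "name": r"\bName:\s*(\S+)",
    "action": r"\bAction:\s*(\S+)",
    "hits": r"\bHits:\s*(\d+)",
    "active": r"Active Status:\s*(\S+)",
    "applied": r"Applied Status:\s*(\S+)",
    "priority": r"\bPriority:\s*(\d+)",
}


def parse_show_acl(text):
    """Split the listing at each 'Name:' label and extract the status fields."""
    records = []
    for chunk in re.split(r"(?=\bName:\s)", text):
        found = {key: re.search(pat, chunk) for key, pat in FIELDS.items()}
        if not found["name"]:
            continue  # banner text or empty leading chunk
        records.append({k: (m.group(1) if m else None) for k, m in found.items()})
    return records


def audit_acls(text):
    """Return (acl_name, finding) pairs for rules that are not in effect."""
    findings = []
    for acl in parse_show_acl(text):
        is_deny = acl["action"] == "DENY"
        if acl["applied"] == "NOTAPPLIED":
            # Still only in the configuration space: 'apply ns acls' was not run.
            findings.append((acl["name"], "UNCOMMITTED_DENY" if is_deny else "UNCOMMITTED"))
        if is_deny and acl["active"] == "DISABLED":
            findings.append((acl["name"], "DISABLED_DENY"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_acls(SAMPLE_SHOW_ACL):
        print(f"{name}: {finding}")
```

An UNCOMMITTED_DENY finding is the one to act on first: the rule is visible in the listing but, per the commit model described above, is not filtering traffic until apply ns acls is run.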
stat ns acl
Synopsis
stat ns acl [-detail] [-fullValues] [-ntimes <positive_integer>] [-logFile <input_filename>]
Description
This command displays the ACL statistics
Counters
Bridge ACL hits (ACLBdg): Total packets that matched an ACL with action BRIDGE and got bridged by NetScaler.
Deny ACL hits (ACLDeny): Total packets that matched an ACL with action DENY and got dropped by NetScaler.
Allow ACL hits (ACLAllow): Total packets that matched an ACL with action ALLOW and got consumed by NetScaler.
NAT ACL hits (ACLNAT): Total packets that matched an ACL with action ALLOW NAT and got consumed by NetScaler.
ACL hits (ACLHits): Total packets that matched any ACL
ACL misses (ACLMiss): Total packets that did not match any ACL
Example
stat acl
Related Commands
add ns acl, rm ns acl, enable ns acl, disable ns acl, set ns acl, show ns acl
force ns failover
Synopsis
force ns failover
Description
Use this command to trigger a failover.
Related Commands
force ns sync
Synopsis
force ns sync
Description
Use this command to force the configuration to be synchronized between the HA pair.
Related Commands
disable ns feature
Synopsis
disable ns feature [<feature> ...]
Description
Use this command to disable a specified feature or features.
Arguments
feature: The name of the feature to be disabled. To disable features enter one or more of the following:
- CF|ContentFiltering - Disables content filtering.
- CMP|CMPcntl - Disables compression.
- CR|CacheRedirection - Disables cache redirection.
- CS|ContentSwitching - Disables content switching.
- HDOSP | HttpDosProtection - Disables HTTP DoS Protection.
- GSLB| - Disables global server load balancing.
- LB|LoadBalancing - Disables load balancing.
- PQ|PriorityQueing - Disables priority queuing.
- SC|SureConnect - Disables SureConnect.
- SP|SurgeProtection - Disables surge protection.
- SSL|SSLOffload - Disables SSL off load.
- WL|WebLogging - Disables web server logging.
- IC|IntegratedCaching - Disables integrated caching.
- SSLVPN - Disables SSL VPN.
- routing - Disables dynamic routing.
Output
reqFeature
Related Commands
disable ns mode, enable ns feature, show ns feature
enable ns feature
Synopsis
enable ns feature [<feature> ...]
Description
Use this command to enable a specific feature.
Arguments
feature: The feature to be enabled. Use the following values to enable corresponding features:
- CF or ContentFiltering - Enables content filtering.
- CMP or CMPcntl - Enables compression.
- CR or CacheRedirection - Enables cache redirection.
- CS or ContentSwitching - Enables content switching.
- DOSP or DoSProtection - Enables DoS protection.
- GSLB - Enables global server load balancing.
- LB or LoadBalancing - Enables load balancing.
- PQ or PriorityQueing - Enables priority queuing.
- SC or SureConnect - Enables SureConnect.
- SP or SurgeProtection - Enables surge protection.
- SSL or SSLOffload - Enables SSL offload.
- WL or WebLogging - Enables web server logging.
- IC or IntegratedCaching - Enables Integrated Caching.
- SSLVPN - Enables SSL VPN.
- routing - Enables the dynamic routing.
Output
reqFeature
Example
enable ns feature sc
This CLI command enables the SureConnect feature.
Related Commands
disable ns feature, show ns feature
show ns feature
Synopsis
show ns feature
Description
Use this command to display the current status of NetScaler features.
Arguments
Output
feature
reqFeature
Related Commands
disable ns feature, enable ns feature
show ns info
Synopsis
show ns info
Description
Use this command to display the most relevant information about a NetScaler system, including:
- Software version
- Features that are enabled and disabled
- Modes that are enabled and disabled
- Whether the NetScaler 9000 system is acting as a normal or master node
- The NetScaler 9000 system IP address and mapped IP
Example
An example of this command's output is shown below:
NetScaler 9000 system Rainier: Build 24, Date: Apr 25 2002, 21:13:25
NetScaler 9000 system IP: 10.101.4.22 (mask: 255.255.0.0)
Mapped IP: 10.101.4.23
Node: Standalone
HTTP port(s): (none)
Max connections: 0
Max requests per connection: 0
Client IP insertion enabled: NO
Cookie version: 0
Feature status:
Web Logging: ON
Surge Protection: ON
Load Balancing: ON
Content Switching: ON
Cache Redirection: ON
Sure Connect: ON
Compression Control: OFF
Priority Queuing: ON
SSL Offloading: ON
Global Server Load Balancing: ON
HTTP DoS Protection: OFF
N+1: OFF
Dynamic Routing: OFF
Content Filtering: ON
Internal Caching: ON
SSL VPN: OFF
Mode status:
Fast Ramp: ON
Layer 2 mode: ON
Use Source IP: OFF
Client Keep-alive: ON
TCP Buffering: OFF
MAC-based forwarding: ON
Edge configuration: OFF
Use Subnet IP: OFF
Layer 3 mode (ip forwarding): ON
Related Commands
add ns ip
Synopsis
add ns ip <IPAddress>@ <netmask> [-type <type>]
Description
Use this command to add an IP address.
Arguments
IPAddress: The IP address of the entity.
netmask: The netmask of the IP.
type: The type of the IP address. Possible values: SNIP, VIP, MIP Default value: SNIP
arp: Use this option to set (enable or disable) ARP and gratuitous ARP for the entity. Possible values: ENABLED, DISABLED Default value: ENABLED
icmp: Use this option to set (enable or disable) ICMP responses for the entity. Possible values: ENABLED, DISABLED Default value: ENABLED
vServer: Use this option to set (enable or disable) the vserver attribute for this IP entity. Possible values: ENABLED, DISABLED Default value: ENABLED
telnet: Use this option to set (enable or disable) the state of telnet access to this IP entity. Possible values: ENABLED, DISABLED Default value: ENABLED
ftp: Use this option to set (enable or disable) the state of ftp access to this IP entity. Possible values: ENABLED, DISABLED Default value: ENABLED
gui: Use this option to set (enable or disable) GUI access to this IP entity. Possible values: ENABLED, DISABLED Default value: ENABLED
ssh: Use this option to set (enable or disable) the state of SSH access to this IP entity. Possible values: ENABLED, DISABLED Default value: ENABLED
snmp: Use this option to set (enable or disable) the state of SNMP access to this IP entity. Possible values: ENABLED, DISABLED Default value: ENABLED
mgmtAccess: Use this option to set (enable or disable) the state of management access to this IP entity. Possible values: ENABLED, DISABLED Default value: DISABLED
hostroute: Use this option to control (enable or disable) the advertisement of a hostroute to this IP entity. Possible values: ENABLED, DISABLED Default value: DISABLED
ospf: Use this option to enable or disable OSPF on this IP address for the entity. Possible values: ENABLED, DISABLED Default value: DISABLED
bgp: Use this option to enable or disable BGP on this IP address for the entity. Possible values: ENABLED, DISABLED Default value: DISABLED
rip: Use this option to enable or disable RIP on this IP address for the entity. Possible values: ENABLED, DISABLED Default value: DISABLED
hostrtgw: Use this option to set the gateway for the hostroute to be advertised for this IP entity.
vserverRHILevel: Use this option to set the per VIP RHI controls Possible values: ONE_VSERVER, ALL_VSERVERS, NONE Default value: ONE_VSERVER
ospfLSAType: Use this option to choose whether OSPF should advertise this route as Type1 or Type5. Possible values: TYPE1, TYPE5 Default value: TYPE5
Example
add ns ip 10.102.4.123 255.255.255.0
Related Commands
show ns ip, set ns ip, enable ns ip, disable ns ip, rm ns ip
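The defaults above leave telnet and ftp, both cleartext protocols, ENABLED on every address created with add ns ip. The following added example (not part of the original guide) replays a sequence of add ns ip and set ns ip commands against those documented defaults and lists the addresses where either flag is still ENABLED, with the set ns ip command that clears it. The command history is constructed, option names are matched case-insensitively as an assumption, and the mgmtAccess state is only carried along because this guide does not describe how it interacts with the per-service flags.

```python
# Defaults documented under the add ns ip arguments in this guide.
DEFAULTS = {
    "arp": "ENABLED", "icmp": "ENABLED", "vserver": "ENABLED",
    "telnet": "ENABLED", "ftp": "ENABLED", "gui": "ENABLED",
    "ssh": "ENABLED", "snmp": "ENABLED", "mgmtaccess": "DISABLED",
}
CLEARTEXT_SERVICES = ("telnet", "ftp")

# Constructed command history; the addresses are the ones used in this
# guide's show ns ip example.
SAMPLE_COMMANDS = """\
add ns ip 10.102.4.123 255.255.255.0
add ns ip 10.102.4.237 255.255.255.0 -type MIP
set ns ip 10.102.4.237 -telnet DISABLED -ftp DISABLED
add ns ip 10.102.1.131 255.255.255.0 -type VIP
set ns ip 10.102.1.131 -telnet DISABLED -mgmtAccess ENABLED
"""


def effective_ip_settings(commands):
    """Replay add/set ns ip commands and return {ip: {option: value}}."""
    state = {}
    for line in commands.splitlines():
        tok = line.split()
        if len(tok) < 4 or [t.lower() for t in tok[1:3]] != ["ns", "ip"]:
            continue
        verb, ip = tok[0].lower(), tok[3]
        if verb == "add":
            state[ip] = dict(DEFAULTS, type="SNIP")  # SNIP is the documented default type
            opts = tok[5:]                            # tok[4] is the netmask
        elif verb == "set" and ip in state:
            opts = tok[4:]
        else:
            continue
        # Options come as "-name VALUE" pairs.
        for name, value in zip(opts[0::2], opts[1::2]):
            state[ip][name.lstrip("-").lower()] = value.upper()
    return state


def cleartext_mgmt_findings(commands):
    """Return (ip, enabled_services, mgmtAccess_state, fix_command) per exposed IP."""
    findings = []
    for ip, settings in effective_ip_settings(commands).items():
        enabled = [s for s in CLEARTEXT_SERVICES if settings[s] == "ENABLED"]
        if enabled:
            fix = "set ns ip %s %s" % (ip, " ".join("-%s DISABLED" % s for s in enabled))
            findings.append((ip, enabled, settings["mgmtaccess"], fix))
    return findings


if __name__ == "__main__":
    for ip, services, mgmt, fix in cleartext_mgmt_findings(SAMPLE_COMMANDS):
        print(f"{ip}: {', '.join(services)} enabled (mgmtAccess {mgmt}) -> {fix}")
```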
show ns ip
Synopsis
show ns ip [<IPAddress>]
Description
Use this command to display all the IP addresses such as VIP, MIP, NSIP, and SNIP.
Arguments
IPAddress: The IP address of the entity.
Output
IPAddress: The IP address of this entity.
netmask: The netmask of this IP.
type: The type of this IP.
arp: Whether arp is enabled or disabled.
icmp: Whether icmp is enabled or disabled.
vServer: Whether vserver is enabled or disabled.
telnet: Whether telnet is enabled or disabled.
ssh: Whether ssh is enabled or disabled.
gui
Whether gui is enabled or disabled.
snmp
Whether snmp is enabled or disabled.
ftp
Whether ftp is enabled or disabled.
mgmtAccess
Whether management access is enabled or disabled.
bgp
Whether bgp is enabled or disabled.
ospf
Whether ospf is enabled or disabled.
rip
Whether rip is enabled or disabled.
hostroute
Whether host route is enabled or disabled.
hostrtgw
Gateway used for advertising host route.
vserverRHILevel
The rhi level for this IP.
ospfLSAType
The ospf lsa type to use while advertising this IP.
Example
show ns ip
    Ipaddress       Type          Mode     Arp      Icmp     Vserver  State
    ---------       ----          ----     ---      ----     -------  -----
1)  10.102.4.123    NetScaler IP  Active   Enabled  Enabled  NA       Enabled
2)  10.102.4.237    MIP           Passive  Enabled  Enabled  NA       Enabled
3)  10.102.1.131    VIP           Passive  Enabled  Enabled  Enabled  Enabled
Related Commands
add ns ip
set ns ip
enable ns ip
disable ns ip
rm ns ip
set ns ip
Synopsis
set ns ip <IPAddress>@ [-arp ( ENABLED | DISABLED )] [-icmp ( ENABLED | DISABLED )] [-vServer ( ENABLED | DISABLED )] [-telnet ( ENABLED | DISABLED )] [-ftp ( ENABLED | DISABLED )] [-gui ( ENABLED | DISABLED )] [-ssh ( ENABLED | DISABLED )] [-snmp ( ENABLED | DISABLED )] [-mgmtAccess ( ENABLED | DISABLED )] [-ospf ( ENABLED | DISABLED )] [-bgp ( ENABLED | DISABLED )] [-rip ( ENABLED | DISABLED )] [-hostroute ( ENABLED | DISABLED )] [-hostrtgw <ip_addr>] [-vserverRHILevel <vserverRHILevel>] [-ospfLSAType ( TYPE1 | TYPE5 )]
Description
Use this command to set the attributes of an IP entity.
Arguments
IPAddress
The IP address of the entity.
arp
Use this option to set (enable or disable) ARP and gratuitous ARP for the entity.
Possible values: ENABLED, DISABLED
icmp
Use this option to set (enable or disable) ICMP responses for the entity.
Possible values: ENABLED, DISABLED
vServer
Use this option to set (enable or disable) the vserver attribute for this IP entity.
Possible values: ENABLED, DISABLED
telnet
Use this option to set (enable or disable) the state of telnet access to this IP entity.
Possible values: ENABLED, DISABLED
ftp
Use this option to set (enable or disable) the state of ftp access to this IP entity.
Possible values: ENABLED, DISABLED
gui
Use this option to set (enable or disable) GUI access to this IP entity.
Possible values: ENABLED, DISABLED
ssh
Use this option to set (enable or disable) the state of SSH access to this IP entity.
Possible values: ENABLED, DISABLED
snmp
Use this option to set (enable or disable) the state of SNMP access to this IP entity.
Possible values: ENABLED, DISABLED
mgmtAccess
Use this option to set (enable or disable) the state of management access to this IP entity.
Possible values: ENABLED, DISABLED
ospf
Use this option to enable or disable OSPF on this IP address for the entity.
Possible values: ENABLED, DISABLED
Default value: DISABLED
bgp
Use this option to enable or disable BGP on this IP address for the entity.
Possible values: ENABLED, DISABLED
Default value: DISABLED
rip
Use this option to enable or disable RIP on this IP address for the entity.
Possible values: ENABLED, DISABLED
Default value: DISABLED
hostroute
Use this option to control (enable or disable) the advertisement of a hostroute to this IP entity.
Possible values: ENABLED, DISABLED
hostrtgw
Use this option to set the gateway for the hostroute to be advertised for this IP entity.
vserverRHILevel
Use this option to set the per VIP RHI controls.
Possible values: ONE_VSERVER, ALL_VSERVERS, NONE
Default value: ONE_VSERVER
ospfLSAType
Use this option to choose whether OSPF should advertise this route as Type1 or Type5.
Possible values: TYPE1, TYPE5
Default value: TYPE5
Example
set ns ip 10.102.4.123 -arp ENABLED
Related Commands
add ns ip
show ns ip
enable ns ip
disable ns ip
rm ns ip
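The Python script below is an added example, not part of the Citrix guide. It replays saved set ns ip commands in order and reports which IP entities still have a management service (telnet, ftp, gui, ssh, snmp, mgmtAccess) set to ENABLED, marking telnet and ftp as cleartext. The sample configuration is constructed, and treating option names and values as case-insensitive is an assumption.

```python
"""Audit saved `set ns ip` commands for management services left ENABLED."""

# Per-IP management options, taken from the `set ns ip` synopsis.
MGMT_OPTIONS = ("telnet", "ftp", "gui", "ssh", "snmp", "mgmtAccess")
# telnet and ftp send credentials unencrypted (a property of the protocols,
# not a statement made by the command reference).
CLEARTEXT = {"telnet", "ftp"}

# Constructed sample: commands in the order they were applied.
SAMPLE_CONFIG = """\
set ns ip 10.102.4.123 -telnet ENABLED -ssh ENABLED -gui ENABLED
set ns ip 10.102.4.237 -mgmtAccess ENABLED -ftp ENABLED
set ns ip 10.102.4.123 -telnet DISABLED
set ns ip 10.102.1.131 -arp ENABLED -icmp ENABLED
add ns route 10.10.10.0 255.255.255.0 10.10.10.1
"""


def parse_set_ns_ip(line):
    """Return (ip, {option: VALUE}) for a `set ns ip` line, None otherwise.

    Every option in the synopsis takes exactly one value, so the tail of the
    command is read as `-option value` pairs. Names and values are compared
    case-insensitively (assumption).
    """
    tokens = line.split()
    if len(tokens) < 4 or [t.lower() for t in tokens[:3]] != ["set", "ns", "ip"]:
        return None
    ip, rest = tokens[3], tokens[4:]
    options = {}
    for i in range(0, len(rest), 2):
        name = rest[i]
        if not name.startswith("-") or i + 1 >= len(rest):
            raise ValueError(f"malformed option {name!r} in: {line!r}")
        options[name[1:].lower()] = rest[i + 1].upper()
    return ip, options


def audit(config_text):
    """Return [(ip, service, severity)] for services whose last setting is ENABLED.

    Later commands override earlier ones for the same IP, so a service that
    was enabled and then disabled is not reported.
    """
    state = {}  # ip -> {option: value}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parsed = parse_set_ns_ip(line)
        if parsed is None:
            continue  # some other command; not relevant to this check
        ip, options = parsed
        state.setdefault(ip, {}).update(options)

    findings = []
    for ip, options in state.items():
        for service in MGMT_OPTIONS:
            if options.get(service.lower()) == "ENABLED":
                severity = "cleartext" if service in CLEARTEXT else "review"
                findings.append((ip, service, severity))
    return findings


if __name__ == "__main__":
    for ip, service, severity in audit(SAMPLE_CONFIG):
        print(f"{ip}: -{service} ENABLED [{severity}]")
```

Options that were never set explicitly are not reported, because this part of the guide does not state their defaults for set ns ip.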
enable ns ip
Synopsis
enable ns ip <IPAddress>@
Description
Use this command to enable an IP entity.
Arguments
IPAddress
The IP address of the entity.
Example
enable ns ip 10.10.10.10
Related Commands
add ns ip
show ns ip
set ns ip
disable ns ip
rm ns ip
disable ns ip
Synopsis
disable ns ip <IPAddress>@
Description
Use this command to disable an IP entity.
Arguments
IPAddress
The IP address of the entity.
Example
disable ns ip 10.10.10.10
Related Commands
add ns ip
show ns ip
set ns ip
enable ns ip
rm ns ip
rm ns ip
Synopsis
rm ns ip <IPAddress>@
Description
Use this command to remove an IP entity.
Arguments
IPAddress
The IP address of the entity.
Example
rm ns ip 10.102.4.123
Related Commands
add ns ip
show ns ip
set ns ip
enable ns ip
disable ns ip
disable ns mode
Synopsis
disable ns mode [<Mode> ...]
Description
Use this command to disable the specified feature or features.
Arguments
Mode
The feature to be disabled. The features are summarized as follows:
• FR | FastRamp - Disables Fast Ramp. This mode is enabled by default.
• L2 | Layer 2 mode - Disables the layer 2 mode. This mode is enabled by default.
• L3 | Layer 3 mode - Disables the layer 3 mode. This mode is disabled by default.
• USIP | UseSourceIP - Disables the use source IP mode. This mode is disabled for the HTTP protocol and enabled for non-HTTP protocols by default.
• CKA | Client Keep Alive - Disables the client keep alive mode. This mode is enabled by default.
• TCPB | TCPBuffering - Disables the TCP buffering mode.
• MBF | MAC Based Forwarding - Disables MAC based forwarding. This mode is enabled by default.
• edge - Disables the edge mode configuration.
• USNIP - Disables the use SNIP mode.
Output
swReqFeature
Example
This example shows the command to disable the NetScaler 9000 system's client keep-alive feature:
disable ns mode CKA
Related Commands
enable ns mode
show ns mode
enable ns mode
Synopsis
enable ns mode [<Mode> ...]
Description
Use this command to enable a specified mode.
Arguments
Mode
The name of the mode to be enabled. Enter one or more of the following mode names:
• FR | FastRamp - Enables Fast Ramp. This mode is enabled by default.
• L2 | l2mode - Enables the layer 2 mode. This mode is enabled by default.
• L3 | l3mode - Enables the layer 3 mode. This mode is disabled by default.
• USIP | UseSourceIP - Enables the use source IP mode. This mode is disabled for the HTTP protocol and enabled for non-HTTP protocols by default.
• CKA | Client Keep Alive - Enables the client keep alive mode. This mode is enabled by default.
• TCPB | TCPBuffering - Enables the TCP buffering mode. This mode is disabled by default.
• MBF | MAC Based Forwarding - Enables MAC based forwarding. This mode is enabled by default.
• edge - Enables the edge mode configuration.
• USNIP - Enables the use SNIP mode.
Output
swReqFeature
Example
This CLI command enables the NetScaler 9000 system's client keep-alive feature:
enable ns mode CKA
Related Commands
disable ns mode
show ns mode
show ns mode
Synopsis
show ns mode
Description
Use this command to display the state of Fast Ramp, Layer 2, USIP, client keep-alive, TCP buffering, and MAC-based forwarding features.
Arguments
Output
Mode
Related Commands
disable ns mode
enable ns mode
add ns fis
Synopsis
add ns fis <name>
Description
This command creates an FIS. Each FIS is identified by a name (string max 31 letters). The FIS created is empty (without members).
Arguments
name
The name of the FIS. This name must not exceed 31 characters.
Related Commands
bind ns fis
unbind ns fis
rm ns fis
show ns fis
bind ns fis
Synopsis
bind ns fis <name> <ifnum> ...
Description
This command binds interfaces to an FIS. Adding an interface to an FIS deletes it from CIs and adds it to the new FIS.
Arguments
name
The name of the FIS. This name must not exceed 31 characters.
ifnum
Specifies the interface name represented in the <slot/port> notation. For example, 1/1. Use the show interface CLI command to view the NetScaler 9000 system interfaces.
Related Commands
add ns fis
unbind ns fis
rm ns fis
show ns fis
unbind ns fis
Synopsis
unbind ns fis <name> <ifnum> ...
Description
This command unbinds the specified interface from the FIS. The interface unbound becomes a CI.
Arguments
name
The name of the FIS. This name must not exceed 31 characters.
ifnum
Specifies the interface name represented in the <slot/port> notation. For example, 1/1. Use the show interface CLI command to view the NetScaler 9000 system interfaces.
Related Commands
add ns fis
bind ns fis
rm ns fis
show ns fis
rm ns fis
Synopsis
rm ns fis <name>
Description
Removes the FIS created by the add fis command. Once the FIS is removed, its interfaces become CIs.
Arguments
name
The name of the FIS. This name must not exceed 31 characters.
Related Commands
add ns fis
bind ns fis
unbind ns fis
show ns fis
show ns fis
Synopsis
show ns fis [<name>]
Description
This command displays the configured FISs.
Arguments
name
The name of the FIS.
Output
name
The name of the FIS.
ifaces
Interfaces bound to the FIS.
Example
> show ns fis
1) FIS: fis1
   Member Interfaces : 1/1
Done
Related Commands
add ns fis
bind ns fis
unbind ns fis
rm ns fis
show ns ci
Synopsis
show ns ci
Description
This command displays the CIs.
Output
ifaces
Interfaces that are critical.
Example
> show ns ci
Critical Interfaces: LO/1 1/2
Related Commands
bind ns node
Synopsis
bind ns node -routeMonitor <ip_addr|*> <netmask>
Description
Use this command to monitor the presence of a route in the FIB.
Arguments
routeMonitor
The network.
netmask
The netmask.
Related Commands
stat ns node
unbind ns node
add ns node
set ns node
rm ns node
show ns node
unbind ns node
Synopsis
unbind ns node -routeMonitor <ip_addr|*> <netmask>
Description
Use this command to unbind a route monitor from the node.
Arguments
routeMonitor
The network.
netmask
The netmask.
Related Commands
stat ns node
bind ns node
add ns node
set ns node
rm ns node
show ns node
add ns node
Synopsis
add ns node <id> <IPAddress> [-inc ( ENABLED | DISABLED )]
Description
Use this command to add the IP address of the other NetScaler system in the high availability configuration. The IP addresses of both NetScaler systems must belong to the same subnet.
Arguments
id
The unique number that identifies the node. The value of this parameter can range from 1 to 64.
IPAddress
The IP address of the node to be added. This should be in the same subnet as the NSIP.
inc
Use this option to set (enable or disable) the INC mode.
Possible values: ENABLED, DISABLED
Default value: DISABLED
Related Commands
stat ns node
bind ns node
unbind ns node
set ns node
rm ns node
show ns node
set ns node
Synopsis
set ns node [-hastatus <hastatus>] [-hasync ( ENABLED | DISABLED )] [-helloInterval <msecs>] [-deadInterval <secs>]
Description
Use this command to set the HA status of the current node and configure synchronization.
Arguments
hastatus
The HA status of the node. The valid values are ENABLED and DISABLED. The HA status STAYSECONDARY is used to force the secondary device to stay secondary, independent of the state of the Primary device. For example, in an existing HA setup, the Primary node has to be upgraded and this process would take a few seconds. During the upgrade, the Primary node may be down for a few seconds. However, the Secondary should not take over as the Primary node. Thus, the Secondary node should remain Secondary even if there is a failure in the Primary node.
Possible values: ENABLED, STAYSECONDARY, DISABLED
hasync
The state of synchronization. The valid values are Enabled and Disabled.
Possible values: ENABLED, DISABLED
Default value: ENABLED
helloInterval
The Hello Interval in milliseconds.
Default value: 200
deadInterval
The Dead Interval in seconds.
Default value: 3
Related Commands
stat ns node
bind ns node
unbind ns node
add ns node
rm ns node
show ns node
rm ns node
Synopsis
rm ns node <id>
Description
Use this command to remove a node.
Arguments
id
The unique number that identifies the node. The value can range from 1 to 64.
Related Commands
stat ns node
bind ns node
unbind ns node
add ns node
set ns node
show ns node
show ns node
Synopsis
show ns node
Description
Use this command to display all nodes. It also displays the number of additional nodes, ID, IP address, and the state of all nodes.
Arguments
Output
id
name
IPAddress
flags
hastatus
hasync
enaifaces
disifaces
hamonifaces
pfifaces
ifaces
network
The network.
netmask
The netmask.
inc
INC state.
helloInterval
Hello Interval.
deadInterval
Dead Interval.
Example
An example of the command's output is as follows:
2 configured nodes:
1) Node ID: 0 IP: 192.168.100.5 Primary node
2) Node ID: 2 IP: 192.168.100.112 Secondary node
Related Commands
stat ns node
bind ns node
unbind ns node
add ns node
set ns node
rm ns node
show ns license
Synopsis
show ns license
Description
Use this command to display information about the current NetScaler license.
Arguments
Output
keyfeature
Related Commands
show ns rnat
Synopsis
show ns rnat
Description
Use this command to display the Reverse NAT configuration.
Arguments
Output
network
netmask
The netmask of the network.
natip
aclname
The acl name.
redirectPort
The redirect port.
Related Commands
set ns rnat
clear ns rnat
set ns rnat
Synopsis
set ns rnat ((<network> [<netmask>]) | (<aclname> [-redirectPort <port>])) [-natip <ip_addr> ...]
Description
Use this command to configure Reverse NAT on the NetScaler system.
Arguments
network
The network or subnet from which the traffic is flowing.
netmask
The netmask of the network.
aclname
The acl name.
redirectPort
The redirect port.
natip
The NAT IP(s) assigned to a source IP or NetScaler IP.
Related Commands
show ns rnat
clear ns rnat
clear ns rnat
Synopsis
clear ns rnat ((<network> [<netmask>]) | (<aclname> [-redirectPort])) [-natip <ip_addr> ...]
Description
Use this command to clear the Reverse NAT configuration.
Arguments
network
The network or subnet from which the traffic is flowing.
netmask
The netmask of the network.
aclname
The acl name.
redirectPort
The redirect port.
natip
The NAT IP(s) assigned to a source IP or NetScaler IP.
Related Commands
show ns rnat
set ns rnat
add ns route
Synopsis
add ns route <network> <netmask> <gateway> [<cost>] [-advertise ( DISABLED | ENABLED )] [-protocol <protocol> ...]
Description
Use this command to add a static route to the forwarding table.
Arguments
network
The destination network.
netmask
The netmask of the destination network.
gateway
The gateway for this route.
cost
Cost of the Route.
Default value: 65535
advertise
Use this option to control (enable or disable) the advertisement of this route.
Possible values: DISABLED, ENABLED
protocol
Use this option to choose the routing protocols for advertisement of this route.
Example
add ns route 10.10.10.0 255.255.255.0 10.10.10.1
Related Commands
show ns arp
rm ns arp
set ns route
unset ns route
clear ns route
rm ns route
show ns route
set ns route
Synopsis
set ns route <network> <netmask> <gateway> [<cost>] [-advertise ( DISABLED | ENABLED ) | -protocol <protocol> ...]
Description
Use this command to set the attributes of a route that was added via the add ns route command.
Arguments
network
The destination network for the route.
netmask
The netmask for this destination network.
gateway
The gateway for the destination network of the route.
cost
Cost of the Route.
Default value: 65535
advertise
Use this option to control (enable or disable) the advertisement of this route.
Possible values: DISABLED, ENABLED
protocol
Use this option to choose the routing protocols for advertisement of this route.
Example
set ns route 10.10.10.0 255.255.255.0 10.10.10.1 -advertise enable
Related Commands
add ns route
unset ns route
clear ns route
rm ns route
show ns route
unset ns route
Synopsis
unset ns route <network> <netmask> <gateway> [-advertise ( DISABLED | ENABLED ) | -protocol <protocol> ...]
Description
Use this command to unset the attributes of a route that were added via the add/set ns route command.
Arguments
network
The destination network for the route.
netmask
The netmask for this destination network.
gateway
The gateway for the destination network of the route.
advertise
Use this option to control (enable or disable) the advertisement of this route.
Possible values: DISABLED, ENABLED
protocol
Use this option to choose the routing protocols for advertisement of this route.
Example
unset ns route 10.10.10.0 255.255.255.0 10.10.10.1 -advertise enable
Related Commands
add ns route
set ns route
clear ns route
rm ns route
show ns route
clear ns route
Synopsis
clear ns route <type>
Description
Use this command to clear the Routes.
Arguments
type
The type of routes to be cleared.
Related Commands
add ns route
set ns route
unset ns route
rm ns route
show ns route
rm ns route
Synopsis
rm ns route <network> <netmask> <gateway>
Description
Use this command to remove a configured static route from the NetScaler system. Routes added via VLAN configuration cannot be deleted using this command. Use the rm vlan or clear vlan command instead.
Arguments
network
The network of the route to be removed.
netmask
The netmask of the route to be removed.
gateway
The gateway address of the route to be removed.
Related Commands
clear vlan
add ns route
set ns route
unset ns route
clear ns route
show ns route
show ns route
Synopsis
show ns route [<network> <netmask> [<gateway>]] [<type>] [-detail]
Description
Use this command to display the configured routing information.
Arguments
network
The destination network or host.
type
The type of routes to be shown.
detail
To get a detailed view.
Output
network
The destination network or host.
netmask
The netmask of the destination network.
gateway
The gateway for this route.
gatewayname
The name of the gateway for this route.
advertise
Whether advertisement is enabled or disabled.
rnat
Whether rnat is enabled or disabled.
private
Whether this route is marked as private.
dynamic
Whether this route is dynamically learnt or not.
cost
Cost of this route.
flags
If this route is dynamic, the routing protocol it was learnt from.
Example
An example of the output of the show route command is as follows:
3 configured routes:
    Network      Netmask        Gateway/OwnedIP  Type
    -------      -------        ---------------  ----
1)  0.0.0.0      0.0.0.0        10.11.0.254      STATIC
2)  127.0.0.0    255.0.0.0      127.0.0.1        PERMANENT
3)  10.251.0.0   255.255.0.0    10.251.0.254     NAT
Related Commands
add ns route
set ns route
unset ns route
clear ns route
rm ns route
set ns spparams
Synopsis
set ns spparams [-baseThreshold <integer>] [-throttle <throttle>]
Description
Use this command to set the base threshold and/or the throttle rate for surge protection.
Arguments
baseThreshold
The base threshold. This is the maximum number of server connections that can be opened before surge protection is activated. The maximum value is 32,767.
throttle
The throttle rate, which is the rate at which the NetScaler system opens connections to the server. The different names of throttle are the keywords: relaxed, normal, and aggressive.
Possible values: Aggressive, Normal, Relaxed
Example
set ns spparams -baseThreshold 1000 -throttle aggressive
set ns spparams -throttle relaxed
Related Commands
show ns spparams
show ns spparams
Synopsis
show ns spparams
Description
Use this command to display the surge protection configuration on the NetScaler system. This includes the base threshold value and throttle value. These values are set using the set ns spparams command.
Arguments
Output
baseThreshold
The base threshold. This is the maximum number of server connections that can be open before surge protection is activated. The maximum value that you can enter for this argument is 32,767.
throttle
The throttle rate, which is the rate at which the NetScaler system opens connections to the server. The different names of throttle are the keywords: relaxed, normal, and aggressive.
Table
Example
> show ns spparams
Surge Protection parameters:
BaseThreshold: 200 Throttle: Normal
Done
Related Commands
set ns spparams
set ns tcpbufparam
Synopsis
set ns tcpbufparam [-size <KBytes>] [-memLimit <MBytes>]
Description
Use this command to display the current TCP buffer size. The command also displays the percentage of the system memory that is used for buffering.
Arguments
size
The size (in KBytes) of the TCP buffer per connection. The default size is 64k bytes, the minimum is 4k bytes, and the maximum is 20 MB.
memLimit
The maximum memory that can be used for buffering, in megabytes.
Related Commands
show ns tcpbufparam
show ns tcpbufparam
Synopsis
show ns tcpbufparam
Description
Use this command to display the current TCP buffer size. The command also displays the percentage of the system memory that is used for buffering.
Arguments
Output
size
memLimit
Example
An example of this command's output is as follows:
TCP buffer size: 64KBytes
TCP buffer percentage: 50%
Related Commands
set ns tcpbufparam
show ns version
Synopsis
show ns version
Description
Use this command to display the version and build number of the NetScaler system.
Arguments
Output
version
Related Commands
set ns weblogparam
Synopsis
set ns weblogparam -bufferSizeMB <positive_integer>
Description
Use this command to set the current web log buffer size.
Arguments
bufferSizeMB
The buffer size (in MB) allocated for log transaction data on the NetScaler system. The default setting is 16 MB.
Related Commands
show ns weblogparam
show ns weblogparam
Synopsis
show ns weblogparam
Description
Use this command to display the current size of the buffer, which is used to store log transactions.
Arguments
Output
bufferSizeMB
Related Commands
set ns weblogparam
set ns rateControl
Synopsis
set ns rateControl [-tcpThreshold <positive_integer>] [-udpThreshold <positive_integer>] [-icmpThreshold <positive_integer>]
Description
Use this option to configure UDP/TCP/ICMP packet rate controls for any application that is not configured on the NetScaler (i.e., direct access to the backend through the NetScaler). Specify this rate limit as the number of packets to allow per 10 ms.
Arguments
tcpThreshold
The number of SYNs permitted per 10 milliseconds.
udpThreshold
The number of UDP packets permitted per 10 milliseconds.
icmpThreshold
The number of ICMP packets permitted per 10 milliseconds.
Example
The following command will set the SYN rate to 100, the ICMP rate to 10, and the UDP rate to unlimited.
set ns ratecontrol -tcpThreshold 100 -udpThreshold 0 -icmpThreshold 10
The 'show ns ratecontrol' command can be used to view the current settings of the rate controls.
> show ns ratecontrol
UDP threshold: 0 per 10 ms
TCP threshold: 0 per 10 ms
ICMP threshold: 100 per 10 ms
Done
Related Commands
show ns rateControl
show ns rateControl
Synopsis
show ns rateControl
Description
Use this command to check the current rate control values.
Arguments
Output
tcpThreshold
udpThreshold
icmpThreshold
Example
By default, there is no rate control for TCP/UDP, and for ICMP it is 100. The output of the "show ns ratecontrol" command with the default settings is:
> show ns ratecontrol
UDP threshold: 0 per 10 ms
TCP threshold: 0 per 10 ms
ICMP threshold: 100 per 10 ms
Done
Related Commands
set ns rateControl
reboot
Synopsis
reboot
Description
Use this command to restart a NetScaler system.
Notes:
1. When a standalone NetScaler system is rebooted, all configuration changes made since the last save ns config command was issued are lost.
2. In High Availability mode, on running this command on the primary NetScaler system, the secondary NetScaler system takes over and will have the configuration changes made since the last time that the save ns config command was issued on the primary NetScaler system. In this case, log on to the new primary NetScaler system, then issue the save ns config CLI command to save these changes.
Arguments
Related Commands
config ns
shutdown
shutdown
Synopsis
shutdown
Description
Use this command to stop the operations of the NetScaler system on which you are issuing this command. After you enter this command, you can turn off power to the NetScaler system.
Notes:
1. When a standalone NetScaler system is rebooted, all configuration changes made since the last save ns config command was issued are lost.
2. In High Availability mode, on running this command on the primary NetScaler system, the secondary NetScaler system takes over and will have the configuration changes made since the last time that the save ns config command was issued on the primary NetScaler system. In this case, log on to the new primary NetScaler system, then issue the save ns config CLI command to save these changes.
Arguments
Related Commands
config ns
reboot
set ns rpcnode
Synopsis
set ns rpcnode <IPAddress> [-password <string>]
Description
Use this command to set the authentication attributes associated with peer NetScaler node. All NetScaler nodes use remote procedure calls to communicate.
Arguments
IPAddress
The IP address of the node to be set. This has to be in same subnet as NSIP.
password
The password to be used in authentication with the peer NetScaler node.
Example
Example-1: Failover configuration
In a failover configuration define peer NS as:
add node 1 10.101.4.87
Set peer ha-unit's password as:
set ns rpcnode 10.101.4.87 -password testpass
NetScaler will now use the configured password to authenticate with its failover unit.
Example-2: GSLB configuration
In a GSLB configuration define peer NS GSLB site as:
add gslb site us_east_coast remote 206.123.3.4
Set peer GSLB-NS's password as:
set ns rpcnode 206.123.3.4 -password testrun
NetScaler will now use the configured password to authenticate with east-coast GSLB site.
Related Commands
show ns rpcnode
show ns rpcnode
Synopsis
show ns rpcnode
Description
Use this command to display a list of nodes currently communicating using RPC. All NetScaler nodes use remote procedure calls to communicate.
Arguments
Output
IPAddress
The IP address of the node to be set. This has to be in same subnet as NSIP.
password
retry
The reference count.
Example
The following example shows the list of nodes communicating using RPC:
> sh rpcnode
1) IPAddress: 10.101.4.84 Password: ..8a7b474124957776b56cf03b28
2) IPAddress: 10.101.4.87 Password: ..ca2a035465d22c
Done
Related Commands
set ns rpcnode
Policy Commands
This chapter covers the policy commands.
add policy expression
Synopsis
add policy expression <name> <value>
Description
This command creates an expression.
Arguments
name
The name of the expression that will be created. The name can be up to 32 characters long.
value
"[(] <expname | expression> [<relop> <expname | expression>] [)]..."
<expname> = the name of an existing expression
<relop> = ( && | || )
<expression> = the expression string in the format: ([<flow type>.<protocol>.]<qualifier> <headerName>) <operator> [<qualifier-value>] [-length <positive_integer>] [-offset <positive_integer>] [-netmask <netmask>]
<flow type> = ( REQUEST | RESPONSE )
<protocol> = ( HTTP | SSL | TCP | IP )
<qualifier> = ( METHOD | URL | URLSUFFIX | URLTOKENS | VERSION | URLQUERY | HEADER | URLLEN | URLQUERYLEN | SOURCEIP | DESTIP | SOURCEPORT | DESTPORT | LOCATION | CLIENT.SSL.VERSION | CLIENT.CIPHER.BITS | CLIENT.CIPHER.TYPE | CLIENT.CERT | CLIENT.CERT.VERSION | CLIENT.CERT.SERIALNUMBER | CLIENT.CERT.SIGALGORITHM | CLIENT.CERT.SUBJECT | CLIENT.CERT.ISSUER | CLIENT.CERT.VALIDFROM | CLIENT.CERT.VALIDTO )
<operator> = ( == | eq | != | neq | > | gt | < | lt | >= | ge | <= | le | EXISTS | NOTEXISTS | CONTAINS | NOTCONTAINS | CONTENTS )
Related Commands
set policy expression
rm policy expression
show policy expression
set policy expression
Synopsis
set policy expression <name> <value>
Description
This command modifies an existing expression.
Arguments
name
The name of the expression.
value
The expression string in the format: "([<flow type>.<protocol>.]<qualifier> <headerName>) <operator> [<qualifier-value>] [-length <positive_integer>] [-offset <positive_integer>] [-netmask <netmask>]"
<flow type> = ( REQUEST | RESPONSE )
<protocol> = ( HTTP | TCP | IP )
<qualifier> = ( METHOD | URL | URLSUFFIX | URLTOKENS | VERSION | URLQUERY | HEADER | URLLEN | URLQUERYLEN | SOURCEIP | DESTIP | SOURCEPORT | DESTPORT | LOCATION )
<operator> = ( == | eq | != | neq | > | gt | < | lt | >= | ge | <= | le | EXISTS | NOTEXISTS | CONTAINS | NOTCONTAINS | CONTENTS )
Related Commands
add policy expression
rm policy expression
show policy expression
rm policy expression
Synopsis
rm policy expression <name> ...
Description
This command removes a previously defined expression. If the expression is part of a policy or filter, you must remove the policy or filter before removing the expression.
Arguments
name
The name of the expression to be removed. Separate multiple expressions with spaces.
Related Commands
add policy expression
set policy expression
show policy expression
show policy expression
Synopsis
show policy expression [<name>]
Description
This command displays the expressions defined in the NetScaler 9000 system. The information displayed includes the expression name, qualifier, operator, and expression usage statistics.
Arguments
name
Specifies the name of the expression to be displayed. If no name is given, all expressions are displayed.
Output
name
value
hits
Related Commands
add policy expression
set policy expression
rm policy expression
add policy map
Synopsis
add policy map <mapPolicyName> -sd <string> [-su <string>] [-td <string>] [-tu <string>]
Description
For a reverse proxy virtual server used in the cache redirection feature, this command creates a policy to map a publicly-known domain name to a target domain name. Optionally, a source and target URL can also be specified. The map policy created can be associated with a reverse proxy cache redirection virtual server using the bind cr vserver CLI command. There can be only one default map policy for a domain.
Arguments
mapPolicyName
Specifies the name of the map policy to be created. The name can be at most 32 characters long.
sd
Specifies the source domain name which is publicly known. The maximum string value is 64 characters. This is the domain name with which a client request arrives to a reverse proxy virtual server for cache redirection on the NetScaler 9000 system.
su
Specifies the source URL. The maximum string value can be 207 characters. The format to specify the argument is: / [[prefix] [*]] [.suffix]
td
Specifies the domain name sent to the server. It replaces the source domain name specified by the -sd string argument. The maximum string value length is 64 characters.
tu
Specifies the target URL. The maximum string length is 207 characters. The format to specify the argument is: / [[prefix] [*]] [.suffix]
18-6 Command Reference Guide
add policy map
ExampleExample 1 The following example creates a default map policy (map1) for the source domain www.a.com. Any client requests with this source domain in the host header is changed to www.real_a.com. add policy map map2 -sd www.a.com -td www.real.a.com Example 2 This example shows how to create a URL map policy (map2) if you want to translate /sports.html in the incoming request to /news.html in addition to mapping the source domain www.a.com to www.real_a.com in the outgoing request. add policy map map2 -sd www.a.com -td www.real_a.com -su /sports.html -tu /news.html These type of map policies, called "URL map policies," have the following restrictions: lURL map policies belonging to www.a.com cannot be added without first adding a default map policy as described in Example 1. lIf a source suffix has been specified for URL map policy, a destination suffix must also be specified. lIf an exact URL has been specified as the source, then the target URL should also be exact URL. lIf there is a source prefix in the URL, there must be also a destination prefix in the URL.
Related Commandsrm policy mapshow policy map
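A lint for the URL map policy restrictions and argument limits of add policy map, as an added example (not Citrix code and not part of the original guide). The function names, the sample commands for map3 and map4, and the reading of the "/ [[prefix] [*]] [.suffix]" format (no "*" means an exact URL) are assumptions.

```python
import shlex

# Limits taken from the argument descriptions on this page.
MAX_NAME, MAX_DOMAIN, MAX_URL = 32, 64, 207
NO_URL = {"exact": False, "prefix": False, "suffix": False}


def classify_url(url):
    """Classify a -su/-tu value written as "/ [[prefix] [*]] [.suffix]".

    Assumed reading (not spelled out on the page): a value without "*" is an
    exact URL; with "*", the text before it is the prefix and a ".ext" after
    it is the suffix. Returns None for a malformed or over-long value.
    """
    if not url.startswith("/") or len(url) > MAX_URL:
        return None
    if "*" not in url:
        return {"exact": True, "prefix": False, "suffix": False}
    prefix, _, suffix = url[1:].partition("*")
    if "*" in suffix or (suffix and not suffix.startswith(".")):
        return None
    return {"exact": False, "prefix": bool(prefix), "suffix": bool(suffix)}


def parse_add_policy_map(line):
    """Parse one 'add policy map' line into a dict of its arguments."""
    tokens = shlex.split(line)
    if len(tokens) < 4 or tokens[:3] != ["add", "policy", "map"]:
        raise ValueError("not an 'add policy map' command: %r" % line)
    policy = {"name": tokens[3], "sd": None, "su": None, "td": None, "tu": None}
    args = tokens[4:]
    if len(args) % 2:
        raise ValueError("option without a value in: %r" % line)
    for flag, value in zip(args[0::2], args[1::2]):
        key = flag.lstrip("-")
        if not flag.startswith("-") or key not in ("sd", "su", "td", "tu"):
            raise ValueError("unknown option %r" % flag)
        policy[key] = value
    return policy


def lint_map_policies(lines):
    """Check commands in the order given; return (policy name, finding) pairs."""
    findings = []
    default_for = {}  # source domain -> name of its default map policy
    for line in lines:
        p = parse_add_policy_map(line)

        def note(msg, name=p["name"]):
            findings.append((name, msg))

        if len(p["name"]) > MAX_NAME:
            note("policy name longer than %d characters" % MAX_NAME)
        if p["sd"] is None:
            note("-sd is required")
            continue
        for key in ("sd", "td"):
            if p[key] is not None and len(p[key]) > MAX_DOMAIN:
                note("-%s longer than %d characters" % (key, MAX_DOMAIN))
        if p["su"] is None:
            # No source URL: this is the default map policy for the domain.
            if p["sd"] in default_for:
                note("domain already has default map policy " + default_for[p["sd"]])
            else:
                default_for[p["sd"]] = p["name"]
            continue
        # URL map policy: the domain's default map policy must come first.
        if p["sd"] not in default_for:
            note("no default map policy for %s yet" % p["sd"])
        src = classify_url(p["su"])
        dst = classify_url(p["tu"]) if p["tu"] is not None else NO_URL
        if src is None or dst is None:
            note("malformed or over-long -su/-tu value")
            continue
        if src["exact"] and not dst["exact"]:
            note("exact source URL needs an exact target URL")
        if src["suffix"] and not dst["suffix"]:
            note("source suffix given but target URL has no suffix")
        if src["prefix"] and not dst["prefix"]:
            note("source prefix given but target URL has no prefix")
    return findings


# Constructed sample: the first two lines are Examples 1 and 2 from this page,
# map3 and map4 are made up to trigger the restrictions.
SAMPLE = [
    "add policy map map1 -sd www.a.com -td www.real_a.com",
    "add policy map map2 -sd www.a.com -td www.real_a.com -su /sports.html -tu /news.html",
    "add policy map map3 -sd www.b.com -td www.real_b.com -su /img/*.gif -tu /static/*",
    "add policy map map4 -sd www.a.com -td www.other.com",
]

if __name__ == "__main__":
    for name, finding in lint_map_policies(SAMPLE):
        print("%s: %s" % (name, finding))
```

Running the lint over a saved configuration before applying it shows which public domains are rewritten to which back-end domains and flags any mapping the restrictions above would reject.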
rm policy map
Synopsis
rm policy map <mapPolicyName>
Description
This command removes map policies.
Note: Before using this command, you must first unbind the map policy from the reverse proxy virtual server by using the unbind cr vserver command.
Arguments
mapPolicyName
Names the map policy to be removed.
Related Commands
add policy map
show policy map
show policy map
Synopsis
show policy map
Description
This command displays the map policies that have been configured and the related map policy information. This includes the name of the map policy, the source domain, the source URL, the target domain, the target URL, and the target virtual server.
Arguments
Output
mapPolicyName
sd
su
td
tu
targetName
Related Commands
add policy map
rm policy map
Performance Queuing Commands
This chapter covers the performance queuing commands.
show pq binding
Synopsis
show pq binding <vServerName>
Description
Use this command to display binding information for the NetScaler 9000 system's priority queuing feature. This applies to the specified load balancing virtual server (previously bound during priority queuing configuration).
Arguments
vServerName
Specifies the load balancing virtual server.
Output
policyName
rule
priority
weight
qDepth
polqDepth
Related Commands
add pq policy
Synopsis
add pq policy <policyName> -rule <expression> -priority <positive_integer>
Description
Use this command to create a priority queuing policy.
Note: In order to activate priority queuing on a virtual server, this policy needs to be bound to the virtual server using the bind lb vserver command. This virtual server must also have priority queuing turned on using the set vserver CLI command.
Arguments
policyName
The name of the priority queuing policy.
rule
The condition for applying the policy. When requests are received by a NetScaler 9000 system, they are classified into different priority levels based on the expression_logic that they match. Expression logic is expression names, separated by the logical operators || and &&, and possibly grouped using parentheses. If the expression contains blanks (for example, between an expression name and a logical operator), then the entire argument must be enclosed in double quotes. The following are valid expression logic:
ns_ext_cgi||ns_ext_asp
ns_non_get && (ns_header_cookie||ns_header_pragma)
When a request comes to the NetScaler 9000 system, it is prioritized based on the expression_list that it matches.
priority
The priority of queuing the request. When a request matches the configured rule and server resources are not available, this option specifies a priority for queuing the request until the server resources are available again. Enter the value of positive_integer as 1, 2 or 3. The highest priority level is 1 and the lowest priority value is 3.
weight
The weight for the priority level. Each priority level is assigned a weight according to which it is served when server resources are available. The weight for a higher priority request must be set higher than that of a lower priority request. The default weights for the priority queues 1, 2, and 3 are 3, 2, and 1 respectively. Specify the weights as 0 through 101. A weight of 0 indicates that the particular priority level should be served only when there are no requests in any of the priority queues. A weight of 101 specifies a weight of infinity. This means that this priority level is served irrespective of the number of clients waiting in other priority queues.
qDepth
The queue depth threshold value. When the number of waiting requests in the queue (or queue size) on the virtual server to which this policy is bound increases to the specified qdepth value, any subsequent requests are dropped to the lowest priority level.
polqDepth
The policy queue depth threshold value. When the number of waiting requests in all the queues belonging to this policy (or the policy queue size) increases to the specified polqdepth value, all subsequent requests are dropped to the lowest priority level.
Related Commands
bind lb vserver
set vserver
rm pq policy
set pq policy
show pq policy
rm pq policy
Synopsis
rm pq policy <policyName> ...
Description
Use this command to remove the priority queuing policy that was added using the add pq policy command.
Arguments
policyName
The name of the priority queuing policy to be removed.
Related Commands
add pq policy
set pq policy
show pq policy
set pq policy
Synopsis
set pq policy <policyName> [-weight <positive_integer>] [-qDepth <positive_integer> | -polqDepth <positive_integer>]
Description
Use this command to modify priority queuing policies that were set using the add pq policy command.
Arguments
policyName
The name of the priority queuing policy that is to be modified.
weight
The weight for the priority level. Each priority level is assigned a weight according to which it is served when server resources are available. The weight for a higher priority request must be set higher than that of a lower priority request. The default weights for the priority queues 1, 2, and 3 are 3, 2, and 1 respectively. Specify the weights as 0 through 101. A weight of 0 indicates that the particular priority level should be served only when there are no requests in any of the priority queues. A weight of 101 specifies a weight of infinity. This means that this priority level is served irrespective of the number of clients waiting in other priority queues.
qDepth
The queue depth threshold value. When the number of waiting requests in the queue (or queue size) on the virtual server to which this policy is bound increases to the specified qdepth value, any subsequent requests are dropped to the lowest priority level.
polqDepth
The policy queue depth threshold value. When the number of waiting requests in all the queues belonging to this policy (or the policy queue size) increases to the specified polqdepth value, all subsequent requests are dropped to the lowest priority level.
Related Commands
add pq policy
rm pq policy
show pq policy
show pq policy
Synopsis
show pq policy [<policyName>]
Description
Use this command to display all priority queuing policies added using the add pq policy command.
Arguments
policyName
Output
policyName
rule
priority
weight
qDepth
polqDepth
Related Commands
add pq policy
rm pq policy
set pq policy
Protocols Commands
This chapter covers the protocols commands.
stat protocol tcp
Synopsis
stat protocol tcp [-detail] [-fullValues] [-ntimes <positive_integer>] [-logFile <input_filename>]
Description
Display TCP protocol statistics
Counters
All server connections (SvrCx)
Number of server connections in NetScaler
Closing server connections (SvrCxCl)
Number of server connections in NetScaler in closing states
Established server connections (SvrCxE)
Number of server connections in NetScaler in established state
Opening server connections (SvrCxO)
Number of server connections in NetScaler in opening states
Opened server connections (TotSvrO)
Total number of opened server connections
All client connections (CltCx)
Number of client connections in NetScaler
Closing client connections (CltCxCl)
Number of client connections in NetScaler in closing states
Established client connections (CltCxE)
Number of client connections in NetScaler in established state
Opening client connections (CltCxO)
Number of client connections in NetScaler in opening states
Opened client connections (TotCltO)
Total number of opened client connections
Surge queue (SQlen)
Number of connections in surge queue
Spare connections (SpConn)
Number of spare connections ready to be used
Server active connections (ActSvrCo)
Number of connections currently serving requests
Server out of order packets (SvrOOO)
Number of out of order TCP packets received from servers
Client out of order packets (CltOOO)
Number of out of order TCP packets received from clients
TCP packets received (TCPPktRx)
Number of TCP packets received
TCP bytes received (TCPbRx)
Number of TCP bytes received
TCP packets transmitted (TCPPktTx)
Number of TCP packets transmitted
TCP bytes transmitted (TCPbTx)
Number of TCP bytes transmitted
SYN packets received (TCPSYN)
Number of SYN packets received
Server probes (SYNProbe)
Number of times auto-discovered servers were probed
FIN packets from server (SvrFin)
Number of FIN packets received from a server
FIN packets from client (CltFin)
Number of FIN packets received from a client
Time wait to SYN (WaToSyn)
Number of times a SYN packet was received on a connection in TIME_WAIT state
Data in TIME_WAIT (WaDat)
Number of times data was received on a connection in TIME_WAIT state
Client idle flushed (ZomCltF)
Number of idle client connections flushed
Server idle connections flushed (ZSvrF)
Number of idle server connections flushed
Client half opened flushed (ZCltFHo)
Number of half opened client connections flushed
Server half opened flushed (ZSvrFHo)
Number of half opened server connections flushed
Client active half closed flushed (ZCltFAhc)
Number of active half closed client connections flushed
Server active half closed flushed (ZSvrFAhc)
Number of active half closed server connections flushed
Client passive half closed flushed (ZCltFPhc)
Number of passive half closed client connections flushed
Server passive half closed flushed (ZSrvFPhc)
Number of passive half closed server connections flushed
Bad TCP checksum (TCPBadCk)
Number of bad TCP checksums received
SYN in SYN_RCVD state (TCPSYNRv)
Number of SYN packets received on a connection in SYN_RCVD state
SYN in ESTABLISHED state (TCPSYNEs)
Number of SYN packets received on a connection in ESTABLISHED state
SYN packets timeout (TCPSYNG)
Number of times connection establishment timed out
SYN_SENT incorrect ACK packet (TCPBadAk)
Number of incorrect ACK packets received on a connection in SYN_SENT state
SYN packet retries (TCPSYNRe)
Number of times a SYN packet was retried
FIN packet retries (TCPFINRe)
Number of times a FIN packet was retried
FIN packets timeout (TCPFING)
Number of times connection closing timed out
RST packets received (TCPRST)
Number of RST packets received
RST on not ESTABLISHED (TCPRSTNE)
Number of RST packets received on a connection not in ESTABLISHED state
RST out of window (TCPRSTOW)
Number of RST packets received on a connection out of the current TCP window
RST in TIME_WAIT (TCPRSTTi)
Number of RST packets received on a connection in TIME_WAIT state
Server retransmissions (TCPSvrRe)
Number of retransmission packets from servers
Client retransmissions (TCPCltRe)
Number of retransmission packets from clients
Full packet retransmissions (TCPFulRe)
Number of full retransmission packets
Partial packet retransmissions (TCPParRe)
Number of full retransmission packets
TCP hole on client connection (CltHole)
Number of TCP holes on client connections
TCP hole on server connection (SvrHole)
Number of TCP holes on server connections
Seq number SYN cookie reject (CSeqRej)
Number of TCP SYN cookie packets rejected due to incorrect sequence number
Signature SYN cookie reject (CSigRej)
Number of TCP SYN cookie packets rejected due to incorrect signature
Seq number SYN cookie drop (CSigDrp)
Number of TCP SYN cookie packets dropped due to out of window sequence number
MSS SYN cookie reject (CMssRej)
Number of TCP SYN cookie packets rejected due to incorrect MSS
TCP retransmission (Retr)
Number of TCP retransmissions sent
TCP retransmission giveup (RetrG)
Number of TCP retransmission give-ups
Zombie cleanup calls (ZmbCall)
Number of times zombie cleanup is called
SYN packets held (SYNHeld)
Number of SYN packets held, waiting for server connection
SYN packets flushed (SYNFlush)
Number of held SYN packets flushed due to no server response
TIME_WAIT connections closed (FinWaitC)
Number of connections closed because there were too many connections in TIME_WAIT state
Any IP port allocation failure (PortFal)
Number of port allocation failures on any IP address
IP port allocation failure (PortFalI)
Number of port allocation failures on a specific IP address
Stray packets (StrayPkt)
Number of packets received on a nonexistent connection
RST packets sent (SentRst)
Number of RST packets sent
Bad state connections (BadConn)
Number of connections in none of the known TCP states
Fast retransmits (FastRetr)
Number of fast TCP retransmissions done
1st retransmission (1stRetr)
Number of first retransmissions done
2nd retransmission (2ndRetr)
Number of second retransmissions done
3rd retransmission (3rdRetr)
Number of third retransmissions done
4th retransmission (4thRetr)
Number of fourth retransmissions done
5th retransmission (5thRetr)
Number of fifth retransmissions done
6th retransmission (6thRetr)
Number of sixth retransmissions done
7th retransmission (7thRetr)
Number of seventh retransmissions done
Data after FIN (TCPDtFin)
Number of times data was received after a FIN packet
RST threshold dropped (RstThre)
Number of RST packets dropped due to RST threshold
Packets out of window (OOWPkt)
Number of packets out of TCP advertised window
SYNs dropped (Congestion) (SynCng)
Number of SYN packets dropped because of network congestion
Related Commands
stat protocol http
Synopsis
stat protocol http [-detail] [-fullValues] [-ntimes <positive_integer>] [-logFile <input_filename>]
Description
Display HTTP protocol statistics
Counters
GETs (HTGETs)
Number of HTTP GET requests received
POSTs (HTPOSTs)
Number of HTTP POST requests received
Other methods (HTOthers)
Number of non-GET/POST HTTP methods received
Total requests (HTReqRx)
Total number of HTTP requests received from clients
Total responses (HTRspRx)
Number of HTTP responses received from servers
Request bytes received (HTReqbRx)
Data received in request including headers (in bytes)
Response bytes received (HTRspbRx)
Data received in the response including headers (in bytes)
HTTP/1.0 requests (HT10ReqRx)
Number of HTTP/1.0 requests received from clients
HTTP/1.1 requests (HT11ReqRx)
Number of HTTP/1.1 requests received from clients
Content-length requests (HTCLnReq)
Number of content-length requests received
Chunked requests (HTChkReq)
Number of chunked requests received
HTTP/1.0 responses (HT10RspRx)
Number of HTTP/1.0 responses received from servers
HTTP/1.1 responses (HT11RspRx)
Number of HTTP/1.1 responses received from servers
Content-length responses (HTCLnRsp)
Number of HTTP requests/responses received with content-length headers
Chunked responses (HTChunk)
Number of HTTP requests/responses received with chunked encoding
FIN-terminated responses (HTNoCLnChunk)
Number of FIN-terminated responses
Multi-part responses (HTMPrtHd)
Number of HTTP multi-part header requests/responses received
Incomplete headers (HTIncHd)
Number of incomplete header reassembly failures
Incomplete request headers (HTIncReqHd)
Number of incomplete request headers received
Incomplete response headers (HTIncRspHd)
Number of incomplete response headers received
Large/Invalid messages (HTInvReq)
Number of large/invalid requests/responses received
Large/Invalid chunk requests (HTInvChkRx)
Number of large/invalid requests/responses received
Large/Invalid content-length (HTInvCLn)
Number of large/invalid content-length requests/responses received
Related Commands
stat protocol icmp
Synopsis
stat protocol icmp [-detail] [-fullValues] [-ntimes <positive_integer>] [-logFile <input_filename>]
Description
Display ICMP protocol statistics
Counters
ICMP port unreachable received (PortUnRx)
Number of ICMP port unreachable packets received.
ICMP packets received (ICPktRx)
Number of ICMP packets received by NetScaler.
ICMP bytes received (ICbRx)
Number of ICMP bytes received by NetScaler.
ICMP packets transmitted (ICPktTx)
Number of ICMP packets transmitted by NetScaler.
ICMP bytes transmitted (ICbTx)
Number of ICMP bytes transmitted by NetScaler.
ICMP echo replies received (ECORepRx)
Number of ICMP echo replies received by NetScaler.
ICMP echo replies transmitted (ECORepTx)
Number of ICMP echo replies transmitted by NetScaler.
ICMP echos received (ECORx)
Number of ICMP echos received by NetScaler.
ICMP rate threshold exceeded (ICRtEx)
Number of times the ICMP rate threshold was exceeded.
ICMP packets dropped (ICPktDr)
Number of ICMP packets dropped by NetScaler.
Bad ICMP checksum (BadCkSum)
Number of packets with bad ICMP checksum received.
Need fragmentation received (NeedFrag)
Number of ICMP error message: need fragmentation received.
PMTU non-first IP fragments (PMTUerr)
Number of non-first IP fragments resulting in path MTU error.
PMTU Invalid body len received (IvBdyLen)
Number of invalid body lengths received on a need fragmentation ICMP error message.
PMTU no tcp connection (NoTcpCon)
Number of packets with no TCP connection on src/dst, ip/port information received on a need fragmentation ICMP error message.
PMTU no udp conection (NoUdpCon)
Number of packets with no UDP connection on src/dst, ip/port information received on a need fragmentation ICMP error message.
PMTU invalid tcp seqno recvd (InvSeqNo)
Invalid TCP seqno received on a need fragmentation ICMP error message.
Invalid next MTU value recvd (IvNxtMTU)
Invalid (576|>1500) next MTU value received on a need fragmentation ICMP error message.
Next MTU > Current MTU (BigNxMTU)
Next MTU information received on a need fragmentation ICMP error message greater than current MTU.
PMTU Invalid protocol recvd (IvPrtRx)
Invalid protocol type received on a need fragmentation ICMP error message.
PMTU IP check sum error (CkSumErr)
IP checksum error on the IP fragment in the need fragmentation ICMP error message body.
PMTU pcb with no link (NoLnkErr)
Need fragmentation ICMP error message received on a pcb with no link.
PMTU Discovery not enabled (PMTUdis)
PMTU Discovery mode is not enabled.
ICMP rate threshold (ICThs)
This contains the value set for the 10ms rate threshold for ICMP packets. This implies that within a 10ms range, NetScaler can allow (receive or pass through) the set number of ICMP packets.
ICMP port unreachable generated (PortUnTx)
Number of ICMP port unreachable packets generated by NetScaler.
Related Commands
stat protocol ip
Synopsis
stat protocol ip [-detail] [-fullValues] [-ntimes <positive_integer>] [-logFile <input_filename>]
Description
Display IP protocol statistics
Counters
IP packets received (IPPktRx)
Number of IP packets received by NetScaler.
IP bytes received (IPbRx)
Number of IP bytes received by NetScaler.
IP packets transmitted (IPPktTx)
Number of IP packets transmitted by NetScaler.
Bad IP checksums (badCksum)
Number of packets received with bad IP checksums.
IP bytes transmitted (IPbTx)
Number of IP bytes transmitted by NetScaler.
Megabits received (IPMbRx)
Number of IP bits received by the NetScaler, in megabits.
Megabits transmitted (IPMbTx)
Number of IP bits transmitted by the NetScaler, in megabits.
IP fragments received (IPFragRx)
Number of IP fragments received.
Successful reassembly (reasSucc)
Number of IP packets for which successful reassembly was done.
Unsuccessful reassembly (reasFail)
Number of IP packets for which reassembly failed.
Reassembled data too big (reasBig)
Number of IP packets for which reassembled data was too big.
Reassembly attempted (reasAtmp)
Number of IP packets for which reassembly was attempted.
Zero fragment length received (zeroLen)
Number of IP packets received with fragment length zero.
Duplicate fragments received (dupFrag)
Number of duplicate IP fragments received.
Out of order fragment received (oooFrag)
Number of out of order fragments received.
Unknown destination received (UnkDst)
Number of unknown destinations received, cannot route packet to NSIP.
Bad Transport (badTran)
Number of packets for which the service handler is unknown.
VIP down (vipDown)
Number of packets received for which the VIP is down for natpcb sessions.
Fix header failure (hdrFail)
Number of IP packets in which there is an error in the IP header.
IP address lookups (IpLkUp)
Number of IP address lookups done.
IP address lookup failure (IpLkFail)
Number of IP address lookups which failed.
max non-TCP clients (maxClt)
Number of attempts to open a new connection to a service that already has the maximum number of allowed open client connections.
Unknown services (UnkSvc)
Number of packets received for a NetScaler owned IP, but an un-configured port/service.
land-attacks (LndAtk)
Number of land attack packets received by NetScaler.
UDP fragments forwarded (udpFgFwd)
Total number of UDP fragments forwarded.
TCP fragments forwarded (tcpFgFwd)
Total number of TCP fragments forwarded.
Fragmentation packets created (frgPktCr)
Total number of fragmentation packets created by NS applications.
Invalid IP header size (errHdrSz)
Number of packets with invalid IP header size.
Invalid IP packet size (errPktLen)
Number of packets with invalid IP packet size.
Truncated IP packet (trIP)
Total number of truncated IP packets.
Truncated non-IP packet (trNonIp)
Total number of truncated non-IP packets.
ZERO next hop (zrNxtHop)
Total number of IP packets with ZERO next hop.
Packets with bad MAC sent (BadMacTx)
The total number of transmitted IP packets with bad MAC addresses.
Packets with len > 1514 rcvd (BadLenTx)
The total number of IP packets received with length > 1514.
TTL expired during transit (ttlExp)
Number of IP packets for which TTL expired during transit.
Related Commands
stat protocol udp
Synopsis
stat protocol udp [-detail] [-fullValues] [-ntimes <positive_integer>] [-logFile <input_filename>]
Description
Display UDP protocol statistics
Counters
Current rate threshold (UDPThs)
This contains the value set for the 10ms rate threshold for UDP packets. This implies that within a 10ms range, NetScaler can allow (receive or pass through) the set number of UDP packets.
Packets received (UDPPktRx)
Number of UDP packets received
Bytes received (UDPbRx)
Number of UDP bytes received
Packets transmitted (UDPPktTx)
Number of UDP packets transmitted
Bytes transmitted (UDPbTx)
Number of UDP bytes transmitted
Unknown service (UDPUnSvc)
Number of UDP packets to unconfigured services
Bad UDP checksum (UDPBadCkSum)
Number of packets with bad UDP checksum received.
Rate threshold exceeded (UDPRtEx)
Number of times the UDP rate threshold was exceeded.
Related Commands
Routing Commands
This chapter covers the routing commands.
vtysh
Synopsis
vtysh
Description
Related Commands
set router ospf
Synopsis
set router ospf [-routerID <ip_addr>] [-priority <integer>] [-passiveInterface <string>] [-staticRedistribute [-staticMetricType <integer>]] [-kernelRedistribute [-kernelMetricType <integer>]] [-conRedistribute [-conMetricType <integer>]] [-learnRoute] [-network <ip_addr> <netmask> -area <integer>] [-host <ip_addr> -cost <integer>]
Description
Use this command to configure different OSPF parameters.
Arguments
routerID
The router ID.
priority
The router priority. A value of 0 indicates that the router will not participate in the election of the Designated Router. Default value: 0
passiveInterface
Use this option to change the mode of the interface to listen only.
staticRedistribute
Use this option to enable the redistribution of static routes.
kernelRedistribute
Use this option to enable the redistribution of kernel routes.
conRedistribute
Use this option to enable the redistribution of connected routes.
learnRoute
Use this option to enable route learning from OSPF.
network
The broadcast network on which OSPF is to be run.
host
The stub link.
Example
set router ospf -routerID 1.2.3.4
Related Commands
unset router ospf
show router ospf
unset router ospf
Synopsis
unset router ospf [-routerID] [-priority] [-learnRoute] [-conRedistribute] [-kernelRedistribute] [-staticRedistribute] [-network <ip_addr> <netmask> -area <integer>] [-host <ip_addr> -cost <integer>] [-passiveInterface <string>]
Description
Use this command to clear the OSPF parameters that were configured using the set router ospf command.
Arguments
routerID
Use this option to specify that the OSPF router ID be unset.
priority
Use this option to specify that the OSPF priority be unset.
learnRoute
Use this option to stop route learning from OSPF.
conRedistribute
Use this option to unset the redistribution of connected routes.
kernelRedistribute
Use this option to unset the redistribution of kernel routes.
staticRedistribute
Use this option to unset the redistribution of static routes.
network
Use this option to stop the protocol from running on a specific broadcast network.
host
The stub host link in the OSPF domain.
passiveInterface
Use this option to unset the passive setting of the interface.
Example
unset router ospf -routerID
Related Commands
set router ospf
show router ospf
show router ospf
Synopsis
show router ospf [<ospfoptions>]
Description
Use this command to display the state of the OSPF daemon.
Arguments
ospfoptions
Use this option to display one of border-routers, database, interface, neighbor, route, and virtual-links. Possible values: border-routers, database, interface, neighbor, route, virtual-links
Output
network
The network on which OSPF is running.
netmask
Netmask of the network on which OSPF is running.
Example
show router ospf neighbor
Related Commands
set router ospf
unset router ospf
set router rip
Synopsis
set router rip [-defaultMetric <integer>] [-passiveInterface <string>] [-learnRoute] [-staticRedistribute] [-kernelRedistribute] [-network <ip_addr> <netmask>]
Description
Use this command to configure the RIP daemon.
Arguments
defaultMetric
Use this option to set the default metrics when advertising routes. Default value: 1
passiveInterface
Use this option to set the mode of the interface to listen only.
learnRoute
Use this option to enable route learning and installation in the kernel.
staticRedistribute
Use this option to redistribute static routes.
kernelRedistribute
Use this option to redistribute kernel routes.
network
Use this option to set the broadcast network on which RIP must run.
Example
set router rip -kernelRedistribute
Related Commands
unset router rip
show router rip
unset router rip
Synopsis
unset router rip [-defaultMetric] [-staticRedistribute] [-learnRoute] [-kernelRedistribute] [-passiveInterface <string>] [-network <ip_addr> <netmask>]
Description
Use this command to clear the RIP parameters.
Arguments
defaultMetric
Specifies that the RIP default-metric be unset.
staticRedistribute
Specifies that the RIP redistribute static be unset.
learnRoute
Use this option to disable route learning.
kernelRedistribute
Specifies that the RIP redistribute kernel be unset.
passiveInterface
Use this option to set the mode of the interface to listen only.
network
Use this option to unset the broadcast network on which RIP is running.
Example
unset router rip -defaultMetric
Related Commands
set router rip
show router rip
show router rip
Synopsis
show router rip [<ripoptions>]
Description
Use this command to display the RIP configuration.
Arguments
ripoptions
The RIP information to show, one of database or interface. Possible values: database, interface
Output
network
netmask
Example
show router rip interface
Related Commands
set router rip
unset router rip
set router bgp
Synopsis
set router bgp [<autonomousSystem>] [-routerID <ip_addr>] [-learnRoute] [-staticRedistribute [-staticRouteMap <string>]] [-kernelRedistribute [-kernelRouteMap <string>]] [-conRedistribute [-connectedRouteMap <string>]] [-neighbor <ip_addr> [<remoteAS>] [-neighborRouteMap <string>]] [-network <ip_addr> <netmask>]
Description
Use this command to configure BGP on the NetScaler system.
Arguments
autonomousSystem
The autonomous system for BGP.
routerID
The Router ID of this router.
learnRoute
Use this option to enable route learning and installation from BGP.
staticRedistribute
Use this option to enable the redistribution of static routes.
kernelRedistribute
Use this option to enable the redistribution of kernel routes.
conRedistribute
Use this option to enable the redistribution of connected routes into the BGP domain.
neighbor
The IP address of a BGP peer for the router.
network
The network to be advertised.
Example
set router bgp -kernelRedistribute
Related Commands
show router bgp
unset router bgp
add router bgp
clear router bgp
show router bgp
Synopsis
show router bgp (<bgpoptions> | -routeMap <string>)
Description
Use this command to view the BGP configuration.
Arguments
bgpoptions
The BGP information to show, either neighbors or summary. Possible values: neighbors, summary
routeMap
Use this option to view the BGP route map.
Example
show router bgp summary
Related Commands
set router bgp
unset router bgp
add router bgp
clear router bgp
unset router bgp
unset router bgp
Synopsisunset router bgp [<autonomousSystem>] [-routerID <ip_addr>] [-learnRoute] [-staticRedistribute [-staticRouteMap <string>]] [-kernelRedistribute [-kernelRouteMap <string>]] [-conRedistribute [-connectedRouteMap <string>]] [-neighbor <ip_addr> [-neighborRouteMap <string>]] [-network <ip_addr> <netmask>]
DescriptionUse this option to clear the BGP parameters.
Arguments
autonomousSystemThe autonomous system.
routerIDThe router ID of the router.
learnRouteUse this option to enable route learning from BGP.
staticRedistributeUse this option to enable the redistribution of static routes.
kernelRedistributeUse this option to enable the redistribution of kernel routes.
conRedistributeunset redistribute connected
neighborThe IP address of the BGP neighbor.
21-14 Command Reference Guide
unset router bgp
networkThe network to be advertised.
Exampleunset router bgp -kernelRedistribute
Related Commandsset router bgpshow router bgpadd router bgpclear router bgp

add router bgp
Synopsis
add router bgp [<autonomousSystem>]
Description
Use this option to add BGP neighbors.
Arguments
autonomousSystem: The BGP autonomous system.
routerID: The router ID of the router.
learnRoute: Use this option to enable route learning from BGP.
staticRedistribute: Use this option to enable the redistribution of static routes.
kernelRedistribute: Use this option to enable the redistribution of kernel routes.
conRedistribute: Use this option to enable the redistribution of connected routes.
neighbor: Use this option to add a BGP neighbor.
network: The neighbor to be advertised.
Example
add router bgp 10 neighbor 10.102.10.10 10
Related Commands
set router bgp
show router bgp
unset router bgp
clear router bgp

clear router bgp
Synopsis
clear router bgp (-neighbor <ip_addr> | -all)
Description
Use this command to tear down the BGP connection to a specified neighbor.
Arguments
neighbor: Use this option to specify the neighbor associated with the connection that needs to be torn down.
all: Use this option to reset TCP connections to all neighbors.
Example
clear ip bgp neighbor 10.102.10.10
Related Commands
set router bgp
show router bgp
unset router bgp
add router bgp

add router map
Synopsis
add router map <action>
Description
Use this command to add a route map entry.
Arguments
action: The action associated with the routemap. Possible values: BRIDGE, DENY, ALLOW
mapElement: The index of the entry.
nextHop: The next hop for BGP updates.
matchIP: The filter on the IP address.
metricType: The metric type of the route map entry.
metric: The metric for external routes advertised via OSPF.
Example
add router map deny 1 permit -nexthop 10.102.101.1
Related Commands
set router map
unset router map
show router map

set router map
Synopsis
set router map <action> [-mapElement <integer>] [-nextHop <ip_addr>] [-matchIP <ip_addr>] [-metricType <integer>] [-metric <integer>]
Description
Use this command to set the route map attributes.
Arguments
action: The action associated with the ACL. Possible values: BRIDGE, DENY, ALLOW
mapElement: The index of this entry.
nextHop: The next hop to be advertised to BGP neighbors.
matchIP: The filter on the IP prefix.
metricType: The OSPF metric type for the route map.
metric: The OSPF metric for external routes.
Related Commands
add router map
unset router map
show router map

unset router map
Synopsis
unset router map <action> [-mapElement <integer>] [-nextHop <ip_addr>] [-matchIP <ip_addr>] [-metricType <integer>] [-metric <integer>]
Description
Use this command to clear the route map settings.
Arguments
action: The action associated with the route map. Possible values: BRIDGE, DENY, ALLOW
mapElement: The index of the entry.
nextHop: The next hop to be advertised to the BGP neighbors.
matchIP: The filter on the IP prefix.
metricType: The OSPF metric type for the route map.
metric: The OSPF metric for the external routes.
Example
unset router map mapelement 1 nextHop 10.102.10.10
Related Commands
add router map
set router map
show router map

show router map
Synopsis
show router map
Description
Use this command to view the route map.
Example
show router map
Related Commands
add router map
set router map
unset router map

SureConnect Commands
This chapter covers the SureConnect commands.

set sc parameter
Synopsis
set sc parameter [-sessionlife <secs>] [-vsr <string>]
Description
Use this command to set SureConnect parameters.
Arguments
sessionlife: The SureConnect alternate content window is displayed only once during a session. For the same browser accessing a configured URL, this argument specifies the time between the first time the window displays and the next time it displays. The value is in seconds. The default session life is 300 seconds (5 minutes).
vsr: The file containing the customized response that is to be displayed with ACTION as NS in the SureConnect policy.
Example
set sc parameter -sessionlife 200 -vsr /etc/vsr.htm
Related Commands
show sc parameter

show sc parameter
Synopsis
show sc parameter
Description
Use this command to display the SureConnect parameters set through the use of the set sc parameter CLI command.
Arguments
Output
aspq
sessionlife: The SureConnect alternate content window is displayed only once during a session. For the same browser accessing a configured URL, this argument specifies the time between the first time the window displays and the next time it displays. The value is in seconds. The default session life is 300 seconds (5 minutes).
vsr: Use this parameter to specify that the customized response will be displayed to the user if the alternate content server has been determined by the NetScaler 9000 system to have failed. If you have created a customized response that you want the NetScaler 9000 system to use, enter its filename (if you renamed the vsr.htm file supplied by NetScaler 9000 system). If you have not renamed the file, enter /etc/vsr.htm as the filename.
Example
> show sc parameter
Sure Connect Parameters:
Sessionlife: 300
Vsr: DEFAULT
Done
Related Commands
set sc parameter

add sc policy
Synopsis
add sc policy <name> [-url <URL> | -rule <expression>] [-action <action>] [<altContentSvcName> <altContentPath>]
Description
Use this command to specify the SureConnect policy.
Arguments
name: The name of the SureConnect policy to be added.
url: The URL name. The NetScaler 9000 system matches the incoming client request against the URL you enter here. If the incoming request does not match any of the configured URLs or the rules that have been configured, then SureConnect does not trigger.
rule: The rule that the NetScaler 9000 system matches with the incoming request. The NetScaler 9000 system matches the incoming request against the rules you enter here. Before matching against the configured rules, the NetScaler 9000 system matches the requests with any of the configured URLs. Thus, URLs have a higher precedence over rules. If the incoming request does not match any of the configured URLs or the rules that have been configured, then SureConnect does not trigger. Expression logic consists of expression names, separated by the logical operators || and &&, and possibly grouped using parentheses. If the expression contains blanks (for example, between an expression name and a logical operator), then the entire argument must be enclosed in double quotes. The following are valid expression logic:
ns_ext_cgi||ns_ext_asp
ns_non_get && (ns_header_cookie||ns_header_pragma)
delay: The delay threshold in microseconds for the configured URL or the rule. If the delay statistics gathered for the configured URL or rule exceeds the configured delay, then SureConnect is triggered on the incoming request which matched the corresponding delay.
maxConn: The maximum number of concurrent connections that can be open for the configured URL or rule. You can enter this argument as any integer value greater than zero.
action: The action to be taken when the thresholds are met. The valid options are ACS, NS and NOACTION.
ACS - Specifies that alternate content is to be served from altContSvcName with the path altContPath.
NS - Specifies that alternate content is to be served from the NetScaler 9000 system. See the set sc parameter command to customize the response served from the NetScaler 9000 system.
NOACTION - Specifies that no alternate content is to be served. However, delay statistics are still collected for the configured URLs. If the -maxconn argument is specified, the number of connections is limited to that specified value for that configured URL or rule (alternate content will not be served even if the -maxconn threshold is met).
Possible values: ACS, NS, NOACTION
altContentSvcName: The alternate content service name used in the ACS action.
altContentPath: The alternate content path for the ACS action.
Example
add sc policy scpol_ns -delay 1000000 -url /delay.asp -action NS
add policy expression exp_acs "url == /mc_acs.asp"
add service svc_acs 10.110.100.253 http 80
add scpolicy scpol_acs -maxconn 10 -rule exp_acs -action ACS svc_acs /altcont.htm
Related Commands
rm sc policy
set sc policy
show sc policy

rm sc policy
Synopsis
rm sc policy <policyName>
Description
Use this command to remove the SureConnect policy (that has been previously specified using the add sc policy CLI command) for a service or virtual server.
Arguments
policyName: The name of the SureConnect policy to be removed.
Example
rm sc policy scpol_ns
rm sc policy scpol_acs
Related Commands
add sc policy
set sc policy
show sc policy

set sc policy
Synopsis
set sc policy <name> [-delay <usecs>] [-maxConn <positive_integer>]
Description
Use this command to set the delay and maxConn parameters for the specified SureConnect policy.
Arguments
name: The name of the SureConnect policy that needs to be modified.
delay: The delay threshold in microseconds for the configured URL or the rule. If the delay statistics gathered for the configured URL or rule exceeds the configured delay, then SureConnect is triggered on the incoming request which matched the corresponding delay.
maxConn: The maximum number of concurrent connections that can be open for the configured URL or rule. You can enter this argument as any integer value greater than zero.
Example
set sc policy scpol_ns -delay 2000000
set sc policy scpol_acs -maxconn 100
Related Commands
add sc policy
rm sc policy
show sc policy

show sc policy
Synopsis
show sc policy
Description
Use this command to display all of the SureConnect policies that have been configured (by use of the add sc policy CLI command).
Arguments
Output
name: The name of the SureConnect policy whose parameters need to be displayed.
url: The URL name. The NetScaler 9000 system matches the incoming client request against the URL you enter here.
rule: The rule that the NetScaler 9000 system matches with the incoming request. The NetScaler 9000 system matches the incoming request against the rules you enter here. Before matching against the configured rules, the NetScaler 9000 system matches the requests with any of the configured URLs. Thus, URLs have a higher precedence over rules. If the incoming request does not match any of the configured URLs or the rules that have been configured, then SureConnect does not trigger. Expression logic consists of expression names, separated by the logical operators || and &&, and possibly grouped using parentheses. If the expression contains blanks (for example, between an expression name and a logical operator), then the entire argument must be enclosed in double quotes. The following are valid expression logic:
ns_ext_cgi||ns_ext_asp
ns_non_get && (ns_header_cookie||ns_header_pragma)
delay: The delay threshold in microseconds for the configured URL or the rule. If the delay statistics gathered for the configured URL or rule exceeds the configured delay, then SureConnect is triggered on the incoming request which matched the corresponding delay.
maxConn: The maximum number of concurrent connections that can be open for the configured URL or rule. You can enter this argument as any integer value greater than zero.
action: The action to be taken when the thresholds are met. The valid options are ACS, NS and NOACTION.
ACS - Specifies that alternate content is to be served from altContSvcName with the path altContPath.
NS - Specifies that alternate content is to be served from the NetScaler 9000 system. See the set sc parameter command to customize the response served from the NetScaler 9000 system.
NOACTION - Specifies that no alternate content is to be served. However, delay statistics are still collected for the configured URLs. If the -maxconn argument is specified, the number of connections is limited to that specified value for that configured URL or rule (alternate content will not be served even if the -maxconn threshold is met).
altContentSvcName: The alternate content service name used in the ACS action.
altContentPath: The alternate content path for the ACS action.
Example
> show sc policy
2 monitored Sure Connect Policies:
1) Name: scpol_ns RULE: exp1 Delay: 1000000 microsecs
Alternate Content from NS
2) Name: scpol_acs RULE: exp_acs Max Conn: 10
Alternate Content from ACS, svc_acs /delay/alcont.htm
Done
Related Commands
add sc policy
rm sc policy
set sc policy

SNMP Commands
This chapter covers the SNMP commands.

stat snmp
Synopsis
stat snmp [-detail] [-fullValues] [-ntimes <positive_integer>] [-logFile <input_filename>]
Description
This command displays the SNMP statistics.
Counters
SNMP packets received (PktsRx): The total number of SNMP packets received.
SNMP packets sent (PktsTx): The total number of SNMP packets transmitted.
Unsupported SNMP version (UnkVrsRx): The total number of SNMP Messages received which were for an unsupported SNMP version.
Unknown community name (UnkCNRx): The total number of SNMP Messages received which used an SNMP community name not known to NetScaler.
No permission on community (BadCURx): The total number of SNMP Messages received that represented an SNMP operation which was not allowed by the SNMP community named in the Message.
ASN.1/BER errors in requests (PrsErrRx): The total number of ASN.1 or BER errors encountered when decoding received SNMP Messages.
Get requests received (GetReqRx): The total number of SNMP Get-Request PDUs which have been accepted and processed.
Get-next requests received (GtNextRx): The total number of SNMP Get-Next PDUs which have been accepted and processed.
Get-bulk requests received (GtBulkRx): The total number of SNMP Get-Bulk PDUs which have been accepted and processed.
Responses sent (RspTx): The total number of SNMP Get-Response PDUs which have been generated by the SNMP protocol entity.
Requests dropped (ReqDrop): The total number of SNMP requests dropped.
Traps messages sent (TrapsTx): The total number of SNMP Trap PDUs which have been generated by the SNMP protocol entity.
Example
stat snmp
Related Commands

show snmp stats
Synopsis
show snmp stats - alias for 'stat snmp'
Description
show snmp stats is an alias for stat snmp
Related Commands
stat snmp

enable snmp alarm
Synopsis
enable snmp alarm <trapName> ...
Description
Use this command to enable the specified SNMP alarm.
Arguments
trapName: The alarm to be enabled. Possible values: CPU, MEMORY, SYNFLOOD, VSERVER-REQRATE, SERVICE-REQRATE, ENTITY-RXRATE, ENTITY-TXRATE, ENTITY-SYNFLOOD, SERVICE-MAXCLIENTS
Example
enable snmp alarm VSERVER-REQRATE
enable snmp alarm CPU SYNFLOOD
Related Commands
disable snmp alarm
set snmp alarm
unset snmp alarm
show snmp alarm

disable snmp alarm
Synopsis
disable snmp alarm <trapName> ...
Description
Use this command to disable the specified SNMP alarm.
Arguments
trapName: The alarm to be disabled. Possible values: CPU, MEMORY, SYNFLOOD, VSERVER-REQRATE, SERVICE-REQRATE, ENTITY-RXRATE, ENTITY-TXRATE, ENTITY-SYNFLOOD, SERVICE-MAXCLIENTS
Example
disable snmp alarm VSERVER-REQRATE
disable snmp alarm CPU SYNFLOOD
Related Commands
enable snmp alarm
set snmp alarm
unset snmp alarm
show snmp alarm

set snmp alarm
Synopsis
set snmp alarm <trapName> [<thresholdValue> [-normalValue <positive_integer>]] [-time <secs>] [-state ( ENABLED | DISABLED )]
Description
Use this command to configure the user-configurable SNMP alarms. For each configured alarm, an SNMP trap is sent when the value exceeds the specified high threshold. When the value falls below the normal threshold, another SNMP trap is sent indicating a return-to-normal state.
Note: For any alarm, after a high threshold trap has been sent, it is not sent again until the monitored value falls back to normal.
NetScaler supports eight user configurable alarms:
CPU: High CPU usage
SYNFLOOD: Global unacknowledged SYN count
MEMORY: Memory usage
VSERVER-REQRATE: Vserver specific request rate
SERVICE-REQRATE: Service specific request rate
ENTITY-RXRATE: Entity specific Rx bytes per second
ENTITY-TXRATE: Entity specific Tx bytes per second
ENTITY-SYNFLOOD: Entity specific unacknowledged SYN count
For the purposes of this command, entity includes vservers and services.
Note:
1. These traps are sent to "specific" trap destinations added via the 'add snmp trap specific' command.
2. Thresholds for SERVICE-MAXCLIENTS should be set through 'set service <name> -maxClients <n>'.
Arguments
trapName: The name of the alarm. Possible values: CPU, MEMORY, SYNFLOOD, VSERVER-REQRATE, SERVICE-REQRATE, ENTITY-RXRATE, ENTITY-TXRATE, ENTITY-SYNFLOOD, SERVICE-MAXCLIENTS
thresholdValue: The high threshold value that triggers the alarm.
normalValue: The normal threshold value that triggers the return-to-normal alarm. If this value is not specified, the return to normal alarm is triggered by the value falling below the high threshold value.
time: The time interval for SYNFLOOD alarm only. Default value: 1
state: The current state of the alarm. Possible values: ENABLED, DISABLED Default value: ENABLED
Example
set snmp alarm VSERVER-REQRATE 10000
Related Commands
add snmp trap
enable snmp alarm
disable snmp alarm
unset snmp alarm
show snmp alarm
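
The high-threshold and return-to-normal rules in the set snmp alarm entry decide how many traps a monitoring station receives when a value hovers around the threshold. The following Python model is an added example, not part of the Citrix guide: it replays constructed request-rate samples through those rules to compare trap volume with and without -normalValue. The function names and sample values are assumptions of this example.

```python
# Constructed request-rate samples (requests per second), one per polling
# interval. The 10000 threshold is the value used in the set snmp alarm example.
SAMPLES = [9000, 10500, 9900, 10200, 9800, 10100, 7000]


def alarm_traps(samples, threshold_value, normal_value=None):
    """Return (sample_index, trap) pairs produced by the documented alarm rules."""
    # Without -normalValue, return-to-normal fires below the high threshold.
    if normal_value is None:
        normal_value = threshold_value
    # Assumption of this example: a normal value above the high threshold
    # is treated as a configuration error.
    if normal_value > threshold_value:
        raise ValueError("normal value must not exceed the high threshold")
    raised = False
    traps = []
    for index, value in enumerate(samples):
        if not raised and value > threshold_value:
            raised = True   # the high trap is sent once, then suppressed
            traps.append((index, "HIGH"))
        elif raised and value < normal_value:
            raised = False  # return-to-normal re-arms the high trap
            traps.append((index, "NORMAL"))
    return traps


def trap_count_by_setting(samples, threshold_value, normal_values):
    """Compare how many traps each candidate -normalValue would generate."""
    return {nv: len(alarm_traps(samples, threshold_value, nv))
            for nv in normal_values}


if __name__ == "__main__":
    print(alarm_traps(SAMPLES, 10000))
    print(trap_count_by_setting(SAMPLES, 10000, [None, 9850, 8000]))
```

With no normal value, every dip below the high threshold re-arms the alarm, so a rate that oscillates around 10000 produces a trap on each crossing; a lower normal value collapses the same episode into one HIGH and one NORMAL trap.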

unset snmp alarm
Synopsis
unset snmp alarm <trapName>
Description
Use this command to unset a user-configurable SNMP alarm.
Arguments
trapName: The name of the alarm. Possible values: CPU, MEMORY, SYNFLOOD, VSERVER-REQRATE, SERVICE-REQRATE, ENTITY-RXRATE, ENTITY-TXRATE, ENTITY-SYNFLOOD, SERVICE-MAXCLIENTS
Example
unset snmp alarm VSERVER-REQRATE
Related Commands
enable snmp alarm
disable snmp alarm
set snmp alarm
show snmp alarm

show snmp alarm
Synopsis
show snmp alarm
Description
This command displays the alarm thresholds for the user-configurable traps. These thresholds can be set by the set snmp alarm command.
Arguments
Output
trapName: The name of the alarm.
thresholdValue: The high threshold value.
normalValue: The normal threshold value.
time: The time interval for the SYNFLOOD alarm.
state: The current state of the alarm.
Related Commands
enable snmp alarm
disable snmp alarm
set snmp alarm
unset snmp alarm

add snmp community
Synopsis
add snmp community <communityName> <permissions>
Description
Use this command to set the SNMP community string to grant access to an SNMP network management application to manage the NetScaler system. It also defines the specific management tasks that this user can perform.
Tip: Use the add SNMP manager command to set the management privileges for the network management application.
Arguments
communityName: The SNMP community string.
permissions: The access privileges. Possible values: GET, GET_NEXT, GET_BULK, ALL
Example
add snmp community public ALL
add snmp community a#12ab GET_BULK
Related Commands
rm snmp community
show snmp community

rm snmp community
Synopsis
rm snmp community <communityName>
Description
Use this command to remove the specified SNMP community string. Once the string is deleted, the user will not be able to use the community to manage the NetScaler system.
Arguments
communityName: SNMP community string
Example
rm snmp community public
Related Commands
add snmp community
show snmp community

show snmp community
Synopsis
show snmp community
Description
Use this command to display the access privileges set for all the SNMP community strings configured on the NetScaler system.
Arguments
Output
communityName: SNMP community string
permissions: The access privileges.
Example
show snmp community
Related Commands
add snmp community
rm snmp community

add snmp manager
Synopsis
add snmp manager <IPAddress> ... [-netmask <netmask>]
Description
Use this command to configure the management application, which complies with SNMP version 1 or SNMP version 2, to access the NetScaler system. If at least one management station is not added through this command, network management applications from any host computer can access the NetScaler system. The netmask parameter can be used to grant access from entire subnets. Up to a maximum of 10 network management hosts or networks can be added.
Arguments
IPAddress: The IP/Network address of the management station(s).
netmask: The subnet of management stations. Default value: 255.255.255.255
Example
add snmp manager 192.168.1.20 192.168.2.42
add snmp manager 192.168.2.16 -netmask 255.255.255.240
Related Commands
rm snmp manager
show snmp manager
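
The add snmp community and add snmp manager entries together determine who can query the system over SNMP, and the manager list is open to any host until the first station is added. The following Python script is an added example, not part of the Citrix guide: it parses constructed `add snmp` lines, models that documented rule, and flags well-known community strings and wide manager networks. The function names, finding codes and the /24 policy limit are assumptions of this example.

```python
import ipaddress

# Constructed sample configuration using the command syntax from this chapter;
# it is not taken from a real appliance.
SAMPLE_CONFIG = """\
add snmp community public ALL
add snmp community a#12ab GET_BULK
add snmp manager 192.168.1.20 192.168.2.42
add snmp manager 10.0.0.0 -netmask 255.0.0.0
"""

WELL_KNOWN_COMMUNITIES = {"public", "private"}  # commonly guessed strings
MIN_PREFIX_LEN = 24  # assumed site policy for this example, not a NetScaler limit
DEFAULT_NETMASK = "255.255.255.255"  # default stated in the add snmp manager entry


def parse_snmp_config(text):
    """Collect community strings and manager networks from 'add snmp' lines."""
    communities, managers = [], []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or [t.lower() for t in tokens[:2]] != ["add", "snmp"]:
            continue
        kind, args = tokens[2].lower(), tokens[3:]
        if kind == "community" and len(args) == 2:
            communities.append((args[0], args[1].upper()))
        elif kind == "manager":
            netmask = DEFAULT_NETMASK
            if "-netmask" in args:
                pos = args.index("-netmask")
                if pos + 1 < len(args):
                    netmask = args[pos + 1]
                args = args[:pos]
            for addr in args:
                # strict=False tolerates host bits set in a network address
                managers.append(
                    ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False))
    return communities, managers


def source_allowed(managers, source_ip):
    """Model the documented rule: with no manager configured, any host may query."""
    if not managers:
        return True
    addr = ipaddress.IPv4Address(source_ip)
    return any(addr in net for net in managers)


def audit(text):
    """Return a list of (code, detail) findings for the SNMP access settings."""
    communities, managers = parse_snmp_config(text)
    findings = []
    for name, perms in communities:
        if name.lower() in WELL_KNOWN_COMMUNITIES:
            findings.append(("DEFAULT_COMMUNITY", f"{name} ({perms})"))
    if communities and not managers:
        findings.append(
            ("NO_MANAGER", "no add snmp manager entry: any host can query"))
    for net in managers:
        if net.prefixlen < MIN_PREFIX_LEN:
            findings.append(("WIDE_MANAGER_NET", str(net)))
    return findings


if __name__ == "__main__":
    for code, detail in audit(SAMPLE_CONFIG):
        print(code, detail)
```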

rm snmp manager
Synopsis
rm snmp manager <IPAddress> ... [-netmask <netmask>]
Description
Use this command to remove the access privileges from a management station, so that the management station no longer has access to the NetScaler system.
Arguments
IPAddress: The IP/Network address of the management station.
netmask: The subnet of the management station.
Example
rm snmp manager 192.168.1.20
rm snmp manager 192.168.2.16 -netmask 255.255.255.240
Related Commands
add snmp manager
show snmp manager

show snmp manager
Synopsis
show snmp manager
Description
Use this command to list the management stations that are allowed to manage the NetScaler system. The managers are listed by their IP addresses and netmasks.
Arguments
Output
IPAddress: The IP/Network address of the management station.
netmask: Netmask - if a network address was specified
Related Commands
add snmp manager
rm snmp manager

set snmp mib
Synopsis
set snmp mib [-contact <string>] [-name <string>] [-location <string>]
Description
Use this command to set the system SNMP MIB information of the NetScaler system.
Arguments
contact: The contact person for the NetScaler system.
name: The name of the NetScaler system.
location: The physical location of the NetScaler system.
Related Commands
show snmp mib

show snmp mib
Synopsis
show snmp mib
Description
Use this command to display the information from the SNMP system MIB in the NetScaler system. The information that is displayed depends on what was specified when the set snmp mib CLI command was issued.
Arguments
Output
contact: The contact person for the NetScaler system.
name: The name of the NetScaler system.
location: The physical location of the NetScaler system.
sysDesc: The description of the NetScaler system.
sysUptime: The UP time of the NetScaler system in 100th of a second.
sysServices: The services offered by the NetScaler system.
sysOID: The OID of the NetScaler system's management system.
Example
show snmp mib
Related Commands
set snmp mib

add snmp trap
Synopsis
add snmp trap <trapClass> <trapDestination> ... [-version ( V1 | V2 )]
Description
The SNMP traps are asynchronous events generated by the agent to indicate the state of the system. The destination to which these traps should be sent by the NetScaler system is configured via this command.
Arguments
trapClass: The Trap type. The Generic type causes the standard SNMP traps supported by the NetScaler system to be sent to the destination, while the Specific trap type sets the destination for NetScaler specific traps. Possible values: generic, specific
trapDestination: The IP address of the trap destination.
version: The SNMP version of the trap PDU to be sent. Possible values: V1, V2 Default value: V2
Related Commands
rm snmp trap
show snmp trap

rm snmp trap
Synopsis
rm snmp trap <trapClass> <trapDestination> ...
Description
Use this command to delete a trap destination that has been set.
Arguments
trapClass: The Trap type. Possible values: generic, specific
trapDestination: The IP address of the trap destination.
Related Commands
add snmp trap
show snmp trap

show snmp trap
Synopsis
show snmp trap
Description
Use this command to display the IP addresses of the SNMP managers to which the NetScaler system sends traps and the version of the PDU to be used for these destinations. The location where a trap notification is displayed can be set by using the add snmp trap command.
Arguments
Output
trapClass: The trap type.
trapDestination: The IP address of the trap destination.
version: The SNMP version of the trap to be sent.
Example
show snmp trap
Related Commands
add snmp trap
rm snmp trap

show snmp oid
Synopsis
show snmp oid <entityType> [<name>]
Description
Use this command to display the SNMP OID index for entities of given type.
Arguments
entityType: The entity type. Possible values: VSERVER
name: The name of the entity.
Output
Example
show snmp oid VSERVER vs1
Related Commands

SSL Commands
This chapter covers the SSL commands.

stat ssl
Synopsis
stat ssl [-detail] [-fullValues] [-ntimes <positive_integer>] [-logFile <input_filename>]
Description
This command displays the ssl statistics.
Counters
SSL crypto card status (SSLCard): Status of the SSL card (1=UP, 0=DOWN)
SSL engine status: Status of the SSL Engine (1=UP, 0=DOWN)
SSL transactions (SSLTrn): Number of SSL transactions
SSLv2 transactions (SSL2Trn): Number of SSLv2 transactions
SSLv3 transactions (SSL3Trn): Total number of SSLv3 Transactions.
TLSv1 transactions (TLS1Trn): Number of TLSv1 transactions
SSL sessions (SSLSe): Number of SSL sessions
SSLv3 sessions (SSL3Se): Number of SSLv3 sessions
TLSv1 sessions (TLS1Se): Number of TLSv1 sessions
new SSL sessions (NewSe): Number of new SSL sessions
SSL session hits (SeHit): Number of SSL session reuse hits
SSL session misses (SeMiss): Number of SSL session reuse misses
Export sessions (40-bit) (ExpSe): Total number of Expired SSL Sessions.
SSL session renegotiations (SSLRn): Number of SSL session renegotiations
SSLv3 session renegotiations (SSL3Rn): Number of session renegotiations done on SSLv3
TLSv1 session renegotiations (TLS1Rn): Number of SSL session renegotiations done on TLSv1
SSLv2 sessions (SSL2Se): Number of SSLv2 sessions
SSLv2 SSL handshakes (SSL2Hs): Number of handshakes on SSLv2
SSLv3 SSL handshakes (SSL3Hs): Number of handshakes on SSLv3
TLSv1 SSL handshakes (TLS1Hs): Number of SSL handshakes on TLSv1
RSA 1024-bit key exchanges (RSAKx1): Number of RSA 1024-bit key exchanges
RSA 512-bit key exchanges (RSAKx5): Number of RSA 512-bit key exchanges
RSA 2048-bit key exchanges (RSAKx2): Number of RSA 2048-bit key exchanges
DH 512-bit key exchanges (DHKx5): Number of Diffie-Hellman 512-bit key exchanges
DH 1024-bit key exchanges (DHKx1): Number of Diffie-Hellman 1024-bit key exchanges
DH 2048-bit key exchanges (DHKx2): Number of Diffie-Hellman 2048-bit key exchanges
RSA authentications (RSAAt): Number of RSA authentications
DH authentications (DHAt): Number of Diffie-Hellman authentications
DSS (DSA) authentications (DSSAt): Total number of times DSS authorization used.
Null authentications (NullAt): Number of Null authentications
RC4 40-bit encryptions (RC4En4): Number of RC4 40-bit cipher encryptions
RC4 56-bit encryptions (RC4En5): Number of RC4 56-bit cipher encryptions
RC4 64-bit encryptions (RC4En6): Number of RC4 64-bit cipher encryptions
RC4 128-bit encryptions (RC4En1): Number of RC4 128-bit cipher encryptions
DES 40-bit encryptions (DESEn4): Number of DES 40-bit cipher encryptions
DES 56-bit encryptions (DESEn5): Number of DES 56-bit cipher encryptions
DES 168-bit encryptions (3DESEn1): Number of DES 168-bit cipher encryptions
RC2 40-bit encryptions (RC2En4): Number of RC2 40-bit cipher encryptions
RC2 56-bit encryptions (RC2En5): Number of RC2 56-bit cipher encryptions
RC2 128-bit encryptions (RC2En1): Number of RC2 128-bit cipher encryptions
IDEA 128-bit encryptions (IDEAEn1): Number of IDEA 128-bit cipher encryptions
AES 128-bit encryptions (AESEn1): Number of AES 128-bit cipher encryptions
AES 256-bit encryptions (AESEn2): Number of AES 256-bit cipher encryptions
Null cipher encryptions (NullEn): Number of Null cipher encryptions
MD5 hashes (MD5Hsh): Number of MD5 hashes
SHA hashes (SHAHsh): Number of SHA hashes
SSLv2 client authentications (SSL2CAt): Number of client authentications done on SSLv2
SSLv3 client authentications (SSL3CAt): Number of client authentications done on SSLv3
TLSv1 client authentications (TLS1CAt): Number of client authentications done on TLSv1
Backend SSL sessions (BSSLSe): Number of Backend SSL sessions
Backend SSLv3 sessions (BSSL3Se): Number of Backend SSLv3 sessions
Backend TLSv1 sessions (BTLS1Se): Number of Backend TLSv1 sessions
Backend SSL sessions reused (BSeRe): Number of Backend SSL sessions reused
Backend session multiplex attempts (BSeMx): Number of Backend SSL session multiplex attempts
Backend session multiplex successes (BSeMxS): Number of Backend SSL session multiplex successes
Backend SSL multiplex failures (BSeMxF): Number of Backend SSL session multiplex failures
Backend SSL session renegotiations (BSSLRn): Number of Backend SSL session renegotiations
Backend SSLv3 session renegotiations (BSSL3Rn): Number of Backend SSLv3 session renegotiations
Backend TLSv1 session renegotiations (BTLS1Rn): Number of Backend TLSv1 session renegotiations
Backend RSA 512-bit key exchanges (BRSAKx5): Number of Backend RSA 512-bit key exchanges
Backend RSA 1024-bit key exchanges (BRSAKx1): Number of Backend RSA 1024-bit key exchanges
Backend RSA 2048-bit key exchanges (BRSAKx2): Number of Backend RSA 2048-bit key exchanges
Backend DH 512-bit key exchanges (BDHKx5): Number of Backend DH 512-bit key exchanges
Backend DH 1024-bit key exchanges (BDHKx1): Number of Backend DH 1024-bit key exchanges
Backend DH 2048-bit key exchanges (BDHKx2): Number of Backend DH 2048-bit key exchanges
Backend RC4 40-bit encryptions (BRC4En4): Number of Backend RC4 40-bit cipher encryptions
Backend RC4 56-bit encryptions (BRC4En5): Number of Backend RC4 56-bit cipher encryptions
Backend RC4 64-bit encryptions (BRC4En6): Number of Backend RC4 64-bit cipher encryptions
Backend RC4 128-bit encryptions (BRC4En1): Number of Backend RC4 128-bit cipher encryptions
Backend DES 40-bit encryptions (BDESEn4): Number of Backend DES 40-bit cipher encryptions
Backend DES 56-bit encryptions (BDESEn5): Number of Backend DES 56-bit cipher encryptions
Backend 3DES 168-bit encryptions (B3DESE1n): Number of Backend 3DES 168-bit cipher encryptions
Backend AES 128-bit encryptions (BAESEn1): Backend AES 128-bit cipher encryptions
Backend AES 256-bit encryptions (BAESEn2): Backend AES 256-bit cipher encryptions
Backend RC2 40-bit encryptions (BRC2En4): Number of Backend RC2 40-bit cipher encryptions
Backend RC2 56-bit encryptions (BRC2En5): Number of Backend RC2 56-bit cipher encryptions
Backend RC2 128-bit encryptions (BRC2En1): Number of Backend RC2 128-bit cipher encryptions
Backend IDEA 128-bit encryptions (BIDEAEn1): Number of Backend IDEA 128-bit cipher encryptions
Backend null encryptions (BNullEn): Number of Backend null cipher encryptions
Backend MD5 hashes (BMD5Hsh): Number of Backend MD5 hashes
Backend SHA hashes (BSHAHsh): Number of Backend SHA hashes
SSLv2 SSL handshakes (SSL2Hs): Number of handshakes on SSLv2
SSLv3 SSL handshakes (SSL3Hs): Number of handshakes on SSLv3
TLSv1 SSL handshakes (TLS1Hs): Number of SSL handshakes on TLSv1
Backend SSLv3 handshakes (BSSL3Hs): Number of Backend SSLv3 handshakes
Backend TLSv1 handshakes (BTLS1Hs): Number of Backend TLSv1 handshakes
Backend SSLv3 client authentications (BSSL3CAt): Number of Backend SSLv3 client authentications
Backend TLSv1 client authentications (BTLS1CAt): Number of Backend TLSv1 client authentications
Backend RSA authentications (BRSAAt): Number of Backend RSA authentications
Backend DH authentications (BDHAt): Number of Backend DH authentications
Backend DSS authentications (BDSSAt): Number of Backend DSS authentications
Backend Null authentications (BNullAt): Number of Backend null authentications
Related Commands
show ssl stats
Synopsis
show ssl stats - alias for 'stat ssl'
Description
show ssl stats is an alias for stat ssl
Related Commands
stat ssl
create ssl cert
Synopsis
create ssl cert <certFile> <reqFile> <certType> [-keyFile <input_filename>] [-keyform ( DER | PEM )] [-days <positive_integer>] [-certForm ( DER | PEM )] [-CAcert <input_filename>] [-CAcertForm ( DER | PEM )] [-CAkey <input_filename>] [-CAkeyForm ( DER | PEM )] [-CAserial <output_filename>]
Description
Use this command to generate a signed X509 Certificate.
Arguments
certFile: The name of the generated certificate file. The default path of the certificate file is /nsconfig/ssl/.
reqFile: The Certificate Signing Request (CSR) file that is used to generate the certificate. This file is created using the "create ssl certreq" command or an existing CSR. The default input path for the CSR file is /nsconfig/ssl/.
certType: The type of the certificate to be generated.
ROOT_CERT: The certificate generated will be a self-signed Root-CA certificate. For this, you need to specify the -keyFile parameter. The generated Root-CA certificate can be used for signing end-user certificates (Client/Server) or to create Intermediate-CA certificates.
INTM_CERT: The certificate generated will be an Intermediate-CA certificate. For this, you need to specify the following parameters: -CAcert, -CAkey, and -CAserial. NOTE: The three parameters are also mandatory for the CLNT_CERT or SRVR_CERT certificate types.
CLNT_CERT: The certificate generated will be an end-user client certificate. This can be used in a Client-Authentication setup.
SRVR_CERT: The certificate generated will be an end-user Server certificate. This can be used as an SSL server certificate on the backend SSL servers for an SSL backend-encryption setup with the NetScaler system.
NOTE: Avoid using a Server certificate generated as above for a front-end SSL virtual server (or SSL service) on a NetScaler system, or on any front-end SSL server, if the certificate is signed by NetScaler. The same applies to a NetScaler-generated Intermediate-CA or Root-CA certificate. NetScaler-generated CA certificates are not present in browsers (such as IE, Netscape, and other browsers) by default, so the Server Certificate verification fails during the SSL handshake. Browsers generally display a warning message and prompt the user to either continue with the SSL handshake or terminate it. If the NetScaler-generated CA certificates are installed in the browsers as trusted CA certificates, the SSL handshake proceeds without any errors or warnings.
Possible values: ROOT_CERT, INTM_CERT, CLNT_CERT, SRVR_CERT
keyFile: The input keyFile to sign the certificate being generated. This keyFile is created using the "create ssl rsakey" or "create ssl dsakey" commands, or an existing RSA/DSA key. This file is required only when creating a self-signed Root-CA certificate. The default input path for the keyFile is /nsconfig/ssl/. Note: If the input key specified is an encrypted key, the user will be prompted to enter the PEM pass-phrase that was used for encrypting the key.
keyform: The format for the input key file. PEM: Privacy Enhanced Mail. DER: Distinguished Encoding Rule. Possible values: DER, PEM. Default value: PEM
days: The number of days for which the certificate will be valid. The certificate is valid from the time and day (NetScaler 9000 system time) of the creation, to the number of days specified in the -days field. Default value: 365
certForm: The output certificate format. PEM: Privacy Enhanced Mail. DER: Distinguished Encoding Rule. Possible values: DER, PEM. Default value: PEM
CAcert: The CA certificate file that will issue and sign the Intermediate-CA certificate or the end-user certificates (Client/Server). The default input path for the CA certificate file is /nsconfig/ssl/.
CAcertForm: The format of the input CA certificate file. PEM: Privacy Enhanced Mail. DER: Distinguished Encoding Rule. Possible values: DER, PEM. Default value: PEM
CAkey: The CA key file that will be used to sign the Intermediate-CA certificate or the end-user certificates (Client/Server). The default input path for the CA key file is /nsconfig/ssl/. Note: If the CA key file is password protected, the user will be prompted to enter the pass-phrase used for encrypting the key.
CAkeyForm: The format of the input CA key file. PEM: Privacy Enhanced Mail. DER: Distinguished Encoding Rule. Possible values: DER, PEM. Default value: PEM
CAserial: The serial number file maintained for the CA certificate. This will contain the serial number of the next certificate to be issued/signed by the CA (-CAcert). If the specified file does not exist, a new file will be created. The default input path for the CAserial file name is /nsconfig/ssl/. Note: Specify the proper path of the existing serial file; otherwise a new serial file will be created. This may change the certificate serial numbers assigned by the CA certificate to each certificate it signs.
Example
1) create ssl cert /nsconfig/ssl/root_cert.pem /nsconfig/ssl/root_csr.pem ROOT_CERT -keyFile /nsconfig/ssl/root_key.pem -days 1000
The above example creates a self-signed Root-CA certificate.
2) create ssl cert /nsconfig/ssl/server_cert.pem /nsconfig/ssl/server_csr.pem SRVR_CERT -CAcert /nsconfig/ssl/root_cert.pem -CAkey /nsconfig/ssl/root_key.pem -CAserial /nsconfig/ssl/root.srl
The above example creates a Server certificate which is signed by the Root-CA certificate: root_cert.pem
Related Commands
create ssl certreq
create ssl rsakey
create ssl dsakey
add ssl certkey
add ssl certkey
Synopsis
add ssl certkey <certkeyName> -cert <string> [(-key <string> [-password]) | -fipsKey <string>] [-inform ( DER | PEM )]
Description
Use this command to add a certificate-key pair object. Notes:
1) For server certificate-key pair, use both -cert and -key arguments.
2) The CLI command "bind ssl certkey", used for binding a certificate-key pair to an SSL virtual server, fails if the certificate-key pair does not include the private key.
3) In an HA configuration, the certificate should be located as specified in the -cert <string> parameter, on both the primary and secondary nodes. If the optional parameter -key is used, the key must be located as specified in the -key <string> parameter.
Arguments
certkeyName: The name of the certificate and private-key pair.
cert: The file name and path for the X509 certificate file. The certificate file should be present on the NetScaler system device (HDD). The default input path for the certificate file is /nsconfig/ssl/.
key: The file name and path for the private-key file. The private-key file should be present on the NetScaler system device (HDD). The default input path for the key file is /nsconfig/ssl/. Notes: 1) This argument is optional when adding a Certificate-Authority (CA) certificate file. In this case the CA's private-key will not be available to the user. 2) The NetScaler FIPS system does not support external keys (non-FIPS keys). On a NetScaler FIPS system, you will not be able to load keys from a local storage device such as a hard disc or flash memory.
fipsKey: The name of the FIPS key. The FIPS key is created inside the FIPS HSM (Hardware Security Module). This is applicable only to the SSL FIPS system.
inform: The input format of the certificate and the private-key files. The two formats supported by the NetScaler system are: PEM: Privacy Enhanced Mail. DER: Distinguished Encoding Rule. Possible values: DER, PEM. Default value: PEM
Example
1) add ssl certkey siteAcertkey -cert /nsconfig/ssl/cert.pem -key /nsconfig/ssl/pkey.pem
The above command loads a certificate and private key file.
2) add ssl certkey siteAcertkey -cert /nsconfig/ssl/cert.pem -key /nsconfig/ssl/pkey.pem -password
Password: ********
The above command loads a certificate and private key file. Here the private key file is an encrypted key.
3) add ssl certkey fipscert -cert /nsconfig/ssl/cert.pem -fipskey fips1024
The above command loads a certificate and associates it with the corresponding FIPS key that resides within the HSM.
Related Commands
bind ssl certkey
link ssl certkey
rm ssl certkey
show ssl certkey
unbind ssl certkey
unlink ssl certkey
update ssl certkey
bind ssl certkey
Synopsis
bind ssl certkey (<vServerName>@ | <serviceName>@) <certkeyName> [-CA] [-vServer | -service]
Description
Use this command to bind a certificate-key pair to an SSL virtual server or an SSL service.
Arguments
vServerName: The name of the SSL virtual server to which the certificate-key pair needs to be bound.
serviceName: The name of the SSL service to which the certificate-key pair needs to be bound. Use the "add service" command to create this service.
certkeyName: The object name for the certificate-key pair.
CA: If this option is specified, it indicates that the certificate-key pair being bound to the SSL virtual server is a CA certificate. If this option is not specified, the certificate-key pair is bound as a normal server certificate. Note: In case of a normal server certificate, the certificate-key pair should consist of both the certificate and the private-key.
vServer: Specify this option to bind the certificate to an SSL virtual server. Note: The default option is -vServer.
service: Specify this option to bind the certificate to an SSL Service.
Example
1) bind ssl certkey sslvip siteAcertkey
In the above example, the certificate-key pair siteAcertkey is bound to the SSL virtual server as server certificate.
2) bind ssl certkey sslvip CAcertkey -CA
In the above example, the certificate-key pair CAcertkey is bound to the SSL virtual server as CA certificate.
3) bind ssl certkey sslsvc siteAcertkey -service
In the above example, the certificate-key pair siteAcertkey is bound to the SSL Service as server certificate.
Related Commands
show ssl vserver
add ssl certkey
link ssl certkey
rm ssl certkey
show ssl certkey
unbind ssl certkey
unlink ssl certkey
update ssl certkey
link ssl certkey
Synopsis
link ssl certkey <certkeyName> <linkcertkeyName>
Description
Use this command to link a certificate-key pair to its Certificate Authority (CA) certificate-key pair. Note: The two certificate-key pairs are linked only if the certificate specified in the certKeyName parameter is issued by the Certificate-Authority specified in the linkCertKeyName parameter.
Arguments
certkeyName: The certificate-key name that is to be bound to its issuer certificate-key pair.
linkcertkeyName: Specifies the name of the Certificate-Authority.
Example
1) link ssl certkey siteAcertkey CAcertkey
In the above example, the certificate-key siteAcertkey is bound to its issuer certificate-key pair CAcertkey.
Related Commands
show ssl certlink
add ssl certkey
bind ssl certkey
rm ssl certkey
show ssl certkey
unbind ssl certkey
unlink ssl certkey
update ssl certkey
rm ssl certkey
Synopsis
rm ssl certkey <certkeyName> ...
Description
Use this command to remove the specified certificate-key pair from the NetScaler system.
Arguments
certkeyName: The name of the certificate-key pair. Note: The certificate-key pair is removed only when it is not referenced by any other object. The reference count is updated when the certificate-key pair is bound to an SSL virtual server (using the "bind ssl certkey" CLI command) or linked to another certificate-key pair (using the "link ssl certkey" CLI command).
Example
1) rm ssl certkey siteAcertkey
The above command removes the certificate-key pair siteAcertkey from the NetScaler 9000 system.
Related Commands
add ssl certkey
bind ssl certkey
link ssl certkey
show ssl certkey
unbind ssl certkey
unlink ssl certkey
update ssl certkey
show ssl certkey
Synopsis
show ssl certkey [<certkeyName>]
Description
Use this command to display the information pertaining to the certificate-key pairs configured on the NetScaler system:
1) If no argument is specified, the command will display all the certificate-key pairs configured on the NetScaler system.
2) If the certKeyName argument is specified, the command will display the details of the certificate.
Arguments
certkeyName: The certificate-key pair object name for which the certificate details are to be displayed.
Output
cert
key
inform
signatureAlg
description
issuer
notbefore
notafter
subject
publickey
publickeysize
version
status
fipsKey
passcrypt
serial
serverNamevsrvsvcname_len
serviceNamevsrvsvcname_len
Example
1) An example of the output of the show ssl certkey command is shown below:
2 configured certkeys:
1) Name: siteAcertkey
Cert Path: /nsconfig/ssl/siteA-cert.pem
Key Path: /nsconfig/ssl/siteA-key.pem
Format: PEM
Status: Valid
2) Name: cert1
Cert Path: /nsconfig/ssl/server_cert.pem
Key Path: /nsconfig/ssl/server_key.pem
Format: PEM
Status: Valid
2) An example of the output of the show ssl certkey siteAcertkey command is shown below:
Name: siteAcertkey
Status: Valid
Version: 3
Serial Number: 02
Signature Algorithm: md5WithRSAEncryption
Issuer: /C=US/ST=CA/L=Santa Clara/O=siteA/OU=Tech
Validity
Not Before: Nov 11 14:58:18 2001 GMT
Not After: Aug 7 14:58:18 2004 GMT
Subject: /C=US/ST=CA/L=San Jose/O=CA/OU=Security
Public Key Algorithm: rsaEncryption
Public Key size: 1024
Related Commands
add ssl certkey
bind ssl certkey
link ssl certkey
rm ssl certkey
unbind ssl certkey
unlink ssl certkey
update ssl certkey
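The fields printed by show ssl certkey <certkeyName> (signature algorithm, validity dates, public key size) are the ones a certificate hygiene review looks at. The following Python script is an added example, not part of the original guide or any Citrix tooling; the sample text is constructed from the example output above, and the thresholds (2048-bit RSA minimum, MD5/SHA-1 signatures flagged, 30-day expiry warning) are assumed policy values.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the "show ssl certkey siteAcertkey" example, one field per line.
SAMPLE_OUTPUT = """\
Name: siteAcertkey
Status: Valid
Version: 3
Serial Number: 02
Signature Algorithm: md5WithRSAEncryption
Issuer: /C=US/ST=CA/L=Santa Clara/O=siteA/OU=Tech
Validity
    Not Before: Nov 11 14:58:18 2001 GMT
    Not After: Aug  7 14:58:18 2004 GMT
Subject: /C=US/ST=CA/L=San Jose/O=CA/OU=Security
Public Key Algorithm: rsaEncryption
Public Key size: 1024
"""

LABELS = ["Name", "Status", "Version", "Serial Number", "Signature Algorithm",
          "Issuer", "Not Before", "Not After", "Subject",
          "Public Key Algorithm", "Public Key size"]
# Longest labels first so "Public Key Algorithm" is never cut short.
LABEL_RE = re.compile(
    r"\b(" + "|".join(sorted(map(re.escape, LABELS), key=len, reverse=True)) + r"):")
MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), 1)}
DATE_RE = re.compile(r"^(\w{3})\s+(\d{1,2})\s+(\d{2}):(\d{2}):(\d{2})\s+(\d{4})\s+GMT$")


def parse_certkey(text):
    """Split the output on its known labels; works for multi-line or flattened text."""
    fields = {}
    matches = list(LABEL_RE.finditer(text))
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(text)
        value = text[m.end():end]
        # "Validity" is a bare heading between Issuer and Not Before, not a value.
        value = re.sub(r"\s*\bValidity\s*$", "", value)
        fields[m.group(1)] = " ".join(value.split())
    return fields


def parse_gmt(value):
    """Parse 'Aug 7 14:58:18 2004 GMT' without depending on the process locale."""
    m = DATE_RE.match(value)
    if not m or m.group(1) not in MONTHS:
        raise ValueError("unrecognised date: %r" % value)
    mon, day, hh, mm, ss, year = m.groups()
    return datetime(int(year), MONTHS[mon], int(day), int(hh), int(mm), int(ss),
                    tzinfo=timezone.utc)


def audit_certkey(text, now, warn_days=30, min_rsa_bits=2048):
    """Return a list of (code, message) findings for one certificate-key pair."""
    f = parse_certkey(text)
    findings = []
    if f.get("Status", "").lower() != "valid":
        findings.append(("STATUS", "status is %r" % f.get("Status")))
    sig = f.get("Signature Algorithm", "")
    if sig.lower().startswith(("md5", "sha1")):
        findings.append(("WEAK_SIG_HASH", "signature algorithm %s" % sig))
    bits = f.get("Public Key size", "")
    if f.get("Public Key Algorithm") == "rsaEncryption" and bits.isdigit() \
            and int(bits) < min_rsa_bits:
        findings.append(("SHORT_KEY", "%s-bit RSA key" % bits))
    if "Not Before" in f and parse_gmt(f["Not Before"]) > now:
        findings.append(("NOT_YET_VALID", "valid from %s" % f["Not Before"]))
    if "Not After" in f:
        remaining = parse_gmt(f["Not After"]) - now
        if remaining <= timedelta(0):
            findings.append(("EXPIRED", "expired %s" % f["Not After"]))
        elif remaining < timedelta(days=warn_days):
            findings.append(("EXPIRING", "expires in %d days" % remaining.days))
    return findings


if __name__ == "__main__":
    for code, message in audit_certkey(SAMPLE_OUTPUT, datetime.now(timezone.utc)):
        print(code, message)
```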
unbind ssl certkey
Synopsis
unbind ssl certkey (<vServerName>@ | <serviceName>@) <certkeyName> [-CA] [-vServer | -service]
Description
Use this command to unbind the certificate-key pair from the specified SSL vserver or SSL service. Use the "bind ssl certkey" command to bind the certificate-key pair to the specified SSL vserver or SSL service.
Arguments
vServerName: The name of the SSL virtual server.
serviceName: The name of the SSL service.
certkeyName: The certificate-key object name that needs to be unbound from the SSL virtual server or SSL service.
CA: Specifies that the certificate-key pair being unbound is a Certificate Authority (CA) certificate. If you choose this option, the certificate-key pair is unbound from the list of CA certificates that were bound to the specified SSL virtual server or SSL service.
vServer: Specify this option to unbind the certificate from an SSL virtual server. Note: The default option is -vServer.
service: Specify this option to unbind the certificate from an SSL Service.
Example
1) unbind ssl certkey sslvip siteAcertkey
In the above example, the server certificate siteAcertkey is unbound from the SSL virtual server.
2) unbind ssl certkey sslvip CAcertkey -CA
In the above example, the CA certificate CAcertkey is unbound from the SSL virtual server.
Related Commands
show ssl vserver
add ssl certkey
bind ssl certkey
link ssl certkey
rm ssl certkey
show ssl certkey
unlink ssl certkey
update ssl certkey
unlink ssl certkey
Synopsis
unlink ssl certkey <certkeyName>
Description
Use this command to unlink the certificate-key name from its Certificate-Authority (CA) certificate-key pair.
Arguments
certkeyName: The certificate-key object name that has to be unlinked from the CA certificate. The CA certificate name is taken internally.
Example
1) unlink ssl certkey siteAcertkey
The above example unlinks the certificate 'siteAcertkey' from its Certificate-Authority (CA) certificate.
Related Commands
show ssl certlink
add ssl certkey
bind ssl certkey
link ssl certkey
rm ssl certkey
show ssl certkey
unbind ssl certkey
update ssl certkey
update ssl certkey
Synopsis
update ssl certkey <certkeyName> [-cert <string>] [(-key <string> [-password]) | -fipsKey <string>] [-inform ( DER | PEM )] [-noDomainCheck]
Description
Use this command to update a certificate-key pair object. Notes:
1) In an HA configuration, the certificate should be located as specified in the -cert <string> parameter, on both the primary and secondary nodes. If the optional parameter -key is used, the key must be located as specified in the -key <string> parameter.
Arguments
certkeyName: The name of the certificate and private-key pair.
cert: The file name and path for the X509 certificate file. The certificate file should be present on the NetScaler system device (HDD). The default input path for the certificate file is /nsconfig/ssl/.
key: The file name and path for the private-key file. The private-key file should be present on the NetScaler system device (HDD). The default input path for the key file is /nsconfig/ssl/.
fipsKey: The name of the FIPS key. The FIPS key is created inside the FIPS HSM (Hardware Security Module). This is applicable only to the SSL FIPS system.
inform: The input format of the certificate and the private-key files. The two formats supported by the NetScaler system are: PEM: Privacy Enhanced Mail. DER: Distinguished Encoding Rule. Possible values: DER, PEM. Default value: PEM
noDomainCheck: Specify this option to override the check for matching domain names during the certificate update operation.
Example
1) update ssl certkey siteAcertkey -cert /nsconfig/ssl/cert.pem -key /nsconfig/ssl/pkey.pem
The above command updates a certificate and private key file.
2) update ssl certkey siteAcertkey -cert /nsconfig/ssl/cert.pem -key /nsconfig/ssl/pkey.pem -password
Password: ********
The above command updates a certificate and private key file. Here the private key file is an encrypted key.
3) update ssl certkey mydomaincert
The above command updates the certificate using the same parameters (-cert path/-key path) that it was added with.
Related Commands
add ssl certkey
rm ssl certkey
bind ssl certkey
link ssl certkey
show ssl certkey
unbind ssl certkey
unlink ssl certkey
show ssl certlink
Synopsis
show ssl certlink
Description
Use this command to display all the linked certificate-key pairs in the NetScaler system.
Arguments
Output
certkeyName
linkcertkeyName
Example
The following shows an example of the output of the show ssl certlink command:
linked certificate:
1) Cert Name: siteAcertkey CA Cert Name: CAcertkey
Related Commands
link ssl certkey
unlink ssl certkey
create ssl certreq
Synopsis
create ssl certreq <reqFile> [-keyFile <input_filename>] [-fipsKeyName <string>] [-keyform ( DER | PEM )]
Description
Use this command to generate a new Certificate Signing Request (CSR). The generated CSR can be sent to a Certificate-Authority (CA) to obtain an X509 certificate for the user domain (web site).
Arguments
reqFile: The file name where the generated Certificate Signing Requests are stored. The default output path for the CSR file is /nsconfig/ssl/.
keyFile: The key file name to be used. The key can be an RSA or a DSA key. The default input path for the key file is /nsconfig/ssl/.
fipsKeyName: The FIPS key name to be used. FIPS keys are created inside the FIPS HSM (Hardware Security Module). This is applicable only to the SSL FIPS system.
keyform: The format for the input key file specified in keyFile. PEM: Privacy Enhanced Mail. DER: Distinguished Encoding Rule. Possible values: DER, PEM. Default value: PEM
The command prompts the user for information that is incorporated in the Certificate Signing Request. For example, this information forms the Distinguished Name (DN) for the domain or the site.
Country Name - Two letter ISO code for your country. For example, US for United States.
State or Province Name - Full name for the state or province where your organization is located. Do not abbreviate.
Locality Name - Name of the city or town in which your organization's head office is located.
Organization Name - Name of the organization. The organization name (corporation, limited partnership, university, or government agency) must be registered with some authority at the national, state, or city level. Use the legal name under which the organization is registered. Do not abbreviate the organization name and do not use the following characters in the name: < > ~ ! @ # 0 ^ * / ( )?.
Organization Unit Name - Division or Section name in the organization that will use the certificate.
Common Name - Fully qualified domain name (FQDN) for the company/Web site. The common name must match the name used by DNS servers to do a DNS lookup of your server (for example, www.mywebsite.com). Most browsers use this information for authenticating the server's certificate during the SSL handshake. If the server name does not match the common name as given in the server certificate, the browsers will terminate the SSL handshake or prompt the user with a warning message. CAUTION: Do not use wildcard characters such as * or ? and do not use an IP address as the common name. The common name should be without the protocol specifier http:// or https://.
Challenge Password - Challenge password for this certificate.
Optional Company Name - Additional name of the company/web-site.
Challenge Password - The contact person's E-mail address.
Note: If the input key specified is an encrypted key, the user will be prompted to enter the PEM pass-phrase that was used to encrypt the key.
Example
create ssl certreq /nsconfig/ssl/csr.pem -keyFile /nsconfig/ssl/rsa1024.pem
Related Commands
create ssl cert
create ssl rsakey
create ssl dsakey
add ssl cipher
Synopsis
add ssl cipher <cipherGroupName> <cipherAliasName/cipherName/cipherGroupName> ...
Description
Use this command to either create a user-defined cipher group or to add ciphers to an existing group. The cipher group can be used to set the cipher-suite of an SSL virtual server.
Arguments
cipherGroupName: The name of the user-defined cipher group. If the cipher group does not exist on the NetScaler system, a new group is created with the specified name. The ciphers are added to this group. If a group identified by cipherGroupName already exists on the NetScaler system, the ciphers are added to it.
cipherAliasName/cipherName/cipherGroupName: The individual cipher name(s), a user-defined cipher group, or a NetScaler system predefined cipher alias that will be added to the group cipherGroupName. If a cipher alias or a cipher group is specified, all the individual ciphers in the cipher alias or group will be added to the user-defined cipher group.
Example
1) add ssl cipher mygroup SSL2-RC4-MD5 SSL2-EXP-RC4-MD5
The above command creates a new cipher-group named mygroup, with the two ciphers SSL2-RC4-MD5 and SSL2-EXP-RC4-MD5 as part of the cipher-group. If a cipher-group named mygroup already exists in the NetScaler 9000 system, then the two ciphers are added to the list of ciphers contained in the group.
2) add ssl cipher mygroup HIGH MEDIUM
The above command creates a new cipher-group named mygroup, with the ciphers from the cipher aliases "HIGH" and "MEDIUM" as part of the cipher group. If a cipher-group named mygroup already exists in the NetScaler 9000 system, then the ciphers from the two aliases are added to the list of ciphers contained in the group.
Related Commands
bind ssl cipher
rm ssl cipher
show ssl cipher
bind ssl cipher
Synopsis
bind ssl cipher (<vServerName>@ | <serviceName>@) <cipherOperation> <cipherAliasName/cipherName/cipherGroupName> [-vServer | -service]
Description
Use this command to change the default cipher-suite defined for an SSL virtual server. By default, the predefined cipher alias DEFAULT on the NetScaler system is bound to all SSL virtual servers. The DEFAULT alias contains all ciphers supported by the NetScaler system, with the exception of NULL ciphers (ciphers with no encryption). Note: To view the individual ciphers in the alias DEFAULT, use the show ssl cipher DEFAULT CLI command.
Arguments
vServerName: The name of the SSL virtual server to which the cipher-suite is to be bound.
serviceName: The name of the SSL service to which the cipher-suite is to be bound.
cipherOperation: The operation that is performed when adding the cipher-suite. Possible cipher operations are:
ADD - Appends the given cipher-suite to the existing one configured for the virtual server.
REM - Removes the given cipher-suite from the existing one configured for the virtual server.
ORD - Overrides the current configured cipher-suite for the virtual server with the given cipher-suite.
Possible values: ADD, REM, ORD
cipherAliasName/cipherName/cipherGroupName: A cipher-suite can consist of an individual cipher name, the NetScaler system predefined cipher-alias name, or a user-defined cipher-group name.
vServer: Select the -vServer flag when the cipher operation is performed on an SSL virtual server. Note: By default, the bind ssl cipher command assumes the -vServer flag, so you need not specify it when working with an SSL vserver.
service: Select the -service flag when the cipher operation is performed on an SSL Service.
Example
1) bind ssl cipher sslvip ADD SSL3-RC4-SHA
The above example appends the cipher SSL3-RC4-SHA to the cipher-suite already configured for the SSL virtual server sslvip.
2) bind ssl cipher sslvip REM NULL
The above example removes the ciphers identified by the NetScaler 9000 system's predefined cipher-alias NULL from the cipher-suite already configured for the SSL virtual server sslvip.
3) bind ssl cipher sslvip ORD HIGH
The above example overrides the existing cipher-suite configured for the SSL virtual server with ciphers having HIGH encryption strength (ciphers supporting 168-bit encryption).
Note: The individual ciphers contained in a NetScaler 9000 system predefined cipher-alias can be viewed by using the following command: show ssl cipher <cipherAliasName>
Related Commands
show ssl vserver
add ssl cipher
rm ssl cipher
show ssl cipher
rm ssl cipher
Synopsis
rm ssl cipher <cipherGroupName> [<cipherName> ...]
Description
Use this command to remove cipher(s) from a user-defined cipher group. It can also remove an entire cipher group from the NetScaler system. If there is no cipherName included with the cipherGroupName, the cipher group specified by cipherGroupName is deleted. If there is a cipherName included, the specified cipher(s) are removed from the cipher group.
Arguments
cipherGroupName: The user-defined cipher group on the NetScaler 9000 system.
cipherName: The cipher(s) to be removed from the cipher group.
Example
1) rm ssl cipher mygroup SSL2-RC4-MD5
The above example removes the cipher SSL2-RC4-MD5 from the cipher group mygroup.
2) rm ssl cipher mygroup
The above example will remove the cipher group 'mygroup' from the NetScaler 9000 system.
Related Commands
add ssl cipher
bind ssl cipher
show ssl cipher
show ssl cipher
Synopsis
show ssl cipher [<cipherAliasName/cipherName/cipherGroupName>]
Description
Use this command to display the details of a cipher, cipher-group, or cipher-alias defined on the NetScaler system. If no argument is specified, the command displays all the predefined cipher-aliases and user-defined cipher-groups on the NetScaler system. If a cipher name is specified, the details of the cipher are displayed. If a user-defined cipher-group name is specified, all the individual ciphers in the group are displayed along with the individual cipher description. If a NetScaler system predefined cipher-alias name is specified, all the individual ciphers in the alias are displayed along with the individual cipher description.
Arguments
cipherAliasName/cipherName/cipherGroupName:
cipherName: The individual cipher name for which the cipher details are displayed.
cipherGroupName: The user-defined cipher-group name for which the cipher details are displayed.
cipherAliasName: The NetScaler system predefined cipher-alias name for which the cipher details are displayed.
Output
cipherGroupName
description
cipherName
Example
1) An example of the output of the show ssl cipher SSL3-RC4-MD5 command is as follows:
Cipher Name: SSL3-RC4-MD5
Description: SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
2) This example displays the details of individual ciphers in the NetScaler 9000 system predefined cipher-alias SSLv2 (the command show ssl cipher SSLv2 has been entered):
8 configured cipher(s) in alias
1) Cipher Name: SSL2-RC4-MD5
Description: SSLv2 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
2) Cipher Name: SSL2-EXP-RC4-MD5
Description: SSLv2 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
3) Cipher Name: SSL2-RC2-CBC-MD5
Description: SSLv2 Kx=RSA Au=RSA Enc=RC2(128) Mac=MD5
4) Cipher Name: SSL2-EXP-RC2-CBC-MD5
Description: SSLv2 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
5) Cipher Name: SSL2-IDEA-CBC-MD5
Description: SSLv2 Kx=RSA Au=RSA Enc=IDEA(128) Mac=MD5
6) Cipher Name: SSL2-DES-CBC-MD5
Description: SSLv2 Kx=RSA Au=RSA Enc=DES(56) Mac=MD5
7) Cipher Name: SSL2-DES-CBC3-MD5
Description: SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5
8) Cipher Name: SSL2-RC4-64-MD5
Description: SSLv2 Kx=RSA Au=RSA Enc=RC4(64) Mac=MD5
Related Commands
add ssl cipher
bind ssl cipher
rm ssl cipher
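The Description line printed by show ssl cipher carries everything needed to decide whether a cipher should stay bound to a virtual server. The Python script below is an added example, not part of the original guide or any Citrix tooling: it parses that output, flags weak suites, and emits the matching bind ssl cipher ... REM commands in the syntax documented above. The sample text is constructed (the EXAMPLE-AES-256-SHA entry is a hypothetical name), and the thresholds are assumed policy values.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the layout of the "show ssl cipher" examples above.
# EXAMPLE-AES-256-SHA is a hypothetical entry used to show a suite with no findings.
SAMPLE_OUTPUT = """\
4 configured cipher(s) in alias
1) Cipher Name: SSL2-RC4-MD5
   Description: SSLv2 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
2) Cipher Name: SSL2-EXP-RC4-MD5
   Description: SSLv2 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
3) Cipher Name: SSL3-RC4-MD5
   Description: SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
4) Cipher Name: EXAMPLE-AES-256-SHA
   Description: TLSv1 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA
"""

MIN_ENC_BITS = 128    # assumed policy: minimum symmetric key length
MIN_KX_BITS = 2048    # assumed policy: applies only when Kx states a size

ENTRY_RE = re.compile(
    r"Cipher Name:\s*(?P<name>\S+)\s+"
    r"Description:\s*(?P<proto>\S+)\s+"
    r"Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)"
    r"(?P<export>\s+export\b)?"
)
ALG_BITS_RE = re.compile(r"^([^()]+)(?:\((\d+)\))?$")


@dataclass
class Cipher:
    name: str
    protocol: str
    kx: str
    kx_bits: Optional[int]
    au: str
    enc: str
    enc_bits: Optional[int]
    mac: str
    export: bool


def split_alg(token: str) -> Tuple[str, Optional[int]]:
    """'RSA(512)' -> ('RSA', 512); 'RSA' -> ('RSA', None)."""
    m = ALG_BITS_RE.match(token)
    if not m:
        return token, None
    return m.group(1), int(m.group(2)) if m.group(2) else None


def parse_show_ssl_cipher(text: str) -> List[Cipher]:
    """Parse every cipher entry; tolerates multi-line or flattened output."""
    ciphers = []
    for m in ENTRY_RE.finditer(text):
        kx, kx_bits = split_alg(m.group("kx"))
        enc, enc_bits = split_alg(m.group("enc"))
        ciphers.append(Cipher(m.group("name"), m.group("proto"), kx, kx_bits,
                              m.group("au"), enc, enc_bits, m.group("mac"),
                              bool(m.group("export"))))
    return ciphers


def findings(c: Cipher) -> List[str]:
    """Reasons a suite should not be offered; an empty list means none were found."""
    out = []
    if c.protocol == "SSLv2":
        out.append("SSLv2 protocol (prohibited by RFC 6176)")
    if c.export:
        out.append("export-grade suite")
    if c.enc.upper() in ("NONE", "NULL"):
        out.append("no encryption")
    elif c.enc_bits is not None and c.enc_bits < MIN_ENC_BITS:
        out.append("%d-bit %s key" % (c.enc_bits, c.enc))
    if c.enc.upper() == "RC4":
        out.append("RC4 (prohibited by RFC 7465)")
    if c.kx_bits is not None and c.kx_bits < MIN_KX_BITS:
        out.append("%d-bit %s key exchange" % (c.kx_bits, c.kx))
    return out


def remediation_commands(text: str, vserver: str) -> List[str]:
    """One 'bind ssl cipher <vserver> REM <cipher>' per flagged suite."""
    return ["bind ssl cipher %s REM %s" % (vserver, c.name)
            for c in parse_show_ssl_cipher(text) if findings(c)]


if __name__ == "__main__":
    for c in parse_show_ssl_cipher(SAMPLE_OUTPUT):
        print(c.name, "->", "; ".join(findings(c)) or "no findings")
    print("\n".join(remediation_commands(SAMPLE_OUTPUT, "sslvip")))
```

Review the generated commands before applying them: removing every suite a client population still depends on leaves the virtual server with nothing to negotiate.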
create ssl crl
Synopsis
create ssl crl <CAcertFile> <CAkeyFile> <indexFile> (-revoke <input_filename> | -genCRL <output_filename>) [-password <string>]
Description
Use this command to either revoke a certificate or a list of certificates, or to generate a CRL for the list of certificates that are revoked.
Arguments
CAcertFile: Path to the CA certificate file. The default input path for the CA certificate is /nsconfig/ssl/.
CAkeyFile: Path to the CA key file. The default input path for the CA key is /nsconfig/ssl/.
indexFile: This file contains the serial number of all the certificates that are revoked. This file is created the first time. New certificate revocation will be added to it subsequently. The default input path for the index file is /nsconfig/ssl/.
revoke: The certificate file to be revoked. The default input path for the certificate(s) is /nsconfig/ssl/.
genCRL: The CRL file to be created. The list of certificates that have been revoked is obtained from the index file. The default output path for the CRL file is /var/netscaler/ssl/.
password: The password for the CA key file.
Command Reference Guide 24-37
create ssl crl
Example1)create crl /nsconfig/ssl/cacert.pem /nsconfig/ssl/cakey.pem /nsconfig/ssl/index.txt -gencrl /var/netscaler/ssl/crl.pem
Related Commandsadd ssl crlrm ssl crlset ssl crlshow ssl crl
add ssl crl
Synopsis
add ssl crl <crlName> <crlPath> [-inform ( DER | PEM )]
Description
Use this command to add a Certificate Revocation List (CRL) object.
Note: In an HA configuration, the CRL on both the primary and secondary nodes must be present in the location specified by <crlPath>.
Arguments
crlName
The object name for the CRL.
crlPath
The file name and path for the CRL file. The default input path for the CRL is /var/netscaler/ssl/.
inform
The input format of the CRL file. PEM: Privacy Enhanced Mail. DER: Distinguished Encoding Rule.
Possible values: DER, PEM
Default value: PEM
refresh
Enables or disables the auto refresh feature for the CRL identified by the crlName.
Possible values: ENABLED, DISABLED
CAcert
The corresponding CA certificate that has issued the CRL. This is the NetScaler object identifying the CA certificate that is loaded in NetScaler.
Note: This is a mandatory field when the "-refresh" option is enabled. The CA certificate needs to be installed before loading the CRL.
method
The method for CRL refresh - HTTP or LDAP.
Possible values: HTTP, LDAP
Default value: LDAP
server
The IP address of the LDAP server from which the CRLs are to be fetched.
url
URI of the CRL Distribution Point.
port
The port for the LDAP server.
baseDN
The baseDN attribute used by LDAP search to query for the attribute certificateRevocationList.
Note: It is recommended to use the baseDN attribute over the Issuer Name from the CA certificate for the CRL, if the Issuer-Name field does not exactly match the LDAP directory structure's DN.
scope
Extent of the search operation on the LDAP server. Base: Exactly the same level as basedn. One: One level below basedn.
Possible values: Base, One
Default value: One
interval
The CRL refresh interval. The valid values are monthly, weekly, and daily. This along with the -days and -time option will identify the exact time/time-interval for CRL refresh. -interval NONE can be used to reset previously set interval settings.
Possible values: MONTHLY, WEEKLY, DAILY, NONE
day
The purpose of this option varies with the usage of the -interval option. If the -interval option has been set to MONTHLY, the -days option can be used to set a particular day of the month (1-30/31/28) on which the CRL needs to be refreshed. If the -interval option has been set to WEEKLY, the -days option can be used to set a particular day of the week, i.e. 1...7 (Sun=1, Sat=7) on which the CRL needs to be refreshed. The NetScaler system handles the valid number of days in a Month or Week, if the input value for the corresponding -day option is set incorrectly. If the -interval option has been set to DAILY, the -days parameter is not used. If the -days option is used without the -interval option, it specifies the number of days after which the refresh is to be done.
time
The exact time of the day when the CRL is to be refreshed. The time is specified in 24-hour time format, where HH stands for Hours and MM stands for minutes.
bindDN
The bindDN to be used to access the CRL object in the LDAP repository. This is required if the access to the LDAP repository is restricted, i.e. anonymous access is not allowed.
password
The password to be used to access the CRL object in the LDAP repository. This is required if the access to the LDAP repository is restricted, i.e. anonymous access is not allowed.
Example
1) add ssl certkey CAcert -cert /nsconfig/ssl/ca_cert.pem
add ssl crl crl_file /var/netscaler/ssl/crl.pem -cacert CAcert
The above command adds a CRL from local storage system (HDD) with no refresh set.
2) add ssl certkey CAcert -cert /nsconfig/ssl/ca_cert.pem
add ssl crl crl_file /var/netscaler/ssl/crl_new.pem -cacert Cacert -refresh ENABLED -server 10.102.1.100 -port 389 -interval DAILY -baseDN o=example.com,ou=security,c=US
The above command adds a CRL to the NetScaler 9000 system by fetching the CRL from the LDAP server and setting the refresh interval as daily.
Related Commands
create ssl crl
rm ssl crl
set ssl crl
show ssl crl
rm ssl crl
Synopsis
rm ssl crl <crlName> ...
Description
Use this command to remove the specified CRL object from the NetScaler system.
Arguments
crlName
The name of the CRL object to be removed from the NetScaler system.
Example
1) rm ssl crl ca_crl
The above CLI command deletes the CRL object ca_crl from the NetScaler 9000 system.
Related Commands
create ssl crl
add ssl crl
set ssl crl
show ssl crl
set ssl crl
Synopsis
set ssl crl <crlName> [-refresh ( ENABLED | DISABLED )] [-CAcert <string>] [-method ( HTTP | LDAP )] [-server <ip_addr> | -url <URL>] [-port <port>] [-baseDN <string>] [-scope ( Base | One )] [-interval <interval>] [-day <integer>] [-time <HH:MM>] [-bindDN <string>] [-password <string>]
Description
Use this command to enable the automatic refresh option on a CRL and set different refresh parameters.
Arguments
crlName
The object name for the CRL.
refresh
The state of the auto refresh feature for the CRL. The valid states are ENABLED and DISABLED.
Possible values: ENABLED, DISABLED
CAcert
The corresponding CA certificate that has issued the CRL. This is the NetScaler object identifying the CA certificate that is loaded in NetScaler.
method
The method for CRL refresh - HTTP or LDAP.
Possible values: HTTP, LDAP
Default value: LDAP
server
The IP address of the LDAP server from which the CRLs are to be fetched.
url
URI of the CRL Distribution Point.
port
The port of the LDAP server.
baseDN
The bindDN to be used to access the CRL object in the LDAP repository. This is required if the access to the LDAP repository is restricted, i.e. anonymous access is not allowed.
scope
Extent of the search operation on the LDAP server. Base: Exactly the same level as basedn. One: One level below basedn.
Possible values: Base, One
interval
MONTHLY | WEEKLY | DAILY | NOW | NONE
The CRL refresh interval. This option, when used in conjunction with the -days and -time option, can identify the exact time/time-interval for the CRL refresh. -interval NONE can be used to reset previously set interval settings. -interval NOW can be used to force an instantaneous CRL refresh. This is a one time operation.
Possible values: MONTHLY, WEEKLY, DAILY, NOW, NONE
day
The purpose of this option varies with the usage of the -interval option. If the -interval option has been set to MONTHLY, the -days option can be used to set a particular day of the month (1-30/31/28) on which the CRL needs to be refreshed. If the -interval option has been set to WEEKLY, the -days option can be used to set a particular day of the week, i.e. 1...7 (Sun=1, Sat=7) on which the CRL needs to be refreshed. NetScaler handles the valid number of days in a Month or Week, if the input value for the corresponding -day option is set incorrectly. For -interval daily, the -days parameter is not used. If -days is used without the -interval option, it specifies the number of days after which the refresh is to be performed.
time
The exact time of the day when the CRL is to be refreshed. The time is specified in 24-hour time format, where HH stands for Hours and MM stands for minutes.
bindDN
The bindDN to be used to access the CRL object in the LDAP repository. This is required if the access to the LDAP repository is restricted, i.e. anonymous access is not allowed.
password
The password to be used to access the CRL object in the LDAP repository. This is required if the access to the LDAP repository is restricted, i.e. anonymous access is not allowed.
Example
1) set ssl crl crl_file -refresh ENABLE -interval MONTHLY -days 10 -time 12:00
The above example sets the CRL refresh to every Month, on date=10, and time=12:00hrs.
2) set ssl crl crl_file -refresh ENABLE -interval WEEKLY -days 1 -time 00:10
The above example sets the CRL refresh every Week, on weekday=Sunday, and at time 10 past midnight.
3) set ssl crl crl_file -refresh ENABLE -interval DAILY -days 1 -time 12:00
The above example sets the CRL refresh every Day, at 12:00hrs.
4) set ssl crl crl_file -refresh ENABLE -days 10
The above example sets the CRL refresh after every 10 days.
Note: The CRL will be refreshed after every 10 days. The time for CRL refresh will be 00:00 hrs.
5) set ssl crl crl_file -refresh ENABLE -time 01:00
The above example sets the CRL refresh after every 1 hour.
6) set ssl crl crl_file -refresh ENABLE -interval NOW
The above example sets the CRL refresh instantaneously.
Related Commands
create ssl crl
add ssl crl
rm ssl crl
show ssl crl
show ssl crl
Synopsis
show ssl crl [<crlName>]
Description
Use this command to display the information pertaining to the Certificate Revocation Lists (CRL) configured on the NetScaler system:
If the crlName argument is specified, the command displays the details of the CRL.
If the crlName argument is not specified, the command displays all the CRLs.
Arguments
crlName
The CRL object name for which details are to be displayed.
Output
crlName
crlPath
inform
CAcert
refresh
scope
server
port
url
baseDN
interval
day
time
bindDN
password
flags
lastupdatetime
version
signaturealgo
issuer
lastupdate
nextupdate
date
number
Example
1) An example output of the show ssl crl command is as follows:
1 configured CRL(s)
1 Name: ca_crl CRL Path: /var/netscaler/ssl/cr1.der Format: DER Cacert: ca_cert Refresh: DISABLED
2) An example of the output of the show ssl crl ca_crl command is as follows:
Name: ca_crl
Version: 1
Signature Algorithm: md5WithRSAEncryption
Issuer: /C=US/ST=CA/L=santa clara /O=CA/OU=security
Last_update:Dec 21 09:47:16 2001 GMT
Next_update:Jan 20 09:47:16 2002 GMT
Revoked Certificates:
Serial Number: 01
Revocation Date:Dec 21 09:47:02 2001 GMT
Serial Number: 02
Revocation Date:Dec 21 09:47:02 2001 GMT
Related Commands
create ssl crl
add ssl crl
rm ssl crl
set ssl crl
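A CRL that is past its Next_update time, with auto refresh disabled, leaves revocation checks running on outdated data. The following added example (not part of the Citrix guide) parses show ssl crl output in the format shown above and reports that condition; the function names are assumptions, and the sample is constructed by combining the fields of the two example outputs, one field per line.

```python
from datetime import datetime, timezone

# Constructed sample: fields taken from the two example outputs above.
SAMPLE = """\
Name: ca_crl
CRL Path: /var/netscaler/ssl/cr1.der
Refresh: DISABLED
Version: 1
Signature Algorithm: md5WithRSAEncryption
Issuer: /C=US/ST=CA/L=santa clara /O=CA/OU=security
Last_update:Dec 21 09:47:16 2001 GMT
Next_update:Jan 20 09:47:16 2002 GMT
Revoked Certificates:
Serial Number: 01
Revocation Date:Dec 21 09:47:02 2001 GMT
Serial Number: 02
Revocation Date:Dec 21 09:47:02 2001 GMT
"""

TIME_FMT = "%b %d %H:%M:%S %Y GMT"

def parse_time(value):
    """Parse a timestamp such as 'Dec 21 09:47:16 2001 GMT' as UTC."""
    return datetime.strptime(value.strip(), TIME_FMT).replace(tzinfo=timezone.utc)

def parse_crl(text):
    """Turn 'Key: value' lines into a dict plus a list of revoked serials."""
    crl = {"revoked": []}
    serial = None
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "Serial Number":
            serial = value
        elif key == "Revocation Date" and serial is not None:
            crl["revoked"].append((serial, parse_time(value)))
            serial = None
        elif key in ("Last_update", "Next_update"):
            crl[key.lower()] = parse_time(value)
        elif value:
            crl[key.lower().replace(" ", "_")] = value
    return crl

def crl_findings(crl, now):
    """Return the reasons this CRL should not be trusted as current at 'now'."""
    findings = []
    next_update = crl.get("next_update")
    if next_update is None:
        findings.append("no Next_update field")
    elif now > next_update:
        findings.append(f"CRL expired {(now - next_update).days} day(s) ago")
    if crl.get("refresh") == "DISABLED":
        findings.append("auto refresh disabled")
    if crl.get("signature_algorithm", "").lower().startswith("md5"):
        findings.append("MD5-based signature")
    return findings

if __name__ == "__main__":
    for finding in crl_findings(parse_crl(SAMPLE), datetime.now(timezone.utc)):
        print(finding)
```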
create ssl dhparam
Synopsis
create ssl dhparam [<dhFile>] [<bits>] [-gen ( 2 | 5 )]
Description
Use this command to generate the Diffie-Hellman (DH) parameters.
Arguments
dhFile
The name of the output file where the generated DH parameter is stored.
bits
The bit value for the DH parameters.
gen
The DH generator value (g) to be used.
Possible values: 2, 5
Default value: 2
Example
1) create ssl dhparam /nsconfig/ssl/dh1024.pem 1024 -gen 5
Related Commands
set ssl vserver
show ssl vserver
create ssl dsakey
Synopsis
create ssl dsakey <keyFile> <bits> [-keyform ( DER | PEM )] [-des] [-des3] [-password <string>]
Description
Use this command to generate a DSA key.
Arguments
keyFile
The name of the output file where the generated DSA key is stored. The default output path for the DH file is /nsconfig/ssl/.
bits
The bit value (key length) for the DSA key.
keyform
The format of the key file: PEM: Privacy Enhanced Mail. DER: Distinguished Encoding Rule.
Possible values: DER, PEM
Default value: PEM
des
Use this option to encrypt the generated DSA key using the DES algorithm. It prompts you to enter the pass-phrase (password) that is used to encrypt the key.
des3
Use this option to encrypt the generated DSA key using Triple-DES algorithm. You will be prompted to enter the pass-phrase (password) that is used to encrypt the key.
password
The pass-phrase to use for encryption if '-des' or '-des3' option is selected.
Example
create ssl dsakey /nsconfig/ssl/dsa1024.pem 1024
Related Commands
create ssl cert
create ssl certreq
add ssl certkey
set ssl fips
Synopsis
set ssl fips -initHSM Level-2 <soPassword> <oldSoPassword> <userPassword> [-hsmLabel <string>]
Description
Use this command to initialize the Hardware Security Module (HSM) or the FIPS card and set a new Security Officer password and User password.
CAUTION: This command will erase all data on the FIPS card. You will be prompted before proceeding with the command execution. Save the current configuration after executing this command.
Arguments
initHSM
The FIPS initialization level. The NetScaler system currently supports Level-2 (FIPS 140-2 Level-2).
Possible values: Level-2
soPassword
The Hardware Security Module's (HSM) Security Officer password.
oldSoPassword
The old Security Officer password. This is used for authentication.
userPassword
The Hardware Security Module's (HSM) User password.
hsmLabel
The label to identify the Hardware Security Module (HSM).
Example
1) set fips -initHSM Level-2 fipsso123 oldfipsso123 fipuser123 -hsmLabel FIPS-140-2
>This command will erase all data on the FIPS card. You must save the configuration (saveconfig) after executing this command.
Do you want to continue?(Y/N)y
The above command initializes the FIPS card to FIPS-140-2 Level-2 and sets the HSM's Security Officer and User passwords.
Related Commands
reset ssl fips
show ssl fips
reset ssl fips
Synopsis
reset ssl fips
Description
Use this command to reset the FIPS card to default password for SO and User accounts.
Note: This command can be used only if the FIPS card has been locked due to three or more unsuccessful login attempts.
Arguments
Example
reset fips
Related Commands
set ssl fips
show ssl fips
show ssl fips
Synopsis
show ssl fips
Description
Use this command to display the information on the FIPS card.
Output
initHSM
soPassword
userPassword
oldSoPassword
eraseData
hsmLabel
serial
majorVersion
minorVersion
flashMemoryTotal
flashMemoryFree
sramTotal
sramFree
status
Example
An example of the output for show ssl fips command is as follows:
FIPS HSM Info:
HSM Label : FIPS1
Initialization : FIPS-140-2 Level-2
HSM Serial Number : 238180016
Firmware Version : 4.3.0
Total Flash Memory : 1900428
Free Flash Memory : 1899720
Total SRAM Memory : 26210216
Free SRAM Memory : 17857232
Related Commands
set ssl fips
reset ssl fips
create ssl fipskey
Synopsis
create ssl fipskey <fipsKeyName> -modulus <positive_integer> [-exponent ( 3 | F4 )]
Description
Use this command to generate a FIPS key within the Hardware Security Module (HSM)-FIPS card.
Arguments
fipsKeyName
The object name for the FIPS key.
modulus
The modulus of the key to be created. Minimum value is 512 bits and maximum value is 2048 bits. The modulus value should be a multiple of 64.
exponent
The exponent value for the key to be created. 3: Hex value 0x3. F4: Hex value 0x10001.
Possible values: 3, F4
Default value: 3
Example
create fipskey fips1 -modulus 1024 -exp f4
Related Commands
rm ssl fipskey
show ssl fipskey
import ssl fipskey
export ssl fipskey
rm ssl fipskey
Synopsis
rm ssl fipskey <fipsKeyName> ...
Description
Use this command to remove the specified FIPS key(s) from the NetScaler system.
Arguments
fipsKeyName
The name of the FIPS key(s) to be removed from the NetScaler 9000 system.
Example
rm fipskey fips1
Related Commands
create ssl fipskey
show ssl fipskey
import ssl fipskey
export ssl fipskey
show ssl fipskey
Synopsis
show ssl fipskey [<fipsKeyName>]
Description
Use this command to display the information on the FIPS keys configured on the NetScaler system. If no FIPS key name is specified then the command will list all the FIPS keys configured in the system. If a FIPS key name is specified, the command will display the details of the FIPS key.
Arguments
fipsKeyName
The name of the FIPS key for which details are to be displayed.
Output
modulus
exponent
size
Example
1) An example of output of show ssl fipskey command is as follows:
show fipskey
2 FIPS keys:
1) FIPS Key Name: fips1
2) FIPS Key Name: fips2
2) An example of output of show fipskey command with FIPS key name specified is as follows:
show fipskey fips1
FIPS Key Name: fips1
Modulus: 1024
Public Exponent: 3 (Hex: 0x3)
Related Commands
create ssl fipskey
rm ssl fipskey
import ssl fipskey
export ssl fipskey
import ssl fipskey
Synopsis
import ssl fipskey <fipsKeyName> -key <string> [-inform ( SIM | DER )] [-wrapKeyName <string>] [-iv <string>]
Description
Use this command to import a key into the Hardware Security Module (HSM) -FIPS card. You can also use this command to import a FIPS key from another NetScaler FIPS system (example Primary system), or for importing a non-FIPS key from an external Web server (Apache/IIS).
Arguments
fipsKeyName
The object name for the FIPS key being imported.
key
The path to the key file. The default input path for the key is /nsconfig/ssl/.
inform
The input format of the key file.
SIM: Secure Information Management. This is used when a FIPS key is transferred from one FIPS system to other.
DER: Distinguished Encoding Rule. This is used when a non-FIPS key is to be imported inside a FIPS system. The non-FIPS key has to be converted to PKCS#8 form using the CLI command "convert pkcs8".
Possible values: SIM, DER
Default value: SIM
wrapKeyName
The object name of the wrapkey to use for importing the key. The wrapkey is created using the CLI command "create ssl wrapkey". This is required if the key being imported is a non-FIPS key.
iv
The Initialization Vector (IV) to use for importing the key. This is required if the key being imported is a non-FIPS key.
Example
1) import fipskey fips1 -key /nsconfig/ssl/fipskey.sim
The above example imports a FIPS key stored in the file fipskey.sim in the NetScaler 9000 system.
2) import fipskey fips2 -key /nsconfig/ssl/key.der -inform DER -wrapKeyName wrapkey1 -iv wrap123
The above example imports a non-FIPS key stored in the file key.der in the NetScaler 9000 system.
Related Commands
create ssl fipskey
rm ssl fipskey
show ssl fipskey
export ssl fipskey
export ssl fipskey
Synopsis
export ssl fipskey <fipsKeyName> -key <string>
Description
Use this command to export a FIPS key from one system to another or to back up the FIPS key in a secure manner. The exported key is secured using a strong asymmetric key encryption method.
Arguments
fipsKeyName
The name of the FIPS key to be exported.
key
The path and file name to store the exported key. The default output path for the key is /nsconfig/ssl/.
Example
export fipskey fips1 -key /nsconfig/ssl/fips1.key
Related Commands
create ssl fipskey
rm ssl fipskey
show ssl fipskey
import ssl fipskey
create ssl rsakey
Synopsis
create ssl rsakey <keyFile> <bits> [-exponent ( 3 | F4 )] [-keyform ( DER | PEM )] [-des] [-des3] [-password <string>]
Description
Use this command to generate an RSA key.
Arguments
keyFile
The file in which the generated RSA key is stored. The default output path for the key file is /nsconfig/ssl/.
bits
The bit value (key length) for the RSA key. Minimum value is 512 bits and maximum value is 2048 bits.
exponent
The public exponent value for the RSA key. The supported values are F4 (Hex: 0x10001) or 3 (Hex: 0x3).
Possible values: 3, F4
Default value: F4
keyform
The format for the key file: PEM: Privacy Enhanced Mail. DER: Distinguished Encoding Rule.
Possible values: DER, PEM
Default value: PEM
des
Use this option to encrypt the generated RSA key using DES algorithm. You will be prompted to enter the pass-phrase (password) that will be used to encrypt the key.
des3
Use this option to encrypt the generated RSA key using the Triple-DES algorithm. You will be prompted to enter the pass-phrase (password) that will be used to encrypt the key.
password
The pass-phrase to use for encryption if '-des' or '-des3' option is selected.
Example
create ssl rsakey /nsconfig/ssl/rsa1024.pem 1024 -exp F4
Related Commands
create ssl cert
create ssl certreq
add ssl certkey
convert ssl pkcs12
Synopsis
convert ssl pkcs12 <outfile> [-import [-pkcs12File <input_filename>] [-des | -des3] ] [-pkcs12File <input_filename>] [-des] [-des3] [-export [-certFile <input_filename>] [-keyFile <input_filename>]]
Description
Use this command to convert the end-user certificate (Client-certificate/Server-Certificate) from PEM encoding format to PKCS#12 format. These certificates can then be distributed and installed in browsers as Client certificates.
Arguments
outfile
The output file to be generated. If the -import option is used, this file will be used to store the certificate and the private-key in PEM format. If the -export option is used, the certificate and private-key will be stored in the PKCS12 format. The default output path for the file is /nsconfig/ssl/.
import
Use this option to convert the certificate and private-key from PKCS12 format to PEM format.
pkcs12File
The input file which contains the certificate and the private-key in PKCS12 format. The default input path is /nsconfig/ssl/.
Note: During the import operation, the user will be prompted to enter the 'Import password'.
des
Use this option to encrypt the private key with DES in CBC mode during -import operation. You will be prompted to enter the pass-phrase if this option is mentioned.
des3
Use this option to encrypt the private key with DES in EDE CBC mode (168 bit key) during the -import operation. You will be prompted to enter the pass-phrase if this option is mentioned.
export
Use this option to convert the certificate and private-key from PEM format to PKCS12 format.
Note: During the export operation, you will be prompted to enter the 'Export password'.
certFile
The input certificate file in PEM format. The default input path for the file is /nsconfig/ssl/.
keyFile
The input private-key file in PEM format. The default input path for the file is /nsconfig/ssl/.
Note: If the key file is in encrypted form, then the user will be prompted to enter the pass-phrase used for encrypting the key.
Example
1) convert ssl pkcs12 /nsconfig/ssl/client_certkey.p12 -export -cert /nsconfig/ssl/client_certcert.pem -key /nsconfig/ssl/client_key.pem
The above example CLI command converts the PEM encoded certificate and key file to PKCS#12.
2) convert ssl pkcs12 /nsconfig/ssl/client_certkey.pem -import -pkcs12 /nsconfig/ssl/client_certcertkey.p12
The above example CLI command converts the PKCS12 file to PEM format.
3) convert ssl pkcs12 /nsconfig/ssl/client_certkey.pem -import -pkcs12 /nsconfig/ssl/client_certcertkey.p12 -des
The above example CLI command converts the PKCS12 file to PEM format, with encrypted key.
Note: The -des option will encrypt the output key using DES algorithm. User will be prompted to enter the pass-phrase to be used for encryption.
Related Commands
create ssl rsakey
create ssl dsakey
create ssl certreq
create ssl cert
convert ssl pkcs8
Synopsis
convert ssl pkcs8 <pkcs8File> <keyFile> [-keyform ( DER | PEM )] [-password <string>]
Description
Use this command to convert a PEM or DER encoded key file to PKCS#8 format before importing it into the NetScaler FIPS system.
Arguments
pkcs8File
The name of the output file where the PKCS8 format key file will be stored. The default output path for the PKCS8 file is /nsconfig/ssl/.
keyFile
The input key file. The default input path for the key file is /nsconfig/ssl/.
keyform
The format of the keyFile. PEM: Privacy Enhanced Mail. DER: Distinguished Encoding Rule.
Possible values: DER, PEM
Default value: PEM
password
The password if the key is encrypted. Valid for PEM encoded files only.
Example
convert ssl pkcs8 /nsconfig/ssl/key.pk8 /nsconfig/ssl/key.pem
Related Commands
set ssl service
Synopsis
set ssl service <serviceName>@ [-dh ( ENABLED | DISABLED ) -dhFile <string>] [-dhCount <positive_integer>] [-eRSA ( ENABLED | DISABLED ) [-eRSACount <positive_integer>]] [-sessReuse ( ENABLED | DISABLED ) [-sessTimeout <positive_integer>]] [-certHeader ( ENABLED | DISABLED ) -certH <string>] [-certSubject ( ENABLED | DISABLED ) -certS <string>] [-certIssuer ( ENABLED | DISABLED ) -certI <string>] [-sessHeader ( ENABLED | DISABLED ) -sessH <string>] [-cipherHeader ( ENABLED | DISABLED ) -cipherH <string>] [-cipherRedirect ( ENABLED | DISABLED ) [-cipherURL <URL>]] [-sslv2Redirect ( ENABLED | DISABLED ) [-sslv2URL <URL>]] [-clientAuth ( ENABLED | DISABLED ) [-clientCert ( Mandatory | Optional )]] [-owa_support ( ENABLED | DISABLED )] [-ssl_redirect ( ENABLED | DISABLED )] [-redirectPortRewrite ( ENABLED | DISABLED )] [-nonFipsCiphers ( ENABLED | DISABLED )] [-ssl2 ( ENABLED | DISABLED )] [-ssl3 ( ENABLED | DISABLED )] [-tls1 ( ENABLED | DISABLED )] [-serverAuth ( ENABLED | DISABLED )]
Description
Use this command to set the Advance SSL Configurations for a SSL service.
Arguments
serviceName
The SSL service name for which the advance configurations are to be set.
dh
Use this option to enable or disable Diffie-Hellman (DH) key exchange support for the SSL service.
Possible values: ENABLED, DISABLED
Default value: DISABLED
dhFile
The file name and path for the DH parameter. You need to enable the -dh option. File format is PEM. The default input path for the DH file is /nsconfig/ssl/.
dhCount
The refresh count for regeneration of DH public-key and private-key from the DH parameter. The value has to be a positive integer and can be 0, or any number greater than or equal to 500. Zero means infinite usage (no refresh). Option '-dh' has to be enabled.
Default value: 0
eRSA
Use this option to enable or disable Ephemeral RSA key exchange support for the SSL service.
Possible values: ENABLED, DISABLED
Default value: ENABLED
eRSACount
The refresh count for re-generation of RSA public-key and private-key pair. The value has to be a positive integer and can be 0, or any number greater than or equal to 500. Zero means infinite usage (no refresh). Option '-eRSA' has to be enabled.
Default value: 0
sessReuse
Use this option to enable or disable session reuse support for the SSL service.
Possible values: ENABLED, DISABLED
Default value: ENABLED
sessTimeout
The session timeout value in seconds. The value has to be a positive integer. Option '-sessReuse' has to be enabled.
Default value: 300
certHeader
Use this option to enable or disable the insertion of a client certificate in the HTTP header of the request being sent to the web-server. The client certificate is inserted only when the SSL service is configured to perform Client-Authentication. See '-clientAuth' option below.
Possible values: ENABLED, DISABLED
Default value: DISABLED
certH
The tag name to be used while inserting the certificate in the HTTP header. Option '-certHeader' has to be enabled.
certSubject
Use this option to enable or disable the insertion of the client Certificate's Subject Name in the HTTP header of the request being sent to the web-server.
Possible values: ENABLED, DISABLED
Default value: DISABLED
certS
The tag name that is used when inserting the Certificate Subject Name in the HTTP header. The '-certSubject' argument must be enabled if this argument is specified.
certIssuer
Use this option to enable or disable the insertion of the client Certificate's Issuer Name in the HTTP header of the request being sent to the web-server.
Possible values: ENABLED, DISABLED
Default value: DISABLED
certI
The tag name that is used when inserting the Certificate Issue Name in the HTTP header. The '-certIssuer' argument must be enabled if this argument is specified.
sessHeader
Use this option to enable or disable the insertion of the Session-ID in the HTTP header of the request being sent to the web-server.
Possible values: ENABLED, DISABLED
Default value: DISABLED
sessH
The tag name to be used while inserting the Session-ID in the HTTP header. Option '-sessHeader' has to be enabled.
cipherHeader
Use this option to enable or disable the insertion of the Cipher, negotiated with the client, in the HTTP header of the request being sent to the web-server.
Possible values: ENABLED, DISABLED
Default value: DISABLED
cipherH
The tag name that is used when inserting the Cipher negotiated in the HTTP header. The '-cipherHeader' argument must be enabled if this argument is specified.
cipherRedirect
Use this option to control the Cipher Redirect feature. The valid options are ENABLE and DISABLE.
Possible values: ENABLED, DISABLED
Default value: DISABLED
cipherURLThe redirect URL to be used with the Cipher Redirect feature.
sslv2RedirectUse this option to enable or disable the SSLv2 Redirect feature. Possible values: ENABLED, DISABLED Default value: DISABLED
sslv2URLThe redirect URL to be used with the SSLv2 Redirect feature.
clientAuthUse this option to enable or disable Client-Authentication support for the SSL service. Possible values: ENABLED, DISABLED Default value: DISABLED
clientCertUse this option to set the rule for client authentication. If clientCert is set to Mandatory, NetScaler will terminate the SSL handshake if SSL client does not provide a valid certificate. If the setting is optional, then NetScaler will allow SSL clients with no certificate or invalid certificates to access the secure resource. Note: Make sure proper access control policies are defined before changing the above setting to Optional. Possible values: Mandatory, Optional
owa_supportUse this option to enable or disable the Outlook Web-Access support. The default setting is DISABLED. If you are using the NetScaler system SSL Accelerator in front of an Outlook Web-access (OWA) Front-end server, a special header field, 'FRONT-END-HTTPS: ON', needs to be inserted in the HTTP requests going to the OWA Back-end servers. This is required to inform the back-end servers to generate proper URL links as https:// instead of http://. Possible values: ENABLED, DISABLED Default value: DISABLED
ssl_redirectUse this option to enable or disable HTTPS redirects for the SSL service. Default setting is disabled. This is required for the proper functioning of the redirect messages from the server. The redirect message from the server provides the new location for the moved object. This is contained in the HTTP header field: Location, e.g. Location: http://www.moved.org/here.html For the SSL session, if the client browser receives this message, the browser will try to connect to the new location. This will break the secure SSL session, as the object has moved from a secure site (https://) to an un-secure one
24-72 Command Reference Guide
set ssl service
(http://). Generally browsers flash a warning message on the screen and prompt the user, either to continue or disconnect. The above feature, when enabled will automatically convert all such http:// redirect message to https://. This will not break the client SSL session. Note: The set ssl service command can be used for configuring a front-end SSL service for service based SSL Off-Loading, or a backend SSL service for backend-encryption setup. Some of the command options are not applicable while configuring a backend service. CLI will not report an error if these options are used for a backend SSL service. These are: [-dh (ENABLED|DISABLED) (-dhFile < file_name >)] [(-dhCount <pos_int>)] [-eRSA (ENABLED|DISABLED)] [(-eRSACount <pos_int>)] [-certHeader (ENABLED|DISABLED) (-certH <string>)] [-certSubject ( ENABLED | DISABLED ) -certS <string>] [-certIssuer ( ENABLED | DISABLED ) -certI <string>] [-sessHeader (ENABLED|DISABLED) (-sessH <string>)] [-cipherHeader ( ENABLED | DISABLED ) -cipherH <string>] [-cipherRedirect (ENABLED | DISABLED) [-cipherURL <URL>]] [-sslv2Redirect ( ENABLED | DISABLED ) [-sslv2URL <URL>]] [-clientAuth ( ENABLED | DISABLED ) [-clientCert ( Mandatory | Optional )]] [-owa_support (ENABLED|DISABLED)] [-ssl_redirect ( ENABLED | DISABLED )] [-ssl2 (ENABLED|DISABLED)]. Possible values: ENABLED, DISABLED Default value: DISABLED
redirectPortRewrite
Use this option to enable port rewrite while performing HTTPS redirect.
Possible values: ENABLED, DISABLED
Default value: DISABLED
nonFipsCiphers
Use this option to enable or disable the use of non-FIPS-approved ciphers. Valid only for an SSL service bound with a FIPS key and certificate.
Possible values: ENABLED, DISABLED
Default value: DISABLED
ssl2
Use this option to enable or disable SSLv2 protocol support for the SSL service.
Possible values: ENABLED, DISABLED
Default value: DISABLED
ssl3
Use this option to enable or disable SSLv3 protocol support for the SSL service.
Possible values: ENABLED, DISABLED
Default value: ENABLED
tls1
Use this option to enable or disable TLSv1 protocol support for the SSL service.
Possible values: ENABLED, DISABLED
Default value: ENABLED
serverAuth
Use this option to enable or disable Server-Authentication support for the SSL service.
Possible values: ENABLED, DISABLED
Default value: DISABLED
Example
1) set ssl service sslsvc -dh ENABLED -dhFile /nsconfig/ssl/dh1024.pem -dhCount 500
The above example sets the DH parameters for the SSL service 'sslsvc'.
2) set ssl service sslsvc -ssl2 DISABLED
The above example disables the support for SSLv2 protocol for the SSL service 'sslsvc'.
Related Commands
show ssl service
show ssl service
Synopsis
show ssl service <serviceName>
Description
Use this command to view the advanced SSL settings for an SSL service.
Arguments
serviceName
The name of the SSL service for which the advanced SSL settings are to be displayed.
Output
dh
dhFile
dhCount
eRSA
eRSACount
sessReuse
sessTimeout
certHeader
certH
certSubject
certS
certIssuer
certI
sessHeader
sessH
cipherHeader
cipherH
cipherRedirect
cipherURL
sslv2Redirect
sslv2URL
clientAuth
clientCert
owa_support
ssl_redirect
redirectPortRewrite
nonFipsCiphers
ssl2
ssl3
tls1
serverAuth
cipherAliasName/cipherName/cipherGroupName
description
certkeyName
clearTextPort
Example
An example of the output of the show ssl service command is shown below:
show ssl service sr3
Advanced SSL configuration for Back-end SSL Service sr3:
DH: DISABLED
Ephemeral RSA: ENABLED Refresh Count: 0
Session Reuse: ENABLED Timeout: 300 seconds
Session-ID Header: DISABLED
Cert Header: DISABLED
Cert DN Header: DISABLED
Cert Issuer Header: DISABLED
Cipher Header: DISABLED
Cipher Redirect: DISABLED
SSLv2 Redirect: DISABLED
Server Auth: DISABLED
SSL Redirect: DISABLED
Non FIPS Ciphers: DISABLED
OWA Support: DISABLED
SSLv2: DISABLED SSLv3: ENABLED TLSv1: ENABLED
11 configured ciphers:
1) Cipher Name: SSL3-DES-CBC-SHA
Description: SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
2) Cipher Name: TLS1-EXP1024-DES-CBC-SHA
Description: TLSv1 Kx=RSA(1024) Au=RSA Enc=DES(56) Mac=SHA1 Export
3) Cipher Name: SSL3-EXP-DES-CBC-SHA
Description: SSLv3 Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 Export
4) Cipher Name: SSL2-DES-CBC-MD5
Description: SSLv2 Kx=RSA Au=RSA Enc=DES(56) Mac=MD5
5) Cipher Name: SSL3-EDH-DSS-DES-CBC-SHA
Description: SSLv3 Kx=DH Au=DSS Enc=DES(56) Mac=SHA1
6) Cipher Name: TLS1-EXP1024-DHE-DSS-DES-CBC-SHA
Description: TLSv1 Kx=DH(1024) Au=DSS Enc=DES(56) Mac=SHA1 Export
7) Cipher Name: SSL3-EXP-EDH-DSS-DES-CBC-SHA
Description: SSLv3 Kx=DH(512) Au=DSS Enc=DES(40) Mac=SHA1 Export
8) Cipher Name: SSL3-EDH-RSA-DES-CBC-SHA
Description: SSLv3 Kx=DH Au=RSA Enc=DES(56) Mac=SHA1
9) Cipher Name: SSL3-EXP-EDH-RSA-DES-CBC-SHA
Description: SSLv3 Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 Export
10) Cipher Name: SSL3-ADH-DES-CBC-SHA
Description: SSLv3 Kx=DH Au=None Enc=DES(56) Mac=SHA1
11) Cipher Name: SSL3-EXP-ADH-DES-CBC-SHA
Description: SSLv3 Kx=DH(512) Au=None Enc=DES(40) Mac=SHA1 Export
Related Commands
set ssl service
set ssl vserver
Synopsis
set ssl vserver <vServerName>@ [-clearTextPort <port>] [-dh ( ENABLED | DISABLED ) -dhFile <string>] [-dhCount <positive_integer>] [-eRSA ( ENABLED | DISABLED ) [-eRSACount <positive_integer>]] [-sessReuse ( ENABLED | DISABLED ) [-sessTimeout <positive_integer>]] [-certHeader ( ENABLED | DISABLED ) -certH <string>] [-certSubject ( ENABLED | DISABLED ) -certS <string>] [-certIssuer ( ENABLED | DISABLED ) -certI <string>] [-sessHeader ( ENABLED | DISABLED ) -sessH <string>] [-cipherHeader ( ENABLED | DISABLED ) -cipherH <string>] [-cipherRedirect ( ENABLED | DISABLED ) [-cipherURL <URL>]] [-sslv2Redirect ( ENABLED | DISABLED ) [-sslv2URL <URL>]] [-clientAuth ( ENABLED | DISABLED ) [-clientCert ( Mandatory | Optional )]] [-owa_support ( ENABLED | DISABLED )] [-ssl_redirect ( ENABLED | DISABLED )] [-redirectPortRewrite ( ENABLED | DISABLED )] [-nonFipsCiphers ( ENABLED | DISABLED )] [-ssl2 ( ENABLED | DISABLED )] [-ssl3 ( ENABLED | DISABLED )] [-tls1 ( ENABLED | DISABLED )]
Description
Use this command to set the advanced SSL configuration for an SSL virtual server.
Arguments
vServerName
The name of the SSL virtual server.
clearTextPort
The port on the back-end web servers to which the NetScaler system sends the clear-text data. Use this setting for the wildcard IP based SSL Acceleration configuration (*:443).
dh
Use this option to enable or disable DH key exchange support for the specified SSL virtual server.
Possible values: ENABLED, DISABLED
Default value: DISABLED
dhFile
The file name and path for the DH parameter. The file format is PEM. Note: The '-dh' argument must be enabled if this argument is specified.
dhCount
The refresh count for the re-generation of DH public-key and private-key from the DH parameter. The value must be a positive integer, zero (0), or any number greater than or equal to 500. Zero means infinite usage (no refresh). Note: The '-dh' argument must be enabled if this argument is specified.
Default value: 0
eRSA
Use this option to enable or disable Ephemeral RSA key exchange support for the SSL virtual server.
Possible values: ENABLED, DISABLED
Default value: ENABLED
eRSACount
The refresh count for the re-generation of the RSA public-key and private-key pair. The value has to be a positive integer (zero (0), or any number greater than or equal to 500). Zero means infinite usage (no refresh). Note: The '-eRSA' argument must be enabled if this argument is specified.
Default value: 0
sessReuse
Use this option to enable or disable session re-use support for the SSL virtual server.
Possible values: ENABLED, DISABLED
Default value: ENABLED
sessTimeout
The session timeout value in seconds. The value has to be a positive integer. The '-sessReuse' argument must be enabled if this argument is specified.
Default value: 120
certHeader
Use this option to enable or disable the insertion of the client certificate in the HTTP header when the request is sent to the web server. The client certificate insertion is done only when the SSL virtual server is configured to perform Client-Authentication. Thus the '-clientAuth' argument must be enabled.
Possible values: ENABLED, DISABLED
Default value: DISABLED
certH
The tag name to be used while inserting the certificate in the HTTP header. The '-certHeader' argument must be enabled if this argument is specified.
certSubject
Use this option to enable or disable the insertion of the client certificate's Subject Name in the HTTP header of the request being sent to the web server.
Possible values: ENABLED, DISABLED
Default value: DISABLED
certS
The tag name that is used when inserting the Certificate Subject Name in the HTTP header. The '-certSubject' argument must be enabled if this argument is specified.
certIssuer
Use this option to enable or disable the insertion of the client certificate's Issuer Name in the HTTP header of the request being sent to the web server.
Possible values: ENABLED, DISABLED
Default value: DISABLED
certI
The tag name that is used when inserting the Certificate Issuer Name in the HTTP header. The '-certIssuer' argument must be enabled if this argument is specified.
sessHeader
Use this option to enable or disable the insertion of the Session-ID in the HTTP header of the request being sent to the web server.
Possible values: ENABLED, DISABLED
Default value: DISABLED
sessH
The tag name that is used when inserting the Session-ID in the HTTP header. The '-sessHeader' argument must be enabled if this argument is specified.
cipherHeader
Use this option to enable or disable the insertion of the cipher negotiated with the client in the HTTP header of the request being sent to the web server.
Possible values: ENABLED, DISABLED
Default value: DISABLED
cipherH
The tag name that is used when inserting the negotiated cipher in the HTTP header. The '-cipherHeader' argument must be enabled if this argument is specified.
cipherRedirect
Use this option to enable or disable the Cipher Redirect feature.
Possible values: ENABLED, DISABLED
Default value: DISABLED
cipherURL
The redirect URL to be used with the Cipher Redirect feature.
sslv2Redirect
Use this option to enable or disable the SSLv2 Redirect feature.
Possible values: ENABLED, DISABLED
Default value: DISABLED
sslv2URL
The redirect URL to be used with the SSLv2 Redirect feature.
clientAuth
Use this option to enable or disable Client-Authentication support for the SSL virtual server.
Possible values: ENABLED, DISABLED
Default value: DISABLED
clientCert
Use this option to set the rule for client authentication. If clientCert is set to Mandatory, the NetScaler system will terminate the SSL handshake if the SSL client does not provide a valid certificate. If the setting is Optional, then NetScaler will allow SSL clients with no certificate or invalid certificates to access the secure resource. Note: Make sure proper access control policies are defined before changing the above setting to Optional.
Possible values: Mandatory, Optional
owa_support
Use this option to enable or disable Outlook Web-Access support. If the NetScaler system is in front of an Outlook Web Access (OWA) server, a special header field, 'FRONT-END-HTTPS: ON', needs to be inserted in the HTTP requests going to the OWA server. Note: This parameter is required as the SSL requests (HTTPS) arrive at the back-end Exchange-2000 server on the configured HTTP port (80) instead of arriving at the front-end Exchange 2000 server.
Possible values: ENABLED, DISABLED
Default value: DISABLED
ssl_redirect
Use this option to enable or disable HTTPS redirects for the SSL virtual server. This is required for proper working of the redirect messages from the web server. The redirect message from the server gives the new location for the moved object. This is contained in the HTTP header field Location (for example, Location: http://www.moved.org/here.html). For an SSL session, if the client browser receives this message, the browser will try to connect to the new location. This will break the secure SSL session, as the object has moved from a secure site (https://) to an unsecured one (http://). Browsers usually flash a warning message on the screen and prompt the user to either continue or disconnect. When the above feature is enabled, all such http:// redirect messages are automatically converted to https://. This does not break the client SSL session.
Possible values: ENABLED, DISABLED
Default value: DISABLED
redirectPortRewrite
Use this option to enable port rewrite while performing HTTPS redirect.
Possible values: ENABLED, DISABLED
Default value: DISABLED
nonFipsCiphers
Use this option to enable or disable the use of non-FIPS-approved ciphers. Valid only for an SSL vserver bound with a FIPS key and certificate.
Possible values: ENABLED, DISABLED
Default value: DISABLED
ssl2
Use this option to enable or disable SSLv2 protocol support for the SSL virtual server.
Possible values: ENABLED, DISABLED
Default value: DISABLED
ssl3
Use this option to enable or disable SSLv3 protocol support for the SSL virtual server.
Possible values: ENABLED, DISABLED
Default value: ENABLED
tls1
Use this option to enable or disable TLSv1 protocol support for the SSL virtual server.
Possible values: ENABLED, DISABLED
Default value: ENABLED
Example
1) set ssl vserver sslvip -dh ENABLED -dhFile /siteA/dh1024.pem -dhCount 500
The above example sets the DH parameters for the SSL virtual server 'sslvip'.
2) set ssl vserver sslvip -certHeader ENABLED -certH CLIENT_CERT
The above example enables the client certificate insertion for the SSL virtual server 'sslvip'.
3) set ssl vserver sslvip -ssl2 DISABLED
The above example disables the support for SSLv2 protocol for the SSL virtual server 'sslvip'.
Related Commands
show ssl vserver
show ssl vserver
Synopsis
show ssl vserver <vServerName>
Description
Use this command to display all the SSL-specific configurations for an SSL virtual server. This includes information about the advanced SSL configurations, certificate bindings, and cipher-suite configurations.
Arguments
vServerName
The name of the SSL virtual server for which the configuration details are displayed.
Output
clearTextPort
dh
dhFile
dhCount
eRSA
eRSACount
sessReuse
sessTimeout
certHeader
certH
certSubject
certS
certIssuer
certI
sessHeader
sessH
cipherHeader
cipherH
cipherRedirect
cipherURL
sslv2Redirect
sslv2URL
clientAuth
clientCert
owa_support
ssl_redirect
redirectPortRewrite
nonFipsCiphers
ssl2
ssl3
tls1
cipherAliasName/cipherName/cipherGroupName
description
service
certkeyName
serviceName
Example
An example of the output of the show vserver sslvip command is as follows:
sh ssl vserver va1
Advanced SSL configuration for VServer va1:
DH: DISABLED
Ephemeral RSA: ENABLED Refresh Count: 0
Session Reuse: DISABLED
Session-ID Header: DISABLED
Cert Header: DISABLED
Cert DN Header: DISABLED
Cert Issuer Header: DISABLED
Cipher Header: DISABLED
Cipher Redirect: DISABLED
SSLv2 Redirect: DISABLED
ClearText Port: 0
Client Auth: DISABLED
SSL Redirect: DISABLED
Non FIPS Ciphers: DISABLED
OWA Support: DISABLED
SSLv2: DISABLED SSLv3: ENABLED TLSv1: ENABLED
1 bound certificate:
1) CertKey Name: buy Server Certificate
1 bound CA certificate:
1) CertKey Name: rtca CA Certificate
11 configured ciphers:
1) Cipher Name: SSL3-DES-CBC-SHA
Description: SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
2) Cipher Name: TLS1-EXP1024-DES-CBC-SHA
Description: TLSv1 Kx=RSA(1024) Au=RSA Enc=DES(56) Mac=SHA1 Export
3) Cipher Name: SSL3-EXP-DES-CBC-SHA
Description: SSLv3 Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 Export
4) Cipher Name: SSL2-DES-CBC-MD5
Description: SSLv2 Kx=RSA Au=RSA Enc=DES(56) Mac=MD5
5) Cipher Name: SSL3-EDH-DSS-DES-CBC-SHA
Description: SSLv3 Kx=DH Au=DSS Enc=DES(56) Mac=SHA1
6) Cipher Name: TLS1-EXP1024-DHE-DSS-DES-CBC-SHA
Description: TLSv1 Kx=DH(1024) Au=DSS Enc=DES(56) Mac=SHA1 Export
7) Cipher Name: SSL3-EXP-EDH-DSS-DES-CBC-SHA
Description: SSLv3 Kx=DH(512) Au=DSS Enc=DES(40) Mac=SHA1 Export
8) Cipher Name: SSL3-EDH-RSA-DES-CBC-SHA
Description: SSLv3 Kx=DH Au=RSA Enc=DES(56) Mac=SHA1
9) Cipher Name: SSL3-EXP-EDH-RSA-DES-CBC-SHA
Description: SSLv3 Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 Export
10) Cipher Name: SSL3-ADH-DES-CBC-SHA
Description: SSLv3 Kx=DH Au=None Enc=DES(56) Mac=SHA1
11) Cipher Name: SSL3-EXP-ADH-DES-CBC-SHA
Description: SSLv3 Kx=DH(512) Au=None Enc=DES(40) Mac=SHA1 Export
Related Commands
bind ssl certkey
bind ssl cipher
set ssl vserver
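An added example, not part of the Citrix guide: a Python audit of the show ssl vserver output printed above, reporting the enabled protocols and configured ciphers a reviewer would question. The thresholds and rule wording (DEPRECATED_PROTOCOLS, MIN_ENC_BITS, the issue labels) are assumptions of this example, not NetScaler behaviour.

```python
import re

# The `sh ssl vserver va1` output printed in the example above, re-wrapped
# (the certificate-binding lines are left out; they are not parsed here).
SAMPLE = """\
Advanced SSL configuration for VServer va1:
DH: DISABLED Ephemeral RSA: ENABLED Refresh Count: 0 Session Reuse: DISABLED
Cipher Redirect: DISABLED SSLv2 Redirect: DISABLED ClearText Port: 0
Client Auth: DISABLED SSL Redirect: DISABLED Non FIPS Ciphers: DISABLED
SSLv2: DISABLED SSLv3: ENABLED TLSv1: ENABLED
11 configured ciphers:
1) Cipher Name: SSL3-DES-CBC-SHA Description: SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
2) Cipher Name: TLS1-EXP1024-DES-CBC-SHA Description: TLSv1 Kx=RSA(1024) Au=RSA Enc=DES(56) Mac=SHA1 Export
3) Cipher Name: SSL3-EXP-DES-CBC-SHA Description: SSLv3 Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 Export
4) Cipher Name: SSL2-DES-CBC-MD5 Description: SSLv2 Kx=RSA Au=RSA Enc=DES(56) Mac=MD5
5) Cipher Name: SSL3-EDH-DSS-DES-CBC-SHA Description: SSLv3 Kx=DH Au=DSS Enc=DES(56) Mac=SHA1
6) Cipher Name: TLS1-EXP1024-DHE-DSS-DES-CBC-SHA Description: TLSv1 Kx=DH(1024) Au=DSS Enc=DES(56) Mac=SHA1 Export
7) Cipher Name: SSL3-EXP-EDH-DSS-DES-CBC-SHA Description: SSLv3 Kx=DH(512) Au=DSS Enc=DES(40) Mac=SHA1 Export
8) Cipher Name: SSL3-EDH-RSA-DES-CBC-SHA Description: SSLv3 Kx=DH Au=RSA Enc=DES(56) Mac=SHA1
9) Cipher Name: SSL3-EXP-EDH-RSA-DES-CBC-SHA Description: SSLv3 Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 Export
10)Cipher Name: SSL3-ADH-DES-CBC-SHA Description: SSLv3 Kx=DH Au=None Enc=DES(56) Mac=SHA1
11)Cipher Name: SSL3-EXP-ADH-DES-CBC-SHA Description: SSLv3 Kx=DH(512) Au=None Enc=DES(40) Mac=SHA1 Export
"""

# Assumptions of this example: which protocols to report and the minimum
# symmetric key size to accept.
DEPRECATED_PROTOCOLS = ("SSLv2", "SSLv3")
MIN_ENC_BITS = 128

# "SSLv2: DISABLED" matches; "SSLv2 Redirect: DISABLED" does not (no colon
# directly after the protocol name).
PROTOCOL_RE = re.compile(r"\b(SSLv2|SSLv3|TLSv1):\s*(ENABLED|DISABLED)")
CIPHER_RE = re.compile(
    r"Cipher Name:\s*(?P<name>\S+)\s+Description:\s*(?P<proto>\S+)\s+"
    r"Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>[\w-]+)(?:\((?P<bits>\d+)\))?\s+"
    r"Mac=(?P<mac>\S+)(?P<export>\s+Export\b)?"
)


def parse(text):
    """Return ({protocol: enabled?}, [cipher field dicts]) from the CLI output."""
    protocols = {m.group(1): m.group(2) == "ENABLED"
                 for m in PROTOCOL_RE.finditer(text)}
    ciphers = [m.groupdict() for m in CIPHER_RE.finditer(text)]
    return protocols, ciphers


def cipher_issues(cipher):
    """List the reasons one parsed cipher entry is reported."""
    issues = []
    if cipher["export"]:
        issues.append("export-grade")
    if cipher["au"] == "None":
        issues.append("anonymous key exchange")
    bits = int(cipher["bits"] or 0)  # no key size printed counts as 0 bits
    if bits < MIN_ENC_BITS:
        issues.append(f"{cipher['enc']} {bits}-bit encryption")
    if cipher["mac"] == "MD5":
        issues.append("MD5 MAC")
    if cipher["proto"] == "SSLv2":
        issues.append("SSLv2 suite")
    return issues


def audit(text):
    """Return one finding string per enabled deprecated protocol and weak cipher."""
    protocols, ciphers = parse(text)
    findings = [f"protocol {p} is ENABLED"
                for p in DEPRECATED_PROTOCOLS if protocols.get(p)]
    for cipher in ciphers:
        issues = cipher_issues(cipher)
        if issues:
            findings.append(f"cipher {cipher['name']}: " + ", ".join(issues))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

On the sample, every one of the 11 configured ciphers is reported, and an SSLv2 suite is still in the cipher list even though SSLv2 itself shows DISABLED.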
create ssl wrapkey
Synopsis
create ssl wrapkey <wrapKeyName> -password <string> -salt <string>
Description
Use this command to generate a wrap key.
Arguments
wrapKeyName
The object name for the wrap key.
password
The password string for the wrap key.
salt
The salt string for the wrap key.
Example
create wrapkey wrap1 -password wrapkey123 -salt wrapsalt123
Related Commands
rm ssl wrapkey
show ssl wrapkey
rm ssl wrapkey
Synopsis
rm ssl wrapkey <wrapKeyName> ...
Description
Use this command to remove the specified wrapkey(s) from the NetScaler system.
Arguments
wrapKeyName
The name of the wrapkey(s) to be removed from the NetScaler system.
Example
rm wrapkey wrap1
Related Commands
create ssl wrapkey
show ssl wrapkey
show ssl wrapkey
Synopsis
show ssl wrapkey
Description
Use this command to display the wrap keys.
Output
wrapKeyName
Example
An example of the output of the 'show wrapkey' command is shown below:
sh wrapkey
1 WRAP key:
1) WRAP Key Name: wrap1
Related Commands
create ssl wrapkey
rm ssl wrapkey
init ssl fipsSIMsource
Synopsis
init ssl fipsSIMsource <certFile>
Description
Use this command to initialize the source FIPS system for participating in secure exchange of keys with another FIPS system. The command is used for secure transfer of FIPS keys from the primary NetScaler system to the secondary NetScaler system.
Arguments
certFile
The file name and path where the source FIPS system's certificate is to be stored. The default output path for the certificate file is /nsconfig/ssl/.
Example
init fipsSIMsource /nsconfig/ssl/source.cert
Related Commands
enable ssl fipsSIMsource
init ssl fipsSIMtarget
Synopsis
init ssl fipsSIMtarget <certFile> <keyVector> <targetSecret>
Description
Use this command to initialize the target FIPS system for participating in secure exchange of keys with another FIPS system. The command is used for secure transfer of FIPS keys from the primary NetScaler system to the secondary NetScaler system.
Arguments
certFile
The source FIPS system's certificate file name and path. The default input path for the certificate file is /nsconfig/ssl/.
keyVector
The file name and path for storing the target FIPS system's key-vector. The default output path for the key-vector is /nsconfig/ssl/.
targetSecret
The file name and path for storing the target FIPS system's secret data. The default output path for the secret data is /nsconfig/ssl/.
Example
init fipsSIMtarget /nsconfig/ssl/source.cert /nsconfig/ssl/target.key /nsconfig/ssl/target.secret
Related Commands
enable ssl fipsSIMtarget
enable ssl fipsSIMtarget
Synopsis
enable ssl fipsSIMtarget <keyVector> <sourceSecret>
Description
Use this command to enable the target FIPS system to participate in secure exchange of keys with another FIPS system. The command is used for secure transfer of FIPS keys from the primary NetScaler system to the secondary NetScaler system.
Arguments
keyVector
The file name and path for storing the target FIPS system's secret data. The default output path for the secret data is /nsconfig/ssl/.
sourceSecret
The file name and path for the source FIPS system's secret data. The default input path for the secret data is /nsconfig/ssl/.
Example
enable fipsSIMtarget /nsconfig/ssl/target.key /nsconfig/ssl/source.secret
Related Commands
init ssl fipsSIMtarget
enable ssl fipsSIMsource
Synopsis
enable ssl fipsSIMsource <targetSecret> <sourceSecret>
Description
Use this command to enable the source FIPS system for participating in secure exchange of keys with another FIPS system. The command is used for secure transfer of FIPS keys from the primary NetScaler system to the secondary NetScaler system.
Arguments
targetSecret
The file name and path for the target FIPS system's secret data. The default input path for the secret data is /nsconfig/ssl/.
sourceSecret
The file name and path for storing the source FIPS system's secret data. The default output path for the secret data is /nsconfig/ssl/.
Example
enable fipsSIMsource /nsconfig/ssl/target.secret /nsconfig/ssl/source.secret
Related Commands
init ssl fipsSIMsource
System Commands
This chapter covers the system commands.
batch
Synopsis
batch [-fileName <input_filename>] [-outfile <output_filename>] [-ntimes <positive_integer>]
Description
Use this command to read the contents of a file and execute each line as a separate CLI command. Each command in the file being read must be on a separate line. Lines starting with # are considered comments.
Arguments
fileName
The name of the batch file.
outfile
The name of the file that the output of the executed batch file will be written to.
ntimes
The number of times the batch file is to be executed.
Default value: 1
Example
batch -f cmds.txt
Related Commands
ping
Synopsis
ping [-c <count>] [-i <interval>] [-I <interface>] [-n] [-p <pattern>] [-q] [-s <size>] [-S <src_addr>] [-t <timeout>] <hostname>
Description
Use this command to invoke the UNIX ping command. The <hostname> option is used if the name is in the /etc/hosts file or is otherwise known in DNS.
Arguments
c
Number of packets to send (default is infinite)
i
Waiting time in seconds (default is 1 sec)
I
Network interface on which to ping, if you have multiple interfaces
n
Numeric output only - no name resolution
p
Pattern to fill in packets. Can be up to 16 bytes, useful for diagnosing data-dependent problems.
q
Quiet output - only summary is printed
s
Data size in bytes (default is 56)
S
The source IP address to be used in the outgoing query packets. If the IP address is not one of this machine's addresses, an error is returned and nothing is sent.
t
Timeout in seconds before ping exits
hostname
Address of host to ping
Example
ping -p ff -I rl0 -c 4 10.102.4.107
Related Commands
traceroute
grep
shell
scp
traceroute
Synopsis
traceroute [-S] [-n] [-r] [-v] [-M <min_ttl>] [-m <max_ttl>] [-P <protocol>] [-p <portno>] [-q <nqueries>] [-s <src_addr>] [-t <tos>] [-w <wait>] <host> [<packetlen>]
Description
Use this command to invoke the UNIX traceroute command. Traceroute attempts to track the route that the packets follow to reach the destination host.
Arguments
S
Print a summary of how many probes were not answered for each hop.
n
Print hop addresses numerically rather than symbolically and numerically.
r
Bypass the normal routing tables and send directly to a host on an attached network. If the host is not on a directly-attached network, an error is returned.
v
Verbose output. Received ICMP packets other than TIME_EXCEEDED and UNREACHABLEs are listed.
M
The minimum TTL value used in outgoing probe packets.
Default value: 1
m
The maximum TTL value used in outgoing probe packets.
Default value: 64
P
Send packets of specified IP protocol. The currently supported protocols are UDP and ICMP.
p
The base port number used in probes.
Default value: 33434
q
The number of queries per hop.
Default value: 3
s
The source IP address to be used in the outgoing query packets. If the IP address is not one of this machine's addresses, an error is returned and nothing is sent.
t
The type-of-service in query packets.
Default value: 0
w
The time (in seconds) to wait for a response to a query.
Default value: 5
host
The destination host IP address or name.
packetlen
The packet length (in bytes) of the query packets.
Default value: 44
Example
traceroute 10.102.4.107
Related Commands
ping
grep
shell
scp
grep
Synopsis
grep [-c] [-E] [-i] [-v] [-w] [-x] <pattern>
Description
Use grep to search files or output for lines containing a match to the given <pattern>. By default, grep prints the matching lines.
Arguments
c
Suppress normal output; instead print a count of matching lines. With the -v option, count non-matching lines.
E
Interpret <pattern> as an extended regular expression.
i
Ignore case distinctions.
v
Invert the sense of matching, to select non-matching lines.
w
Select only those lines containing matches that form whole words.
x
Select only those matches that exactly match the whole line.
pattern
The pattern (regular expression or text string) being sought.
Example
show ns info | grep off -i
Related Commands
ping
traceroute
shell
scp
shell
Synopsis
shell
Description
Use this command to exit to the FreeBSD command prompt, where FreeBSD commands may be entered. Press the <Control> + <D> keys or type exit to return to the NetScaler system CLI prompt.
Arguments
Example
> shell
# ps | grep nscli
485 p0 S 0:01.12 -nscli (nscli)
590 p0 S+ 0:00.00 grep nscli
# ^D
Done
>
Related Commands
ping
traceroute
grep
scp
scp
Synopsis
scp [-r] [-C] [-q] <sourceString> <destString>
Description
Use this command to securely copy data from one computer to another via the SSH protocol.
Arguments
r
Recursively copy subdirectories
C
Enable compression
q
Quiet output - disable progress meter
sourceString
The source user, host and file path, specified as user@host:path/to/copy/from. User and host parts are optional.
destString
The destination user, host and file path, specified as user@host:path/to/copy/to. User and host parts are optional.
Example
scp /nsconfig/ns.conf [email protected]:/nsconfig/
Related Commands
ping
traceroute
grep
shell
add system cmdPolicy
Synopsis
add system cmdPolicy <policyName> <action> <cmdSpec>
Description
Use this command to add a system command policy to the system.
Arguments
policyName
The name for the new command policy.
action
The action the cmdPolicy applies when the cmdSpec pattern matches a command entered by a system user. The valid actions are ALLOW and DENY, which permit or refuse execution of the entered command.
Possible values: ALLOW, DENY
cmdSpec
The matching rule that the command policy uses. This rule is a regular expression that the policy matches against the command a system user executes.
Related Commands
rm system cmdPolicy
set system cmdPolicy
show system cmdPolicy
rm system cmdPolicy
Synopsis
rm system cmdPolicy <policyName>
Description
Use this command to remove a system command policy.
Arguments
policyName
The name of the command policy to be removed.
Related Commands
add system cmdPolicy
set system cmdPolicy
show system cmdPolicy
set system cmdPolicy
Synopsis
set system cmdPolicy <policyName> <action> <cmdSpec>
Description
Use this command to modify an already configured command policy.
Arguments
policyName
The name of the command policy to be modified.
action
The new command policy action to be used by the policy.
Possible values: ALLOW, DENY
cmdSpec
The new pattern matching regular expression that the policy is to use.
Related Commands
add system cmdPolicy
rm system cmdPolicy
show system cmdPolicy
show system cmdPolicy
Synopsis
show system cmdPolicy [<policyName>]
Description
Use this command to display configured command policies.
Arguments
policyName
The name of a specific command policy to display. When this option is omitted, a listing of the configured command policies is shown.
Output
action
Specifies the policy action.
cmdSpec
Specifies the policy.
Related Commands
add system cmdPolicy
rm system cmdPolicy
set system cmdPolicy
add system user
Synopsis
add system user <userName> {<password>}
Description
Use this command to add a new system user to the system.
Arguments
userName
The name for the new system user.
password
The new system user's password.
Related Commands
set system user
rm system user
show system user
set system user
Synopsis
set system user <userName> {<password>}
Description
Use this command to set a system user's password.
Arguments
userName
The name of the system user to be modified.
password
The new password for the system user.
Related Commands
add system user
rm system user
show system user
rm system user
Synopsis
rm system user <userName>
Description
Use this command to remove a system user.
Arguments
userName
The name of the system user to be removed.
Related Commands
add system user
set system user
show system user
show system user
Synopsis
show system user [<userName>]
Description
Use this command to display configured system users.
Arguments
userName
The name of a system user to display details for. If this argument is omitted, a listing of the configured system users is shown.
Output
groupName
Specifies the system group.
policyName
The command policy name.
priority
The priority of the command policy.
Related Commands
add system user
set system user
rm system user
bind system user
Synopsis
bind system user <userName> <policyName> <priority>
Description
Use this command to bind attributes to a system user.
Arguments
userName
The name of the system user being modified.
policyName
The name of the command policy being bound to the system user.
priority
The priority the command policy is to be bound with.
Related Commands
unbind system user
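An added example, not part of the Citrix guide: a Python model of command policies bound to a user, for checking what a set of ALLOW/DENY cmdSpec regular expressions would decide before binding them. The guide does not state the evaluation order or the match mode, so this example assumes ascending priority number, first match decides, default DENY, and takes the match mode (substring or whole command) as a parameter; Binding, decide and mode_sensitive are names made up here.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    """One command policy as bound with `bind system user`."""
    policy_name: str
    action: str     # "ALLOW" or "DENY", the two actions the guide lists
    cmd_spec: str   # regular expression, as passed in <cmdSpec>
    priority: int


def decide(bindings, command, full_match=False, default="DENY"):
    """Return (action, policy_name) for one entered command.

    Assumed semantics (not taken from the guide): bindings are tried in
    ascending priority number, the first cmdSpec that matches decides, and a
    command no policy matches gets `default`.
    """
    for binding in sorted(bindings, key=lambda b: b.priority):
        pattern = re.compile(binding.cmd_spec)
        hit = pattern.fullmatch(command) if full_match else pattern.search(command)
        if hit:
            return binding.action, binding.policy_name
    return default, None


def mode_sensitive(bindings, commands):
    """Commands whose decision differs between substring and whole-command
    matching, i.e. where the cmdSpec's meaning depends on an unstated detail."""
    return [c for c in commands
            if decide(bindings, c) != decide(bindings, c, full_match=True)]


# Constructed policies and commands for illustration.
LOOSE = [Binding("ro_loose", "ALLOW", "show", 10)]
STRICT = [Binding("ro_strict", "ALLOW", r"^show\s.*$", 10)]
LAYERED = [
    Binding("allow_all", "ALLOW", ".*", 100),
    Binding("no_shell", "DENY", r"^shell$", 5),
]
COMMANDS = ["show ssl vserver va1", "rm system user showroom", "shell"]


if __name__ == "__main__":
    for name, bindings in (("LOOSE", LOOSE), ("STRICT", STRICT), ("LAYERED", LAYERED)):
        for command in COMMANDS:
            print(name, repr(command), decide(bindings, command))
        print(name, "mode-sensitive:", mode_sensitive(bindings, COMMANDS))
```

An anchored cmdSpec such as ^show\s.*$ gives the same decision under either match mode, which is why mode_sensitive returns an empty list for STRICT.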
unbind system user
Synopsis
unbind system user <userName> <policyName>
Description
Use this command to unbind attributes of a system user.
Arguments
userName
The name of the system user being modified.
policyName
The name of the command policy to be unbound.
Related Commands
bind system user
add system group
Synopsis
add system group <groupName>
Description
Use this command to add a new system group.
Arguments
groupName
The new system group's name.
Related Commands
rm system group
show system group
rm system group
Synopsis
rm system group <groupName>
Description
Use this command to remove a system group.
Arguments
groupName
The name of the system group to be removed.
Related Commands
add system group
show system group
show system group
Synopsis
show system group [<groupName>]
Description
Displays the configured system groups.
Arguments
groupName
The name of the system group to display details of. If this argument is omitted, a list of all the configured system groups is displayed.
Output
userName
Specifies the system user.
policyName
Specifies the command policy name.
priority
Specifies the priority of the command policy.
Related Commands
add system group
rm system group
bind system group
Synopsis
bind system group <groupName> [-userName <string>] [-policyName <string> <priority>]
Description
Use this command to bind entities to a system group.
Arguments
groupName
The name of the system group to be modified.
userName
The name of a system user to be bound to the group.
policyName
The name of the command policy to be bound to the group.
Related Commands
unbind system group
unbind system group
Synopsis
unbind system group <groupName> [-userName <string>] [-policyName <string>]
Description
Use this command to unbind entities from a system group.
Arguments
groupName
The system group to be modified.
userName
The name of a system user to be unbound from the group.
policyName
The command policy to be unbound from the group.
Related Commands
bind system group
bind system global
Synopsis
bind system global [<policyName> [-priority <positive_integer>]]
Description
Use this command to bind entities to system global.
Arguments
policyName
The name of the policy to be bound to system global.
Related Commands
unbind system global
show system global
unbind system global
Synopsisunbind system global [<policyName>]
DescriptionUse this command to unbind entities from system global.
Arguments
policyNameThe name of the command policy to be unnbound.
Related Commandsbind system globalshow system global
show system global
Synopsis
show system global
Description
Use this command to display system global bindings.
Arguments
Output
policyName: Specifies the command policy name.
priority: Specifies the priority of the command policy.
Related Commands
bind system global
unbind system global
Tunnel Commands
This chapter covers the tunnel commands.
add tunnel trafficpolicy
Synopsis
add tunnel trafficpolicy <name> <rule> <action>
Description
Use this command to create a tunnel trafficpolicy.
Arguments
name: The name of the new tunnel trafficpolicy.
rule: The expression specifying the condition under which this policy is applied.
action: The name of the action to be performed. The string value may be one of the following built-in compression actions:
COMPRESS: Enables default compression (DEFLATE).
NOCOMPRESS: Disables compression.
GZIP: Enables GZIP compression.
DEFLATE: Enables DEFLATE compression.
Example
Example 1:
add tunnel trafficpolicy cmp_all_destport "REQ.TCP.DESTPORT == 0-65535" GZIP
After creating the above tunnel policy, it can be activated by binding it globally:
bind tunnel global cmp_all_destport
The policy is evaluated for all traffic flowing through the ssl-vpn tunnel, and compresses traffic for all TCP application ports.
Example 2: The following tunnel policy disables compression for all access from a specific subnet:
add tunnel trafficpolicy local_sub_nocmp "SOURCEIP == 10.1.1.0 -netmask 255.255.255.0" NOCOMPRESS
bind tunnel global local_sub_nocmp
Related Commands
rm tunnel trafficpolicy
show tunnel trafficpolicy
set tunnel trafficpolicy
rm tunnel trafficpolicy
Synopsis
rm tunnel trafficpolicy <name>
Description
Use this command to remove a tunnel traffic policy.
Arguments
name: The name of the tunnel traffic policy.
Example
rm tunnel trafficpolicy tunnel_policy_name
The "show tunnel trafficpolicy" command shows all tunnel policies that are currently defined.
Related Commands
add tunnel trafficpolicy
show tunnel trafficpolicy
set tunnel trafficpolicy
show tunnel trafficpolicy
Synopsis
show tunnel trafficpolicy [<name>]
Description
Use this command to show all tunnel policies that are currently defined.
Arguments
name: The name of the tunnel traffic policy.
Output
name
rule
action
hits
txbytes
rxbytes
Example
> show tunnel trafficpolicy
2 Tunnel policies:
1) Name: local_sub_nocmp Rule: SOURCEIP == 10.1.1.0 -netmask 255.255.255.0 Action: NOCOMPRESS Hits: 3
2) Name: cmp_all Rule: REQ.TCP.DESTPORT == 0-65535 Action: GZIP Hits: 57125
Bytes In:...796160 Bytes Out:... 197730 Bandwidth saving...75.16% Ratio 4.03:1
Done
Related Commands
add tunnel trafficpolicy
rm tunnel trafficpolicy
set tunnel trafficpolicy
set tunnel trafficpolicy
Synopsis
set tunnel trafficpolicy <name> [-rule <expression>] [-action <string>]
Description
Use this command to modify the rule and/or action of an existing tunnel traffic policy, created using the "add tunnel trafficpolicy" command.
Arguments
name: The name of the policy to be modified.
rule: The new rule to be used in the policy.
action: The new action to be applied by the policy.
Example
add tunnel trafficpolicy cmp_all_destport "REQ.TCP.DESTPORT == 0-65535" GZIP
set tunnel trafficpolicy cmp_all_destport -action NOCOMPRESS
The above 'set' command changes the action for policy cmp_all_destport from GZIP to NOCOMPRESS.
Related Commands
add tunnel trafficpolicy
rm tunnel trafficpolicy
show tunnel trafficpolicy
bind tunnel global
Synopsis
bind tunnel global (<policyName> [-priority <positive_integer>]) [-state ( ENABLED | DISABLED )]
Description
Use this command to activate the tunnel traffic policy globally. The tunnel policies are created using the "add tunnel trafficpolicy" command. The command "show tunnel trafficpolicy" shows all the existing tunnel policies and the command "show tunnel global" shows all the globally active tunnel policies. Note that the ssl-vpn license is required for the tunnel compression feature to work.
Arguments
policyName: The name of the tunnel traffic policy to be bound.
state: The current state of the binding. Possible values: ENABLED, DISABLED. Default value: ENABLED
Example
add tunnel trafficpolicy cmp_all_destport "REQ.TCP.DESTPORT == 0-65535" GZIP
After creating the above tunnel policy, it can be activated by binding it globally:
bind tunnel global cmp_all_destport
After binding the cmp_all_destport compression policy globally, the policy is activated and the NetScaler will compress all TCP traffic accessed through the ssl-vpn tunnel. Globally active tunnel policies can be seen using the command:
> show tunnel global
1 Globally Active Tunnel Policies:
1) Policy Name: cmp_all_destport Priority: 0
Done
Related Commands
unbind tunnel global
show tunnel global
unbind tunnel global
Synopsis
unbind tunnel global <policyName>
Description
Use this command to deactivate an active tunnel traffic policy. Use command "show tunnel global" to see all the globally active tunnel policies.
Arguments
policyName: The name of the tunnel traffic policy.
Example
Globally active tunnel policies can be seen using command:
> show tunnel global
1 Globally Active Tunnel Policies:
1) Policy Name: cmp_all_destport Priority: 0
Done
The globally active tunnel traffic policy can be deactivated on the NetScaler system by issuing the command:
unbind tunnel global cmp_all_destport
Related Commands
bind tunnel global
show tunnel global
show tunnel global
Synopsis
show tunnel global
Description
Use this command to display globally active tunnel policies.
Arguments
Output
policyName
priority
state: The current state of the binding.
Example
> sh tunnel global
1) Policy Name: cmp_all_destport Priority: 0
2) Policy Name: local_sub_nocmp Priority: 500
Done
Related Commands
bind tunnel global
unbind tunnel global
SSLVPN Commands
This chapter covers the SSL VPN commands.
stat vpn
Synopsis
stat vpn [-detail] [-fullValues] [-ntimes <positive_integer>] [-logFile <input_filename>]
Description
This command displays VPN statistics.
Counters
Login-page requests received (iHtHit): Total number of login-page requests received by the SSLVPN server.
Login-page delivery failures (iHtFail): Number of times the login page has not been delivered by the SSLVPN server.
Client-configuration requests (cfgHit): Total number of SSLVPN-client configuration requests received by the SSLVPN server. In response, the SSLVPN server returns information to configure the SSLVPN client.
DNS queries received (dnsHit): Total number of DNS queries received by the SSLVPN server.
WINS queries received (winsHit): Total number of WINS queries received by the SSLVPN server.
Number of SSLVPN tunnels (csHit): Total number of SSLVPN tunnels created between SSLVPN client and server.
Backend non-HTTP server probes (csNoHttp): Number of probes from the NetScaler to backend non-HTTP servers. The backend servers are those servers which have been accessed by the VPN client. This is an application debug counter.
Backend HTTP server probes (csHttp): Number of probes from the NetScaler to backend HTTP servers. The backend servers are those servers which have been accessed by the VPN client. This is an application debug counter.
Backend server probe successes (csConSuc): Number of successful probes to backend servers (both HTTP and non-HTTP). This is an application debug counter.
File-system requests received (totFsHit): Total number of file-system requests received by the SSLVPN server.
IIP disabled and MIP disabled (IIPdMIPd): Both IIP and MIP are disabled.
IIP failed and MIP disabled (IIPfMIPd): Number of times IIP assignment failed and MIP is disabled.
IIP disabled and MIP used (IIPdMIPu): Number of times MIP is used as IIP is disabled.
IIP failed and MIP used (IIPfMIPu): Number of times MIP is used as IIP assignment failed.
Related Commands
show vpn stats
Synopsis
show vpn stats - alias for 'stat vpn'
Description
show vpn stats is an alias for stat vpn
Related Commands
stat vpn
add vpn vserver
Synopsis
add vpn vserver <vServerName> <serviceType> (<IPAddress> [-range <positive_integer>]) <port> [-state ( ENABLED | DISABLED )]
Description
Use this command to add a VPN virtual server.
Arguments
vServerName: The name for the new vpn vserver.
serviceType: The vpn vserver's protocol type. The default protocol is SSL. Possible values: SSL. Default value: SSL
IPAddress: The IP address for the vpn vserver.
port: The port on which the vserver listens.
state: The initial vserver server state. Possible values: ENABLED, DISABLED. Default value: ENABLED
authentication: This option toggles on or off the application of authentication to incoming users to the VPN. Possible values: ON, OFF. Default value: ON
Example
The following example creates a VPN vserver named myvpnvip which supports the SSL protocol, with AAA functionality enabled:
vserver myvpnvip SSL 65.219.17.34 443 -aaa ON
Related Commands
show vpn vserver
set vpn vserver
show vpn vserver
Synopsis
show vpn vserver [<name>]
Description
Use this command to display all of the configured VPN virtual servers.
Arguments
name: The name of the VPN vserver to display.
Output
IPAddress
value
port
range
serviceType
type
state
status
cacheType
redirect
precedence
redirectURL
authentication
domain
rule
policyName
serviceName
weight
cacheVserver
backupVServerName
priority
cltTimeout
soMethod
soPersistence
soPersistenceTimeOut
soThreshold
intranetApplication: Specifies the intranet vpn application.
urlName: Specifies the intranet url.
intranetip
netmask
useMIP
map
Related Commands
add vpn vserver
set vpn vserver
set vpn vserver
Synopsis
set vpn vserver <vServerName> [-authentication ( ON | OFF )]
Description
Use this command to change the parameters of a VPN virtual server.
Arguments
vServerName: The name of the vserver to be modified.
authentication: This option toggles authentication off or on. Possible values: ON, OFF
Related Commands
add vpn vserver
show vpn vserver
rm vpn vserver
Synopsis
rm vpn vserver <name>@ ...
Description
Use this command to remove a virtual server.
Arguments
name: The name of the virtual server to be removed.
Example
rm vserver lb_vip
Related Commands
enable vpn vserver
disable vpn vserver
enable vpn vserver
Synopsis
enable vpn vserver <name>@
Description
Use this command to enable a virtual server. Note: Virtual servers, when added, are enabled by default.
Arguments
name: The name of the virtual server to be enabled.
Example
enable vserver lb_vip
Related Commands
rm vpn vserver
disable vpn vserver
disable vpn vserver
Synopsis
disable vpn vserver <name>@
Description
Use this command to disable a virtual server (take it out of service).
Arguments
name: The name of the virtual server to be disabled.
Notes:
1. The NetScaler 9000 system still responds to ARP and/or ping requests for the IP address of this virtual server.
2. As the virtual server is still configured in the NetScaler 9000 system, you can enable the virtual server using the enable vserver CLI command.
Example
disable vserver lb_vip
Related Commands
rm vpn vserver
enable vpn vserver
bind vpn vserver
Synopsis
bind vpn vserver <vServerName> [-policy <string> [-priority <positive_integer>]] [-intranetApplication <string>] [-urlName <string>] [-intranetip <ip_addr> <netmask>]
Description
Use this command to bind attributes to a vserver.
Arguments
vServerName: The vserver that this command shall bind parameters to.
policy: The name of the policy to be bound to the vserver.
intranetApplication: The name of the intranet application to be bound to the vserver.
urlName: The name of the vpn url to be bound.
intranetip: The network id for the range of intranet IP addresses or individual intranet ip to be bound to the vserver.
Related Commands
unbind vpn vserver
unbind vpn vserver
Synopsis
unbind vpn vserver <vServerName> [-policy <string>] [-intranetApplication <string>] [-urlName <string>] [-intranetip <ip_addr> <netmask>]
Description
Use this command to unbind attributes from a vserver.
Arguments
vServerName: The name of the vserver from which an attribute is to be unbound.
policy: The name of the policy to be unbound.
intranetApplication: The intranet application to be unbound.
urlName: The vpn url to be unbound.
intranetip: The network id for the range of intranet IP addresses or the individually bound intranet IP address to be unbound.
Related Commands
bind vpn vserver
add vpn intranetapplication
Synopsis
add vpn intranetapplication <intranetApplication> <protocol> ((<destIP> [-netmask <netmask>]) | <IPRange> | <hostname>) [-destPort <port[-port]>] [-interception ( PROXY | TRANSPARENT )] [-srcip <ip_addr>] [-srcport <port>]
Description
Use this command to add an intranet application.
Arguments
intranetApplication: The name for the new vpn intranet application.
protocol: The protocol of the intranet application. The supported protocols are TCP and UDP. Possible values: TCP, UDP, ANY
destIP: The destination IP address for the application. This address is the real application server IP address.
destPort: The destination port. (range)
interception: Specifies the interception type. Possible values: PROXY, TRANSPARENT
srcip: The source IP address. This is the address on the client's computer at which the application will be accessed. If not specified, the default is 127.0.0.1.
srcport: The source port.
Related Commands
show vpn intranetapplication
rm vpn intranetapplication
show vpn intranetapplication
Synopsis
show vpn intranetapplication
Description
Use this command to display the configured vpn intranet applications.
Arguments
Output
intranetApplication: The name of the intranet vpn application to be shown.
protocol
destIP
netmask: Specifies the destination netmask.
IPAddress: The destination IP address for the application. This address is the real application server IP address.
hostname: Name based interception. Names should be valid dns or wins names and will be resolved during interception on the sslvpn.
destPort: Specifies the destination port.
interception: Specifies the interception type.
srcip: Specifies the source IP.
srcport: Specifies the source port.
Related Commands
add vpn intranetapplication
rm vpn intranetapplication
rm vpn intranetapplication
Synopsis
rm vpn intranetapplication <intranetApplication>
Description
Use this command to remove a configured intranet application.
Arguments
intranetApplication: The name of the vpn intranet application to remove.
Related Commands
add vpn intranetapplication
show vpn intranetapplication
bind vpn global
Synopsis
bind vpn global [-policyName <string> [-priority <positive_integer>]] [-intranetdomain <string>] [-intranetApplication <string>] [-urlName <string>] [-intranetip <ip_addr> <netmask>]
Description
Use this command to bind vpn entities to vpn global.
Arguments
policyName: The name of the policy to be bound to vpn global.
intranetdomain: A conflicting intranet domain name.
intranetApplication: The vpn intranet application to be bound.
urlName: The vpn url to be bound.
intranetip: The intranet ip or range to be bound to VPN global.
Related Commands
unbind vpn global
show vpn global
unbind vpn global
Synopsis
unbind vpn global [-policyName <string>] [-intranetdomain <string>] [-intranetApplication <string>] [-urlName <string>] [-intranetip <ip_addr> <netmask>]
Description
Use this command to unbind entities from vpn global.
Arguments
policyName: The name of the policy to be unbound.
intranetdomain: A conflicting intranet domain name to be unbound.
intranetApplication: The name of a vpn intranet application to be unbound.
urlName: The name of a vpn url to be unbound from vpn global.
intranetip: The intranet ip address or range to be unbound.
Related Commands
bind vpn global
show vpn global
show vpn global
Synopsis
show vpn global
Description
Use this command to display the vpn global bindings.
Arguments
Output
policyName: Specifies the name of the policy to be displayed.
priority: Specifies the priority of the policy.
intranetdomain: Specifies the conflicting intranet domain name.
intranetApplication: Specifies the intranet vpn application.
urlName: Specifies the intranet url.
intranetip: Specifies the intranet ip address or range.
netmask: Specifies the intranet ip address or range's netmask.
Related Commands
bind vpn global
unbind vpn global
add vpn trafficpolicy
Synopsis
add vpn trafficpolicy <name> <rule> <action>
Description
Use this command to add a traffic policy. A traffic policy conditionally sets VPN traffic characteristics at run time.
Arguments
name: The name for the new vpn traffic policy.
rule: The rule to be used by the vpn traffic policy.
action: The action to be applied by the policy if its rule is matched.
Related Commands
rm vpn trafficpolicy
show vpn trafficpolicy
set vpn trafficpolicy
rm vpn trafficpolicy
Synopsis
rm vpn trafficpolicy <name>
Description
Use this command to remove a vpn traffic policy.
Arguments
name: The name of the vpn traffic policy to be removed.
Related Commands
add vpn trafficpolicy
show vpn trafficpolicy
set vpn trafficpolicy
show vpn trafficpolicy
Synopsis
show vpn trafficpolicy
Description
Use this command to display vpn traffic policies.
Arguments
Output
name
rule
action
Related Commands
add vpn trafficpolicy
rm vpn trafficpolicy
set vpn trafficpolicy
set vpn trafficpolicy
Synopsis
set vpn trafficpolicy <name> [-rule <expression>] [-action <string>]
Description
Use this command to change the properties of an existing traffic policy.
Arguments
name: The name of the policy to be modified.
rule: The new rule to be used in the policy.
action: The new action to be applied by the policy.
Related Commands
add vpn trafficpolicy
rm vpn trafficpolicy
show vpn trafficpolicy
add vpn trafficaction
Synopsis
add vpn trafficaction <name> <qual> [-apptimeout <mins>] [-sso ( ON | OFF )]
Description
Use this command to create a vpn traffic action. A vpn traffic action defines the characteristics of run time VPN traffic.
Arguments
name: The name for the action.
qual: The protocol to be set with the action. HTTP and TCP are the allowed protocols. Possible values: http, tcp
apptimeout: The inactivity timeout after which the system closes a connection.
sso: Switch to turn on the SSO engine. Possible values: ON, OFF
Related Commands
rm vpn trafficaction
show vpn trafficaction
rm vpn trafficaction
Synopsis
rm vpn trafficaction <name>
Description
Use this command to remove a previously created traffic action.
Arguments
name: The name of the action to be removed.
Related Commands
add vpn trafficaction
show vpn trafficaction
show vpn trafficaction
Synopsis
show vpn trafficaction
Description
Use this command to display the configured vpn traffic action(s).
Arguments
Output
name
qual
apptimeout
sso
Related Commands
add vpn trafficaction
rm vpn trafficaction
add vpn url
Synopsis
add vpn url <urlName> <linkName> <actualURL>
Description
Use this command to add vpn urls. A vpn url provides a link to intranet resources on the vpn portal page.
Arguments
urlName: The name for the new vpn url.
linkName: The display name for the vpn url. This is the name that will display in the bookmark links in the vpn portal page.
actualURL: The actual URL that the vpn url points to.
Example
add vpn url ggl search www.google.com.
Related Commands
rm vpn url
show vpn url
rm vpn url
Synopsis
rm vpn url <urlName>
Description
Use this command to remove vpn urls.
Arguments
urlName: The name of the vpn url to be removed.
Example
rm vpn url ggl
Related Commands
add vpn url
show vpn url
show vpn url
Synopsis
show vpn url
Description
Use this command to display the configured vpn urls.
Arguments
Output
Related Commands
add vpn url
rm vpn url
add vpn sessionpolicy
Synopsis
add vpn sessionpolicy <name> <rule> <action>
Description
Use this command to add a vpn session policy, which conditionally sets characteristics of a vpn session upon session establishment.
Arguments
name: The name for the new vpn session policy.
rule: The rule to be evaluated in the policy.
action: The action to be performed when the rule is matched.
Related Commands
rm vpn sessionpolicy
show vpn sessionpolicy
set vpn sessionpolicy
rm vpn sessionpolicy
Synopsis
rm vpn sessionpolicy <name>
Description
Use this command to remove a previously created vpn session policy.
Arguments
name: The name of the policy to be removed.
Related Commands
add vpn sessionpolicy
show vpn sessionpolicy
set vpn sessionpolicy
show vpn sessionpolicy
Synopsis
show vpn sessionpolicy
Description
Use this command to display the configured vpn session policies.
Arguments
Output
name
rule
action
Related Commands
add vpn sessionpolicy
rm vpn sessionpolicy
set vpn sessionpolicy
set vpn sessionpolicy
Synopsis
set vpn sessionpolicy <name> [-rule <expression>] [-action <string>]
Description
Use this command to modify the rule or action of a vpn session policy.
Arguments
name: The name of the vpn session policy to be modified.
rule: The new rule to be associated with the policy.
action: The new vpn session action the policy is to use.
Related Commands
add vpn sessionpolicy
rm vpn sessionpolicy
show vpn sessionpolicy
add vpn sessionaction
Synopsis
add vpn sessionaction <name> [-httpPort <port> ...] [-winsIP <ip_addr>] [-dnsVserverName <string>] [-sessTimeout <mins>] [-clientSecurity <string> [-clientSecurityGroup <string>]] [-splitTunnel <splitTunnel>] [-spoofIIP ( ON | OFF )] [-killConnections ( ON | OFF )] [-transparentInterception ( ON | OFF )] [-windowsClientType ( AGENT | PLUGIN )] [-defaultAuthorizationAction ( ALLOW | DENY )] [-authorizationGroup <string>] [-clientIdleTimeout <mins>] [-proxy <proxy>] [-allProtocolProxy <string> | -httpProxy <string> | -ftpProxy <string> | -socksProxy <string> | -gopherProxy <string> | -sslProxy <string>] [-proxyException <string>] [-clientCleanupPrompt ( ON | OFF )] [-forceCleanup <forceCleanup> ...] [-clientOptions <clientOptions> ...] [-clientConfiguration <clientConfiguration> ...] [-sso ( ON | OFF )] [-useMIP ( NS | OFF )] [-useIIP <useIIP>] [-clientDebug <clientDebug>] [-loginScript <input_filename>] [-logoutScript <input_filename>] [-homePage <URL>] [-iipDnsSuffix <string>] [-forcedTimeout <mins>] [-forcedTimeoutWarning <mins>]
Description
Use this command to create a session action, which defines the properties of a vpn session.
Arguments
name: The name for the new vpn session action.
httpPort: The http port number.
winsIP: The WINS server ip address to be set.
dnsVserverName: The name of the DNS vserver to be configured by the session action.
sessTimeout: The session timeout to be set by the action.
clientSecurity: The client security check string to be applied.
splitTunnel: The split tunnel state. Possible values: ON, OFF, REVERSE
spoofIIP: Controls the spoofing of the Intranet IP to Windows applications by the Windows VPN client when the end-user is connected to SSL VPN in '-splittunnel OFF' mode. Possible values: ON, OFF
killConnections: Determines whether the Windows VPN client should kill all pre-existing connections (i.e. the connections existing before the end user logged in to SSL VPN) and prevent new incoming connections on the Windows Client system when the end-user is connected to SSL VPN in '-splittunnel OFF' mode. Possible values: ON, OFF
transparentInterception: The transparent interception state. Possible values: ON, OFF
windowsClientType: Choose between two types of Windows Client: a) Application Agent, which always runs in the task bar as a standalone application and also has a supporting service which runs permanently when installed; b) ActiveX Control, an ActiveX control run by Microsoft's Internet Explorer. Possible values: AGENT, PLUGIN
defaultAuthorizationAction: This toggles the default authorization action to either ALLOW or DENY. Possible values: ALLOW, DENY
authorizationGroup: The authorization group to be applied to the session.
clientIdleTimeout: Defines the client idle timeout value. Measured in minutes, the client idle timeout default is 20 minutes and meters a client session's keyboard and mouse inactivity.
proxy: Enables or disables use of a proxy configuration in the session. Possible values: BROWSER, NS, OFF
allProtocolProxy: Sets the address to use for all proxies.
httpProxy: Sets the HTTP proxy IP address.
ftpProxy: Defines the FTP proxy IP address.
socksProxy: Specifies the SOCKS proxy IP address.
gopherProxy: Sets the Gopher proxy IP address.
sslProxy: Sets the HTTPS proxy IP address.
proxyException: Proxy exception string that will be configured in the browser for bypassing the previously configured proxies. Allowed only if proxy type is Browser.
clientCleanupPrompt: Toggles the prompt for client clean up on a client initiated session close. Possible values: ON, OFF
forceCleanup: The client side items for force cleanup on session close. Options are: none, all, cookie, addressbar, plugin, filesystemapplication, addressbar, application, clientcertificate, applicationdata, and autocomplete. You may specify all or none alone or any combination of the client side items.
clientOptions: Display only configured buttons (and/or menu options in the docked client) in the Windows VPN client. Options:
none: none of the Windows Client's buttons/menu options (except logout) are displayed.
all: all of the Windows Client's buttons/menu options are displayed.
One or more of the following:
services: only the "Services" button/menu option is displayed.
filetransfer: only the "File Transfer" button/menu option is displayed.
configuration: only the "Configuration" button/menu option is displayed.
clientConfiguration: Display only configured tabs in the Windows VPN client. Options:
none: none of the Windows Client's tabs (except About) are displayed.
all: all of the Windows Client's tabs (except "Resptime") are displayed.
One or more of the following:
general: only the "General" tab is displayed.
tunnel: only the "Tunnel" tab is displayed.
trace: only the "Trace" tab is displayed.
compression: only the "Compression" tab is displayed.
resptime: only the "Resptime" tab is displayed.
sso: Enables or disables the use of SSO for the session. Possible values: ON, OFF
useMIP: Enables or disables the use of MIP for the session. Possible values: NS, OFF
useIIP: Controls how the intranet IP module is configured for usage. Options:
SPILLOVER: specifies that iip is ON and when we can't assign an intranet IP to an entity, which has other instances active, we spill over to using Mapped IP.
NOSPILLOVER: specifies that iip is ON and when we can't assign intranet IP to an entity, which has other instances active, then we initiate transfer login.
OFF: specifies that intranet IP module won't be activated for this entity.
Possible values: NOSPILLOVER, SPILLOVER, OFF
clientDebug: Sets the trace level on the Windows VPN Client. Options:
debug: Detailed debug messages are collected and written into the specified file.
stats: Application audit level error messages and debug statistic counters are written into the specified file.
events: Application audit level error messages are written into the specified file.
off: Only critical events are logged into the Windows Application Log.
Possible values: debug, stats, events, OFF
loginScript: Login script path.
logoutScript: Logout script path.
homePage: Sets the client home page. Setting this parameter overrides serving the default portal page to SSL VPN users with the URL specified here.
iipDnsSuffix: Configure the IntranetIP DNS suffix. When a user logs into SSL-VPN, an A record is added to the DNS cache, after appending the configured IntranetIP DNS suffix to the username.
forcedTimeout: Maximum number of minutes a session is allowed to persist.
forcedTimeoutWarning: Number of minutes to warn a user before their session is removed by a forced time out.
Related Commands
rm vpn sessionaction
show vpn sessionaction
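Added example (not part of the Citrix guide): a small Python audit that reads CLI configuration lines and reports VPN settings worth reviewing, using the flags, possible values and default values documented in this chapter for "add vpn sessionaction", "set vpn parameter" and "set vpn vserver". The sample configuration, the entity names, the case-insensitive matching of keywords and the choice of which values to flag are assumptions of this example.

```python
import shlex

# Global defaults as documented under "set vpn parameter" in this reference.
GLOBAL_DEFAULTS = {
    "defaultauthorizationaction": "ALLOW",
    "splittunnel": "OFF",
    "killconnections": "ON",
}

# (flag as written in the reference, value to flag, reason). Which values
# deserve review is this example's assumption, not Citrix guidance.
REVIEW = [
    ("defaultAuthorizationAction", "ALLOW",
     "default-allow authorization; prefer DENY with explicit grants"),
    ("splitTunnel", "ON",
     "client keeps a direct path to other networks while connected"),
    ("killConnections", "OFF",
     "connections opened before VPN login are left in place"),
]

# Constructed sample input (hypothetical names, documentation IP addresses).
SAMPLE_CONFIG = """\
add vpn vserver myvpnvip SSL 192.0.2.10 443
add vpn vserver partner_vip SSL 192.0.2.11 443
set vpn vserver partner_vip -authentication OFF
set vpn parameter -splitTunnel OFF -sessTimeout 30
add vpn sessionaction contractors -splitTunnel ON -defaultAuthorizationAction DENY
add vpn sessionaction staff -defaultAuthorizationAction ALLOW -killConnections OFF
"""


def parse_flags(tokens):
    """Map each '-flag' (lower-cased, dash removed) to the values after it."""
    flags, current = {}, None
    for tok in tokens:
        if tok.startswith("-") and tok[1:2].isalpha():
            current = tok[1:].lower()
            flags[current] = []
        elif current is not None:
            flags[current].append(tok)
    return flags


def first_value(flags, name):
    """Upper-cased first value of a flag, or None if absent or empty."""
    values = flags.get(name.lower())
    return values[0].upper() if values else None


def audit(config_text):
    """Return (scope, setting, value, reason) tuples for settings to review."""
    findings = []
    global_params = dict(GLOBAL_DEFAULTS)
    vserver_auth = {}  # vserver name -> "ON" / "OFF"
    for raw in config_text.splitlines():
        tok = shlex.split(raw, comments=True)
        if len(tok) < 3:
            continue
        cmd = " ".join(t.lower() for t in tok[:3])
        if cmd == "set vpn parameter":
            # Later 'set' lines override the documented defaults.
            for flag, values in parse_flags(tok[3:]).items():
                if values:
                    global_params[flag] = values[0].upper()
        elif cmd in ("add vpn vserver", "set vpn vserver") and len(tok) > 3:
            if cmd.startswith("add"):
                vserver_auth[tok[3]] = "ON"  # documented default
            state = first_value(parse_flags(tok[4:]), "authentication")
            if state:
                vserver_auth[tok[3]] = state
        elif cmd == "add vpn sessionaction" and len(tok) > 3:
            flags = parse_flags(tok[4:])
            for name, bad, why in REVIEW:
                if first_value(flags, name) == bad:
                    findings.append((f"sessionaction {tok[3]}", name, bad, why))
    # Global parameters are judged on their final value, defaults included.
    for name, bad, why in REVIEW:
        if global_params[name.lower()] == bad:
            findings.append(("global", name, bad, why))
    for vserver, state in vserver_auth.items():
        if state == "OFF":
            findings.append((f"vserver {vserver}", "authentication", "OFF",
                             "no authentication is applied to incoming users"))
    return findings


if __name__ == "__main__":
    for scope, setting, value, why in audit(SAMPLE_CONFIG):
        print(f"{scope}: -{setting} {value} ({why})")
```

The global finding for defaultAuthorizationAction appears even though the sample never sets it, because the documented default is ALLOW.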
rm vpn sessionaction
Synopsis
rm vpn sessionaction <name>
Description
Use this command to delete a previously created session action.
Arguments
name: The vpn session action to be removed.
Related Commands
add vpn sessionaction
show vpn sessionaction
show vpn sessionaction
Synopsis
show vpn sessionaction
Description
Use this command to display vpn session action details.
Arguments
Output
name
httpPort
winsIP
dnsVserverName
sessTimeout
clientSecurity
clientSecurityGroup
splitTunnel
spoofIIP
killConnections
transparentInterception
windowsClientType
defaultAuthorizationAction
authorizationGroup
clientIdleTimeout
clientidletimeoutwarning
proxy
allProtocolProxy
httpProxy
ftpProxy
socksProxy
gopherProxy
sslProxy
proxyException
clientCleanupPrompt
forceCleanup
clientOptions
clientConfiguration
sso
useMIP: Enables or disables the use of MIP for the session.
useIIP: Controls how the intranet IP module is configured for usage. Options:
SPILLOVER: specifies that iip is ON and when we can't assign an intranet IP to an entity, which has other instances active, we spill over to using Mapped IP.
NOSPILLOVER: specifies that iip is ON and when we can't assign intranet IP to an entity, which has other instances active, then we initiate transfer login.
OFF: specifies that intranet IP module won't be activated for this entity.
clientDebug
loginScript: Login script path.
logoutScript: Logout script path.
homePage
iipDnsSuffix
forcedTimeout
forcedTimeoutWarning
Related Commands
add vpn sessionaction
rm vpn sessionaction
Command Reference Guide 27-47
set vpn parameter
set vpn parameter
Synopsis
set vpn parameter [-httpPort <port> ...] [-winsIP <ip_addr>] [-dnsVserverName <string>] [-sessTimeout <mins>] [-clientSecurity <string> [-clientSecurityGroup <string>]] [-splitTunnel <splitTunnel>] [-spoofIIP ( ON | OFF )] [-killConnections ( ON | OFF )] [-transparentInterception ( ON | OFF )] [-windowsClientType ( AGENT | PLUGIN )] [-defaultAuthorizationAction ( ALLOW | DENY )] [-authorizationGroup <string>] [-clientIdleTimeout <mins>] [-proxy <proxy>] [-allProtocolProxy <string> | -httpProxy <string> | -ftpProxy <string> | -socksProxy <string> | -gopherProxy <string> | -sslProxy <string>] [-proxyException <string>] [-clientCleanupPrompt ( ON | OFF )] [-forceCleanup <forceCleanup> ...] [-clientOptions <clientOptions> ...] [-clientConfiguration <clientConfiguration> ...] [-sso ( ON | OFF )] [-useMIP ( NS | OFF )] [-useIIP <useIIP>] [-clientDebug <clientDebug>] [-loginScript <input_filename>] [-logoutScript <input_filename>] [-homePage <URL>] [-iipDnsSuffix <string>] [-forcedTimeout <mins>] [-forcedTimeoutWarning <mins>]
Description
Use this command to set global parameters for the SSL VPN feature.
Arguments
httpPort
The SSL VPN HTTP port.
winsIP
The WINS server IP address to be used for WINS host resolution by the VPN.
dnsVserverName
The configured DNS vserver to be used for DNS host resolution by the VPN.
sessTimeout
The session idle timeout value in minutes. This idle timeout meters the overall network inactivity for a session and has a default of 30.
Default value: 30
clientSecurity
The client security check string to be applied to client sessions.
splitTunnel
Sets the split tunnel state.
Possible values: ON, OFF, REVERSE
Default value: OFF
spoofIIP
Controls whether the Windows VPN client spoofs the intranet IP to Windows applications when the end user is connected to SSL VPN in '-splittunnel OFF' mode.
Possible values: ON, OFF
Default value: ON
killConnections
Determines whether the Windows VPN client should kill all pre-existing connections (i.e., the connections existing before the end user logged in to SSL VPN) and prevent new incoming connections on the Windows client system when the end user is connected to SSL VPN in '-splittunnel OFF' mode.
Possible values: ON, OFF
Default value: ON
transparentInterception
Sets the transparent interception state.
Possible values: ON, OFF
Default value: ON
windowsClientType
Selects one of two types of Windows client: a) Application Agent, which always runs in the task bar as a standalone application and also has a supporting service that runs permanently when installed; b) ActiveX Control, an ActiveX control run by Microsoft's Internet Explorer.
Possible values: AGENT, PLUGIN
Default value: AGENT
defaultAuthorizationAction
Toggles the default authorization action to either ALLOW or DENY.
Possible values: ALLOW, DENY
Default value: ALLOW
authorizationGroup
The authorization group to be applied to client sessions.
clientIdleTimeout
The client idle timeout interval, which meters the client session's mouse and keyboard inactivity. The value is specified in minutes and has a default setting of 20 minutes.
proxy
Enables or disables use of a proxy configuration.
Possible values: BROWSER, NS, OFF
allProtocolProxy
The address to use for all proxies.
httpProxy
Sets the HTTP proxy IP address.
ftpProxy
Defines the FTP proxy IP address.
socksProxy
Specifies the SOCKS proxy IP address.
gopherProxy
Sets the Gopher proxy IP address.
sslProxy
Sets the HTTPS proxy IP address.
proxyException
Proxy exception string that will be configured in the browser for bypassing the previously configured proxies. Allowed only if the proxy type is BROWSER.
clientCleanupPrompt
Sets the state for prompting for client cleanup on session close.
Possible values: ON, OFF
Default value: ON
forceCleanup
The client-side items for force cleanup on session close. Options are: none, all, cookie, addressbar, plugin, filesystemapplication, addressbar, application, clientcertificate, applicationdata, and autocomplete. You may specify all or none alone, or any combination of the client-side items.
clientOptions
Display only configured buttons (and/or menu options in the docked client) in the Windows VPN client. Possible options:
none: none of the Windows Client's buttons/menu options (except logout) are displayed.
all: all of the Windows Client's buttons/menu options are displayed.
One or more of the following:
services: only the "Services" button/menu option is displayed.
filetransfer: only the "File Transfer" button/menu option is displayed.
configuration: only the "Configuration" button/menu option is displayed.
clientConfiguration
Display only configured tabs in the Windows VPN client. Options:
none: none of the Windows Client's tabs (except About) are displayed.
all: all of the Windows Client's tabs (except "Resptime") are displayed.
One or more of the following:
general: only the "General" tab is displayed.
tunnel: only the "Tunnel" tab is displayed.
trace: only the "Trace" tab is displayed.
compression: only the "Compression" tab is displayed.
resptime: only the "Resptime" tab is displayed.
sso
Enables or disables the use of SSO.
Possible values: ON, OFF
Default value: OFF
useMIP
Enables or disables the use of MIP for the session.
Possible values: NS, OFF
Default value: NS
useIIP
Controls how the intranet IP module is configured for usage. Options:
SPILLOVER specifies that IIP is ON and, when an intranet IP cannot be assigned to an entity that has other instances active, the session spills over to using the Mapped IP.
NOSPILLOVER specifies that IIP is ON and, when an intranet IP cannot be assigned to an entity that has other instances active, a transfer login is initiated.
OFF specifies that the intranet IP module is not activated for this entity.
Possible values: NOSPILLOVER, SPILLOVER, OFF
Default value: NOSPILLOVER
clientDebug
Sets the trace level on the Windows VPN Client. Options:
debug: Detailed debug messages are collected and written into the specified file.
stats: Application audit level error messages and debug statistic counters are written into the specified file.
events: Application audit level error messages are written into the specified file.
off: Only critical events are logged into the Windows Application Log.
Possible values: debug, stats, events, OFF
Default value: OFF
loginScript
Login script path.
logoutScript
Logout script path.
homePage
Sets the client home page. Setting this parameter overrides the serving of the default portal page with the URL specified here.
iipDnsSuffix
Configures the IntranetIP DNS suffix. When a user logs into SSL VPN, an A record is added to the DNS cache, after appending the configured IntranetIP DNS suffix to the username.
forcedTimeout
Maximum number of minutes a session is allowed to persist.
forcedTimeoutWarning
Number of minutes to warn a user before their session is removed by a forced timeout.
Example
set vpn parameter -httpport 80 90 -winsIP 192.168.0.220 -dnsVserverName mydns -sessTimeout 240
Related Commands
unset vpn parameter
show vpn parameter
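The following is an added example, not part of the Citrix guide: a small Python audit that parses a saved `set vpn parameter` line, applies the defaults documented in the argument list above, and lists the settings a security review would look at. The review policy (which settings count as findings) and the names `parse_vpn_parameter`, `audit` and `PAGE_EXAMPLE` are assumptions of this example.

```python
import shlex

# Defaults as stated in the argument descriptions on this page.
DOCUMENTED_DEFAULTS = {
    "defaultauthorizationaction": "ALLOW",
    "splittunnel": "OFF",
    "sesstimeout": "30",
    "clientdebug": "OFF",
}

def parse_vpn_parameter(line):
    """Parse one 'set vpn parameter' line into {lowercased option: [values]}."""
    # The page's own example writes -httpport for -httpPort, so names are lowercased.
    tokens = shlex.split(line)
    if [t.lower() for t in tokens[:3]] != ["set", "vpn", "parameter"]:
        raise ValueError("not a 'set vpn parameter' command")
    opts, current = {}, None
    for tok in tokens[3:]:
        if tok.startswith("-"):
            current = tok[1:].lower()
            opts[current] = []          # options such as -httpPort take several values
        elif current is None:
            raise ValueError("value %r appears before any option" % tok)
        else:
            opts[current].append(tok)
    return opts

def audit(line):
    """Return review findings; the policy itself is this example's assumption."""
    opts = parse_vpn_parameter(line)
    eff = dict(DOCUMENTED_DEFAULTS)     # explicit values override documented defaults
    eff.update({k: v[0].upper() for k, v in opts.items() if v})
    findings = []
    if eff["defaultauthorizationaction"] == "ALLOW":
        findings.append("defaultAuthorizationAction=ALLOW")
    if eff["splittunnel"] != "OFF":
        findings.append("splitTunnel=" + eff["splittunnel"])
    if int(eff["sesstimeout"]) > int(DOCUMENTED_DEFAULTS["sesstimeout"]):
        findings.append("sessTimeout=%s exceeds default 30" % eff["sesstimeout"])
    if eff["clientdebug"] != "OFF":
        findings.append("clientDebug=" + eff["clientdebug"])
    if "forcedtimeout" not in opts:
        findings.append("forcedTimeout not set")
    return findings

# The example command from this page, used as sample input.
PAGE_EXAMPLE = ("set vpn parameter -httpport 80 90 -winsIP 192.168.0.220 "
                "-dnsVserverName mydns -sessTimeout 240")
```

Calling `audit(PAGE_EXAMPLE)` reports the default-ALLOW authorization action, the 240-minute idle timeout, and the missing forced timeout for the page's own example command.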
unset vpn parameter
Synopsis
unset vpn parameter [-httpPort] [-winsIP] [-dnsVserverName] [-sessTimeout] [-clientSecurity] [-clientSecurityGroup] [-authorizationGroup] [-clientIdleTimeout] [-allProtocolProxy | -httpProxy | -ftpProxy | -socksProxy | -gopherProxy | -sslProxy] [-proxyException] [-forceCleanup] [-clientOptions] [-clientConfiguration] [-loginScript] [-logoutScript] [-homePage] [-iipDnsSuffix] [-forcedTimeout] [-forcedTimeoutWarning]
Description
Use this command to unset parameters for the SSL VPN feature.
Arguments
httpPort
Clears any HTTP port entries excluding port 80.
winsIP
Unsets the configured WINS server IP address.
dnsVserverName
Unsets the configured DNS vserver.
sessTimeout
Clears the VPN session timeout setting.
clientSecurity
Unsets the configured client security check.
clientSecurityGroup
Unsets the configured client security group.
authorizationGroup
Unsets the configured authorization group.
clientIdleTimeout
Clears the client idle timeout.
allProtocolProxy
Removes the all-protocol proxy IP address.
httpProxy
Removes the HTTP proxy IP address.
ftpProxy
Removes the FTP proxy IP address.
socksProxy
Removes the SOCKS proxy IP address.
gopherProxy
Removes the Gopher proxy IP address.
sslProxy
Removes the HTTPS proxy IP address.
proxyException
Removes the proxy exception configuration.
forceCleanup
Removes all the configured force cleanup options.
clientOptions
Removes the Windows VPN client button and/or menu options configuration.
clientConfiguration
Removes the Windows VPN client tab options configuration.
loginScript
Removes the login script parameter.
logoutScript
Removes the logout script parameter.
homePage
Removes the configured client home page parameter.
iipDnsSuffix
Removes the configured IntranetIP DNS suffix.
forcedTimeout
Removes the configured forced timeout.
forcedTimeoutWarning
Removes the configured forced timeout warning.
Related Commands
set vpn parameter
show vpn parameter
show vpn parameter
Synopsis
show vpn parameter
Description
Use this command to display the configured VPN parameters.
Arguments
Output
name
httpPort
winsIP
dnsVserverName
sessTimeout
clientSecurity
clientSecurityGroup
splitTunnel
spoofIIP
killConnections
transparentInterception
windowsClientType
defaultAuthorizationAction
authorizationGroup
clientIdleTimeout
clientidletimeoutwarning
proxy
allProtocolProxy
httpProxy
ftpProxy
socksProxy
gopherProxy
sslProxy
proxyException
clientCleanupPrompt
forceCleanup
clientOptions
clientConfiguration
sso
Switch to turn on the SSO engine.
useMIP
Enables or disables the use of MIP for the session.
useIIP
Controls how the intranet IP module is configured for usage. Options:
SPILLOVER specifies that IIP is ON and, when an intranet IP cannot be assigned to an entity that has other instances active, the session spills over to using the Mapped IP.
NOSPILLOVER specifies that IIP is ON and, when an intranet IP cannot be assigned to an entity that has other instances active, a transfer login is initiated.
OFF specifies that the intranet IP module is not activated for this entity.
clientDebug
loginScript
Login script path.
logoutScript
Logout script path.
homePage
iipDnsSuffix
forcedTimeout
forcedTimeoutWarning
Related Commands
set vpn parameter
unset vpn parameter