Citrix NetScaler Application Switch

Command Reference Guide

Citrix Systems, Inc.


© CITRIX SYSTEMS, INC., 2005. ALL RIGHTS RESERVED. NO PART OF THIS DOCUMENT MAY BE REPRODUCED OR TRANSMITTED IN ANY FORM OR BY ANY MEANS OR USED TO MAKE DERIVATIVE WORK (SUCH AS TRANSLATION, TRANSFORMATION, OR ADAPTATION) WITHOUT THE EXPRESS WRITTEN PERMISSION OF CITRIX SYSTEMS, INC.

ALTHOUGH THE MATERIAL PRESENTED IN THIS DOCUMENT IS BELIEVED TO BE ACCURATE, IT IS PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE ALL RESPONSIBILITY FOR THE USE OR APPLICATION OF THE PRODUCT(S) DESCRIBED IN THIS MANUAL.

CITRIX SYSTEMS, INC. OR ITS SUPPLIERS DO NOT ASSUME ANY LIABILITY THAT MAY OCCUR DUE TO THE USE OR APPLICATION OF THE PRODUCT(S) DESCRIBED IN THIS DOCUMENT. INFORMATION IN THIS DOCUMENT IS SUBJECT TO CHANGE WITHOUT NOTICE. COMPANIES, NAMES, AND DATA USED IN EXAMPLES ARE FICTITIOUS UNLESS OTHERWISE NOTED.

The following information is for FCC compliance of Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to part 15 of the FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case users will be required to correct the interference at their own expense.

Modifying the equipment without Citrix' written authorization may result in the equipment no longer complying with FCC requirements for Class A digital devices. In that event, your right to use the equipment may be limited by FCC regulations, and you may be required to correct any interference to radio or television communications at your own expense.

You can determine whether your equipment is causing interference by turning it off. If the interference stops, it was probably caused by the NetScaler Request Switch™ 9000 Series equipment. If the NetScaler equipment causes interference, try to correct the interference by using one or more of the following measures:

Move the NetScaler equipment to one side or the other of your equipment.

Move the NetScaler equipment farther away from your equipment.

Plug the NetScaler equipment into an outlet on a different circuit from your equipment. (Make sure the NetScaler equipment and your equipment are on circuits controlled by different circuit breakers or fuses.)

Modifications to this product not authorized by Citrix Systems, Inc., could void the FCC approval and negate your authority to operate the product.

BroadCom is a registered trademark of BroadCom Corporation. Fast Ramp, NetScaler, and NetScaler Request Switch are trademarks of Citrix Systems, Inc. Linux is a registered trademark of Linus Torvalds. Internet Explorer, Microsoft, PowerPoint, Windows and Windows product names such as Windows NT are trademarks or registered trademarks of the Microsoft Corporation. NetScape is a registered trademark of Netscape Communications Corporation. Red Hat is a trademark of Red Hat, Inc. Sun and Sun Microsystems are registered trademarks of Sun Microsystems, Inc. Other brand and product names may be registered trademarks or trademarks of their respective holders.

Software covered by the following third party copyrights may be included with this product and will also be subject to the software license agreement: Copyright 1998 © Carnegie Mellon University. All rights reserved. Copyright © David L. Mills 1993, 1994. Copyright © 1992, 1993, 1994, 1997 Henry Spencer. Copyright © Jean-loup Gailly and Mark Adler. Copyright © 1999, 2000 by Jef Poskanzer. All rights reserved. Copyright © Markus Friedl, Theo de Raadt, Niels Provos, Dug Song, Aaron Campbell, Damien Miller, Kevin Steves. All rights reserved. Copyright © 1982, 1985, 1986, 1988-1991, 1993 Regents of the University of California. All rights reserved. Copyright © 1995 Tatu Ylonen, Espoo, Finland. All rights reserved. Copyright © UNIX System Laboratories, Inc. Copyright © 2001 Mark R V Murray. Copyright 1995-1998 © Eric Young. Copyright © 1995,1996,1997,1998. Lars Fenneberg. Copyright © 1992. Livingston Enterprises, Inc. Copyright © 1992, 1993, 1994, 1995. The Regents of the University of Michigan and Merit Network, Inc. Copyright © 1991-2, RSA Data Security, Inc. Created 1991. Copyright © 1998 Juniper Networks, Inc. All rights reserved. Copyright © 2001, 2002 Networks Associates Technology, Inc. All rights reserved. Copyright (c) 2002 Networks Associates Technology, Inc. Copyright 1999-2001© The Open LDAP Foundation. All Rights Reserved. Copyright © 1999 Andrzej Bialecki. All rights reserved. Copyright © 2000 The Apache Software Foundation. All rights reserved. Copyright (C) 2001-2003 Robert A. van Engelen, Genivia inc. All Rights Reserved. Copyright (c) 1997-2004 University of Cambridge. All rights reserved. Copyright (c) 1995. David Greenman. Copyright (c) 2001 Jonathan Lemon. All rights reserved. Copyright (c) 1997, 1998, 1999. Bill Paul. All rights reserved. Copyright (c) 1994-1997 Matt Thomas. All rights reserved. Copyright © 2000 Jason L. Wright. Copyright © 2000 Theo de Raadt. Copyright © 2001 Patrik Lindergren. All rights reserved.

Part No. NS-CRG-61-1105

Last Updated: December 2005

Contents

Introduction

How to use This Reference, Command Conventions, Command Line Overview

AAA Commands

stat aaa, show aaa stats, add aaa user, rm aaa user, set aaa user, show aaa user, add aaa group, rm aaa group, show aaa group, bind aaa user, unbind aaa user, bind aaa group, unbind aaa group, set aaa radiusparams, show aaa radiusparams, set aaa ldapparams, show aaa ldapparams, set aaa tacacsparams, show aaa tacacsparams, set aaa nt4params, show aaa nt4params, set aaa certparams, show aaa certparams, set aaa parameter, show aaa parameter, show aaa session, kill aaa session

Auditing Commands

stat audit, show audit stats, add audit syslogaction, rm audit syslogaction, show audit syslogaction, add audit syslogpolicy, rm audit syslogpolicy, show audit syslogpolicy, set audit syslogpolicy, set audit syslogparams, show audit syslogparams, unset audit syslogparams, show audit messages

Authentication Commands

add authentication radiusaction, rm authentication radiusaction, show authentication radiusaction, add authentication ldapaction, rm authentication ldapaction, show authentication ldapaction, add authentication tacacsaction, rm authentication tacacsaction, show authentication tacacsaction, add authentication nt4action, rm authentication nt4action, add authentication certaction, show authentication certaction, rm authentication certaction, show authentication nt4action, add authentication localpolicy, rm authentication localpolicy, show authentication localpolicy, set authentication localpolicy, add authentication radiuspolicy, rm authentication radiuspolicy, show authentication radiuspolicy, set authentication radiuspolicy, add authentication certpolicy, set authentication certpolicy, show authentication certpolicy, rm authentication certpolicy, add authentication ldappolicy, rm authentication ldappolicy, show authentication ldappolicy, set authentication ldappolicy, add authentication tacacspolicy, rm authentication tacacspolicy, show authentication tacacspolicy, set authentication tacacspolicy, add authentication nt4policy, rm authentication nt4policy, show authentication nt4policy, set authentication nt4policy

Authorization Commands

add authorization policy, rm authorization policy, show authorization policy, set authorization policy

Base Commands

sync, add server, disable server, enable server, rm server, show server, add service, bind service, disable service, enable service, rm service, set service, show service, unbind service, stat service, add monitor, bind monitor, enable monitor, disable monitor, rm monitor, set monitor, show monitor, unbind monitor, add vlan, bind vlan, rm vlan, show vlan, stat vlan, unbind vlan, clear interface, disable interface, enable interface, reset interface, set interface, show interface, stat interface, show channel, add channel, set channel, bind channel, unbind channel, rm channel, add location, show location, rm location, set locationparameter, show locationparameter, add locationfile, show locationfile, rm locationfile, clear locationdata, install

Integrated Caching Commands

add cache policy, rm cache policy, show cache policy, bind cache global, unbind cache global, show cache global, add cache contentgroup, rm cache contentgroup, set cache contentgroup, show cache contentgroup, expire cache contentgroup, flush cache contentgroup, show cache forwardProxy, add cache forwardProxy, rm cache forwardProxy, show cache object, expire cache object, flush cache object, set cache parameter, show cache parameter, show cache stats, stat cache

CLI Commands

help, man, quit, exit, set cli mode, show cli mode, set cli prompt, clear cli prompt, show cli prompt, @, alias, builtins, end, history, unalias, while, config

Compression Commands

stat cmp, show cmp stats, add cmp action, rm cmp action, show cmp action, add cmp policy, rm cmp policy, show cmp policy, set cmp policy, bind cmp global, unbind cmp global, show cmp global

Cache Redirection Commands

add cr policy, rm cr policy, show cr policy, add cr vserver, bind cr vserver, set cr vserver, rm cr vserver, enable cr vserver, disable cr vserver, show cr vserver, unbind cr vserver, unset cr vserver

Content Switching Commands

add cs policy, rm cs policy, show cs policy, set cs policy, add cs vserver, bind cs vserver, set cs vserver, rm cs vserver, enable cs vserver, disable cs vserver, show cs vserver, stat cs vserver, unbind cs vserver

DNS Commands

stat dns, show dns stats, add dns addRec, rm dns addRec, show dns addRec, add dns cnameRec, rm dns cnameRec, show dns cnameRec, add dns mxRec, rm dns mxRec, set dns mxRec, show dns mxRec, add dns nsRec, rm dns nsRec, show dns nsRec, set dns parameter, show dns parameter, add dns soaRec, set dns soaRec, rm dns soaRec, show dns soaRec, add dns suffix, rm dns suffix, show dns suffix, add dns nameserver, rm dns nameserver, show dns nameserver, flush dns proxyRecords

DoS Commands

add dos policy, rm dos policy, set dos policy, show dos policy

Filter Commands

add filter action, rm filter action, show filter action, add filter policy, rm filter policy, show filter policy, set filter policy, bind filter global, unbind filter global, show filter global

GSLB Commands

add gslb site, set gslb site, rm gslb site, show gslb site, add gslb service, set gslb service, rm gslb service, show gslb service, add gslb vserver, set gslb vserver, rm gslb vserver, enable gslb vserver, disable gslb vserver, show gslb vserver, bind gslb vserver, unbind gslb vserver, set gslb parameter, show gslb parameter, add gslb policy, rm gslb policy, set gslb policy, show gslb policy, add gslb action, rm gslb action, set gslb action, show gslb action

Load Balancing Commands

bind lb group, show lb group, set lb group, unbind lb group, add lb vserver, bind lb vserver, enable lb vserver, disable lb vserver, set lb vserver, rm lb vserver, show lb vserver, stat lb vserver, unbind lb vserver, show lb route, add lb route, rm lb route

NetScaler Commands

stat ns, stat ns bridge, stat ns node, show ns stats, add ns arp, disable ns arp, enable ns arp, rm ns arp, send ns arp, show ns arp, show ns bridgetable, set ns bridgetable, save ns config, set ns config, unset ns config, show ns config, show ns ns.conf, clear ns config, config ns, show ns runningconfig, add ns acl, rm ns acl, enable ns acl, disable ns acl, set ns acl, show ns acl, clear ns acls, apply ns acls, stat ns acl, force ns failover, force ns sync, disable ns feature, enable ns feature, show ns feature, show ns info, add ns ip, show ns ip, set ns ip, enable ns ip, disable ns ip, rm ns ip, disable ns mode, enable ns mode, show ns mode, add ns fis, bind ns fis, unbind ns fis, rm ns fis, show ns fis, show ns ci, bind ns node, unbind ns node, add ns node, set ns node, rm ns node, show ns node, show ns license, show ns rnat, set ns rnat, clear ns rnat, add ns route, set ns route, unset ns route, clear ns route, rm ns route, show ns route, set ns spparams, show ns spparams, set ns tcpbufparam, show ns tcpbufparam, show ns version, set ns weblogparam, show ns weblogparam, set ns rateControl, show ns rateControl, reboot, shutdown, set ns rpcnode, show ns rpcnode

Policy Commands

add policy expression, set policy expression, rm policy expression, show policy expression, add policy map, rm policy map, show policy map

Performance Queuing Commands

show pq binding, add pq policy, rm pq policy, set pq policy, show pq policy

Protocols Commands

stat protocol tcp, stat protocol http, stat protocol icmp, stat protocol ip, stat protocol udp

Routing Commands

vtysh, set router ospf, unset router ospf, show router ospf, set router rip, unset router rip, show router rip, set router bgp, show router bgp, unset router bgp, add router bgp, clear router bgp, add router map, set router map, unset router map, show router map

SureConnect Commands

set sc parameter, show sc parameter, add sc policy, rm sc policy, set sc policy, show sc policy

SNMP Commands

stat snmp, show snmp stats, enable snmp alarm, disable snmp alarm, set snmp alarm, unset snmp alarm, show snmp alarm, add snmp community, rm snmp community, show snmp community, add snmp manager, rm snmp manager, show snmp manager, set snmp mib, show snmp mib, add snmp trap, rm snmp trap, show snmp trap, show snmp oid

SSL Commands

stat ssl, show ssl stats, create ssl cert, add ssl certkey, bind ssl certkey, link ssl certkey, rm ssl certkey, show ssl certkey, unbind ssl certkey, unlink ssl certkey, update ssl certkey, show ssl certlink, create ssl certreq, add ssl cipher, bind ssl cipher, rm ssl cipher, show ssl cipher, create ssl crl, add ssl crl, rm ssl crl, set ssl crl, show ssl crl, create ssl dhparam, create ssl dsakey, set ssl fips, reset ssl fips, show ssl fips, create ssl fipskey, rm ssl fipskey, show ssl fipskey, import ssl fipskey, export ssl fipskey, create ssl rsakey, convert ssl pkcs12, convert ssl pkcs8, set ssl service, show ssl service, set ssl vserver, show ssl vserver, create ssl wrapkey, rm ssl wrapkey, show ssl wrapkey, init ssl fipsSIMsource, init ssl fipsSIMtarget, enable ssl fipsSIMtarget, enable ssl fipsSIMsource

System Commands

batch, ping, traceroute, grep, shell, scp, add system cmdPolicy, rm system cmdPolicy, set system cmdPolicy, show system cmdPolicy, add system user, set system user, rm system user, show system user, bind system user, unbind system user, add system group, rm system group, show system group, bind system group, unbind system group, bind system global, unbind system global, show system global

Tunnel Commands

add tunnel trafficpolicy, rm tunnel trafficpolicy, show tunnel trafficpolicy, set tunnel trafficpolicy, bind tunnel global, unbind tunnel global, show tunnel global

SSLVPN Commands

stat vpn, show vpn stats, add vpn vserver, show vpn vserver, set vpn vserver, rm vpn vserver, enable vpn vserver, disable vpn vserver, bind vpn vserver, unbind vpn vserver, add vpn intranetapplication, show vpn intranetapplication, rm vpn intranetapplication, bind vpn global, unbind vpn global, show vpn global, add vpn trafficpolicy, rm vpn trafficpolicy, show vpn trafficpolicy, set vpn trafficpolicy, add vpn trafficaction, rm vpn trafficaction, show vpn trafficaction, add vpn url, rm vpn url, show vpn url, add vpn sessionpolicy, rm vpn sessionpolicy, show vpn sessionpolicy, set vpn sessionpolicy, add vpn sessionaction, rm vpn sessionaction, show vpn sessionaction, set vpn parameter, unset vpn parameter, show vpn parameter

Introduction

Welcome to the Command Reference Guide. This reference covers all aspects of using the Command Line Interface in the configuration and operation of the system. For information on accessing your system's Command Line Interface, please refer to the installation chapter in the Installation and Configuration Guide before continuing on from this point.

1.1 How to use This Reference

This command reference is organized in two chapters:

• Chapter 1: The Command Line Overview, which explains how to use the Command Line Interface.

• Chapter 2: Alphabetically ordered descriptions of all of the commands.

If you are unfamiliar with using the system, you should start with the CLI usage chapter to familiarize yourself with the interface after reviewing the following section on document conventions. Otherwise, this document serves as the primary source of information on the commands available in the NSCLI and may be accessed at any arbitrary point as your needs dictate.

1.2 Command Conventions

These conventions are used to describe the commands in this guide.

Convention: Alerts You To

command: Command and argument names can be entered in any combination of upper and lower case characters. In this document command and argument names are sometimes displayed in upper and lower case. This is for readability and does not reflect the way in which the commands must be entered.

command argument: This typeface represents a command argument.

screen text: Text with this typeface represents information on a screen, as well as the names of directories, files, and commands.

<key name>+<key name>: Keyboard key names appear within angle brackets. A plus sign appears between keys you must press simultaneously.

text in italics: Italic type emphasizes text or indicates new terms.

Square Brackets ( [ ] ): Arguments that are contained within square brackets are optional. Arguments that are not contained within brackets are required.

Angle Brackets (< >): Arguments within angle brackets are variable place holders. Replace these with values appropriate for your configuration.

Vertical Bars ( | ): When arguments are separated by vertical bars, either argument can be specified.

Note: When entering the argument, neither the brackets nor the vertical bars are included.

1.3 Command Line Overview

This section discusses the usage of the Command Line Interface. The discussion is broken up into two sections, basic and advanced CLI usage. The basic section covers all of the rudimentary aspects of the CLI which provides the information necessary for basic CLI usage. The advanced usage section expands on the remaining features of the Command Line Interface which allow you to further control and enhance your sessions but are not required for day to day operation.

1.3.1 Basic Command Line Usage

This section discusses the essential instruction necessary for basic command line usage with the system. Start with this section if you are unfamiliar with the CLI.

1.3.1.1 Understanding the Command Structure

Most commands adhere to the general format shown here.

    action groupname entity <entityname> [-parameter]

An action is the task that the command is performing such as an add or set action. The groupname is the functional area or feature where the action is being taken such as dns or lb. An entity is the specific type of object such as a vserver that the command is being issued against. The entityname is the name given to an entity instance that the command is being issued upon. If an entity instance is being created with the issued command, such as with the add action, the entityname will be a name of your choosing. Lastly, the parameters applicable to the command are listed. The actual number and type of available parameters will vary by command.

1.3.1.2 Getting Help in the CLI

The help command offers a quick way to get more information on commands. The command can return help on specific commands, groups of commands, or the entire set of nscli commands.

By typing help alone on the command line, the system will print a brief general help message as shown here.

    > help
    nscli - command-line interface to NetScaler
    Try :
      help <commandName> for full usage of a specific command
      help <groupName> for brief usage of a group of commands
      help -all for brief usage of all nscli commands
    The command groups are:
      basic          aaa            authentication
      authorization  cache          cli
      cmp            cr             cs
      dns            dos            filter
      gslb           lb             ns
      policy         pq             router
      snmp           sc             ssl
      system         tunnel         vpn
    Done
    >

And by entering help help, you will see the following output which shows the syntax for the help command.

    > help help
    Usage: help [(commandName) | (<groupName> | [-all]) |]
    Done
    >

If you need help on using a specific command or command group, utilize the syntax shown above substituting that command or group name you need help for.

By specifying the command name, the CLI feedback will provide you with a full listing of the command's syntax along with an expansion on those parameters with limited sets of options.

If you enter a group name, the CLI will print a full list of the commands that belong to that group. The output below shows an example of using this help method for the add vserver command.

    > help add vserver
    Usage: add vserver <vServerName>@ <serviceType> [<IPAddress> @
            <port> -range <positive_integer>] [-cacheType <cacheType>]
            [-backupVServerName <string>] [-redirectURL <URL>]
            [-cacheable ( YES | NO )] [-cltTimeout <secs>]
            [-soMethod ( CONNECTION | NONE )]
            [-soPersistence ( ENABLED | DISABLED )]
            [-soPersistenceTimeOut <positive_integer>]
            [-soThreshold <positive_integer>] [-state (
            ENABLED | DISABLED )]
    where:
            <serviceType> = ( HTTP | FTP | TCP | UDP | SSL | SSL_BRIDGE |
            SSL_TCP | NNTP | DNS | DHCPRA | ANY )
            <cacheType> = ( TRANSPARENT | REVERSE | FORWARD )
    Done
    >

The question mark <?> can also be used to get help in the CLI. By typing a question mark alone, the system will print out a listing of all the actions available from the top level command structure.

1.3.1.3 Getting Help with Man Pages

The command line interface has its own set of man pages similar to those traditionally found in UNIX and UNIX-like operating systems. This system returns the same command reference information as is found in this guide. To use this help feature, issue the man command using the name of the command you wish to view information on as the argument.

Once the first screen is displayed, you may scroll through the page either a screen at a time or line by line. To advance line by line, press the <Enter> key. To advance to the next screen use the space bar.

When viewing commands with man, to exit the page before reaching the end of it, press the <Q> key.

1.3.1.4 Using Command Completion

When working on the command line, you can use either the <Tab> key or the <?> key for command completion and assistance. For example, typing show e followed by the <Tab> key will complete the command as show expression. If no completion is displayed after pressing <Tab> once, press <Tab> once more and the system will offer you a set of possible completions. After the output is displayed, you are returned to the prompt with the portion of the command that was previously entered so that you may continue where you left off.

Using the question mark key offers slightly different completion options. You may enter a question mark at any point on the command line and the system will provide you with a list of all possible completions that are recognized from that point forward. The following example illustrates this usage with the enable command.

    > enable <?>
    acl        fipsSIMsource   mode      service
    alarm      fipsSIMtarget   monitor   snmp ...
    arp        interface       ns ...    ssl ...
    feature    ip              server    vserver
    > enable

Once the possible completions are printed, you are again returned to the command line with your previous entry still at the prompt for you to work with. Note that the question mark you type is not echoed at the CLI prompt.

Any entries in the output that are followed by the ellipsis, such as the ssl command shown in the previous example’s output, have further command completion levels beyond this point in the hierarchy.

1.3.1.5 Utilizing Command Abbreviations and Shortcuts

Another way to shorten command line input is to use command abbreviations. The CLI command abbreviation feature allows you to enter partial commands. To use this feature, you need only enter enough of the command's key words such that each of them is uniquely identifiable by the CLI. For example, to shorten the command add lb vserver, you may enter as little as ad lb vs and the CLI will correctly interpret your command.

Note, however, that you may not abbreviate command group names. In many cases, though, you may leave them out entirely. This is possible wherever command usage makes the group implicit, such as with the snmp and system group names when the entity type being acted upon is unique to the group. For example, there are no other entities of the community type outside of the snmp command group, so issuing the add community command, rather than add snmp community, implicitly places this command in the snmp command group.

This behavior is also illustrated with the system group and its entities. The user entity type exists in the system command group as well as the aaa command group; therefore the user entity is not unique to the system group. So if you are issuing an action against a system user, such as an add command, you must specify the system group type so that the CLI will interpret your command as being directed at a system user, not an aaa user. The CLI will alert you in those cases where the group type is omitted incorrectly with an "ERROR: No such command" message.

More examples of using these shortcuts are shown in Table 1-1.

Table 1-1 Sample Command Abbreviations.

    Abbreviated Command    CLI Interpreted Command
    cl r                   clear ns rnat
    sh ve                  show ns version
    se vpn p               set vpn parameters
    f f                    force ns failover
    rm mx                  rm dns mxRec
    ad lb vs               add lb vserver
    ad pol exp / a e       add policy expression
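
The abbreviation and implicit-group rules described above, modelled in Python as an added example (not code from the Citrix guide); expanding abbreviations this way helps when reviewing command history, where entries appear as they were typed. It assumes plain unique-prefix matching on the action and entity keywords over a small constructed subset of the commands listed in this guide; `COMMANDS`, `expand` and `NoSuchCommand` are hypothetical names, and the real CLI, with its full command table, may resolve other inputs differently.

```python
# Constructed subset of the commands listed in this guide's contents, stored
# as (action, group, entity). The real NSCLI command table is far larger.
COMMANDS = [
    ("add", "lb", "vserver"),
    ("add", "snmp", "community"),
    ("add", "system", "user"),
    ("add", "aaa", "user"),
    ("show", "ns", "version"),
    ("force", "ns", "failover"),
    ("force", "ns", "sync"),
    ("rm", "dns", "mxRec"),
]


class NoSuchCommand(ValueError):
    """Mirrors the CLI's "ERROR: No such command" feedback."""

    def __init__(self, line):
        super().__init__(f"ERROR: No such command: {line!r}")


def _match(word, candidates, allow_prefix=True):
    """Return the one candidate that `word` names, or None.

    Matching is case-insensitive, as the guide states for command names.
    An exact match wins; otherwise a prefix must identify exactly one
    candidate (assumed model of "uniquely identifiable").
    """
    w = word.lower()
    exact = [c for c in candidates if c.lower() == w]
    if exact:
        return exact[0]
    if not allow_prefix:
        return None
    hits = [c for c in candidates if c.lower().startswith(w)]
    return hits[0] if len(hits) == 1 else None


def expand(line):
    """Expand an abbreviated command line to its canonical form."""
    words = line.split()
    if len(words) < 2:
        raise NoSuchCommand(line)

    action = _match(words[0], sorted({a for a, _, _ in COMMANDS}))
    if action is None:
        raise NoSuchCommand(line)
    rows = [r for r in COMMANDS if r[0] == action]
    rest = words[1:]

    # Group names may not be abbreviated: accept only a full match.
    group = _match(rest[0], sorted({g for _, g, _ in rows}), allow_prefix=False)
    if group is not None:
        rows = [r for r in rows if r[1] == group]
        rest = rest[1:]
        if not rest:
            raise NoSuchCommand(line)

    entity = _match(rest[0], sorted({e for _, _, e in rows}))
    if entity is None:
        raise NoSuchCommand(line)

    # With the group omitted, the entity must be unique to a single group
    # ("add community" is fine; "add user" could be system or aaa).
    matches = [r for r in rows if r[2] == entity]
    if len(matches) != 1:
        raise NoSuchCommand(line)

    return " ".join(list(matches[0]) + rest[1:])


if __name__ == "__main__":
    # Constructed sample inputs, including two that must be rejected.
    for typed in ["ad lb vs web1 HTTP", "add community", "sh ve",
                  "f f", "rm mx", "add user bob", "ad l vs"]:
        try:
            print(f"{typed!r:24} -> {expand(typed)}")
        except NoSuchCommand as err:
            print(f"{typed!r:24} -> {err}")
```
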


1.3.1.6 Navigating Command Output

Often times, you will find that the screen output from the NSCLI will span mul-tiple screens. When an output stream pauses at the first screen’s worth of out-put with --More-- displayed, you can navigate the remaining output with keystrokes.

• To cancel viewing the remaining output, press the <Q> key or use <Ctrl>+<C> to abort the command.

• To stream the remaining output without pauses, press the <C> key.

• To advance through the output one screen at a time, press any other key.

1.3.1.7 Understanding Error Feedback

When a CLI command is entered with invalid arguments, an error message is displayed, possibly preceded by an indication of the location of the error within the command line. After most errors, a short version of the command usage is also displayed.

For example, typing the following command at the prompt:

> add vserver vs1 htto 10.101.4.99 80

Returns the following error messages:

add vserver vs1 htto 10.101.4.99 80
                ^^^^
ERROR: invalid argument value [serviceType, htto]

The carets ("^^^^"), if present, indicate the location of the error in the command line.

Note: The CLI will alert you if you try to configure a disabled or unlicensed feature. If you attempt to configure disabled features, your configurations will be applied; however, they will have no effect on the runtime behavior of the system until the feature is enabled. If you attempt to configure an unlicensed feature, the system will return an error.

1.3.1.8 Accessing the Command History

The command line maintains a per-user command entry history across sessions. This history maintains the last 100 user-entered commands. Note that the history does not record sequentially duplicated commands. You may loop through the history on the command line by using the up and down arrow keys on your keyboard. You can recall the entire history log using the history command. A sample of the history log output is shown here.

> history

1 21:31 sh version

2 21:31 man save ns config

3 21:31 builtins

4 21:32 help authentication

5 21:44 help

6 21:52 history

7 21:53 exit

8 21:53 history

>

You can also recall specific entries from within the history using the exclamation mark, or bang character (!). Use the ! in combination with either the desired history event number or an offset from the current event number to recall a specific history entry.

1.3.2 Advanced Command Line Usage

This section illustrates the remaining advanced features of the Command Line Interface.

1.3.2.1 Understanding NSCLI Built-ins

The Command Line Interface has several tools, or builtins, at your disposal for use within CLI sessions. To view these builtins, use the builtins command. In addition to the previously mentioned history builtin, other builtins are discussed in the following sections.

1.3.2.2 Compounding CLI Commands

The nscli supports using the semicolon (;) character to enter multiple commands. To use this function, simply enter a semicolon between commands on the command line. The commands will be executed in order of entry.

1.3.2.3 Using grep, more, and the Pipe Operator

To help in managing and navigating command output the nscli supports the standard UNIX grep and more commands as well as the pipe operator ( | ). For the grep and more commands refer to the man pages in the nscli for complete usage details.

The pipe operator is used in the nscli as it is on standard UNIX shells to redirect command output into another command, commonly with the grep and more commands.

1.3.2.4 Applying Formatting Options

In the nscli, most show commands have an implicit -format argument. This argument formats the command's output in one of three ways.

Normally the show server command outputs to the screen as shown here.

> show server

2 servers:

1) Name: s1 IPAddress: 10.10.10.11

State: ENABLED

2) Name: s2 IPAddress: 10.10.10.12

State: ENABLED

Done

>

With the -format input option, the show server command prints in the command form that it would be input to the CLI, as shown here.

> show server -format input

2 servers:

add server s1 10.10.10.11

add server s2 10.10.10.12

Done

>

The second formatting option, -format hierarchical, prints in a Cisco-like hierarchical format.

> show server -format hierarchical

2 servers:

server s1

IPAddress: 10.10.10.11

server s2

IPAddress: 10.10.10.12

Done

>

And the third type of formatting option, -format xhierarchical, prints the output in a Juniper-like hierarchical format.

> show server -format xhierarchical

2 servers:

server s1 {

IPAddress 10.10.10.11;

}

server s2 {

IPAddress 10.10.10.12;

}

Done

>

1.3.2.5 Creating and Using Aliases

In order to allow you to customize your own command shortcuts, the system supports using aliases. To create a command alias you will need to use the alias command followed by the desired alias name and the command you wish to alias. For example, to create an alias for the show system users command you would enter the command as shown below.

> alias users show system users

To use the new alias, specify it as you would any other command.

> users

1 Configured system user:

1) User name: nsroot

Done

>

And to view the established aliases, use the alias command alone on the command line.

> alias

users (show system users)

>

To delete an alias, use the unalias command.

> unalias users

>

1.3.2.6 Customizing the CLI Prompt

By default for all users, the CLI prompt is marked by the > character. You may customize the prompt to display differently using the set cli prompt command. The possible settings and parameters are listed in the following table followed by an example use of the command.

Table 1-2 Prompt Settings

Parameter    Prompt Displays
%!           Current history event number
%u           User name
%h, %m       Configured hostname
%t           Current system time
%T           Current system time in 24 hour format
%d           Current date

Example:

> set cli prompt "%[T] %u@%h"

Done

[22:23] nsroot@localhost>

Notice that you need to enclose the parameter in double quotes. You may chain multiple parameters together in addition to arbitrary strings and spaces to further customize the prompt. To do this, just include the desired string and parameters within a single double quoted string, as shown in the above example. If you would like to reset the prompt back to the system default, use the clear cli prompt command.

To ensure that your prompt setting is retained across sessions, save your configuration once your desired prompt is set. This command prompt setting will apply only to the current system user.

1.3.2.7 Using the @ Range Operator

Many CLI commands allow for the creation and manipulation of a range of entities. Any command that has the @ symbol in its parameter listing is one of these commands. The presence of the range operator means that the argument it follows may be used with a range specification in order to act on a consecutive array of entities. To use these arguments with a range, you simply specify the argument normally and follow it with a bracketed range.

For example, the command for creating a range of five load balancing vservers would use the following syntax:

> add lb vserver httpvserve[1-5] http 192.168.1.1[1-5] 80

Notice that the IP address argument also specifies an address range. When adding a range of entities as shown here, dependent arguments must have a matching range specified as well. The command will return an error if the ranges differ. When you use an add command with the range option as shown here, the system will create 5 vservers with IP addresses ranging from 192.168.1.11 to 192.168.1.15.

When deleting a range of entities instead, the same methodology applies. To remove the range of vservers created in this example, you would issue the following command:

> rm vserver httpvserve[1-5]

Done

>

Note: If a range of entities created with the range operation is somehow broken, such as via the manual removal of one or more of the entities, using the corresponding rm or set commands with a range operation against the range will not complete successfully.
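
The expansion rule described above, modelled in Python as an added example (not NetScaler code; expand_range_command and check_addresses are hypothetical helper names). It expands the bracketed ranges, rejects a line whose ranges differ, and validates the resulting IPv4 addresses, so a ranged command can be reviewed before it is entered at the CLI.

```python
import ipaddress
import re

# A bracketed range such as [1-5] attached to an argument.
RANGE_RE = re.compile(r"\[(\d+)-(\d+)\]")
IPV4_LIKE = re.compile(r"^\d+(\.\d+){3}$")


class RangeMismatch(ValueError):
    """Dependent arguments on one command line carry different ranges."""


def expand_range_command(command):
    """Return the concrete commands a ranged command line stands for.

    Every [start-end] on the line must be the same range, mirroring the rule
    that dependent arguments need a matching range.
    """
    ranges = [(int(lo), int(hi)) for lo, hi in RANGE_RE.findall(command)]
    if not ranges:
        return [command]
    lo, hi = ranges[0]
    if lo > hi:
        raise ValueError(f"descending range [{lo}-{hi}] in: {command}")
    if any(r != (lo, hi) for r in ranges):
        raise RangeMismatch(f"ranges differ in: {command}")
    return [RANGE_RE.sub(str(n), command) for n in range(lo, hi + 1)]


def check_addresses(commands):
    """Reject expansions whose dotted-quad arguments are not valid IPv4.

    The range value is appended as text (192.168.1.1[1-5] gives .11 to .15),
    so 10.0.0.2[55-56] yields 10.0.0.255 and 10.0.0.256; the second is not
    an address.
    """
    for command in commands:
        for token in command.split():
            if IPV4_LIKE.match(token):
                ipaddress.IPv4Address(token)  # raises ValueError if invalid
    return commands


if __name__ == "__main__":
    # The command from the text above.
    for line in check_addresses(expand_range_command(
            "add lb vserver httpvserve[1-5] http 192.168.1.1[1-5] 80")):
        print(line)
```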

1.3.2.8 Executing Looped Commands

The nscli allows for the use of UNIX shell style loops for repeated execution of commands. The example here uses this functionality to create ten http vservers with IP addresses 1.1.1.25 to 1.1.1.34.

> @ n = 10

> @ x = 25

> while ($n)

add vserver test$n http 1.1.1.$x 80

@ n--

@ x++

end

Done

Done

Done

Done

Done

Done

Done

Done

Done

Done

>

The primary keywords available in the nscli for using this feature are while, end, and the @ operator. More details on these keywords are available in the respective man pages for each of them as well as their Command Reference descriptions in this reference.

AAA Commands

This chapter covers the AAA commands.

stat aaa

Synopsis
stat aaa [-detail] [-fullValues] [-ntimes <positive_integer>] [-logFile <input_filename>]

Description
This command displays aaa statistics.

Counters

Authentication failures (authfails)
Count of authentication failures

Authentication successes (authsucc)
Count of authentication successes

Non HTTP authorization failures (atznonhtpf)
Count of non HTTP connections that failed authorization

HTTP authorization failures (atzhtpf)
Count of HTTP connections that failed authorization

Non HTTP authorization successes (atznonhtps)
Count of non HTTP connections that succeeded authorization

HTTP authorization successes (atzhtps)
Count of HTTP connections that succeeded authorization

AAA sessions (totsess)
Count of all AAA sessions

Timed out AAA sessions (totsessto)
Count of AAA sessions that have timed out

Current AAA sessions (totcursess)
Count of current AAA sessions

Related Commands

show aaa stats

Synopsis
show aaa stats - alias for 'stat aaa'

Description
show aaa stats is an alias for stat aaa

Related Commands
stat aaa

add aaa user

Synopsis
add aaa user <userName> [-password <string>]

Description
This command adds a user and the authorization compound expression for the user to the LDAP/RADIUS server.

Arguments

userName
Specifies the name of the user.

password
Specifies the password of the user. If the password option is not provided then the CLI will prompt the user to enter the password. The password entered by this method is not displayed to the user. Currently, the hidden password is not implemented. If the password is not specified the username is taken as the default password.

Example
add expression p4port VPNPORT == 1666
add expression whizbangport VPNPORT == 7676
add expression only_finance_url URL == /finance*
add expression only_finance_svc VPNIP == 10.100.3.44
add aaa user johndoe -HttpRule "only_finance_svc && only_finance_url" -ActionHttp allow -NonHttpRule "p4port || whizbangport" -ActionNonHttp allow

The above examples provide the following privileges to user johndoe:
HTTP: Only access to URLs prefixed with /finance is allowed, and access is restricted to the finance application server with IP address 10.100.3.44.
Non-HTTP: Only access to Perforce and Whizbang applications is allowed.

Related Commands
rm aaa user
set aaa user
show aaa user

rm aaa user

Synopsis
rm aaa user <userName>

Description
This command removes a user from the LDAP server added by the add aaa user CLI command.

Arguments

userName
Specifies the name of the user in the LDAP server.

Related Commands
add aaa user
set aaa user
show aaa user

set aaa user

Synopsis
set aaa user <userName> <password>

Description
This command sets the password for an existing user.

Arguments

userName
Specifies the name of the user.

password
Specifies the password of the user. If the password option is not provided then the CLI will prompt the user to enter the password. The password entered by this method is not displayed to the user. Currently, the hidden password is not implemented. If the password is not specified the username is taken as the default password.

Example
set aaa user johndoe password abcd

The above command sets johndoe's password to abcd.

Related Commands
add aaa user
rm aaa user
show aaa user

show aaa user

Synopsis
show aaa user [<userName>] [-loggedin]

Description
This command displays the AAA users who have been added using the add aaa user command.

Arguments

userName
Specifies the user name. When user name is specified the CLI displays the LDAP or the RADIUS user entry details and groups to which the user belongs.

loggedin
Specifies the loggedin flag. When this flag is turned on, the CLI displays the names of all logged in users. When used with a user name, the CLI displays whether the user is logged in or not.

Output

groupName

policy

priority

intranetApplication
Specifies the intranet vpn application.

urlName
Specifies the intranet url.

intranetip
Specifies the Intranet IP bound to the user

netmask
Specifies the netmask for the Intranet IP

Example
> show aaa user joe
UserName: joe
IntranetIP: 10.102.1.123
Bound to groups:
GroupName: engg
Done
>

Related Commands
add aaa user
rm aaa user
set aaa user

add aaa group

Synopsis
add aaa group <groupName>

Description
This command adds a group and the authorization compound expression for the group to the LDAP/RADIUS server.

Arguments

groupName
Specifies the name of the group.

Example
To add a group group_ad and set the HTTP rule and action to deny HTTP access in the 192.30.*.* network:
add aaa group group_ad -HttpRule exp_source -ActionHttp deny

Related Commands
rm aaa group
show aaa group

rm aaa group

Synopsis
rm aaa group <groupName>

Description
This command removes a group from the LDAP server added by the add aaa group CLI command.

Arguments

groupName
Specifies the name of the group in the LDAP server.
Note: The user sessions belonging to the group will be removed. The user has to log in again.

Related Commands
add aaa group
show aaa group

show aaa group

Synopsis
show aaa group [<groupName>] [-loggedin]

Description
This command displays the AAA groups that have been added using the add aaa group command.

Arguments

groupName
Specifies the group name. When the group name is specified the CLI displays the LDAP or the RADIUS group entry details and the users bound to the group.

loggedin
Specifies the loggedin flag. When this flag is turned on, the CLI displays the names of the groups that have at least one user logged in. When used with a group name, the CLI lists the users within the group who are logged in.

Output

userName

policy

priority

intranetApplication
Specifies the intranet vpn application.

urlName
Specifies the intranet url

intranetip
Specifies the Intranet IP(s) bound to the group

netmask
Specifies the netmask for the Intranet IP

Example
> show aaa group engg
GroupName: engg
Bound AAA users:
UserName: joe
UserName: jane
Intranetip IP: 10.102.10.0 Netmask: 255.255.255.0
Done
>

Related Commands
add aaa group
rm aaa group

bind aaa user

Synopsis
bind aaa user <userName> [-policy <string> [-priority <positive_integer>]] [-intranetApplication <string>] [-urlName <string>] [-intranetip <ip_addr> [<netmask>]]

Description
This command is used to bind a policy, intranetip, intranetapplication, or url to a user.

Arguments

userName
Specifies the user name.

policy
Specifies a policy to be bound to aaa user.

intranetApplication
Specifies the intranet vpn application.

urlName
Specifies the intranet url

intranetip
Specifies the IP address to be bound to this user which will be used for Intranet access

Example
To bind intranetip to the user joe:
bind aaa user joe -intranetip 10.102.1.123

Related Commands
unbind aaa user

unbind aaa user

Synopsis
unbind aaa user <userName> [-policy <string>] [-intranetApplication <string>] [-urlName <string>] [-intranetip <ip_addr> [<netmask>]]

Description
This command is used to unbind a policy, intranetip, intranetapplication, or url from a user.

Arguments

userName
Specifies the user name.

policy
Specifies a policy to be unbound from aaa user.

intranetApplication
Specifies the intranet vpn application.

urlName
Specifies the intranet url

intranetip
Specifies the Intranet IP to be unbound

Example
unbind aaa user joe -intranetip 10.102.1.123

Related Commands
bind aaa user

bind aaa group

Synopsis
bind aaa group <groupName> [-userName <string>] [-policy <string> [-priority <positive_integer>]] [-intranetApplication <string>] [-urlName <string>] [-intranetip <ip_addr> <netmask>]

Description
This command is used to bind a User, Intranet IP, Policy, or Intranet Application to a group.

Arguments

groupName
Specifies the group name.

userName
Specifies the user with whom the group is bound. If the user belongs to multiple groups, during authorization of a service all the group expressions are evaluated to take a suitable action.

policy
Specifies a policy to be bound to aaa group.

intranetApplication
Specifies the intranet vpn application.

urlName
Specifies the intranet url.

intranetip
Specifies the ip-block or the IP address to be bound with this group, which will be used by the users belonging to this group while accessing Intranet resources

Example
To bind Intranet IP to the group engg:
bind aaa group engg -intranetip 10.102.10.0 255.255.255.0

Related Commands
unbind aaa group

unbind aaa group

Synopsis
unbind aaa group <groupName> [-userName <string> ...] [-policy <string>] [-intranetApplication <string>] [-urlName <string>] [-intranetip <ip_addr> <netmask>]

Description
This command is used to unbind a User, Intranet IP, Policy, or Intranet Application from a group.

Arguments

groupName
Specifies the group name.

userName
Specifies the user to be unbound from the group.

policy
Specifies the policy to be unbound from aaa group.

intranetApplication
Specifies the intranet vpn application.

urlName
Specifies the intranet url.

intranetip
Specifies the Intranet IP to be unbound from the group

Example
unbind aaa group engg -intranetip 10.102.10.0 255.255.255.0

Related Commands
bind aaa group

set aaa radiusparams

Synopsis
set aaa radiusparams [-serverip <ip_addr>] [-serverport <port>] [-authTimeout <positive_integer>] -radKey <string> [-radNASip ( ENABLED | DISABLED )] [-radNASid <string>] [-radVendorID <positive_integer>] [-radAttributeType <positive_integer>] [-passEncoding <passEncoding>]

Description
This command sets the global variables for the RADIUS server. It is used globally in SSL-VPN across all Vservers unless a vserver specific configuration is done using authentication policies.

Arguments

serverip
Specifies the IP address of the RADIUS server.

serverport
Specifies the port number on which the RADIUS server is running. The default port number is 1812.
Default value: 1812

authTimeout
Specifies the maximum number of seconds for which the NetScaler 9000 system would wait for a response from the RADIUS server.
Default value: 3

radKey
Specifies the key shared between the client and the server. This information is required for the NetScaler system to communicate with the RADIUS server.

radNASip
If enabled, the NetScaler's IP address (NSIP) is sent as the "nasip" as part of the RADIUS protocol to the server.
Possible values: ENABLED, DISABLED

radNASid
If configured, this string will be sent to the RADIUS server as the "nasid" as part of the RADIUS protocol.

radVendorID
Specifies the Vendor ID for RADIUS group extraction.

radAttributeType
Specifies the Attribute type for RADIUS group extraction.

passEncoding
Specifies how passwords should be encoded in the RADIUS packets sent from the NetScaler to the RADIUS server. Valid options are PAP (default), CHAP, MSCHAPv1, MSCHAPv2.
Possible values: pap, chap, mschapv1, mschapv2
Default value: PAP

Example
To configure the default RADIUS parameters:
set aaa radiusparams -serverip 192.30.1.2 -radkey sslvpn

Related Commands
add authentication radiusaction
set aaa ldapparams
set aaa parameter
show aaa radiusparams

show aaa radiusparams

Synopsis
show aaa radiusparams

Description
This command displays the configured RADIUS parameters.

Arguments

Output

serverip

serverport

radKey

groupAuthName

authTimeout

radNASip

radNASid

IPAddress

Example
> show aaa radiusparams
Configured RADIUS parameters
Server IP: 127.0.0.2 Port: 1812 key: secret Timeout: 10
Done
>

Related Commands
set aaa radiusparams

set aaa ldapparams

Synopsis
set aaa ldapparams [-serverip <ip_addr>] [-serverport <port>] [-authTimeout <positive_integer>] [-ldapBase <string>] [-ldapBindDn <string>] [-ldapBindDnPassword <string>] [-ldapLoginName <string>] [-searchFilter <string>] [-groupAttrName <string>] [-subAttributeName <string>] [-secType <secType>]

Description
This command sets the global variables for the LDAP server. It is used globally in SSL-VPN across all Vservers unless a vserver specific configuration is done using authentication policies.

Arguments

serverip
Specifies the IP address of the LDAP server. The default value is localhost.

serverport
Specifies the port number on which the LDAP server is running. The default port number for LDAP server is 389.
Default value: 389

authTimeout
Specifies the maximum number of seconds for which the NetScaler system would wait for a response from the LDAP server.
Default value: 3

ldapBase
Specifies the base or the node from where the ldapsearch should start. If the LDAP server is running locally, the default value of base is dc=netscaler, dc=com.

ldapBindDn
Specifies the full distinguished name that is used to bind to the LDAP server.

ldapBindDnPassword
Specifies the password that is used to bind to the LDAP server.

ldapLoginName
Specifies the name attribute used by the NetScaler system to query the external LDAP server or an Active Directory.

searchFilter
String to be combined with the default LDAP user search string to form the value. For example, vpnallowed=true with ldapLoginName "samaccount" and user-supplied username "bob" would yield the LDAP search string "(&(vpnallowed=true)(samaccount=bob))".

groupAttrName
Specifies the Attribute name for group extraction from LDAP server

subAttributeName
Specifies the Sub-Attribute name for group extraction from LDAP server

secType
Specifies whether the communication between the NetScaler 9000 and the LDAP server should be encrypted or not. The following values are allowed for this parameter:
PLAINTEXT: No encryption required.
TLS: For using TLS protocol to communicate.
SSL: For using SSL Protocol to communicate.
Possible values: PLAINTEXT, TLS, SSL
Default value: PLAINTEXT

Example
To configure authentication in the LDAP server running at 192.40.1.2:
set aaa ldapparams -serverip 192.40.1.2 -ldapbase "dc=netscaler,dc=com" -ldapBindDN "cn=Manager,dc=netscaler,dc=com" -ldapBindDnPassword secret -ldaploginname uid

Related Commands
add authentication ldapaction
set aaa radiusparams
set aaa parameter
show aaa ldapparams
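
How the search string described under searchFilter is assembled, with the user-supplied name escaped per RFC 4515 so that it can only match literally. This is an added Python example, not NetScaler's implementation; the function names and the sample user names are constructed for illustration.

```python
import re

# RFC 4515 section 3: these characters must be written as \XX inside a value.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
_ATTR_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")


def escape_filter_value(value):
    """Escape one assertion value so it is compared as literal text."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(search_filter, login_attr, username):
    """Combine the administrator's filter with the per-login user clause."""
    if not _ATTR_NAME.match(login_attr):
        raise ValueError(f"not an LDAP attribute name: {login_attr!r}")
    user_clause = f"({login_attr}={escape_filter_value(username)})"
    if not search_filter:
        return user_clause
    # Accept both 'vpnallowed=true' and '(vpnallowed=true)' from the admin.
    extra = search_filter if search_filter.startswith("(") else f"({search_filter})"
    return f"(&{extra}{user_clause})"


def naive_user_filter(search_filter, login_attr, username):
    """The same combination by plain concatenation, for comparison only."""
    return f"(&({search_filter})({login_attr}={username}))"


def is_balanced(ldap_filter):
    """True when the filter is exactly one parenthesised group."""
    depth = 0
    for i, ch in enumerate(ldap_filter):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
            if depth == 0 and i != len(ldap_filter) - 1:
                return False  # text continues after the outer group closed
    return depth == 0 and ldap_filter.startswith("(")


if __name__ == "__main__":
    # Constructed user names: a plain one, one with a stray ')', a lone '*'.
    for name in ("bob", "j.smith)", "*"):
        safe = build_user_filter("vpnallowed=true", "samaccount", name)
        naive = naive_user_filter("vpnallowed=true", "samaccount", name)
        print(f"{name!r:12} escaped={safe}  balanced={is_balanced(safe)}")
        print(f"{'':12} naive  ={naive}  balanced={is_balanced(naive)}")
```

Without escaping, a name containing ")" produces a malformed filter and a lone "*" becomes a presence match on the login attribute rather than a comparison with one account.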

show aaa ldapparams

Synopsis
show aaa ldapparams

Description
This command displays the configured LDAP parameters.

Arguments

Output

serverip

serverport

authTimeout

ldapBindDn

ldapLoginName

ldapBase

secType

searchFilter

groupAttrName
Specifies the Attribute name for group extraction from LDAP server

subAttributeName
Specifies the Sub-Attribute name for group extraction from LDAP server

groupAuthName

Example
> show aaa ldapparams
Configured LDAP parameters
Server IP: 127.0.0.1 Port: 389 Timeout: 1 BindDn: cn=Manager,dc=florazel,dc=com login: uid Base: dc=florazel,dc=com Secure Type: PLAINTEXT
Done
>

Related Commands
set aaa ldapparams

set aaa tacacsparams

Synopsis
set aaa tacacsparams [-serverip <ip_addr>] [-serverport <port>] [-authTimeout <positive_integer>] [-tacacsSecret <string>] [-authorization ( ON | OFF )] [-accounting ( ON | OFF )]

Description
This command sets the global variables for the TACACS+ server. It is used globally in SSL-VPN across all Vservers unless a vserver specific configuration is done using authentication policies.

Arguments

serverip
Specifies the IP address of the TACACS+ server.

serverport
Specifies the port on which the TACACS+ server is running. The default port is 49.
Default value: 49

authTimeout
Specifies the maximum number of seconds for which the NetScaler system would wait for a response from the TACACS+ server.
Default value: 3

tacacsSecret
Specifies the key shared between the client and the server. This information is required for the NetScaler system to communicate with the TACACS+ server.

authorization
Specifies whether this TACACS+ server should be used for streaming authorization.
Possible values: ON, OFF

accounting
Specifies whether this TACACS+ server should be sent accounting messages.
Possible values: ON, OFF

Example
To configure a TACACS+ server running at 192.168.1.20:
set aaa tacacsparams -serverip 192.168.1.20 -tacacssecret secret

Related Commands
add authentication tacacsaction
set aaa radiusparams
set aaa parameter
show aaa tacacsparams
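
The defaults documented in the entries above (the user name as password when add aaa user has no -password, pap for -passEncoding, PLAINTEXT for -secType) can be checked for in a saved list of commands. This added Python example is not a Citrix tool; the rule labels, the 16-character secret threshold and the sample configuration are constructed for illustration, and option names are matched case-insensitively as in the page's own examples.

```python
import shlex

MIN_SECRET_LEN = 16  # assumed threshold for this example, not a NetScaler limit

# Constructed sample, assembled from the command examples in this reference.
SAMPLE_CONFIG = """\
add aaa user johndoe
add aaa user jane -password "correct horse battery staple"
set aaa ldapparams -serverip 192.40.1.2 -ldapBindDnPassword secret -ldaploginname uid
set aaa radiusparams -serverip 192.30.1.2 -radkey sslvpn
set aaa tacacsparams -serverip 192.168.1.20 -tacacssecret secret
"""


def parse_command(line):
    """Split a command line into (head, positional arguments, options)."""
    tokens = shlex.split(line)
    head = " ".join(tok.lower() for tok in tokens[:3])
    positional, options = [], {}
    rest = tokens[3:]
    i = 0
    while i < len(rest):
        tok = rest[i]
        if tok.startswith("-"):
            has_value = i + 1 < len(rest) and not rest[i + 1].startswith("-")
            options[tok[1:].lower()] = rest[i + 1] if has_value else ""
            i += 2 if has_value else 1
        else:
            positional.append(tok)
            i += 1
    return head, positional, options


def audit(lines):
    """Return sorted (line number, rule, message) findings for AAA commands."""
    findings = []
    effective = {}  # "set aaa ..." head -> (last line seen, merged options)
    for number, line in enumerate(lines, start=1):
        if not line.strip():
            continue
        head, positional, options = parse_command(line)
        if head == "add aaa user" and not options.get("password"):
            name = positional[0] if positional else "?"
            findings.append((number, "USER-DEFAULT-PW",
                             f"user {name!r} has no -password; the user name becomes the password"))
        elif head.startswith("set aaa "):
            # Later set commands override earlier ones, so judge the merged result.
            _, previous = effective.get(head, (0, {}))
            effective[head] = (number, {**previous, **options})

    for head, (number, options) in effective.items():
        if head == "set aaa ldapparams":
            if options.get("sectype", "PLAINTEXT").upper() == "PLAINTEXT":
                findings.append((number, "LDAP-PLAINTEXT",
                                 "secType is PLAINTEXT (the default); binds and logins are unencrypted"))
        elif head == "set aaa radiusparams":
            if options.get("passencoding", "pap").lower() == "pap":
                findings.append((number, "RADIUS-PAP",
                                 "passEncoding is pap (the default); password protection rests on -radKey"))
            key = options.get("radkey")
            if key is not None and len(key) < MIN_SECRET_LEN:
                findings.append((number, "SHORT-SECRET", f"radKey is only {len(key)} characters"))
        elif head == "set aaa tacacsparams":
            key = options.get("tacacssecret")
            if key is not None and len(key) < MIN_SECRET_LEN:
                findings.append((number, "SHORT-SECRET", f"tacacsSecret is only {len(key)} characters"))
    return sorted(findings)


if __name__ == "__main__":
    for number, rule, message in audit(SAMPLE_CONFIG.splitlines()):
        print(f"line {number}: {rule}: {message}")
```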

show aaa tacacsparams

Synopsis
show aaa tacacsparams

Description
Display configured AAA TACACS+ server parameters.

Arguments

Output

serverip

serverport

authTimeout

tacacsSecret

authorization

accounting

Example
> sh aaa tacacsparams
Configured TACACS parameter
Server IP: 192.168.1.20 Port: 49 Timeout: 1 secs
Done

Related Commands
set aaa tacacsparams

set aaa nt4params

Synopsis
set aaa nt4params [-serverip <ip_addr>] [-nt4ServerName <string>] [-nt4DomainName <string>] [-nt4AdminUser <string>] [-nt4AdminPasswd <string>]

Description
This command defines an NT4 authentication server.

Arguments

serverip
Specifies the IP address of the NT4 server.

nt4ServerName
The name of the NT4 server

nt4DomainName
The domain name of the NT4 server

nt4AdminUser
Username of an NT4 Domain Administrator

nt4AdminPasswd
Password of the NT4 Domain Administrator

Example
To configure an NT4 server running at 192.168.1.21:
set aaa nt4params -serverip 192.168.1.21

Related Commands
show aaa nt4params

show aaa nt4params

Synopsis
show aaa nt4params

Description
Display configured AAA NT4 server parameters.

Output

serverip

nt4ServerName

nt4DomainName

nt4AdminUser

nt4AdminPasswd

Related Commands
set aaa nt4params

set aaa certparams

Synopsis
set aaa certparams [-userNameField <string>] [-groupNameField <string>]

Description
This command sets the global variables for a certificate policy. It is used globally in SSL-VPN across all Vservers unless a vserver specific configuration is done using authentication policies.

Arguments

userNameField
Specifies which field in the client certificate to extract the username from. Should be of the format <field:subfield>. Allowed values for field are "Subject" and "Issuer".

groupNameField
Specifies which field in the certificate to extract the group from. Should be of the format <field:subfield>. Allowed values for field are "Subject" and "Issuer".

Example
To configure the default certificate parameters:
set aaa certparams -userNameField "Subject:CN" -groupNameField "Subject:OU"

Related Commands
add authentication certaction
set aaa parameter
show aaa certparams

show aaa certparams

Synopsis
show aaa certparams

Description
This command displays the configured CERT parameters.

Arguments

Output

twoFactor
Specifies whether two factor authentication is on.

userNameField
Specifies which field in the certificate to extract the username from.

groupNameField
Specifies which field in the certificate to extract the group from.

Related Commands
set aaa certparams

set aaa parameter

Synopsis
set aaa parameter [-defaultAuthType <defaultAuthType>] [-maxAAAUsers <positive_integer>]

Description
This command sets the global AAA parameters. Use this command to override the default LDAP authentication.

Arguments

defaultAuthType
Specifies the default type of authentication server. If nothing is specified the default value is set to LDAP.
Possible values: LOCAL, LDAP, RADIUS, TACACS, NT4, CERT

maxAAAUsers
Specifies the maximum number of concurrent users allowed to log in to the NetScaler 9000 at any given instant of time. The default number of users is 5.

Example
set aaa parameter -defaultAuthType RADIUS -maxAAAUSers 100

Related Commands
show aaa parameter

show aaa parameter

Synopsis
show aaa parameter

Description
This command displays the AAA parameters which have been configured using the set aaa parameter command.

Arguments

Output

defaultAuthType

maxAAAUsers

Example
> show aaa parameter
Configured AAA parameters
DefaultAuthType: LDAP MaxAAAUsers: 5
Done
>

Related Commands
set aaa parameter

Command Reference Guide 2-35

Page 66: Citrix NetScaler Application Switch

show aaa session

show aaa session

Synopsis
show aaa session [-userName <string>] [-groupName <string>] [-intranetip <ip_addr|*> [<netmask>]]

Description
This command displays the connections initiated by the user.

Arguments

userName
Specifies the user name. When the user name is specified, the CLI lists the connections initiated by the specified user.

groupName
Specifies the group name. When the group name is specified, the CLI lists the connections initiated by all the logged-in users within the group.

intranetip
Intranet IP address. The command lists all connections whose sessions are using the named intranet IP address.

Output

publicIP
Client's public IP address

publicPort
Client's public port

IPAddress
NetScaler's IP address

port
NetScaler's port

privateIP
Client's private/mapped IP address

privatePort
Client's private/mapped port

destIP
Destination IP address

destPort
Destination port

intranetip
Specifies the Intranet IP

Example
> show aaa connection
ClintIp (ClientPort) -> ServerIp(ServerPort)
------------------------- ----------------------------
User Name: Joe
10.102.0.39 (2318 ) -> 10.102.4.245 (443 )
10.102.0.39 (2320 ) -> 10.102.4.245 (443 )
10.102.0.39 (2340 ) -> 10.102.4.245 (443 )
Done
>

Related Commands
kill aaa session

kill aaa session

Synopsis
kill aaa session [-userName <string>] [-groupName <string>] [-intranetip <ip_addr|*> [<netmask>]] [-all]

Description
This command kills the user sessions.

Arguments

userName
Specifies the user name. The system will terminate the session initiated by the named user.

groupName
Specifies the group name. The system will terminate the sessions of all the users within the named group.

intranetip
Intranet IP address. The system will terminate all sessions using the named intranet IP address.

all
The system will terminate the sessions of all the users who are currently logged in.

Example
kill aaa session -user joe

Related Commands
show aaa session

Auditing Commands

This chapter covers the auditing commands.

stat audit

Synopsis
stat audit [-detail] [-fullValues] [-ntimes <positive_integer>] [-logFile <input_filename>]

Description
This command displays audit statistics.

Counters

Audit logs sent to syslog server(s) (LogSnd)
Count of audit log messages sent to all the configured syslog servers.

Audit log messages generated (LogGen)
Count of audit log messages generated.

NAT allocation failed (Ernatpcb)
NAT allocation failed.

Nsb allocation failed (Ernsb)
Nsb allocation failed.

Memory allocation failed (Ermem)
Memory allocation for audit context failed.

Port allocation failed (Erport)
Port allocation failed.

NAT lookup failed (Hshmiss)
NAT lookup failed.

Context not found (Ctxntfnd)
Context not found.

Related Commands

show audit stats

Synopsis
show audit stats - alias for 'stat audit'

Description
show audit stats is an alias for stat audit.

Related Commands
stat audit

add audit syslogaction

Synopsis
add audit syslogaction <name> <serverip> [-serverport <port>] -logLevel <logLevel> ... [-dateformat ( MMDDYYYY | DDMMYYYY )]

Description
Use this command to add a syslog action.

Arguments

name
The name of the SYSLOG action to be added.

serverip
The IP address of the syslog server.

serverport
The port on which the syslog server is running. Default value: 514

logLevel
Specifies the audit log level.

dateformat
Specifies the date format. Possible values: MMDDYYYY, DDMMYYYY Default value: MMDDYYYY

Related Commands
rm audit syslogaction
show audit syslogaction

rm audit syslogaction

Synopsis
rm audit syslogaction <name>

Description
Use this to remove a previously created syslog action. Note that an action cannot be removed as long as it is configured in a policy.

Arguments

name
The name of the action to be removed.

Related Commands
add audit syslogaction
show audit syslogaction

show audit syslogaction

Synopsis
show audit syslogaction

Description
Use this command to display details of the configured SYSLOG action(s).

Arguments

Output

Related Commands
add audit syslogaction
rm audit syslogaction

add audit syslogpolicy

Synopsis
add audit syslogpolicy <name> <rule> <action>

Description
Use this command to add a SYS LOG policy. The policy defines the conditions under which the specified SYS LOG server is to be used for logging.

Arguments

name
The name to assign to the new SYS LOG policy.

rule
The name of the rule, or expression, the policy is to use.

action
The name of the SYS LOG action the policy is to use.

Related Commands
rm audit syslogpolicy
show audit syslogpolicy
set audit syslogpolicy

rm audit syslogpolicy

Synopsis
rm audit syslogpolicy <name>

Description
Use this to remove an audit SYS LOG policy.

Arguments

name
The name of the SYS LOG policy to remove.

Related Commands
add audit syslogpolicy
show audit syslogpolicy
set audit syslogpolicy

show audit syslogpolicy

Synopsis
show audit syslogpolicy [<name>]

Description
Use this to display configured SYS LOG policies.

Arguments

name
The name of the policy to display. If this option is not provided, all the configured SYS LOG policies will be displayed.

Output

name

rule

action

Related Commands
add audit syslogpolicy
rm audit syslogpolicy
set audit syslogpolicy

set audit syslogpolicy

Synopsis
set audit syslogpolicy <name> [-rule <expression>] [-action <string>]

Description
Use this command to change properties of a SYS LOG policy.

Arguments

name
The name of the policy to be modified.

rule
The new rule to be associated with the policy.

action
The new SYS LOG action to be associated with the policy.

Related Commands
add audit syslogpolicy
rm audit syslogpolicy
show audit syslogpolicy

set audit syslogparams

Synopsis
set audit syslogparams [-serverip <ip_addr>] [-serverport <port>] [-dateformat ( MMDDYYYY | DDMMYYYY )] [-logLevel <logLevel> ...]

Description
Use this command to set default SYS LOG parameters.

Arguments

serverip
The IP address of the syslog server. Default value: 127.0.0.1

serverport
The port on which the syslog server is running. Default value: 514

dateformat
Specifies the date format. Possible values: MMDDYYYY, DDMMYYYY Default value: MMDDYYYY

logLevel
Specifies the audit log level for which messages should be logged. Default value: EMERGENCY ALERT CRITICAL ERROR WARNING NOTICE INFORMATIONAL

Related Commands
show audit syslogparams
unset audit syslogparams

show audit syslogparams

Synopsis
show audit syslogparams

Description
Use this to display configured SYS LOG params.

Arguments

Output

serverip

serverport

dateformat

logLevel
Specifies the audit log level.

Related Commands
set audit syslogparams
unset audit syslogparams

unset audit syslogparams

Synopsis
unset audit syslogparams [-serverip] [-serverport] [-logLevel]

Description
Use this command to unset syslog parameters.

Arguments

serverip
Unsets the IP address of the syslog server.

serverport
Unsets the port of the syslog server to default 514.

logLevel
Unsets the audit log level, so no message is logged.

Related Commands
set audit syslogparams
show audit syslogparams

show audit messages

Synopsis
show audit messages [-logLevel <logLevel> ...] [-numOfMesgs <positive_integer>]

Description
Use this command to display the most recent audit log messages.

Arguments

logLevel
The log level filter.

numOfMesgs
Specifies the number of log messages to be printed. Maximum value: 256. Default value: 20

Output

value
Audit message

Related Commands

Authentication Commands

This chapter covers the authentication commands.

add authentication radiusaction

Synopsis
add authentication radiusaction <name> [-serverip <ip_addr>] [-serverport <port>] [-authTimeout <positive_integer>] -radKey <string> [-radNASip ( ENABLED | DISABLED )] [-radNASid <string>] [-radVendorID <positive_integer>] [-radAttributeType <positive_integer>] [-passEncoding <passEncoding>]

Description
Use this command to add a profile for a RADIUS server. The profile contains all the configuration data necessary to communicate with a RADIUS server.

Arguments

name
The name of the RADIUS action to be added.

serverip
The IP address of the RADIUS server.

serverport
The port on which the RADIUS server is running. Default value: 1812

authTimeout
The maximum number of seconds for which the NetScaler system will wait for a response from the RADIUS server. Default value: 3

radKey
The key shared between the client and the server. This information is required for the NetScaler system to communicate with the RADIUS server.

radNASip
If enabled, the NetScaler's IP address (NSIP) is sent as the "nasip" according to the RADIUS protocol to the server. Possible values: ENABLED, DISABLED

radNASid
If configured, this string is sent to the RADIUS server as the "nasid" according to the RADIUS protocol.

radVendorID
The Vendor ID for using RADIUS group extraction.

radAttributeType
The Attribute type for using RADIUS group extraction.

passEncoding
This option specifies how the password should be encoded in the RADIUS packets from the NetScaler to the RADIUS server. Valid options are PAP (default), CHAP, MSCHAPv1, and MSCHAPv2. Possible values: pap, chap, mschapv1, mschapv2 Default value: PAP

Related Commands
rm authentication radiusaction
show authentication radiusaction
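
With the default passEncoding of PAP, the password travels in the User-Password attribute hidden only by an MD5 keystream derived from radKey and the packet's Request Authenticator (RFC 2865, section 5.2). The following is an added example, not NetScaler code; the function names and the sample key, password and authenticator are constructed for illustration.

```python
import hashlib

BLOCK = 16  # MD5 digest size; RFC 2865 processes the password in 16-octet chunks


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pap_hide(password: bytes, rad_key: bytes, authenticator: bytes) -> bytes:
    """Build the User-Password value the way a RADIUS client does for PAP."""
    if len(authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 octets")
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password carries 1 to 128 octets")
    # Pad with NULs to a multiple of 16 octets.
    padded = password + b"\x00" * (-len(password) % BLOCK)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), BLOCK):
        # Keystream for chunk n is MD5(key + previous ciphertext chunk);
        # the first chunk uses the Request Authenticator instead.
        keystream = hashlib.md5(rad_key + prev).digest()
        prev = xor_bytes(padded[i:i + BLOCK], keystream)
        hidden += prev
    return hidden


def pap_reveal(hidden: bytes, rad_key: bytes, authenticator: bytes) -> bytes:
    """Recover the password the way the RADIUS server does on receipt."""
    if len(authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 octets")
    if not hidden or len(hidden) % BLOCK or len(hidden) > 128:
        raise ValueError("User-Password must be 16 to 128 octets, multiple of 16")
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), BLOCK):
        keystream = hashlib.md5(rad_key + prev).digest()
        chunk = hidden[i:i + BLOCK]
        clear += xor_bytes(chunk, keystream)
        prev = chunk
    # Padding NULs are stripped; a password ending in NUL cannot round-trip.
    return clear.rstrip(b"\x00")


def demo() -> dict:
    key = b"constructed-radKey-value"          # constructed sample, not a real key
    authenticator = bytes(range(16))           # constructed; real ones are random
    password = b"correct horse battery"        # 21 octets, so two chunks
    hidden = pap_hide(password, key, authenticator)
    return {
        "hidden_len": len(hidden),
        "server_view": pap_reveal(hidden, key, authenticator),
        "wrong_key_view": pap_reveal(hidden, b"some-other-key", authenticator),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Everything that protects the password here is the radKey value and the freshness of the Request Authenticator, which is why the key's length and randomness matter when PAP is left as the encoding.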

rm authentication radiusaction

Synopsis
rm authentication radiusaction <name>

Description
Use this to remove a previously created RADIUS action. Note that an action cannot be removed as long as it is configured in a policy.

Arguments

name
The name of the action to be removed.

Related Commands
add authentication radiusaction
show authentication radiusaction

show authentication radiusaction

Synopsis
show authentication radiusaction

Description
Use this command to display details of the configured RADIUS action(s).

Arguments

Output

Related Commands
add authentication radiusaction
rm authentication radiusaction

add authentication ldapaction

Synopsis
add authentication ldapaction <name> [-serverip <ip_addr>] [-serverport <port>] [-authTimeout <positive_integer>] [-ldapBase <string>] [-ldapBindDn <string>] [-ldapBindDnPassword <string>] [-ldapLoginName <string>] [-searchFilter <string>] [-groupAttrName <string>] [-subAttributeName <string>] [-secType <secType>]

Description
Use this command to add a profile for an LDAP server. The profile contains all the configuration data necessary to communicate with the LDAP server.

Arguments

name
The name for the new LDAP action.

serverip
The IP address of the LDAP server. The default value is localhost.

serverport
The port number on which the LDAP server is running. Default value: 389

authTimeout
The maximum number of seconds for which the NetScaler system will wait for a response from the LDAP server. Default value: 3

ldapBase
The base, or node, from where the ldapsearch should start. If the LDAP server is running locally, the default value of base is dc=netscaler, dc=com.

ldapBindDn
The full distinguished name that is used to bind to the LDAP server. The default value of the bindDN is cn=Manager,dc=netscaler,dc=com.

ldapBindDnPassword
The password that is used to bind to the LDAP server.

ldapLoginName
The name attribute used by the NetScaler system to query the external LDAP server or an Active Directory.

searchFilter
String to be combined with the default LDAP user search string to form the value. For example, vpnallowed=true with ldapLoginName "samaccount" and user-supplied username "bob" would yield the LDAP search string "(&(vpnallowed=true)(samaccount=bob))".

groupAttrName
The Attribute name for group extraction from LDAP server.

subAttributeName
The Sub-Attribute name for group extraction from LDAP server.

secType
This option specifies whether communication between the NetScaler 9000 system and the authentication server should be encrypted. The following values for this parameter are valid:
PLAINTEXT: No encryption required.
TLS: For using TLS protocol to communicate.
SSL: For using SSL Protocol to communicate.
Possible values: PLAINTEXT, TLS, SSL Default value: PLAINTEXT

Related Commands
rm authentication ldapaction
show authentication ldapaction
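
The searchFilter description above combines an administrator-supplied filter with a term built from ldapLoginName and the user-supplied username. The following added example, which is not NetScaler code, reproduces that composition and escapes the username per RFC 4515 so it is always treated as a literal value; the function names are hypothetical, and the escaping step is an assumption about how such a string should be built, not documented appliance behaviour.

```python
import re

# RFC 4512 short attribute name: a letter followed by letters, digits or hyphens.
ATTRIBUTE_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$")

# RFC 4515 section 3: these characters must appear as \XX inside a filter value.
FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so it cannot change the filter structure."""
    return "".join(FILTER_ESCAPES.get(ch, ch) for ch in value)


def parentheses_balanced(filter_text: str) -> bool:
    """Literal parentheses inside values are escaped, so raw counting is valid."""
    depth = 0
    for ch in filter_text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def build_search_string(login_name_attr: str, username: str,
                        search_filter: str = "") -> str:
    """Combine searchFilter with the (ldapLoginName=username) term."""
    if not ATTRIBUTE_NAME.match(login_name_attr):
        raise ValueError("ldapLoginName is not a valid attribute name")
    if not username:
        raise ValueError("empty user name")
    user_term = "(%s=%s)" % (login_name_attr, escape_filter_value(username))
    extra = search_filter.strip()
    if not extra:
        return user_term
    # Accept both "vpnallowed=true" and "(vpnallowed=true)" from the admin.
    if not extra.startswith("("):
        extra = "(" + extra + ")"
    if not parentheses_balanced(extra):
        raise ValueError("searchFilter has unbalanced parentheses")
    return "(&%s%s)" % (extra, user_term)


if __name__ == "__main__":
    # The example from the searchFilter description.
    print(build_search_string("samaccount", "bob", "vpnallowed=true"))
    # Constructed input containing filter metacharacters; they come out escaped.
    print(build_search_string("samaccount", "a*(b)", "vpnallowed=true"))
```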

rm authentication ldapaction

Synopsis
rm authentication ldapaction <name>

Description
Use this command to remove an LDAP action. Note that an action cannot be removed as long as it is configured in a policy.

Arguments

name
The name of the LDAP action to be removed.

Related Commands
add authentication ldapaction
show authentication ldapaction

show authentication ldapaction

Synopsis
show authentication ldapaction

Description
Use this to display details of the configured LDAP action(s).

Arguments

Output

ldapBindDn

ldapLoginName

ldapBase

searchFilter

groupAttrName

subAttributeName

secType

Related Commands
add authentication ldapaction
rm authentication ldapaction

add authentication tacacsaction

Synopsis
add authentication tacacsaction <name> [-serverip <ip_addr>] [-serverport <port>] [-authTimeout <positive_integer>] [-tacacsSecret <string>] [-authorization ( ON | OFF )] [-accounting ( ON | OFF )]

Description
Use this command to add a profile for a TACACS+ server. The profile contains all the configuration data necessary to communicate with the TACACS+ server.

Arguments

name
The name for the new TACACS+ action.

serverip
The IP address of the TACACS+ server.

serverport
The port on which the TACACS+ server is running. Default value: 49

authTimeout
The maximum number of seconds for which the NetScaler system will wait for a response from the TACACS+ server. Default value: 3

tacacsSecret
The key shared between the client and the server. This information is required for the NetScaler system to communicate with the TACACS+ server.

authorization
Specifies whether this TACACS+ server should be used for streaming authorization. Possible values: ON, OFF

accounting
Specifies whether this TACACS+ server should be sent accounting messages. Possible values: ON, OFF

Related Commands
rm authentication tacacsaction
show authentication tacacsaction

rm authentication tacacsaction

Synopsis
rm authentication tacacsaction <name>

Description
Use this to remove a TACACS+ action. Note that an action cannot be removed as long as it is configured in a policy.

Arguments

name
The name of the TACACS+ action to be removed.

Related Commands
add authentication tacacsaction
show authentication tacacsaction

show authentication tacacsaction

Synopsis
show authentication tacacsaction

Description
Use this to display details of the configured TACACS+ action(s).

Arguments

Output

tacacsSecret

authorization
Specifies whether this TACACS+ server should be used for streaming authorization.

accounting
Specifies whether this TACACS+ server should be sent accounting messages.

Related Commands
add authentication tacacsaction
rm authentication tacacsaction

add authentication nt4action

Synopsis
add authentication nt4action <name> [-serverip <ip_addr>] [-nt4ServerName <string>] [-nt4DomainName <string>] [-nt4AdminUser <string>] [-nt4AdminPasswd <string>]

Description
Use this command to add a profile for an NT4 server. The profile contains all the configuration data necessary to communicate with the NT4 server.

Arguments

name
The name for the new NT4 action.

serverip
The IP address of the NT4 server.

nt4ServerName
The name of the NT4 server.

nt4DomainName
The domain name of the NT4 server.

nt4AdminUser
The username of an NT4 Domain Administrator.

nt4AdminPasswd
The password of the NT4 Domain Administrator.

Related Commands
rm authentication nt4action
show authentication nt4action

rm authentication nt4action

Synopsis
rm authentication nt4action <name>

Description
Use this to remove an NT4 action. Note that an action cannot be removed as long as it is configured in a policy.

Arguments

name
The name of the NT4 action to be removed.

Related Commands
add authentication nt4action
show authentication nt4action

add authentication certaction

Synopsis
add authentication certaction <name> [-twoFactor ( ON | OFF )] [-userNameField <string> [-groupNameField <string>]]

Description
This command adds a certificate action.

Arguments

name
The name of the CERT action to be added.

twoFactor
Specifies whether two factor authentication is on. Two factor authentication means client certificate authentication followed by password authentication. Possible values: ON, OFF Default value: OFF

userNameField
Specifies which field in the client certificate to extract the username from. Should be of the format <field:subfield>. Allowed values for field are "Subject" and "Issuer".

Example
add authentication certaction -twoFactor ON -userNameField "Subject:CN" -groupNameField "Subject:OU"

Related Commands
add aaa certparam
add authentication certpolicy
show authentication certaction
rm authentication certaction

show authentication certaction

Synopsis
show authentication certaction

Description
This command displays the details of configured CERT action(s).

Arguments

Output

twoFactor
Specifies whether two factor authentication is on.

userNameField
Specifies which field in the certificate to extract the username from.

groupNameField
Specifies which field in the certificate to extract the group from.

Related Commands
add authentication certaction
rm authentication certaction

rm authentication certaction

Synopsis
rm authentication certaction <name>

Description
Use this to remove a cert action. Note that an action cannot be removed as long as it is configured in a policy.

Arguments

name
The name of the CERT action to be removed.

Related Commands
add authentication certaction
show authentication certaction

show authentication nt4action

Synopsis
show authentication nt4action

Description
Use this to display the details of the configured NT4 action(s).

Arguments

Output

nt4ServerName

nt4DomainName

nt4AdminUser

Related Commands
add authentication nt4action
rm authentication nt4action

add authentication localpolicy

Synopsis
add authentication localpolicy <name> <rule>

Description
Use this command to add an authentication LOCAL policy. The policy defines the conditions under which the kernel will authenticate the user.

Arguments

name
The name to assign to the new authentication LOCAL policy.

rule
The name of the rule, or expression, the policy is to use.

Related Commands
rm authentication localpolicy
show authentication localpolicy
set authentication localpolicy

rm authentication localpolicy

Synopsis
rm authentication localpolicy <name>

Description
Use this to remove an authentication LOCAL policy.

Arguments

name
The name of the LOCAL policy to remove.

Related Commands
add authentication localpolicy
show authentication localpolicy
set authentication localpolicy

show authentication localpolicy

Synopsis
show authentication localpolicy [<name>]

Description
Use this to display configured LOCAL policies.

Arguments

name
The name of the policy to display. If this option is not provided, all the configured LOCAL policies will be displayed.

Output

name

rule

Related Commands
add authentication localpolicy
rm authentication localpolicy
set authentication localpolicy

set authentication localpolicy

Synopsis
set authentication localpolicy <name> [-rule <expression>]

Description
Use this command to change properties of a LOCAL policy.

Arguments

name
The name of the policy to be modified.

rule
The new rule to be associated with the policy.

Related Commands
add authentication localpolicy
rm authentication localpolicy
show authentication localpolicy

add authentication radiuspolicy

Synopsis
add authentication radiuspolicy <name> <rule> [<reqAction>]

Description
Use this command to add an authentication RADIUS policy. The policy defines the conditions under which the specified RADIUS server is to be used for authentication.

Arguments

name
The name to assign to the new authentication RADIUS policy.

rule
The name of the rule, or expression, the policy is to use.

reqAction
The name of the RADIUS action the policy is to use.

Related Commands
rm authentication radiuspolicy
show authentication radiuspolicy
set authentication radiuspolicy

rm authentication radiuspolicy

Synopsis
rm authentication radiuspolicy <name>

Description
Use this to remove an authentication RADIUS policy.

Arguments

name
The name of the RADIUS policy to remove.

Related Commands
add authentication radiuspolicy
show authentication radiuspolicy
set authentication radiuspolicy

show authentication radiuspolicy

Synopsis
show authentication radiuspolicy [<name>]

Description
Use this to display configured RADIUS policies.

Arguments

name
The name of the policy to display. If this option is not provided, all the configured RADIUS policies will be displayed.

Output

name

rule

reqAction

Related Commands
add authentication radiuspolicy
rm authentication radiuspolicy
set authentication radiuspolicy

set authentication radiuspolicy

Synopsis
set authentication radiuspolicy <name> [-rule <expression>] [-reqAction <string>]

Description
Use this command to change properties of a RADIUS policy.

Arguments

name
The name of the policy to be modified.

rule
The new rule to be associated with the policy.

reqAction
The new RADIUS action to be associated with the policy.

Related Commands
add authentication radiuspolicy
rm authentication radiuspolicy
show authentication radiuspolicy

add authentication certpolicy

Synopsis
add authentication certpolicy <name> <rule> [<reqAction>]

Description
Use this command to add an authentication cert policy. The policy defines the conditions under which the specified cert action is to be used for authentication.

Arguments

name
The name for the new policy.

rule
The name of the rule, or expression, the policy is to use.

reqAction
The cert action to associate with the policy.

Related Commands
set authentication certpolicy
show authentication certpolicy
rm authentication certpolicy

set authentication certpolicy

Synopsis
set authentication certpolicy <name> [-rule <expression>] [-reqAction <string>]

Description
Use this command to change the properties of a CERT policy.

Arguments

name
The name of the policy to be modified.

rule
The new rule to associate with the policy.

reqAction
The new cert action to associate with the policy.

Related Commands
add authentication certpolicy
show authentication certpolicy
rm authentication certpolicy

show authentication certpolicy

Synopsis
show authentication certpolicy [<name>]

Description
Use this to display configured CERT policies.

Arguments

name
The name of the policy to display. If this option is not provided, all of the configured policies are shown.

Output

name
The name of the policy displayed.

rule
The rule associated with the policy.

reqAction
The cert action associated with the policy.

Related Commands
add authentication certpolicy
set authentication certpolicy
rm authentication certpolicy

rm authentication certpolicy

Synopsis
rm authentication certpolicy <name>

Description
Use this to remove a CERT authentication policy.

Arguments

name
The name of the CERT policy to be removed.

Related Commands
add authentication certpolicy
set authentication certpolicy
show authentication certpolicy

add authentication ldappolicy

Synopsis
add authentication ldappolicy <name> <rule> [<reqAction>]

Description
Use this command to add an authentication LDAP policy. The policy defines the conditions under which the specified LDAP server is to be used for authentication.

Arguments

name
The name for the new policy.

rule
The name of the rule, or expression, the policy is to use.

reqAction
The LDAP action to associate with the policy.

Related Commands
rm authentication ldappolicy
show authentication ldappolicy
set authentication ldappolicy

rm authentication ldappolicy

Synopsis
rm authentication ldappolicy <name>

Description
Use this to remove an LDAP authentication policy.

Arguments

name
The name of the LDAP policy to be removed.

Related Commands
add authentication ldappolicy
show authentication ldappolicy
set authentication ldappolicy

show authentication ldappolicy

Synopsis
show authentication ldappolicy [<name>]

Description
Use this to display configured LDAP policies.

Arguments

name
The name of the policy to display. If this option is not provided, all of the configured policies are shown.

Output

name

rule

reqAction

Related Commands
add authentication ldappolicy
rm authentication ldappolicy
set authentication ldappolicy

set authentication ldappolicy

Synopsis
set authentication ldappolicy <name> [-rule <expression>] [-reqAction <string>]

Description
Use this to change properties of an LDAP policy.

Arguments

name
The name of the policy to be changed.

rule
The new rule to associate with the policy.

reqAction
The new LDAP action to associate with the policy.

Related Commands
add authentication ldappolicy
rm authentication ldappolicy
show authentication ldappolicy

add authentication tacacspolicy

Synopsis
add authentication tacacspolicy <name> <rule> [<reqAction>]

Description
Use this command to add an authentication TACACS+ policy. The policy defines the conditions under which the specified TACACS+ server is to be used for authentication.

Arguments

name
The name of the new TACACS+ policy.

rule
The name of the rule, or expression, the policy is to use.

reqAction
The name of the TACACS+ action to be associated with the policy.

Related Commands
rm authentication tacacspolicy
show authentication tacacspolicy
set authentication tacacspolicy

rm authentication tacacspolicy

Synopsis
rm authentication tacacspolicy <name>

Description
Use this command to remove a TACACS+ policy.

Arguments

name
The name of the TACACS+ policy to be removed.

Related Commands
add authentication tacacspolicy
show authentication tacacspolicy
set authentication tacacspolicy

show authentication tacacspolicy

Synopsis
show authentication tacacspolicy [<name>]

Description
Use this to display the configured TACACS+ policies.

Arguments

name
The name of the TACACS+ policy to display. If this option is not given, all of the configured TACACS+ policies are shown.

Output

name

rule

reqAction

Related Commands
add authentication tacacspolicy
rm authentication tacacspolicy
set authentication tacacspolicy

set authentication tacacspolicy

Synopsis
set authentication tacacspolicy <name> [-rule <expression>] [-reqAction <string>]

Description
Use this command to change the properties of a TACACS+ policy.

Arguments

name
The name of the policy to be modified.

rule
The new rule to associate with the policy.

reqAction
The new TACACS+ action to associate with the policy.

Related Commands
add authentication tacacspolicy
rm authentication tacacspolicy
show authentication tacacspolicy

add authentication nt4policy

Synopsis
add authentication nt4policy <name> <rule> [<reqAction>]

Description
Use this command to add an authentication NT4 policy. The policy defines the conditions under which the specified NT4 server is to be used for authentication.

Arguments

name
The name for the new NT4 policy.

rule
The name of the rule, or expression, the policy is to use.

reqAction
The NT4 action the policy is to use.

Related Commands
rm authentication nt4policy
show authentication nt4policy
set authentication nt4policy

rm authentication nt4policy

Synopsis
rm authentication nt4policy <name>

Description
Use this command to remove an NT4 policy.

Arguments

name
The name of the NT4 policy to remove.

Related Commands
add authentication nt4policy
show authentication nt4policy
set authentication nt4policy

show authentication nt4policy

Synopsis
show authentication nt4policy [<name>]

Description
Use this command to display NT4 policies.

Arguments

name
The name of the NT4 policy to be displayed. If this option is not given, all the configured NT4 policies will be shown.

Output

name

rule

reqAction

Related Commands
add authentication nt4policy
rm authentication nt4policy
set authentication nt4policy

set authentication nt4policy

Synopsis
set authentication nt4policy <name> [-rule <expression>] [-reqAction <string>]

Description
Use this command to change the properties of an NT4 policy.

Arguments

name
The name of the NT4 policy to be modified.

rule
The name of the new rule to be associated with the policy.

reqAction
The name of the NT4 action to be associated with the policy.

Related Commands
add authentication nt4policy
rm authentication nt4policy
show authentication nt4policy

Authorization Commands

This chapter covers the authorization commands.

add authorization policy

Synopsis
add authorization policy <name> <rule> <action>

Description
Use this command to add an authorization policy. Authorization policies are used to authorize access to resources for AAA users and AAA groups through the SSL VPN. By default, the SSL VPN is configured to allow access to all resources. Authorization policies can be used to alter this default action. (This can be modified for an SSL VPN session through a VPN session policy. See "add vpn sessionpolicy".) Access to some resources can selectively be altered to DENY by binding one (or more) authorization policies to the AAA user (or AAA group). Once bound, an authorization policy acts on all incoming AAA user requests for resources. If the authorization policy's rule evaluates to TRUE, the associated action (ALLOW/DENY) is applied. If the rule evaluates to FALSE, the negation of the action is applied implicitly. Multiple authorization policies may also be bound to AAA users and AAA groups with different priorities (see "bind aaa user/group"). If the policies are of different priorities, they are sorted internally according to priority in descending order. During evaluation of those policies the following principles are applied:
1. DENY has the highest priority and takes effect immediately.
2. ALLOW has the next highest priority. It waits for any other DENY (explicit) from an authorization policy of the same priority.
3. Implicit DENY has the third highest priority. It waits for both explicit ALLOW/DENY of *any* priority.
4. Implicit ALLOW has the lowest priority. It waits for explicit ALLOW/DENY of any priority and implicit DENY of the same priority.

Arguments

name
The name for the new authorization policy.

rule
The rule or expression for conditional evaluation of the policy. This rule can be an expression specified by "add policy expression", or it may be an inline expression.

action
The action to be taken when the expression is satisfied. The allowed actions are ALLOW or DENY.

Example
Consider the following authorization policy, "author-policy":

add authorization policy author-policy "URL == /*.gif" DENY
bind aaa user foo -policy author-policy

If the user "foo" now logs in through the SSL VPN and makes any request other than for a "gif", the rule evaluates to FALSE, and the negation of DENY, i.e. ALLOW, is applied. All those resources are therefore implicitly allowed. If "foo" tries to access "abc.gif", this access is denied.

Related Commands
rm authorization policy
show authorization policy
set authorization policy
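
The four evaluation principles of "add authorization policy", modeled as an added Python sketch (not NetScaler code and not part of the guide). Rules are reduced to URL globs, priority levels are visited in the descending order the description states, and the handling of ties between levels is one reading of principles 1 to 4; `Policy`, `outcome` and `authorize` are hypothetical names.

```python
from dataclasses import dataclass
from fnmatch import fnmatchcase
from itertools import groupby

ALLOW, DENY = "ALLOW", "DENY"


@dataclass(frozen=True)
class Policy:
    name: str
    url_glob: str      # stand-in for a rule such as "URL == /*.gif"
    action: str        # ALLOW or DENY
    priority: int = 0  # binding priority (assumed: larger value sorts first)


def outcome(policy, url):
    """Return (verdict, is_explicit) for one policy and one request URL."""
    if fnmatchcase(url, policy.url_glob):
        return policy.action, True           # rule TRUE: the action applies
    negated = ALLOW if policy.action == DENY else DENY
    return negated, False                    # rule FALSE: implicit negation


def authorize(policies, url, default=ALLOW):
    """Combine all bound policies for one request (principles 1 to 4)."""
    ordered = sorted(policies, key=lambda p: p.priority, reverse=True)
    implicit = None  # implicit verdict of the first priority level visited
    for _, level in groupby(ordered, key=lambda p: p.priority):
        results = [outcome(p, url) for p in level]
        explicit = {verdict for verdict, is_explicit in results if is_explicit}
        if DENY in explicit:    # 1. explicit DENY takes effect immediately
            return DENY
        if ALLOW in explicit:   # 2. explicit ALLOW, no DENY at this level
            return ALLOW
        if implicit is None:
            verdicts = {verdict for verdict, _ in results}
            # 3 and 4: implicit DENY beats implicit ALLOW of the same level
            implicit = DENY if DENY in verdicts else ALLOW
    # No rule matched at any level: use the implicit verdict, or the session
    # default (ALLOW unless changed) when no policy is bound at all.
    return implicit if implicit is not None else default


if __name__ == "__main__":
    # Constructed bindings; only the first one comes from the guide's example.
    cases = {
        "guide example": [Policy("author-policy", "/*.gif", DENY)],
        "single ALLOW": [Policy("reports", "/reports/*", ALLOW)],
        "same level": [Policy("docs", "/docs/*", ALLOW, 10),
                       Policy("secret", "/docs/secret/*", DENY, 10)],
        "split levels": [Policy("docs", "/docs/*", ALLOW, 10),
                         Policy("secret", "/docs/secret/*", DENY, 5)],
    }
    for label, bound in cases.items():
        for url in ("/abc.gif", "/admin", "/docs/secret/x"):
            print(f"{label:13} {url:15} -> {authorize(bound, url)}")
```

Two results are worth noting when reviewing bindings: a single ALLOW policy implicitly denies every request its rule does not match, and under this reading a DENY bound at a lower level is never reached once an ALLOW at an earlier level matches.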

rm authorization policy

Synopsis
rm authorization policy <name>

Description
Use this command to remove a configured authorization policy.

Arguments

name
The name of the authorization policy to be removed.

Related Commands
add authorization policy
show authorization policy
set authorization policy

show authorization policy

Synopsis
show authorization policy

Description
Use this command to display all the configured authorization policies.

Arguments

Output

name
The name of the policy.

rule
Rule of the policy.

action
Authorization action associated with the policy. It can be either ALLOW or DENY.

Related Commands
add authorization policy
rm authorization policy
set authorization policy

set authorization policy

Synopsis
set authorization policy <name> [-rule <expression>] [-action <string>]

Description
Use this command to modify the rule or action value of a configured authorization policy.

Arguments

name
The name of the authorization policy to be modified.

rule
The new rule to be associated with the authorization policy.

action
The new action to be associated with the authorization policy.

Related Commands
add authorization policy
rm authorization policy
show authorization policy

Base Commands

This chapter covers the base commands.

sync

Synopsis
sync [<Mode> ...]

Description
The sync command is used to synchronize SSL Certificates, SSL CRL lists, and SSL VPN bookmarks from the primary node to the secondary node in a high-availability pair. The node in primary state is always considered authoritative. Files are copied from primary to secondary overwriting all differences, even when the command is invoked from a node in secondary state. The sync command supports three modes: all, bookmarks, and ssl. The following paths correspond to the synchronization mode:

Mode        Paths
all         /nsconfig/ssl/
            /var/vpn/bookmarks/
ssl         /nsconfig/ssl/
bookmarks   /var/vpn/bookmarks/

Arguments

Mode
Sync mode: all, bookmark, or ssl.

Example
sync all

Related Commands

add server

Synopsis
add server <name>@ (<IPAddress>@ | <domain>) [-state ( ENABLED | DISABLED )]

Description
Use this command to add a physical server on the NetScaler system. This is a prerequisite for configuring Load Balancing, Cache Redirection, Content Switching, and SureConnect.

Arguments

name
Specifies the server's name. The server name can be up to 31 characters long.

IPAddress
Specifies the IP address of the server.

domain
The domain name of the server for which a service needs to be added. If IP Address has been specified, the domain name does not need to be specified.

state
The initial state of the service. Possible values: ENABLED, DISABLED Default value: ENABLED

Related Commands
add service
disable server
enable server
rm server
show server

disable server

Synopsis
disable server <serverName>@ [<delay>]

Description
This command disables all services (that have been configured in the NetScaler 9000 system) for the specified server. Services can be enabled with the enable service command.

Arguments

serverName
Specifies the name of the server (created with the add server command) for which services will be disabled.

delay
Specifies time in seconds after which all services in this server are brought down.

Example
disable server web_svr 30

Related Commands
add service
disable service
add server
enable server
rm server
show server

enable server

Synopsis
enable server <serverName>@

Description
Use this command to enable a server. When a server is enabled, all the services under this server are also enabled. Note: A server when added to the NetScaler system is enabled by default. On disabling a server, all the services that are under this server are also disabled.

Arguments

serverName
Specifies the server name.

Related Commands
show service
enable service
add server
disable server
rm server
show server

rm server

Synopsis
rm server <name>@ ...

Description
Use this command to remove a server entry from the NetScaler system.

Arguments

name
Specifies the name of the server to be removed.

Example
rm server web_svr

Related Commands
rm service
add server
disable server
enable server
show server

show server

Synopsis
show server [<serverName>]

Description
Use this command to view the name and IP address of a particular physical server configured on the NetScaler system.

Arguments

serverName
The name of the server to be displayed. If a server name is specified, then all the services under that server will be displayed.

Output

IPAddress

state

domain

Example
show server web_svr

Related Commands
show service
add server
disable server
enable server
rm server

add service

Synopsis
add service <name>@ (<serverName>@ | <IP>@) <serviceType> <port> [-clearTextPort <port>] [-cacheType <cacheType>] [-state ( ENABLED | DISABLED )]

Description
Use this command to add a service to the NetScaler 9000 system. Each server can have multiple services. To add multiple services, use this command repeatedly. Note: Each time a service is added, it must have a unique port number specified.

Arguments

name
The name of the service. This name must not exceed 31 characters.

serverName
Specifies the name of the server (created with the add server command) for which a service will be added.

IP
Specifies the IP address of the server for which a service will be added.

serviceType
Specifies the type of service that is being added. Supported protocols are:
HTTP - To load balance web servers and to provide connection multiplexing, latency improvement, and other content and TCP protection benefits for HTTP traffic.
FTP - To load balance FTP servers. In this mode, the NetScaler 9000 system provides TCP protection benefits, protection against SYN attacks, and surge protection.
TCP - To host any other TCP protocols that are not HTTP, FTP, NNTP, or SSL. In this mode, the NetScaler 9000 system provides TCP protection benefits, protection against SYN attack, and surge protection.
UDP - To load balance servers with UDP-based services (other than DNS).
SSL - To provide end to end encryption while providing SSL acceleration.
SSL_BRIDGE - To load balance SSL servers.
SSL_TCP - To offload SSL traffic for TCP applications.
NNTP - To load balance NNTP servers.
DNS - To load balance DNS servers.
ADNS - To create an authoritative DNS service.
ANY - To load balance a service type not listed above (for example, for IP traffic when load balancing firewalls).
Note: The NNTP service is for cache redirection.
Possible values: HTTP, FTP, TCP, UDP, SSL, SSL_BRIDGE, SSL_TCP, NNTP, RPCSVR, DNS, ADNS, SNMP, DHCPRA, ANY

port
Specifies the port number to be used for the service.

clearTextPort
Specifies the clear-text port number where the clear-text data is sent. Used with SSL offload service.

cacheType
Specifies the cache type option supported by the cache server. The options are: TRANSPARENT, REVERSE and FORWARD. Possible values: TRANSPARENT, REVERSE, FORWARD

maxClient
Specifies the maximum number of open connections to the service.

maxReq
Specifies the maximum number of requests that can be sent on a persistent connection to the service.

cacheable
Specifies whether a virtual server (used in the NetScaler 9000 system's load balancing or content switching feature) routes a request to the virtual server (used in transparent cache redirection) on the same NetScaler 9000 system before sending it to the configured servers. The virtual server used for transparent cache redirection determines whether the request is directed to the cache servers or to the configured servers. Note: Do not specify this argument if -cacheType cacheType is specified. This argument is disabled by default. Possible values: YES, NO Default value: NO

cip
Enables or disables insertion of the Client IP header for the service. Possible values: ENABLED, DISABLED

cipHeader
Specifies the client IP header. If client IP insertion is enabled and the client IP header is not specified, then the value that has been set by the set ns config CLI command will be used as the Client IP header.

usip
Enables or disables the use of the client's IP address as the source IP address while connecting to this server. By default, the NetScaler 9000 system uses a mapped IP address for its server connection; however, you can use this option so that the client's IP address is used when the NetScaler 9000 system communicates with the server. Possible values: YES, NO

sc
Specifies whether SureConnect is enabled on this service. Note: This parameter is supported for legacy purposes only; it has no effect on this CLI command and the only valid value is OFF. Possible values: ON, OFF Default value: OFF

sp
Specifies whether surge protection needs to be enabled on this service. Possible values: ON, OFF Default value: OFF

cltTimeout
The idle time in seconds after which the client connection is terminated.

svrTimeout
The idle time in seconds after which the server connection is terminated.

serverid
A positive integer to identify the service. Used when the persistency type is set to Custom Server ID.

CKA
The state of the Client Keep-Alive feature for the service. Possible values: YES, NO

TCPB
The state of the TCP Buffering feature for this service. Possible values: YES, NO

CMP
The state of the HTTP Compression feature for this service. Possible values: YES, NO

maxBandwidth
A positive integer that identifies the maximum bandwidth in kbps allowed for this service.

accessDown
Use this option to allow access to disabled or down services. If enabled, all packets to this service are bridged, else they are dropped. Possible values: YES, NO Default value: NO

monThreshold
Specifies the monitoring threshold. Default value: 0

state
The state of the service after it is added. Possible values: ENABLED, DISABLED Default value: ENABLED

Example
add service http_svc 10.102.1.112 http 80

Related Commands
bind service
disable service
enable service
rm service
set service
show service
unbind service
stat service

bind service

Synopsis
bind service <serviceName>@ -policyName <string>

Description
Use this command to bind a policy to a service. Notes:
1. This command does not support SureConnect policies.
2. This command only works for services that are not bound to virtual servers. If you attempt to bind a policy to a service that is already bound to a virtual server, the error message "Binding invalid policy" is displayed.

Arguments

serviceName
The name of the service to which the policy is to be bound.

policyName
The name of the DoS protection policy to be bound to the service. For DoS protection to work on a service, an appropriate policy needs to be bound to it.

Related Commands
add service
disable service
enable service
rm service
set service
show service
unbind service
stat service

disable service

Synopsis
disable service <serviceName>@ [<delay>]

Description
Use this command to disable a service.

Arguments

serviceName
The name of the service that needs to be disabled.

delay
The time in seconds for a graceful shutdown. During this period, new connections or requests are still sent to this service for clients who already have persistent sessions on the NetScaler system. Connections or requests from fresh or new clients who do not yet have a persistent session on the NetScaler system are not sent to this service. They are load balanced among other available services. After the delay time has passed, no new requests or connections are sent to this service.

Example
disable service http_svc 10

Related Commands
add service
bind service
enable service
rm service
set service
show service
unbind service
stat service

enable service

Synopsis
enable service <name>@

Description
Use this command to enable a service.

Arguments

name
The name of the service that needs to be enabled.

Example
enable service http_svc

Related Commands
enable vserver
add service
bind service
disable service
rm service
set service
show service
unbind service
stat service

rm service

Synopsis
rm service <name>@

Description
Use this command to remove a service from the NetScaler system.

Arguments

name
The name of the service that needs to be removed.

Example
rm service http_svc

Related Commands
add service
bind service
disable service
enable service
set service
show service
unbind service
stat service

set service

Synopsis
set service <name>@ [-maxClient <positive_integer>] [-maxReq <positive_integer>] [-cacheable ( YES | NO )] [-cip ( ENABLED | DISABLED ) [<cipHeader>]] [-usip ( YES | NO )] [-sc ( ON | OFF )] [-sp ( ON | OFF )] [-cltTimeout <secs>] [-svrTimeout <secs>] [-serverid <positive_integer>] [-CKA ( YES | NO )] [-TCPB ( YES | NO )] [-CMP ( YES | NO )] [-maxBandwidth <positive_integer>] [-accessDown ( YES | NO )] [-monThreshold <positive_integer>] [-weight <positive_integer> <monitorName>]

Description
Use this command to modify the attributes of an existing service.

Arguments

name
The name of the service whose attributes need to be changed.

maxClient
Specifies the maximum number of open connections to the service.

maxReq
Specifies the maximum number of requests that can be sent on a persistent connection to the service.

cacheable
Specifies whether a virtual server (used in the NetScaler 9000 system's load balancing or content switching feature) routes a request to the virtual server (used in transparent cache redirection) on the same NetScaler 9000 system before sending it to the configured servers. The virtual server used for transparent cache redirection determines whether the request is directed to the cache servers or to the configured servers. Note: Do not specify this argument if -cacheType cacheType is specified. This argument is disabled by default. Possible values: YES, NO Default value: NO

cip
Enables or disables insertion of the Client IP header for the service. Possible values: ENABLED, DISABLED

usip
Enables or disables the use of the client's IP address as the source IP address while connecting to this server. By default, the NetScaler 9000 system uses a mapped IP address for its server connection; however, you can use this option so that the client's IP address is used when the NetScaler 9000 system communicates with the server. Possible values: YES, NO

sc
Specifies whether SureConnect is to be enabled on this service. Possible values: ON, OFF

sp
Specifies whether surge protection needs to be enabled on this service. Possible values: ON, OFF Default value: OFF

cltTimeout
The idle time in seconds after which the client connection is terminated.

svrTimeout
The idle time in seconds after which the server connection is terminated.

serverid
A positive integer to identify the service. Used when the persistency type is set to Custom Server ID.

CKA
The state of the Client Keep-Alive feature for the service. Possible values: YES, NO

TCPB
The state of the TCP Buffering feature for this service. Possible values: YES, NO

CMP
The state of the HTTP Compression feature for this service. Possible values: YES, NO

maxBandwidth
A positive integer that identifies the maximum bandwidth in kbps allowed for this service.

accessDown
Use this option to allow access to disabled or down services. If enabled, all packets to this service are bridged, else they are dropped. Possible values: YES, NO Default value: NO

monThreshold
Specifies the monitoring threshold. Default value: 0

weight
The weight for the specified monitor.

Example
set service http_svc -maxClient 100

Related Commands
add service
bind service
disable service
enable service
rm service
show service
unbind service
stat service

show service

Synopsis
show service [<serviceName> | -all]

Description
Use this command to display the services configured on the NetScaler system. This command either lists all services or displays complete information about a particular service.

Arguments

serviceName
The name of the service to be displayed.

all
Use this option to display both the configured and dynamically learned services. If you do not use this option, only the configured services are displayed.

Output

serverName

serviceType

port

value

clearTextPort

gslb

cacheType

maxClient

maxReq

cacheable

cip

cipHeader

usip

sc
Specifies whether SureConnect is enabled on this service or not.

sp

cltTimeout

svrTimeout

publicIP

publicPort

serverid

CKA

TCPB

CMP

maxBandwidth

accessDown

svrState

IPAddress

monitorName

monThreshold

monState

Example
An example of the output of the show service -all command is as follows:

4 configured services:
1) svc1 (10.124.99.12:80) - HTTP State: UP Max Conn: 0 Max Req: 0 Use Source IP: NO Client Keepalive(CKA): NO TCP Buffering(TCPB): NO HTTP Compression(CMP): NO Idle timeout: Client: 180 sec Server: 360 sec Client IP: DISABLED
2) svc_3 (10.100.100.3:53) - DNS State: UP Max Conn: 0 Max Req: 0 Use Source IP: NO Client Keepalive(CKA): NO TCP Buffering(TCPB): NO HTTP Compression(CMP): NO Idle timeout: Client: 180 sec Server: 360 sec Client IP: DISABLED
3) tsvc1 (77.45.32.45:80) - HTTP State: UP Max Conn: 0 Max Req: 0 Use Source IP: NO Client Keepalive(CKA): NO TCP Buffering(TCPB): NO HTTP Compression(CMP): NO Idle timeout: Client: 180 sec Server: 360 sec Client IP: DISABLED
4) foosvc (10.124.99.13:7979) - HTTP State: UP Max Conn: 0 Max Req: 0 Use Source IP: NO Client Keepalive(CKA): NO TCP Buffering(TCPB): NO HTTP Compression(CMP): NO Idle timeout: Client: 180 sec Server: 360 sec Client IP: DISABLED

Related Commands
add service
bind service
disable service
enable service
rm service
set service
unbind service
stat service
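
An added Python example (not part of the guide) that parses a listing in the layout of the "show service -all" sample above and runs three inventory checks on it. The dictionary keys, the `parse_services` and `audit` functions, and the expected-port table are assumptions made for illustration; the sample text is rebuilt from the guide's four services.

```python
import ipaddress
import re

# Common tail shared by all four services in the guide's sample output.
_TAIL = ("State: UP Max Conn: 0 Max Req: 0 Use Source IP: NO "
         "Client Keepalive(CKA): NO TCP Buffering(TCPB): NO "
         "HTTP Compression(CMP): NO "
         "Idle timeout: Client: 180 sec Server: 360 sec Client IP: DISABLED")
SAMPLE = "\n".join([
    "4 configured services:",
    "1) svc1 (10.124.99.12:80) - HTTP " + _TAIL,
    "2) svc_3 (10.100.100.3:53) - DNS " + _TAIL,
    "3) tsvc1 (77.45.32.45:80) - HTTP " + _TAIL,
    "4) foosvc (10.124.99.13:7979) - HTTP " + _TAIL,
])

# "<n>) <name> (<ip>:<port>) - <type>" opens each service entry.
HEADER = re.compile(
    r"(?P<index>\d+)\)\s+(?P<name>\S+)\s+"
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\)\s+-\s+(?P<type>\S+)"
)
FIELDS = {
    "state": r"State:\s+(\S+)",
    "max_conn": r"Max Conn:\s+(\d+)",
    "max_req": r"Max Req:\s+(\d+)",
    "use_source_ip": r"Use Source IP:\s+(\S+)",
    "client_idle_sec": r"Client:\s+(\d+)\s+sec",
    "server_idle_sec": r"Server:\s+(\d+)\s+sec",
    "client_ip": r"Client IP:\s+(\S+)",
}


def parse_services(text):
    """Split a listing into one dict per service; line breaks do not matter."""
    headers = list(HEADER.finditer(text))
    services = []
    for i, head in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        body = text[head.end():end]
        svc = {"name": head["name"], "ip": head["ip"],
               "port": int(head["port"]), "type": head["type"]}
        for key, pattern in FIELDS.items():
            match = re.search(pattern, body)
            value = match.group(1) if match else None
            svc[key] = int(value) if value and value.isdigit() else value
        services.append(svc)
    return services


def audit(text, expected_ports=None):
    """Return (service, finding) pairs for a captured listing."""
    # Assumed site policy: which ports each service type may use.
    expected_ports = expected_ports or {"HTTP": {80}, "DNS": {53}}
    services = parse_services(text)
    findings = []
    declared = re.search(r"(\d+)\s+configured services", text)
    if declared and int(declared.group(1)) != len(services):
        findings.append(("*", "listing incomplete: %s declared, %d parsed"
                         % (declared.group(1), len(services))))
    for svc in services:
        if not ipaddress.ip_address(svc["ip"]).is_private:
            findings.append((svc["name"],
                             "address %s is outside private ranges" % svc["ip"]))
        allowed = expected_ports.get(svc["type"])
        if allowed and svc["port"] not in allowed:
            findings.append((svc["name"], "%s service on port %d"
                             % (svc["type"], svc["port"])))
    return findings


if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(name, "-", finding)
```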

unbind service

Synopsis
unbind service <serviceName>@ -policyName <string>

Description
Use this command to unbind a policy from a service.

Arguments

serviceName
The name of the service.

policyName
Name of the policy to be unbound.

Related Commands
add service
bind service
disable service
enable service
rm service
set service
show service
stat service

stat service

Synopsis
stat service [<name>] [-detail] [-fullValues] [-ntimes <positive_integer>] [-logFile <input_filename>]

Description
Displays the stats of a service.

Arguments

name

Output

Counters

IP address (IP)
The IP address at which the service is running.

Port (port)
The port at which the service is running.

State
Current state

Service type (Type)
The type of the service.

Current client connections (ClntConn)
The number of current client connections to the vserver.

Current server connections (SvrConn)
The number of current connections to the real servers behind the vserver.

Requests (Req)
The total number of requests.

Responses (Rsp)
Number of responses

Request bytes (Reqb)
The total number of request bytes.

Response bytes (Rspb)
Number of response bytes

Maximum server connections (MaxConn)
The maximum open connections allowed on this service.

Requests in surge queue (surgeQ)
The number of requests in the surge queue.

Connections in reuse pool (ReuseP)
The number of requests in the idle queue/reuse pool.

Average server TTFB (svrTTFB)
The average TTFB between the NetScaler and the server.

Related Commands
add service
bind service
disable service
enable service
rm service
set service
show service
unbind service

add monitor

Synopsis
add monitor <monitorName> <type>

Description
Use this command to add a monitor to the NetScaler 9000 system. This command exists in two parts. The first part of the command creates the monitor and the second enables the user to add response codes to the HTTP monitor type.

Arguments

monitorName
The name of the monitor to be added.

type
The type of monitor that is being added. Possible values: PING, TCP, HTTP, TCP-ECV, HTTP-ECV, UDP-ECV, DNS, FTP, LDNS-PING, LDNS-TCP, LDNS-DNS, RADIUS, USER, HTTP-INLINE

action
Use this option to specify the action to be taken in INLINE monitors. Possible values: NONE, LOG, DOWN Default value: DOWN

respcode
The response codes. For the probe to succeed, the HTTP/RADIUS response from the server must be of one of the types specified.

httprequest
The HTTP request that is sent to the server (for example, "HEAD /file.html"). Default value: \007

send
The string that is sent to the service. Applicable to TCP-ECV, HTTP-ECV, and UDP-ECV monitor types. Default value: \007

recv
The string that is expected from the server to mark the server as UP. Applicable to TCP-ECV, HTTP-ECV, and UDP-ECV monitor types.

query
The DNS query (domain name) sent to the DNS service that is being monitored. Default value: \007

querytype
Specifies the type of DNS query that is sent. Possible values: Address, Zone

userName
Username on the FTP/RADIUS server. This user name is used in the probe.

password
Password used in FTP/RADIUS server monitoring.

radKey
The RADIUS key.

radNASid
The NAS ID to be used in RADIUS monitoring.

radNASip
The NAS IP to be used in RADIUS monitoring.

LRTM
Enables or disables response time calculation of probes. Possible values: ENABLED, DISABLED

scriptName
The path and name of the script to execute.

scriptArgs
The strings that are put in the POST data. They are copied to the request verbatim.

dispatcherIP
The IP address of the dispatcher to which the probe is sent.

dispatcherPort
The port of the dispatcher to which the probe is sent.

interval
The frequency (in seconds) at which the probe is sent to a service. The interval should be greater than the response timeout. Default value: 5

resptimeout
The interval for which the NetScaler system waits before it marks the probe as FAILED. The response timeout should be less than the value specified in the -interval parameter. The UDP-ECV monitor type does not decide the probe failure by the response timeout. The NetScaler 9000 system considers the probe successful for the UDP-ECV monitor type when the server response matches the criteria set by the -send and -recv options or if the response is not received from the server (unless the -reverse option is set to yes). Note: The -send option specifies what data is to be sent to the server in the probe and -recv specifies the server response criteria for the probe to succeed. The probe failure is caused by the ICMP port unreachable error from the service. Default value: 2

retries
The number of consecutive probe failures after which the NetScaler system marks the service as DOWN. Default value: 3

downtime
The duration in seconds for which the NetScaler system waits to make the next probe once the service is marked as DOWN. Default value: 30

destIP
The IP address to which the probe is sent. If the destination IP address is set to 0, the destination IP address is that of the server to which the monitor is bound.

destPort
The TCP/UDP port to which the probe is sent. If the destination port is set to 0, the destination port is that of the service to which the monitor is bound. For a USER monitor, however, this will be the port sent in the HTTP request to the dispatcher. This option is ignored if the monitor is of the PING type.

state
The state of the monitor. The valid states are ENABLED and DISABLED. If the monitor is disabled, this monitor-type probe is not sent for all services. If the monitor is bound, the state of this monitor is not taken into account when the state of the service is determined. Possible values: ENABLED, DISABLED Default value: ENABLED

reverse
Use this option to specify whether the probe's criterion is checked for success directly or in reverse. Possible values: YES, NO Default value: NO

transparent
Specifies whether the monitor is enabled for transparent devices, such as firewalls, based on the responsiveness of the services behind them. If the monitoring of transparent devices is enabled, the destination IP address should be specified. The probe is sent to the specified destination IP address using the MAC address of the transparent device. Possible values: YES, NO Default value: NO

secure
Use this option to enable the secure monitoring of services. SSL handshake will be done on the TCP connection established. Applicable only for TCP based monitors. Possible values: YES, NO Default value: NO

Example
add monitor http_mon http

Related Commands
enable monitor
disable monitor
rm monitor
set monitor
show monitor

bind monitor

Synopsis
bind monitor <monitorName> (<serviceName>@ [-state ( ENABLED | DISABLED )] [-weight <positive_integer>])

Description
Use this command to bind a monitor to a service. Multiple monitors can be bound to the service. The server's state is determined by the state of all the bound monitors using the AND condition. All monitors' probes have to succeed for the service to be in the UP state.

Arguments

monitorName
The name of the monitor to be bound.

serviceName
The name of the service to which the monitor is to be bound.

Example
bind monitor http_mon http_svc

Related Commands
unbind monitor

enable monitor

Synopsis
enable monitor <serviceName>@ [<monitorName>]

Description
Use this command to enable the monitor that is bound to a specific service. If no monitor name is specified, all monitors bound to the service are enabled.

Arguments

serviceName
The name of the service to which the monitor is bound.

monitorName
The name of the monitor that is to be enabled.

Example
enable monitor http_svc http_mon

Related Commands
add service, add monitor, disable monitor, rm monitor, set monitor, show monitor

disable monitor

Synopsis
disable monitor <serviceName>@ [<monitorName>]

Description
Use this command to disable the monitor for a service. If the monitor name is not specified, all monitors bound to the service are disabled.

Arguments

serviceName
The name of the service being monitored.

monitorName
The name of the monitor to be disabled.

Example
disable monitor http_svc http_mon

Related Commands
add service, add monitor, enable monitor, rm monitor, set monitor, show monitor

rm monitor

Synopsis
rm monitor <monitorName> <type> [-respcode <int[-int]> ...]

Description
Use this command to remove either a specified monitor or response codes of the HTTP monitor. When response codes are removed from a specified monitor, the monitor itself is not removed. Built-in monitors cannot be removed.

Arguments

monitorName
The name of the monitor to be removed.

type
The type of monitor being removed.
Possible values: PING, TCP, HTTP, TCP-ECV, HTTP-ECV, UDP-ECV, DNS, FTP, LDNS-PING, LDNS-TCP, LDNS-DNS, RADIUS, USER, HTTP-INLINE

respcode
The response codes to be deleted from the response codes list of the HTTP monitor.

Example
rm monitor http_mon http

Related Commands
add monitor, enable monitor, disable monitor, set monitor, show monitor

set monitor

Synopsis
set monitor <monitorName> <type> [-action <action>] [-respcode <int[-int]> ...] [-httprequest <string>] [-send <string>] [-recv <string>] [-query <string>] [-querytype ( Address | Zone )] [-userName <string>] [-password <string>] [-radKey <string>] [-radNASid <string>] [-radNASip <ip_addr>] [-LRTM ( ENABLED | DISABLED )] [-scriptName <string>] [-scriptArgs <string>] [-dispatcherIP <ip_addr>] [-dispatcherPort <port>] [-interval <integer>] [-resptimeout <integer>] [-retries <integer>] [-downtime <integer>] [-destIP <ip_addr>] [-destPort <port>] [-state ( ENABLED | DISABLED )] [-reverse ( YES | NO )] [-transparent ( YES | NO )] [-secure ( YES | NO )]

Description
Use this command to modify the parameters of a specific monitor.

Arguments

monitorName
The name of the monitor that is being set.

type
Specifies the type of monitor that is being modified.
Possible values: PING, TCP, HTTP, TCP-ECV, HTTP-ECV, UDP-ECV, DNS, FTP, LDNS-PING, LDNS-TCP, LDNS-DNS, RADIUS, USER, HTTP-INLINE

action
Use this option to specify the action to be taken in INLINE monitors.
Possible values: NONE, LOG, DOWN
Default value: DOWN

respcode
Sets the response codes, replacing any existing ones. The HTTP response from the server must be of one of the types specified for the probe to succeed.

httprequest
Specifies the HTTP request string sent to the server. For example, "HEAD /file.html".

send
Applicable to TCP-ECV, HTTP-ECV and UDP-ECV monitor types only. This parameter specifies the string that is sent to the service.

recv
Applicable to TCP-ECV, HTTP-ECV and UDP-ECV monitor types only. This parameter specifies the response string that is expected from the service.

query
Specifies the DNS query (domain name) sent to the DNS service that is being monitored.

querytype
Specifies whether the address or zone type of DNS query is sent.
Possible values: Address, Zone

userName
Specifies the user name on the FTP/RADIUS server. This user name is used in the probe.

password
Specifies the password used to probe the FTP/RADIUS server.

radKey
The RADIUS key.

radNASid
The NAS ID to be used in RADIUS monitoring.

radNASip
The NAS IP to be used in RADIUS monitoring.

LRTM
Enables or disables response time calculation of probes.
Possible values: ENABLED, DISABLED

scriptName
The path and name of the script to execute.

scriptArgs
The strings that are put in the POST data. They are copied to the request verbatim.

dispatcherIP
The IP address of the dispatcher to which the probe is sent.

dispatcherPort
The port of the dispatcher to which the probe is sent.

interval
Specifies how often (in seconds) the probe is sent to a service. The interval should be greater than the response timeout.

resptimeout
Specifies how long the NetScaler 9000 system waits before it considers that the probe has failed. The exception is the UDP-ECV monitor type. In this case, the NetScaler 9000 system considers the probe successful if a response arrives and matches the criteria, or if no response arrives. A failed probe is one that elicits an ICMP port unreachable error from the service. The response timeout should be less than the value specified in the -interval parameter.

retries
Specifies the number of consecutive probes to be sent before the NetScaler 9000 system considers the service to be down.

downtime
Specifies the time period for which the NetScaler 9000 system waits to send a probe after the service state is marked DOWN.

destIP
Specifies the destination IP address to which the probe is sent. You can either specify an IP address or select * to select any IP address.
Note: If the destination IP address is set to 0, the destination IP address is that of the server to which the monitor is bound.

destPort
Specifies the TCP/UDP port to which the probe is sent. You can either specify a specific port number or select * to select any port number.
Notes:
1. If the destination port is set to 0, the destination port is that of the service to which the monitor is bound.
2. This option is ignored if the monitor is of the PING type.

state
Specifies whether the monitor is enabled or disabled. If the monitor is disabled, probes of this monitor type are not sent to any service. If the monitor is bound, the NetScaler 9000 system does not consider the state of this monitor when determining the state of the service.
Possible values: ENABLED, DISABLED

reverse
Specifies whether the probe's criterion is checked for success directly or in reverse.
Possible values: YES, NO

transparent
Specifies whether the monitor is enabled for transparent devices, such as firewalls, based on the responsiveness of the services behind them. If the monitoring of transparent devices is enabled, the destination IP address (destip) should be specified. The probe is sent to the specified destination IP address using the MAC address of the transparent device.
Possible values: YES, NO

secure
Enables the secure monitoring of services. An SSL handshake is performed on the established TCP connection. Applicable only to TCP-based monitors.
Possible values: YES, NO

Example
set monitor http_mon http -respcode 100

Related Commands
add monitor, enable monitor, disable monitor, rm monitor, show monitor
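The argument descriptions above state several constraints (interval greater than resptimeout, destPort ignored for PING, send/recv only for the ECV types, transparent monitoring needing a destination IP, secure only on TCP-based monitors) that can be checked before a change is applied. The following Python linter is an added example, not Citrix code; it runs over constructed command lines, and it assumes that add monitor accepts the options of the set monitor synopsis and that PING, LDNS-PING and UDP-ECV are the non-TCP types.

```python
import shlex

# Monitor types listed under "Possible values" in this reference.
MONITOR_TYPES = {
    "PING", "TCP", "HTTP", "TCP-ECV", "HTTP-ECV", "UDP-ECV", "DNS", "FTP",
    "LDNS-PING", "LDNS-TCP", "LDNS-DNS", "RADIUS", "USER", "HTTP-INLINE",
}
ECV_TYPES = {"TCP-ECV", "HTTP-ECV", "UDP-ECV"}
# Assumption: these ICMP/UDP probe types cannot carry the SSL handshake.
NON_TCP_TYPES = {"PING", "LDNS-PING", "UDP-ECV"}
SECRET_OPTIONS = {"password", "radkey"}


def parse_monitor_command(line):
    """Return (name, type, options) for an add/set monitor line, else None."""
    try:
        tokens = shlex.split(line)
    except ValueError:  # unbalanced quotes
        return None
    if len(tokens) < 4 or tokens[0].lower() not in ("add", "set"):
        return None
    if tokens[1].lower() != "monitor":
        return None
    options, current = {}, None
    for tok in tokens[4:]:
        # "-name" opens an option; following tokens are its values
        # (e.g. several -respcode ranges).
        if tok.startswith("-") and tok[1:2].isalpha():
            current = tok[1:].lower()
            options[current] = []
        elif current is not None:
            options[current].append(tok)
    return tokens[2], tokens[3].upper(), options


def lint_monitor(mtype, opts):
    """Check one monitor's effective options against the documented rules."""
    def value(opt):
        vals = opts.get(opt)
        return vals[0].upper() if vals else None

    findings = []
    if mtype not in MONITOR_TYPES:
        findings.append("unknown-type")
    interval, timeout = value("interval"), value("resptimeout")
    if interval and timeout and interval.isdigit() and timeout.isdigit():
        if int(interval) <= int(timeout):
            findings.append("interval-not-greater-than-resptimeout")
    if mtype == "PING" and "destport" in opts:
        findings.append("destport-ignored-for-ping")
    if value("secure") == "YES" and mtype in NON_TCP_TYPES:
        findings.append("secure-on-non-tcp-monitor")
    # destIP 0 means "the bound server", so it does not name the far side
    # of a transparent device (interpretation used by this example).
    if value("transparent") == "YES" and value("destip") in (None, "0"):
        findings.append("transparent-without-destip")
    if mtype not in ECV_TYPES and ("send" in opts or "recv" in opts):
        findings.append("send-recv-on-non-ecv-monitor")
    if SECRET_OPTIONS & set(opts):
        findings.append("credential-in-config")
    return findings


def audit_monitors(config_text):
    """Merge add/set lines per monitor, then lint the effective settings."""
    monitors = {}
    for line in config_text.splitlines():
        parsed = parse_monitor_command(line)
        if parsed is None:
            continue
        name, mtype, opts = parsed
        merged = monitors.setdefault(name, (mtype, {}))[1]
        merged.update(opts)  # a later set replaces the earlier value
    return {name: lint_monitor(t, o) for name, (t, o) in monitors.items()}


# Constructed sample input, not taken from a real appliance.
SAMPLE_CONFIG = """\
add monitor http_mon http -interval 5 -resptimeout 5
add monitor fw_mon tcp -transparent YES
set monitor fw_mon tcp -destIP 192.0.2.10
add monitor ping_mon ping -destPort 80 -secure YES
add monitor ftp_mon ftp -userName probe -password "constructed-secret" -recv 220
"""

if __name__ == "__main__":
    for name, findings in audit_monitors(SAMPLE_CONFIG).items():
        print(name, findings or "ok")
```

The credential-in-config finding only reports that a secret is embedded in the command line, which is a prompt to review who can read the saved configuration and to use a dedicated low-privilege probe account.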

show monitor

Synopsis
show monitor [<monitorName>]

Description
Use this command to display the parameters for the specified monitor. If the monitor_name argument is not specified, a list of all existing monitors is displayed.

Arguments

monitorName
The name of the monitor for which parameters are to be shown.

Output

monitorName

type

interval

resptimeout

retries

downtime

destIP

destPort

state

reverse

transparent

secure

action

respcode

httprequest

send

recv

query

querytype

userName

password

radKey

radNASid

radNASip

LRTM

lrtm_conf

scriptName

scriptArgs

dispatcherIP

dispatcherPort

Example
An example of the show monitor command output is as follows:

8 configured monitors:
1) Name.......: ping Type......: PING State....ENABLED
2) Name.......: tcp Type......: TCP State....ENABLED
3) Name.......: http Type......: HTTP State....ENABLED
4) Name.......: tcp-ecv Type......: TCP-ECV State....ENABLED
5) Name.......: http-ecv Type......: HTTP-ECV State....ENABLED
6) Name.......: udp-ecv Type......: UDP-ECV State....ENABLED
7) Name.......: dns Type......: DNS State....ENABLED
8) Name.......: ftp Type......: FTP State....ENABLED

Related Commands
add monitor, enable monitor, disable monitor, rm monitor, set monitor

unbind monitor

Synopsis
unbind monitor <monitorName> <serviceName>@

Description
Use this command to unbind a specified monitor from the service.

Arguments

monitorName
The name of the monitor to be unbound.

serviceName
The service name (added with the add service command) from which the monitor is to be unbound.

Example
unbind monitor http_mon http_svc

Related Commands
bind monitor

add vlan

Synopsis
add vlan <id>

Description
This command creates a VLAN. Each VLAN is identified by a VID (integer from 1-4094). The VLAN created is empty (without members). This VLAN is not active until interfaces are bound to it. VLAN 1 is created by default and cannot be added or deleted.

Arguments

id
Specifies the VID. The value ranges from 2 to 4094.

Related Commands
bind vlan, rm vlan, show vlan, stat vlan, unbind vlan

bind vlan

Synopsis
bind vlan <id> [-ifnum <interface_name> ... [-tagged]] [-IPAddress <ip_addr> <netmask>]

Description
This command binds an interface or an IP address to a VLAN. An interface can be bound to a VLAN as a tagged or an untagged interface. Adding an interface as an untagged member (default) deletes it from its current native VLAN and adds it to the new VLAN. If an interface is added as a tagged member to a VLAN, it still remains a member of its native VLAN.

Arguments

id
Specifies the virtual LAN ID.

ifnum
Specifies the interface name represented in the <slot/port> notation. For example, 1/1. Use the show interface CLI command to view the NetScaler 9000 system interfaces.

IPAddress
This argument gives an IP address that is to be assigned to the VLAN. An entry for this subnet is to be added in the routing table prior to the issue of this command. Overlapping subnets are not allowed. Each VLAN can have only a single IP address assigned to it. The VLAN specified by id should already have been created by the add command. The IP address specified can be used as the default gateway among the hosts in the subnet to allow for IP forwarding between VLANs. In a high availability configuration, this IP address is shared by the NetScaler 9000 systems and is active in the master.
CAUTION: DO NOT specify an IP address for VLAN 1.

Related Commands
add vlan, rm vlan, show vlan, stat vlan, unbind vlan

rm vlan

Synopsis
rm vlan <id>

Description
Removes the VLAN created by the add vlan command. Once the VLAN is removed, its interfaces become members of VLAN 1.

Arguments

id
Specifies the VID. Enter a number from 2 to 4094.

Related Commands
add vlan, bind vlan, show vlan, stat vlan, unbind vlan

show vlan

Synopsis
show vlan [<id>]
show vlan stats - alias for 'stat vlan'

Description
This command displays the configured VLANs. If id is specified, then only that particular VLAN information is displayed. If it is not specified, all configured VLANs are displayed.

Arguments

id
Specifies the VID (VLAN identification number). Enter an integer from 1 to 4094.

Output

id

IPAddress

netmask

rnat

portbitmap

tagbitmap

ifaces

tagIfaces

Example
An example of the output of the show vlan command is as follows:

3 configured VLANs:
1) VLAN ID: 1
   Member Interfaces : 0/1 1/1 1/4 Tagged: None
2) VLAN ID: 2 IP: 10.250.0.254 Mask: 255.255.0.0 ReverseNAT: YES
   Member Interfaces : 1/2 Tagged: None
3) VLAN ID: 3 IP: 10.251.0.254 Mask: 255.255.0.0 ReverseNAT: YES
   Member Interfaces : 1/3 Tagged: None

Related Commands
add vlan, bind vlan, rm vlan, stat vlan, unbind vlan

stat vlan

Synopsis
stat vlan [<id>] [-detail] [-fullValues] [-ntimes <positive_integer>] [-logFile <input_filename>]

Description
Shows statistics for one or all VLANs.

Arguments

id
Specifies the VID (VLAN identification number). Enter an integer from 1 to 4094.

Output

Counters

Packets received (RxPkts)
Number of packets received on the VLAN.

Bytes received (RxBytes)
Number of bytes received on the VLAN.

Packets sent (TxPkts)
Number of packets transmitted on the VLAN.

Bytes sent (TxBytes)
Number of bytes transmitted on the VLAN.

Packets dropped (DropPkts)
Number of packets dropped on the VLAN.

Broadcast pkts sent & received (BcastPkt)
Number of broadcast packets sent and received by the VLAN.

Example
stat vlan 1

Related Commands
add vlan, bind vlan, rm vlan, show vlan, unbind vlan

unbind vlan

Synopsis
unbind vlan <id> [-ifnum <interface_name> ... [-tagged]] [-IPAddress]

Description
This command unbinds the specified interface from the VLAN. If the interface was an untagged member of this VLAN, it is added to the default VLAN (VLAN 1).

Arguments

id
Specifies the virtual LAN (VLAN) id.

ifnum
Specifies the interface number represented in the <slot/port> notation. For example, 1/1. Use the show interface CLI command to view the NetScaler 9000 system interfaces.

IPAddress
Clears the IP address of the VLAN.

Related Commands
add vlan, bind vlan, rm vlan, show vlan, stat vlan
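The membership rules in the add vlan, bind vlan, rm vlan and unbind vlan descriptions decide which broadcast domain an interface lands in after a change, and both rm vlan and an untagged unbind silently return interfaces to VLAN 1. The following Python model is an added example, not Citrix code; it replays constructed command lines over the interface names from the show vlan example, and it assumes that removing a VLAN simply drops its tagged members and that -tagged on unbind removes the tagged membership.

```python
DEFAULT_VID = 1


class VlanTable:
    """Membership model for the add/bind/unbind/rm vlan rules."""

    def __init__(self, interfaces):
        # Every interface starts as an untagged (native) member of VLAN 1.
        self.native = {ifnum: DEFAULT_VID for ifnum in interfaces}
        self.tagged = {DEFAULT_VID: set()}  # vid -> tagged member interfaces

    def _check(self, vid, ifnum=None):
        if vid not in self.tagged:
            raise ValueError(f"VLAN {vid} does not exist")
        if ifnum is not None and ifnum not in self.native:
            raise ValueError(f"unknown interface {ifnum}")

    def add_vlan(self, vid):
        # VLAN 1 exists by default; add vlan accepts VIDs 2 to 4094.
        if not 2 <= vid <= 4094:
            raise ValueError("VID must be in the range 2-4094")
        if vid in self.tagged:
            raise ValueError(f"VLAN {vid} already exists")
        self.tagged[vid] = set()

    def bind(self, vid, ifnum, tagged=False):
        self._check(vid, ifnum)
        if tagged:
            self.tagged[vid].add(ifnum)  # native VLAN is unchanged
        else:
            self.native[ifnum] = vid     # leaves its previous native VLAN

    def unbind(self, vid, ifnum, tagged=False):
        self._check(vid, ifnum)
        if tagged:
            self.tagged[vid].discard(ifnum)
        elif self.native[ifnum] == vid:
            self.native[ifnum] = DEFAULT_VID  # falls back to VLAN 1

    def rm_vlan(self, vid):
        if vid == DEFAULT_VID:
            raise ValueError("VLAN 1 cannot be removed")
        self._check(vid)
        for ifnum, native_vid in self.native.items():
            if native_vid == vid:
                self.native[ifnum] = DEFAULT_VID
        del self.tagged[vid]

    def members(self, vid):
        self._check(vid)
        untagged = {i for i, v in self.native.items() if v == vid}
        return sorted(untagged | self.tagged[vid])


def replay(table, commands):
    """Apply add/bind/unbind/rm vlan lines to the table; skip anything else."""
    for line in commands.splitlines():
        tok = line.split()
        if len(tok) < 3 or tok[1] != "vlan" or not tok[2].isdigit():
            continue
        verb, vid, rest = tok[0], int(tok[2]), tok[3:]
        if verb == "add":
            table.add_vlan(vid)
        elif verb == "rm":
            table.rm_vlan(vid)
        elif verb in ("bind", "unbind") and "-ifnum" in rest:
            tagged = "-tagged" in rest
            for name in rest[rest.index("-ifnum") + 1:]:
                if name.startswith("-"):
                    break
                getattr(table, verb)(vid, name, tagged)
    return table


def segment_changes(interfaces, baseline, change):
    """Return {interface: (old_native_vid, new_native_vid)} for a change."""
    table = replay(VlanTable(interfaces), baseline)
    before = dict(table.native)
    replay(table, change)
    return {i: (before[i], v) for i, v in table.native.items() if before[i] != v}


# Interface names from the show vlan example; the commands are constructed.
INTERFACES = ["0/1", "1/1", "1/2", "1/3", "1/4"]
BASELINE = """\
add vlan 2
bind vlan 2 -ifnum 1/2
add vlan 3
bind vlan 3 -ifnum 1/3
bind vlan 3 -ifnum 1/4 -tagged
"""

if __name__ == "__main__":
    print(segment_changes(INTERFACES, BASELINE, "rm vlan 3"))
```

Running a planned change through segment_changes before applying it shows which interfaces would end up sharing VLAN 1 with the remaining default members.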

clear interface

Synopsis
clear interface <id>

Description
This command clears the statistics of the specified interface. It does not reset the interface.
Note: Resetting the interface will not clear the statistics.

Arguments

id
Specifies the number of the interface to be cleared.

Related Commands
disable interface, enable interface, reset interface, set interface, show interface, stat interface

disable interface

Synopsis
disable interface <id>

Description
This command disables the interface specified by the ifnum argument. Interface monitoring for high availability mode is also disabled. The NetScaler 9000 system does not receive or transmit any packets on this interface, and the LCD indicator does not show "link down" alerts for this disabled interface.
Note: To see the status of an interface, use the show interface command.

Arguments

id
The number of the interface to be disabled.

Related Commands
clear interface, enable interface, reset interface, set interface, show interface, stat interface

enable interface

Synopsis
enable interface <id>

Description
All interfaces are enabled by default. If the interface is disabled, use this command to enable it. As soon as the interface is enabled, the high availability monitoring for this interface will also be activated using the set interface -hamonitor on command.

Arguments

id
Specifies the interface name that needs to be enabled.

Related Commands
clear interface, disable interface, reset interface, set interface, show interface, stat interface

reset interface

Synopsis
reset interface <id>

Description
This command forces a reset of the specified interface. The interface saves the configured settings of duplex, speed, and so on. The interface breaks the connection and then tries to reestablish the link using the current settings. If Ethernet autonegotiation is enabled for this interface, then the resulting link state depends on the counterpart Ethernet port settings.

Arguments

id
Specifies the number of the interface to be reset.

Related Commands
clear interface, disable interface, enable interface, set interface, show interface, stat interface

set interface

Synopsis
set interface <id> [-speed <speed>] [-duplex <duplex>] [-flowcontrol <flowcontrol>] [-autoneg ( DISABLED | ENABLED )] [-hamonitor ( ON | OFF )] [-trunk ( ON | OFF )]

Description
This command sets attributes for the NetScaler 9000 system interface specified by the ifnum variable.

Arguments

id
Specifies the number of the interface.

speed
Specifies the Ethernet speed for the interface specified by ifnum. The default setting is AUTO. This means that the NetScaler 9000 system will attempt to auto-negotiate or auto-sense the line speed on this interface when this interface is brought up. The other Ethernet speed settings that you can enter are 10, 100, or 1000 Mbps. Setting a speed other than AUTO on an interface requires the device at the other end of the link to be configured identically. Mismatched speed and/or duplex configurations on the two ends will lead to link errors, packet losses, and so on. This must be avoided. Some interfaces do not support certain speeds. If you try to set a speed on an interface that does not support it, it is reported as an error.
Possible values: AUTO, 10, 100, 1000

duplex
Specifies the duplex mode for the interface. The default setting is AUTO. This means that the NetScaler 9000 system will attempt to auto-negotiate the duplex mode on this interface when this interface is brought up. Other duplex modes you can specify are half and full duplex. NetScaler 9000 system recommends that the speed remain as AUTO. If you need to force the duplex mode, then set both the duplex mode and speed manually and identically on both sides of the link.
Possible values: AUTO, HALF, FULL

flowcontrol
Specifies the required 802.3x flow control for the NetScaler 9000 system interface. You can specify OFF (the default), RX, TX, RXTX and ON (which means "forced RXTX"). For Fast Ethernet interfaces, only OFF is available. The 802.3x specification does not define flow control for speeds of 10 and 100 MB, but Gigabit Ethernet interfaces still support it for all three possible speeds. The real flow control status depends on the auto-negotiation results. The ON option still uses auto-negotiation to give the peer the opportunity to negotiate flow control, but then forces two-way flow control for this interface. As with any other link parameter mismatch, this can sometimes cause problems and should be avoided and checked thoroughly.
Possible values: OFF, RX, TX, RXTX

autoneg
This option controls the auto-negotiation feature for this interface (default is ENABLED).
Possible values: DISABLED, ENABLED

hamonitor
This option is used in a high availability configuration to specify which interfaces to monitor for failing events. By default, this is set to ON for all interfaces. When ON, in an HA configuration the failover occurs when an interface fails. If an interface is not being used, or if failover is not required, select the value OFF. Also, if an interface is not used in the current configuration, then it is advisable to completely disable it using the disable interface command.
Possible values: ON, OFF

trunk
This option is used to select whether trunk mode is ON for this interface. By default, this is set to OFF for all interfaces. When ON, the traffic will be tagged for all VLANs bound to this interface. If one wants 802.1q behaviour with backward compatibility, use the OFF setting for this variable.
Possible values: ON, OFF
Default value: OFF

Related Commands
clear interface, disable interface, enable interface, reset interface, show interface, stat interface

show interface

Synopsis
show interface [<id>]
show interface stats - alias for 'stat interface'

Description
This command shows the interface settings configured in the NetScaler 9000 system for the specified interface number. If ifnum is not specified, the settings are shown for all interfaces (in a brief format).

Arguments

id
Specifies the number of the interface.

Output

deviceName

unit

description

flags

mtu

vlan

mac

uptime

downtime

reqMedia

reqSpeed

reqDuplex

reqFlowcontrol

media

speed

duplex

flowcontrol

media

conndistr

macdistr

Mode

hamonitor

state

autoneg

autonegResult

tagged

trunk

taggedany

taggedautolearn

hangdetect

hangreset

rxpackets

rxbytes

rxerrors

rxdrops

txpackets

txbytes

txerrors

txdrops

inDisc

outDisc

fctls

hangs

Example
The output for the show interface command is as follows:

5 interfaces:
1) Interface 0/1 (NIC 0/bx0) Broadcom BCM5701A10 1000Base-T
   flags=0x2c081 <ENABLE, UP, autoneg on, HAMONITOR ON, 802.1q support>
   mtu=1514, native vlan=1, eaddr=00:30:48:31:22:f6, uptime 2h24m03s
   Requested: media AUTO, speed AUTO, duplex AUTO, fctl RXTX
   Actual: media UTP, speed 1000, duplex FULL, fctl RXTX
2) Interface 1/1 (NIC 1/bx1) 3Com 3C996BT Gigabit Server NIC
   flags=0x2c081 <ENABLE, UP, autoneg on, HAMONITOR ON, 802.1q support>
   mtu=1514, native vlan=1, eaddr=00:04:76:ef:03:33, uptime 2h24m03s
   Requested: media AUTO, speed AUTO, duplex AUTO, fctl RXTX
   Actual: media UTP, speed 1000, duplex FULL, fctl RXTX
3) Interface 1/3 (NIC 2/bx2) 3Com 3C996BT Gigabit Server NIC
   flags=0x2c081 <ENABLE, UP, autoneg on, HAMONITOR ON, 802.1q support>
   mtu=1514, native vlan=3, eaddr=00:04:76:eb:d4:46, uptime 2h24m03s
   Requested: media AUTO, speed AUTO, duplex AUTO, fctl RXTX
   Actual: media UTP, speed 1000, duplex FULL, fctl RXTX
4) Interface 1/2 (NIC 3/bx3) 3Com 3C996BT Gigabit Server NIC
   flags=0x2c081 <ENABLE, UP, autoneg on, HAMONITOR ON, 802.1q support>
   mtu=1514, native vlan=2, eaddr=00:04:76:ef:03:32, uptime 2h24m03s
   Requested: media AUTO, speed AUTO, duplex AUTO, fctl RXTX
   Actual: media UTP, speed 1000, duplex FULL, fctl RXTX
5) Interface 1/4 (NIC 4/bx4) 3Com 3C996BT Gigabit Server NIC
   flags=0x24000 <disable, down, autoneg on, 802.1q support>
   mtu=1514, native vlan=1, eaddr=00:04:76:eb:cd:d0, uptime 2h24m03s
   Requested: media AUTO, speed AUTO, duplex AUTO, fctl RXTX
   Actual: media AUTO, speed AUTO, duplex AUTO, fctl RXTX

The output for the show interface 1/1 command is as follows:

Interface 1/1 (NIC 1/bx1) 3Com 3C996BT Gigabit Server NIC
flags=0x2c081 <ENABLE, UP, autoneg on, HAMONITOR ON, 802.1q support>
mtu=1514, native vlan=1, eaddr=00:04:76:ef:03:33, uptime 2h24m33s
Requested: media AUTO, speed AUTO, duplex AUTO, fctl RXTX
Actual: media UTP, speed 1000, duplex FULL, fctl RXTX
RX: Pkts(16010) Bytes(1386354) Errs(3) Drops(5261)
TX: Pkts(17132) Bytes(2344334) Errs(0) Drops(0)
NIC: InDisc(0) OutDisc(0) Fctls(0) Hangs(0)

Related Commands
clear interface, disable interface, enable interface, reset interface, set interface, stat interface

stat interface

Synopsis
stat interface [<id>] [-detail] [-fullValues] [-ntimes <positive_integer>] [-logFile <input_filename>]

Description
Displays the statistics of an interface.

Arguments

id
Specifies the number of the interface.

Output

Counters

Bytes received (bRx)
Number of bytes received by this interface

Packets received (PktRx)
Number of packets received by this interface

Bytes transmitted (bTx)
Number of bytes transmitted by this interface

Packets transmitted (PktTx)
Number of packets transmitted by this interface

Multicast packets (McastPkt)
Number of multicast packets received by this interface

Netscaler packets (NSPkt)
Number of Netscaler packets received by this interface

Error packets received (ErRx)
Number of erroneous packets received by this interface

Error packets transmitted (ErTx)
Number of erroneous packets transmitted by this interface

Megabits received (MbRx)
Number of megabits received by this interface

Megabits transmitted (MbTx)
Number of megabits transmitted by this interface

Link uptime (UpTime)
Current link uptime

Link downtime (DnTime)
Current link downtime

Received packets dropped (DrpRxPkt)
Number of received packets dropped by this interface

Packets dropped in Tx (DrpTxPkt)
Number of packets dropped in transmission by this interface

Packets queued in Tx (TxQlen)
Number of packets queued in transmission

NIC hangs (Hangs)
Number of NIC hangs

Duplex mismatches (DupMism)
Number of duplex mismatches registered

Buffer errors (BufErr)
Number of buffer errors

High-priority packets queued (HpTxQlen)
Number of high-priority packets queued for transmit

Low-priority packets queued (LpTxQlen)
Number of low-priority packets queued for transmit

CRC errors (CRCErr)
Number of CRC errors

Inbound packets discarded (InDisc)
Number of inbound error-free packets discarded

Outbound packets discarded (OutDisc)
Number of outbound error-free packets discarded

Link re-initializations (LnkReint)
Number of link re-initializations

Output non-unicast packets (ONonUPkt)
Number of output non-unicast packets

Collisions in Tx (ErrTxCol)
Number of collisions in transmission

Excess collisions in Tx (ErrExCol)
Number of excess collisions in transmission

Late collisions in Tx (ErrLtCol)
Number of late collisions in transmission

Carrier errors (ErrCarr)
Number of carrier errors

Related Commands
clear interface, disable interface, enable interface, reset interface, set interface, show interface

show channel

Synopsis
show channel [<id>]

Description
This command shows the Link Aggregate channel settings configured in the NetScaler 9000 system for the specified channel. If channel is not specified, the settings are shown for all channels in a brief format.

Arguments

id
LA channel name (in form LA/*)

Output

deviceName

unit

description

flags

mtu

vlan

mac

uptime

reqMedia

reqSpeed

reqDuplex

reqFlowcontrol

media

speed

duplex

flowcontrol

media

conndistr

macdistr

Mode

hamonitor

state

autoneg

autonegResult

tagged

trunk

taggedany

taggedautolearn

hangdetect

hangreset

rxpackets

rxbytes

rxerrors

rxdrops

txpackets

txbytes

txerrors

txdrops

inDisc

outDisc

fctls

hangs

Related Commands
add channel, set channel, bind channel, unbind channel, rm channel

add channel

Synopsis
add channel <id> [-ifnum <interface_name> ...]

Description
This command adds the specified Link Aggregate channel to the NetScaler 9000 system.

Arguments

id
LA channel name (in form LA/*)

ifnum
Specifies the interfaces to be bound to the Link Aggregate channel.

state
Sets the initial state for the LA channel.
Possible values: ENABLED, DISABLED
Default value: ENABLED

Mode
Sets the initial mode for the LA channel.
Possible values: MANUAL, AUTO, DESIRED

conndistr
Enables/disables 'connection' distribution mode for the LA channel.
Possible values: DISABLED, ENABLED

macdistr
Sets the specified 'MAC' distribution mode for the LA channel.
Possible values: SOURCE, DESTINATION, BOTH

speed
Sets the required speed for the LA channel.
Possible values: AUTO, 10, 100, 1000

flowcontrol
Sets the required flow control for the LA channel.
Possible values: OFF, RX, TX, RXTX

hamonitor
Enables/disables HA-monitoring for the LA channel.
Possible values: ON, OFF

trunk
This option is used to select whether the port is a trunk port or not. By default, this is set to OFF for all interfaces. When ON, the port membership in all VLANs will be tagged. If one wants 802.1q behaviour with native VLAN, use the OFF setting for this variable.
Possible values: ON, OFF
Default value: OFF

Related Commands
show channel, set channel, bind channel, unbind channel, rm channel

set channel

Synopsis
set channel <id> [-state ( ENABLED | DISABLED )] [-Mode <Mode>] [-conndistr ( DISABLED | ENABLED )] [-macdistr <macdistr>] [-speed <speed>] [-flowcontrol <flowcontrol>] [-hamonitor ( ON | OFF )] [-trunk ( ON | OFF )]

Description
This command sets the configuration of the specified Link Aggregate channel.

Arguments

id
LA channel name (in form LA/*)

state
Enables/disables packet processing for the LA channel.
Possible values: ENABLED, DISABLED

Mode
Sets the mode for the LA channel.
Possible values: MANUAL, AUTO, DESIRED

conndistr
Enables/disables 'connection' distribution mode for the LA channel.
Possible values: DISABLED, ENABLED

macdistr
Sets the specified 'MAC' distribution mode for the LA channel.
Possible values: SOURCE, DESTINATION, BOTH

speed
Sets the required speed for the LA channel.
Possible values: AUTO, 10, 100, 1000

flowcontrol
Sets the required flow control for the LA channel.
Possible values: OFF, RX, TX, RXTX

hamonitor
Enables/disables HA-monitoring for the LA channel.
Possible values: ON, OFF

trunk
This option is used to select whether this port is a trunk port or not. By default, this is set to OFF for all interfaces. When ON, all the VLANs will be tagged. If one wants 802.1q with native VLAN behaviour, use the OFF setting for this variable.
Possible values: ON, OFF
Default value: OFF

Related Commands
show channel, add channel, bind channel, unbind channel, rm channel

bind channel

Synopsis
bind channel <id> <ifnum> ...

Description
This command binds the specified interfaces to the Link Aggregate channel.

Arguments

id
LA channel name (in form LA/*)

ifnum
Interfaces to be bound to the LA channel.

Related Commands
show channel, add channel, set channel, unbind channel, rm channel

unbind channel

Synopsis
unbind channel <id> <ifnum> ...

Description
This command unbinds specified interfaces from the Link Aggregate channel.

Arguments

id
LA channel name (in form LA/*)

ifnum
Interfaces to be unbound from the LA channel.

Related Commands
show channel
add channel
set channel
bind channel
rm channel

rm channel

Synopsis
rm channel <id>

Description
This command removes the specified Link Aggregate channel from the NetScaler 9000 system.

Arguments

id
LA channel name (in form LA/*)

Related Commands
show channel
add channel
set channel
bind channel
unbind channel

add location

Synopsis
add location <ipfrom> <ipto> <preferredlocation>

Description
This command is used for configuring Custom Location entries.

Arguments

ipfrom
Specifies the start of the IP address range in dotted notation.

ipto
Specifies the end of the IP address range in dotted notation.

preferredlocation
Specifies the qualifiers, in dotted notation, for the IP address range given.

Example
Add location 192.168.100.1 192.168.100.100 *.us.ca.san jose

Related Commands
show location
rm location

show location

Synopsis
show location [-IPAddress <ip_addr>]

Description
This command displays the custom location entries configured in the NetScaler system.

Arguments

IPAddress
When specified, displays qualifier information for that IP address. If not specified, all the custom entries are displayed.

Output

ipfrom

ipto

preferredlocation

q1label

q2label

q3label

q4label

q5label

q6label

Example
show location

Related Commands
add location
rm location

rm location

Synopsis
rm location <ipfrom> <ipto>

Description
This command removes a custom location entry configured in the NetScaler system.

Arguments

ipfrom
Specifies the start of the IP address range in dotted notation.

ipto
Specifies the end of the IP address range in dotted notation.

Example
rm location 192.168.100.1 192.168.100.100

Related Commands
add location
show location

set locationparameter

Synopsis
set locationparameter [-context ( geographic | custom )] [-q1label <string>] [-q2label <string>] [-q3label <string>] [-q4label <string>] [-q5label <string>] [-q6label <string>]

Description
This command specifies the location parameters used for static proximity based load balancing.

Arguments

context
Specifies the context in which the static proximity decision has to be made.
Possible values: geographic, custom

q1label
Specifies the label for the 1st qualifier. These qualifier labels characterize the locations. These locations are mapped to the IP addresses, which are used for making static proximity decisions.

q2label
Specifies the label for the 2nd qualifier. These qualifier labels characterize the locations. These locations are mapped to the IP addresses, which are used for making static proximity decisions.

q3label
Specifies the label for the 3rd qualifier. These qualifier labels characterize the locations. These locations are mapped to the IP addresses, which are used for making static proximity decisions.

q4label
Specifies the label for the 4th qualifier. These qualifier labels characterize the locations. These locations are mapped to the IP addresses, which are used for making static proximity decisions.

q5label
Specifies the label for the 5th qualifier. These qualifier labels characterize the locations. These locations are mapped to the IP addresses, which are used for making static proximity decisions.

q6label
Specifies the label for the 6th qualifier. These qualifier labels characterize the locations. These locations are mapped to the IP addresses, which are used for making static proximity decisions.

Example
set locationparameter -context custom

Related Commands
show locationparameter

show locationparameter

Synopsis
show locationparameter

Description
This command displays the information about context and qualifier labels which are used for static proximity based load balancing.

Output

context

q1label

q2label

q3label

q4label

q5label

q6label

locationfile

format

custom

static

flags

status

Example
show locationparameter

Related Commands
set locationparameter

add locationfile

Synopsis
add locationfile <locationfile> [-format <format>]

Description
This command loads a static database into the NetScaler system.

Arguments

locationfile
Specifies the name of the location file. The name of the file has to be given with the full path. If the full path is not given, the default path /var/nsmap/ is used. In high availability mode, both systems should have the static database stored in the same location.

format
Specifies the format of the location file. This optional argument advises the NetScaler system on how to interpret the file.
Possible values: netscaler, ip-country, ip-country-isp, ip-country-region-city, ip-country-region-city-isp, geoip-country, geoip-region, geoip-city, geoip-country-org, geoip-country-isp, geoip-city-isp-org
Default value: netscaler

Example
add locationfile /var/nsmap/locationdb -format netscaler

Related Commands
show locationfile
rm locationfile

show locationfile

Synopsis
show locationfile

Description
Displays the location file loaded in the NetScaler system.

Arguments

Output

locationfile

format

Example
show locationfile

Related Commands
add locationfile
rm locationfile

rm locationfile

Synopsis
rm locationfile

Description
This command removes the location file loaded into the NetScaler system.

Example
rm locationfile

Related Commands
add locationfile
show locationfile

clear locationdata

Synopsis
clear locationdata

Description
This command clears all the location information, including the custom entries as well as the static database entries.

Output

Example
clear locationdata

Related Commands

install

Synopsis
install <url>

Description
The install command is used to install a version of NetScaler software on the system. The command takes a single argument consisting of a valid URL for the HTTP, HTTPS, FTP, and SFTP protocols. Local files may be specified using the file:// URL variation.
http://[user]:[password]@host/path/to/file
https://[user]:[password]@host/path/to/file
sftp://[user]:[password]@host/path/to/file
scp://[user]:[password]@host/path/to/file
ftp://[user]:[password]@host/path/to/file
file:///path/to/file

Arguments

url
http://[user]:[password]@host/path/to/file
https://[user]:[password]@host/path/to/file
sftp://[user]:[password]@host/path/to/file
scp://[user]:[password]@host/path/to/file
ftp://[user]:[password]@host/path/to/file
file:///path/to/file

Example
install http://host.netscaler.com/ns-6.0-41.2.tgz

Related Commands

Integrated Caching Commands

This chapter covers the Integrated Caching commands.

add cache policy

Synopsis
add cache policy <policyName> -rule <expression> -action <action>

Description
Use this command to create Integrated Cache policies. The newly created policy is in inactive state. Use the 'bind cache global' CLI command to activate the policy. The type of the policy is a function of whether it is a request or a response policy and the type of the specified action.
CACHE or MAY_CACHE action: positive cachability policy
NOCACHE or MAY_NOCACHE action: negative cachability policy
INVAL action: Dynamic Invalidation Policy
The order in which the policies are configured is significant. The significance is explained in the NetScaler 9000 System Installation and Configuration Guide.

Arguments

policyName
The name of the new Integrated Cache policy.

rule
The request/response rule that will trigger the given action. Both request and response rules cannot be specified for the same policy. The MAY_CACHE, MAY_NOCACHE and INVAL actions can only be specified with a request rule. A rule is specified using a single expression or a logical combination of expressions, called compound expression. Expressions can be combined using && and || operators. Refer to the add expression CLI command for information on creating expressions.
Note: If a compound expression contains blanks (for example, between an expression name and a logical operator), then the entire argument must be enclosed in double quotes.
The following are examples of valid expressions:
ns_ext_cgi||ns_ext_asp
"ns_non_get && (ns_header_cookie||ns_header_pragma)"

action
The integrated cache action that has to be applied when the content that matches the rules is seen. The following actions can be used: CACHE, NOCACHE, MAY_CACHE, MAY_NOCACHE, INVAL
Possible values: CACHE, NOCACHE, MAY_CACHE, MAY_NOCACHE, INVAL

storeInGroup
The Content group to store the object when action directive is CACHE

invalGroups
The Content group(s) to be invalidated when action directive is INVAL

invalObjects
The Content group(s) in which the objects are to be invalidated when action directive is INVAL

Related Commands
rm cache policy
show cache policy

rm cache policy

Synopsis
rm cache policy <policyName>

Description
Use this command to remove the specified Integrated Cache policy.

Arguments

policyName
The name of the cache policy that needs to be removed.

Related Commands
add cache policy
show cache policy

show cache policy

Synopsis
show cache policy [<policyName>]

Description
Use this command to display all configured cache policies. It can also be used to display a single cache policy, by specifying the name of the policy. The following information is displayed for each cache policy:
Name: Name of the policy
Status: Active or Passive
Request/Response rule: The rule used for selecting the content group
Action: The integrated cache action that has to be applied when content matching the rules is received.
Hits: The number of times content matching the request/response rule was received by the cache.
When all the Integrated Cache policies are displayed, the display order within each group is the same as the evaluation order of the policies. There are three groups: request policies, response policies and dynamic invalidation policies.

Arguments

policyName
The name of the cache policy that has to be displayed. This parameter is optional.

Output

name

rule

action

storeInGroup

invalGroups

invalObjects

priority

hits

flags

precedeDefRules

Related Commands
add cache policy
rm cache policy

bind cache global

Synopsis
bind cache global <policy> -priority <positive_integer> [-precedeDefRules ( YES | NO )]

Description
Use this command to activate a policy defined using the 'add cache policy' CLI command.

Arguments

policy
The name of the Integrated Cache policy to be bound.

Related Commands
unbind cache global
show cache global

unbind cache global

Synopsis
unbind cache global <policy>

Description
Use this command to inactivate the policy.

Arguments

policy
The name of the Integrated Cache policy to unbind.

Related Commands
bind cache global
show cache global

show cache global

Synopsis
show cache global

Description
Use this command to display all the active policies.

Output

policyName

rule

action

storeInGroup

invalGroups

invalObjects

priority

hits

flags

precedeDefRules

Related Commands
bind cache global
unbind cache global

add cache contentgroup

Synopsis
add cache contentgroup <name> [-prefetchMaxPending <positive_integer>] [-alwaysEvalPolicies ( YES | NO )] [-pinned ( YES | NO )]

Description
Use this command to create a new content group.

Arguments

name
The name of the content group to be created.

weakPosRelExpiry
Use this parameter for responses with response codes between 200 and 299. Similar to -relExpiry but has lower precedence.
Default value: 3600

heurExpiryParam
The heuristic expiry time, as a percentage of the duration since the object was last modified.
Default value: 10

relExpiry
The relative expiry time in seconds.

relExpiryMilliSec
The relative expiry time in milliseconds.

absExpiry
Up to 4 times in a day (local time) when all the objects in the content group must expire.

absExpiryGMT
Up to 4 times in a day (GMT) when all the objects in the content group must expire.

weakNegRelExpiry
Use this parameter for all negative responses. This value is used only if the expiry time could not be figured out from any other source.
Default value: 600

hitParams
Use these parameters for parameterized hit evaluation of an object. Up to 128 parameters can be configured.

invalParams
Use these parameters for parameterized invalidation of an object. Up to 8 parameters can be configured.

ignoreParamValueCase
Use this parameter to specify whether to ignore case while comparing parameter values during parameterized hit evaluation. Parameter value case is always ignored during parameterized invalidation.
Possible values: YES, NO
Default value: NO

matchCookies
Use this parameter to specify whether to also look for parameters in the Cookie header.
Possible values: YES, NO
Default value: NO

invalRestrictedToHost
Use this parameter to specify whether the Host header should be taken into account during parameterized invalidation.
Possible values: YES, NO
Default value: NO

pollEveryTime
Use this parameter to specify whether to poll every time for the objects in this content group.
Possible values: YES, NO
Default value: NO

ignoreReloadReq
Use this parameter to specify whether a request can force the system to reload a cached object from the origin. To guard against any Denial of Service attacks you should set this flag to YES. To get RFC compliant behavior you should set it to NO.
Possible values: YES, NO
Default value: YES

removeCookies
Use this parameter to specify whether to remove cookies from the response.
Possible values: YES, NO
Default value: YES

prefetch
Use this parameter to specify whether Integrated Cache should attempt to refresh an object just when it is about to go stale.
Possible values: YES, NO
Default value: YES

prefetchPeriod
The duration in seconds just before the calculated expiry time of the object during which prefetch should be attempted.

prefetchPeriodMilliSec
The duration in milliseconds just before the calculated expiry time of the object during which prefetch should be attempted.

prefetchMaxPending
The maximum number of outstanding prefetches on the content group.
Default value: 0xFFFFFFFE

flashCache
Use this parameter to specify whether Integrated Cache should do flash cache.
Possible values: YES, NO
Default value: NO

expireAtLastByte
Use this parameter to specify whether Integrated Cache should expire the content immediately after receiving the last body byte.
Possible values: YES, NO
Default value: NO

insertVia
Use this parameter to specify whether Integrated Cache should insert the Via header.
Possible values: YES, NO
Default value: YES

insertAge
Use this parameter to specify whether Integrated Cache should insert the Age header.
Possible values: YES, NO
Default value: YES

insertETag
Use this parameter to specify whether Integrated Cache should insert the ETag header.
Possible values: YES, NO
Default value: YES

cacheControl
Use this parameter to specify the Cache-Control header to be inserted.

quickAbortSize
If the client aborts when the downloaded response size is less than or equal to quick-abort-size, Integrated Cache will stop downloading the response.
Default value: 4194303

minResSize
The minimum size of the response.
Default value: 0

maxResSize
The maximum size of the response.
Default value: 80

memLimit
The memory limit in MB for the content group. The limit is not exact; at times a group's memory utilization can overshoot the limit, only to stabilize later.
Default value: 4095

ignoreReqCachingHdrs
Use this parameter to specify whether to ignore the Cache-control and Pragma headers in the incoming request.
Possible values: YES, NO
Default value: YES

minHits
Specify the minimum number of accesses for an object to be stored in Cache.
Default value: 0

alwaysEvalPolicies
Forces policy evaluation for each response arriving from origin.
Possible values: YES, NO
Default value: NO

pinned
Setting pinned to YES prevents IC from flushing objects from this contentgroup under memory pressure.
Possible values: YES, NO
Default value: NO

Related Commands
rm cache contentgroup
set cache contentgroup
show cache contentgroup
expire cache contentgroup
flush cache contentgroup

rm cache contentgroup

Synopsis
rm cache contentgroup <name>

Description
Use this command to remove the specified content group.

Arguments

name
The name of the content group to be removed.

Related Commands
add cache contentgroup
set cache contentgroup
show cache contentgroup
expire cache contentgroup
flush cache contentgroup

set cache contentgroup

Synopsis
set cache contentgroup <name> [-weakPosRelExpiry <secs> | -relExpiry <secs> | -relExpiryMilliSec <msecs> | -absExpiry <HH:MM> ... | -absExpiryGMT <HH:MM> ...] [-heurExpiryParam <positive_integer>] [-weakNegRelExpiry <secs>] [-hitParams <string> ...] [-invalParams <string> ...] [-ignoreParamValueCase ( YES | NO )] [-matchCookies ( YES | NO )] [-invalRestrictedToHost ( YES | NO )] [-pollEveryTime ( YES | NO )] [-ignoreReloadReq ( YES | NO )] [-removeCookies ( YES | NO )] [-prefetch ( YES | NO )] [-prefetchPeriod <secs> | -prefetchPeriodMilliSec <msecs>] [-prefetchMaxPending <positive_integer>] [-flashCache ( YES | NO )] [-expireAtLastByte ( YES | NO )] [-insertVia ( YES | NO )] [-insertAge ( YES | NO )] [-insertETag ( YES | NO )] [-cacheControl <string>] [-quickAbortSize <KBytes>] [-minResSize <KBytes>] [-maxResSize <KBytes>] [-memLimit <MBytes>] [-ignoreReqCachingHdrs ( YES | NO )] [-minHits <integer>] [-alwaysEvalPolicies ( YES | NO )] [-pinned ( YES | NO )]

Description
Use this command to modify attributes of the content group.

Arguments

name
The name of the content group whose attributes are to be changed.

weakPosRelExpiry
Use this parameter for responses with response codes between 200 and 299. Similar to -relExpiry but has lower precedence.

heurExpiryParam
The heuristic expiry time, as a percentage of the duration since the object was last modified.

relExpiry
The relative expiry time in seconds.

relExpiryMilliSec
The relative expiry time in milliseconds.

absExpiry
Up to 4 times in a day (local time) when all the objects in the content group must expire.

absExpiryGMT
Up to 4 times in a day (GMT) when all the objects in the content group must expire.

weakNegRelExpiry
Use this parameter for all negative responses. This value is used only if the expiry time could not be figured out from any other source.

hitParams
Use these parameters for parameterized hit evaluation of an object. Up to 128 parameters can be configured.

invalParams
Use these parameters for parameterized invalidation of an object. Up to 8 parameters can be configured.

ignoreParamValueCase
Use this parameter to specify whether to ignore case while comparing parameter values during parameterized hit evaluation. Parameter value case is always ignored during parameterized invalidation.
Possible values: YES, NO

matchCookies
Use this parameter to specify whether to also look for parameters in the Cookie header.
Possible values: YES, NO

invalRestrictedToHost
Use this parameter to specify whether the Host header should be taken into account during parameterized invalidation.
Possible values: YES, NO

pollEveryTime
Use this parameter to specify whether to poll every time for the objects in this content group.
Possible values: YES, NO

ignoreReloadReq
Use this parameter to specify whether a request can force the system to reload a cached object from the origin. To guard against any Denial of Service attacks you should set this flag to YES. To get RFC compliant behavior you should set it to NO.
Possible values: YES, NO

removeCookies
Use this parameter to specify whether to remove cookies from the response.
Possible values: YES, NO

prefetch
Use this parameter to specify whether Integrated Cache should attempt to refresh an object just when it is about to go stale.
Possible values: YES, NO

prefetchPeriod
Use this parameter to specify the duration in seconds just before the calculated expiry time of the object during which prefetch should be attempted.

prefetchPeriodMilliSec
Use this parameter to specify the duration in milliseconds just before the calculated expiry time of the object during which prefetch should be attempted.

prefetchMaxPending
The maximum number of outstanding prefetches on the content group.

flashCache
Use this parameter to specify whether Integrated Cache should do flash cache.
Possible values: YES, NO

expireAtLastByte
Use this parameter to specify whether Integrated Cache should expire the content immediately after receiving the last body byte.
Possible values: YES, NO

insertVia
Use this parameter to specify whether Integrated Cache should insert the Via header.
Possible values: YES, NO

insertAge
Use this parameter to specify whether Integrated Cache should insert the Age header.
Possible values: YES, NO

insertETag
Use this parameter to specify whether Integrated Cache should insert the ETag header.
Possible values: YES, NO

cacheControl
Use this parameter to specify the Cache-Control header to be inserted.

quickAbortSize
If the client aborts when the downloaded response size is less than or equal to quick-abort-size, Integrated Cache will stop downloading the response.

minResSize
The minimum size of the response.

maxResSize
The maximum size of the response.

memLimit
The memory limit in MB for the content group. The limit is not exact; at times a group's memory utilization can overshoot the limit, only to stabilize later.

ignoreReqCachingHdrs
Use this parameter to specify whether to ignore the Cache-control and Pragma headers in the incoming request.
Possible values: YES, NO

minHits
Specify the minimum number of accesses for an object to be stored in Cache.

alwaysEvalPolicies
Forces policy evaluation for each response arriving from origin.
Possible values: YES, NO

pinned
Setting pinned to YES prevents IC from flushing objects from this contentgroup under memory pressure.
Possible values: YES, NO

Related Commands
add cache contentgroup
rm cache contentgroup
show cache contentgroup
expire cache contentgroup
flush cache contentgroup
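
Added example, not part of the original guide: a small Python audit that replays add/set/rm cache contentgroup commands and reports the content groups whose effective ignoreReloadReq is NO, the setting the add and set cache contentgroup argument lists advise against when guarding against Denial of Service. The configuration text and group names are constructed; treating a group that is set but never added in the input as starting from the listed defaults is an assumption.

```python
import shlex

# Defaults as listed in the "add cache contentgroup" argument list in this guide.
PAGE_DEFAULTS = {
    "ignorereloadreq": "YES",
    "ignorereqcachinghdrs": "YES",
    "pinned": "NO",
}

# Constructed sample configuration (not taken from a real appliance).
SAMPLE_CONFIG = """\
add cache contentgroup static_grp -pinned YES
add cache contentgroup api_grp
set cache contentgroup api_grp -ignoreReloadReq NO -relExpiry 30
add cache contentgroup tmp_grp
set cache contentgroup tmp_grp -ignoreReloadReq NO
rm cache contentgroup tmp_grp
add cache contentgroup img_grp
set cache contentgroup img_grp -ignoreReloadReq NO
set cache contentgroup img_grp -ignoreReloadReq yes -hitParams id lang
"""


def effective_contentgroups(config_text):
    """Replay add/set/rm cache contentgroup lines; return {group: settings}."""
    groups = {}
    for raw in config_text.splitlines():
        try:
            tokens = shlex.split(raw, comments=True)
        except ValueError:
            continue  # unbalanced quotes: not a line this audit can interpret
        if len(tokens) < 4:
            continue
        verb = tokens[0].lower()
        if [t.lower() for t in tokens[1:3]] != ["cache", "contentgroup"]:
            continue
        name, rest = tokens[3], tokens[4:]
        if verb == "rm":
            groups.pop(name, None)
            continue
        if verb == "add":
            groups[name] = dict(PAGE_DEFAULTS)
        elif verb == "set":
            # Assumption: a group created outside this input starts from the defaults.
            groups.setdefault(name, dict(PAGE_DEFAULTS))
        else:
            continue  # show / expire / flush do not change settings
        # Walk adjacent token pairs and keep "-flag YES|NO" for the tracked flags.
        for flag, value in zip(rest, rest[1:]):
            key = flag[1:].lower() if flag.startswith("-") else None
            if key in PAGE_DEFAULTS and value.upper() in ("YES", "NO"):
                groups[name][key] = value.upper()
    return groups


def reload_exposed_groups(config_text):
    """Groups where a client request can force a reload from the origin."""
    groups = effective_contentgroups(config_text)
    return sorted(n for n, s in groups.items() if s["ignorereloadreq"] == "NO")


if __name__ == "__main__":
    for group in reload_exposed_groups(SAMPLE_CONFIG):
        print(f"{group}: ignoreReloadReq is NO; set it to YES to guard against DoS")
```

Later commands win, so a group that was switched to NO and then back to YES is not reported, and a removed group drops out of the result.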

show cache contentgroup

Synopsis
show cache contentgroup [<name>]

Description
Use this command to display all the content groups. It can also be used to display a single content group, by specifying the name of the content group.

Arguments

name
The name of the content group that has to be displayed. This parameter is optional.

Output

name

flags

relExpiry

relExpiryMilliSec

absExpiry

absExpiryGMT

heurExpiryParam

weakPosRelExpiry

weakNegRelExpiry

hitParams

invalParams

ignoreParamValueCase

matchCookies

invalRestrictedToHost

pollEveryTime

ignoreReloadReq

removeCookies

prefetch

prefetchPeriod

prefetchPeriodMilliSec

prefetchCur

prefetchMaxPending

flashCache

expireAtLastByte

insertVia

insertAge

insertETag

cacheControl

quickAbortSize

minResSize

maxResSize

memUsage

memLimit

ignoreReqCachingHdrs

cacheNon304Hits

cache304Hits

cacheCells

cacheGroupIncarnation

minHits

alwaysEvalPolicies

pinned

Related Commands
add cache contentgroup
rm cache contentgroup
set cache contentgroup
expire cache contentgroup
flush cache contentgroup

expire cache contentgroup

Synopsis
expire cache contentgroup <name>

Description
Use this command to expire the objects in the specified content group.

Arguments

name
The name of the content group in which the objects are to be expired.

Related Commands
add cache contentgroup
rm cache contentgroup
set cache contentgroup
show cache contentgroup
flush cache contentgroup

flush cache contentgroup

Synopsis
flush cache contentgroup <name> [-query <string>] [-host <string>]

Description
Use this command to flush the objects in the specified content group.

Arguments

name
The name of the content group in which the objects are to be flushed.

query
If a query string is specified, selected objects in this group are flushed using parameterized invalidation. Otherwise all the objects in this group are flushed.

host
To be set only if parameterized invalidation is being done. Only objects belonging to the specified host are flushed. The host argument can be provided if and only if -invalRestrictedToHost is set to YES for the given group.

Related Commands
add cache contentgroup
rm cache contentgroup
set cache contentgroup
show cache contentgroup
expire cache contentgroup

show cache forwardProxy

Synopsis
show cache forwardProxy

Description
Use this command to display all forward proxies known to Integrated Cache.

Output

numCacheFwpxy
Number of forward proxies

IPAddress
Forward proxy IP

port
Forward proxy port

Related Commands
add cache forwardProxy
rm cache forwardProxy

add cache forwardProxy

Synopsis
add cache forwardProxy <IPAddress> <port>

Description
Use this command to add a forward proxy known to Integrated Cache.

Arguments

IPAddress
The IP address of the forward proxy.

port
The port of the forward proxy.

Related Commands
show cache forwardProxy
rm cache forwardProxy

rm cache forwardProxy

Synopsis
rm cache forwardProxy <IPAddress> <port>

Description
Use this command to remove a forward proxy known to Integrated Cache.

Arguments

IPAddress
The IP address of the forward proxy.

port
The port of the forward proxy.

Related Commands
show cache forwardProxy
add cache forwardProxy

show cache object

Synopsis
show cache object -url <URL> -host <string> [-port <port>] [-groupName <string>] [-httpMethod ( GET | POST )]

Description
Use this command to display the properties of a cached object.

Arguments

url
The URL of the object to be displayed.

host
The host of the object to be displayed.

port
The host port of the object to be displayed.
Default value: 80

groupName
The name of the content group in which the cell is present.

httpMethod
The HTTP request method which caused the object to be stored.
Possible values: GET, POST
Default value: GET

Output

url

host

port

cacheResSize

cacheResHdrSize

httpStatus

cacheETag

cacheResLastMod

cacheControl

cacheResDate

contentgroup

destIP

destPort

cacheCellComplex

hitParams

hitValues

cacheCellReqTime

cacheCellResTime

cacheCurAge

cacheCellExpires

cacheCellExpiresMilliSec

prefetch

prefetchPeriod

prefetchPeriodMilliSec

cacheCellCurReaders

cacheCellCurMisses

cacheCellHits

cacheCellMisses

cacheCellGzipCompressed

cacheCellDeflateCompressed

cacheCellHttp11

cacheCellWeakEtag

cacheCellResBadSize

markerReason

cacheCellPollEveryTime

cacheCellEtagInserted

cacheCellReadyWithLastByte

cacheCellDestipVerified

cacheCellFwpxyObj

cacheCellBasefile

cacheCellMinHitFlag

cacheCellMinHit

httpMethod

Related Commands
expire cache object
flush cache object

expire cache object

Synopsis
expire cache object -url <URL> -host <string> [-port <port>] [-groupName <string>] [-httpMethod ( GET | POST )]

Description
Use this command to expire a cached object.

Arguments

url
The URL of the object to be expired.

host
The host of the object to be expired.

port
The host port of the object to be expired.
Default value: 80

groupName
The name of the content group in which the cell is present.

httpMethod
The HTTP request method which caused the object to be stored.
Possible values: GET, POST
Default value: GET

Related Commands
show cache object
flush cache object

flush cache object

Synopsis
flush cache object -url <URL> -host <string> [-port <port>] [-groupName <string>] [-httpMethod ( GET | POST )]

Description
Use this command to flush a cached object.

Arguments

url
The URL of the object to be flushed

host
The host of the object to be flushed

port
The host port of the object to be flushed
Default value: 80

groupName
The name of the content group in which the cell is present

httpMethod
The HTTP request method which caused the object to be stored.
Possible values: GET, POST
Default value: GET

Related Commands
show cache object
expire cache object

set cache parameter

Synopsis
set cache parameter [-memLimit <MBytes>] [-via <string>] [-verifyUsing <verifyUsing>] [-maxPostLen <positive_integer>] [-prefetchMaxPending <positive_integer>] [-enableBypass ( YES | NO )]

Description
Use this command to modify the global configuration of Integrated Cache.

Arguments

memLimit
The memory limit for Integrated Cache.

via
The string that has to be inserted in the "Via" header. The Via header is inserted in all responses served from a content group if its insertVia flag is set. The default Via header string is: "NS-CACHE-6.0:<last octet of NetScaler's IP address>".

verifyUsing
The criteria for deciding whether a cached object can be served for an incoming HTTP request.
a. If the value of this attribute is set to HOSTNAME, then the URL, host name and host port values in the incoming HTTP request header must match before a cached object can be served. The IP address and the TCP port of the destination host are not matched. For certain deployments the HOSTNAME setting can be a security risk. A rogue client can access a rogue server via the Integrated Cache using the following HTTP request:
GET / HTTP/1.1
Host: sensitive.foo.com
Integrated Cache will store the rogue page served by the rogue server. Any subsequent client trying to access the root page from sensitive.foo.com will be served the rogue page. The HOSTNAME setting should only be set if it is certain that no rogue client can access a rogue server via the Integrated Cache. The YES setting can lead to more hits if DNS based load balancing is in use and the same content can be served by multiple backend servers.
b. If the attribute is set to HOSTNAME_AND_IP, then the URL, host name and host port in the incoming HTTP request header and the IP address and TCP port of the destination server must match.
c. If the attribute is set to DNS, then the URL, host name and host port in the incoming HTTP request and the TCP port should match. For the destination server's IP address, a DNS lookup is done on the host name and the address is compared with the set of addresses returned by the DNS lookup.
The default value of this attribute is DNS.
Possible values: HOSTNAME, HOSTNAME_AND_IP, DNS

maxPostLen
The maximum POST body size that IC should accumulate

prefetchMaxPending
The maximum number of outstanding prefetches in IC

enableBypass
If set to NO, an incoming request will be served a hit if a matching object can be found in the cache storage, regardless of the cacheability policy configuration. If set to YES, the bound request cacheability policies are evaluated before any hit selection in the cache storage is attempted. If the request happens to match a policy with a NOCACHE action, the request will bypass all cache processing. This flag does not affect the processing of those requests that match any invalidation policy.
Possible values: YES, NO

Related Commands
show cache parameter
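
The three verifyUsing modes described above, as a small Python model that replays the sensitive.foo.com scenario and the multiple-backend case under each mode. This is an added example, not Citrix code: the class and function names, the IP addresses, and the reading of DNS mode as "the stored object's origin address and the request's destination address must both be in the resolved set" are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, List, Set

MODES = ("HOSTNAME", "HOSTNAME_AND_IP", "DNS")


@dataclass(frozen=True)
class Request:
    url: str
    host: str            # value of the Host header
    dest_ip: str         # address the client actually connected to
    host_port: int = 80  # port named in the Host header
    dest_port: int = 80  # TCP port the client actually connected to


@dataclass(frozen=True)
class CachedObject:
    request: Request     # the request that caused the object to be stored
    body: str


class CacheModel:
    """Toy cache that applies one verifyUsing mode when selecting a hit."""

    def __init__(self, verify_using: str, resolver: Callable[[str], Set[str]]):
        if verify_using not in MODES:
            raise ValueError("unknown verifyUsing value: %r" % verify_using)
        self.verify_using = verify_using
        self.resolver = resolver
        self._objects: List[CachedObject] = []

    def _matches(self, stored: Request, req: Request) -> bool:
        # All three modes require URL, host name and host port to match.
        if (stored.url, stored.host, stored.host_port) != (req.url, req.host, req.host_port):
            return False
        if self.verify_using == "HOSTNAME":
            return True                      # destination is never checked
        if stored.dest_port != req.dest_port:
            return False
        if self.verify_using == "HOSTNAME_AND_IP":
            return stored.dest_ip == req.dest_ip
        # DNS (assumed reading): both addresses must belong to the host name.
        addrs = self.resolver(req.host)
        return stored.dest_ip in addrs and req.dest_ip in addrs

    def fetch(self, req: Request, origin: Callable[[Request], str]) -> str:
        for obj in self._objects:
            if self._matches(obj.request, req):
                return obj.body              # hit: served from cache
        body = origin(req)                   # miss: go to the destination, then store
        self._objects.append(CachedObject(req, body))
        return body


# Constructed sample data (documentation address ranges, not real hosts).
DNS_RECORDS = {"sensitive.foo.com": {"192.0.2.10", "192.0.2.11"}}
ROGUE_IP = "203.0.113.66"


def resolver(host: str) -> Set[str]:
    return DNS_RECORDS.get(host, set())


def origin(req: Request) -> str:
    return "ROGUE PAGE" if req.dest_ip == ROGUE_IP else "real page"


def poisoning_outcome(mode: str) -> str:
    """What a later client receives after the request from the text primed the cache."""
    cache = CacheModel(mode, resolver)
    cache.fetch(Request("/", "sensitive.foo.com", ROGUE_IP), origin)
    return cache.fetch(Request("/", "sensitive.foo.com", "192.0.2.10"), origin)


def second_backend_is_hit(mode: str) -> bool:
    """Same content on two legitimate backends: is the second request a hit?"""
    cache = CacheModel(mode, resolver)
    origin_calls = []

    def counting_origin(req: Request) -> str:
        origin_calls.append(req.dest_ip)
        return "real page"

    cache.fetch(Request("/", "sensitive.foo.com", "192.0.2.10"), counting_origin)
    cache.fetch(Request("/", "sensitive.foo.com", "192.0.2.11"), counting_origin)
    return len(origin_calls) == 1


if __name__ == "__main__":
    for mode in MODES:
        print("%-16s later client gets: %-10s  second backend hit: %s"
              % (mode, poisoning_outcome(mode), second_backend_is_hit(mode)))
```

In this model only HOSTNAME serves the stored rogue page, HOSTNAME_AND_IP gives up hits across backends, and DNS keeps those hits while rejecting the object fetched from an address the host name does not resolve to.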

show cache parameter

Synopsis
show cache parameter

Description
Use this command to display the global configuration of Integrated Cache.

Output

memLimit

useOnlyHostInReq

via

verifyUsing

maxPostLen

prefetchCur

prefetchMaxPending

enableBypass

Related Commands
set cache parameter

show cache stats

Synopsis
show cache stats - alias for 'stat cache'

Description
show cache stats is an alias for stat cache

Related Commands
stat cache

stat cache

Synopsis
stat cache [-detail] [-fullValues] [-ntimes <positive_integer>] [-logFile <input_filename>]

Description
Use this command to display the Integrated Cache statistics.

Counters

Requests (CacReq)
Total requests. (= Total hits + Total misses)

Hits being served (CacHit)
This number should be close to the number of hits being served currently.

Non-304 hits (Non304Hit)
Total number of full responses served from the cache.

304 hits (304Hit)
Total number of 304 Not Modified responses served from the cache.

Hits (TotHit)
Total number of hits. (= 304 hits + Non-304 hits)

304 hit ratio(%) (Pct304Hit)
Ratio of 304 hits to total hits expressed as percentage

Hit ratio(%) (PctHit)
Cache hit ratio expressed as percentage. (= Hits / Requests)

Recent 304 hit ratio(%) (RPct304Hit)
Recently recorded ratio of 304 hits to all hits expressed as percentage

Recent hit ratio(%) (RPctHit)
Recently recorded cache hit ratio expressed as percentage

Misses being handled (CurMiss)
Number of clients that are being served by the origin via the cache. This number should be close to the number of requests being served at present and that had experienced a store-able miss. It does not include those requests that had experienced a non-store-able miss.

Misses (TotMiss)
Total number of misses to the server

Storable misses (StrMiss)
Total number of misses where the response was considered cacheable.

Non-storable misses (NStrMiss)
Total number of misses where the response was considered non-cacheable.

Revalidations (Reval)
Number of times cache generated a conditional request to the origin

Conversions to conditional req (FuToCon)
Number of times cache converted a full request from the client to a conditional request to the origin

Storable miss ratio(%) (PStrMiss)
Ratio of store-able misses to all misses expressed as percentage

Recent storable miss ratio(%) (RPctStMis)
Recently recorded ratio of store-able misses to all misses expressed as percentage.

Successful reval ratio(%) (PSucRev)
Percentage of times stored content was successfully revalidated by a 304 response rather than by a full response

Recent successful reval ratio(%) (RPSucRev)
Recently recorded percentage of times stored content was successfully revalidated by a 304 response rather than by a full response

Successful revalidations (TSucRev)
Total number of times stored content was successfully revalidated by a 304 Not Modified response from the origin

Byte hit ratio(%) (PByHit)
Cache byte hit ratio expressed as percentage. Here we define byte hit ratio as ((number of bytes served from the cache)/(total number of bytes served to the client)). This is the standard definition of Byte Hit Ratio. If compression is turned ON in NS then this ratio doesn't mean much. This might under or over estimate the origin-to-cache bandwidth saving (depending upon whether bytes served by CMP in NetScaler are more or less than compressed bytes served from the cache). If CMP is turned OFF in NS then this ratio is same as cachePercentOriginBandwidthSaved.

Recent byte hit ratio(%) (RPcByHit)
Recently recorded cache byte hit ratio expressed as percentage. Here we define byte hit ratio as ((number of bytes served from the cache)/(total number of bytes served to the client)). This is the standard definition of Byte Hit Ratio. If compression is turned ON in NS then this ratio doesn't mean much. This might under or over estimate the origin-to-cache bandwidth saving (depending upon whether bytes served by CMP in NetScaler are more or less than compressed bytes served from the cache). If CMP is turned OFF in NS then this ratio is same as cacheRecentPercentOriginBandwidthSaved.

Largest response so far(B) (LarResp)
Size of the largest response received so far

Bytes served by NetScaler (RespBy)
Total number of HTTP response bytes served by NetScaler

Bytes served by cache (BySer)
Total number of bytes served from the cache

Compressed bytes from cache (CmpBySer)
Total number of compressed bytes served from the cache

Parameterized inval requests (PInReq)
Total number of requests which performed parameterized invalidation. Parameterized invalidation happens when the INVAL policy has the invalObjects parameter specified.

Full inval requests (NPInReq)
Total number of requests which performed full invalidation. Full invalidation happens when the INVAL policy has the invalGroups parameter specified.

Inval requests (INStrMis)
Total number of invalidation requests. This happens when an incoming request matches a cache INVAL policy. A request can perform both parameterized and full invalidation.

Origin bandwidth saved(%) (POrBan)
Percentage of bandwidth saved at the origin is given by ((number of extra bytes that would have been served by the origin if the cache were absent)/(extra bytes that would have been served by the origin + number of bytes served by the origin)). With this definition we are able to show benefits of integrated compression. The assumption here is that all the compression has been done in NetScaler, otherwise the b/w saving might get over estimated.

Recent origin bandwidth saved(%) (RPOrBan)
Recently recorded cache byte hit ratio expressed as percentage. Here we define byte hit ratio as ((number of extra bytes that would have been served by the origin)/(total number of bytes served to the client)). With this definition we are able to show benefits of integrated compression. The byte hit ratio can be greater than 1 because of integrated cmp. The assumption here is that all the compression has been done in NetScaler.

Expire at last byte (ExpLa)
Total number of objects that were expired at last byte

Flashcache misses (FlMi)
Total number of FlashCache misses

Flashcache hits (FlHi)
Total number of FlashCache hits

Parameterized non-304 hits (PN304Hit)
Total number of full responses served from cache for parameterized requests

Parameterized requests (PReq)
Total number of parameterized requests

Parameterized 304 hits (P304Hit)
Total number of 304 responses served from cache for parameterized requests

Total parameterized hits (PHit)
Total number of hits for parameterized requests (= Parameterized 304 hits + Parameterized non-304 hits)

Parameterized 304 hit ratio(%) (PP304Hit)
Ratio of parameterized 304 hits to all parameterized hits expressed as a percentage

Recent parameterized 304 hit ratio(%) (RPPHit)
Recently recorded ratio of parameterized 304 hits to all parameterized hits expressed as a percentage

Poll every time requests (PeReq)
Total number of PET requests

Poll every time hits (PeHit)
Total number of PET hits

Poll every time hit ratio(%) (PPeHit)
Ratio of successful PET revalidations expressed as percentage

Maximum memory(KB) (MaxMem)
Maximum size of Cache storage in kilobytes

Utilized memory(KB) (UtiMem)
Current size of Cache storage in kilobytes

Cached objects (NumCac)
Number of objects in the cache. This includes (1) objects fully downloaded (2) objects being downloaded (3) objects expired but not yet removed (4) objects flushed but not yet removed

Memory allocation failures (ErrMem)
Total number of times the cache failed to allocate memory to store transactions

Marker objects (NumMark)
Number of marker objects in cache. A marker object is created in cache on two occasions. (1) When the size of the response exceeds the max and min response sizes specified on its contentgroup. (2) When minHits > 0 on the contentgroup and the object has not yet received minHits (minimum number of configured hits).

Related Commands

CLI Commands

This chapter covers the CLI commands.

help

Synopsis
help [(commandName) | <groupName> | -all]

Description
Use this command to display the help information for a specific CLI command, for a specific group of commands, or for all CLI commands.

Arguments

commandName
The name of a specific command for which you want full usage information.

groupName
The name of a command group for which you want basic usage information.

all
Use this option to request basic usage information for all commands.

Example
1. To view help information on adding a virtual server, enter the following CLI command:
help add vserver
Following information is displayed:
Usage: add vserver <vServerName> <serviceType> [<IPAddress> port>] [-type ( CONTENT | ADDRESS )] [-cacheType <cacheType>] [-backupVServerName <string>] [-redirectURL <URL>] [-cacheable ( ON | OFF )] [-state ( ENABLED | DISABLED )]
where:
serviceType = ( HTTP | FTP | TCP | UDP | SSL | SSL_BRIDGE | SSL_TCP | NNTP| DNS | ANY )
<cacheType> = ( TRANSPARENT | REVERSE | FORWARD )
Done
2. To view help information about all DNS commands, enter the following command:
help dns
Following information is displayed:
add addRec <hostname> <IPAddress> ... [-TTL <secs>] [-private <ip_addr>]
rm addRec <hostname> [<IPAddress> ...]
show addRec [<hostname> | -type <type>]
add cnameRec <aliasName> <canonicalName> [-TTL <secs>]
rm cnameRec <aliasName>
show cnameRec [<aliasName> | -type <type>]
add mxRec <domain> -mx <string> -pref <positive_integer> [-TTL <secs>]
rm mxRec <domain> <mx>
set mxRec <domain> -mx <string> [-pref <positive_integer>] [-TTL <secs>]
show mxRec [<domain> | -type <type>]
add nsRec <domain> [-p <string>] [-s <string>] [-TTL <secs>]
rm nsRec <domain> [-p <string> | -s <string>]
show nsRec [<domain> | -type <type>]
set dns parameter [-timeout <secs>] [-retries <positive_integer>] [-minTTL <secs>] [-maxTTL <secs>] [-TTL ( ENABLED | DISABLED )]
show dns parameter
add soaRec <domain> -contact <string> -serial <positive_integer> -refresh <secs> -retry <secs> -expire <secs> -minimum <secs>-TTL <secs>
rm soaRec <domain>
set soaRec <domain> [-contact <string>] [-serial <positive_integer>][-refresh <secs>] [-retry <secs>] [-expire <secs>] [-minimum <secs>][-TTL <secs>]
show soaRec [<domain> | -type <type>]
Done

Related Commands

man

Synopsis
man [(commandName)]

Description
Use this command to invoke the man page for the specified command. You can either specify the command in full, or partially, if it is uniquely resolvable.

Arguments

commandName
The name of the command.

Example
man add vs

Related Commands
quit
exit
@
alias
builtins
end
history
unalias
while
config

quit

Synopsis
quit

Description
Use this command to terminate the CLI. Note: typing <Ctrl>+<d> will also terminate the CLI.

Related Commands
man
exit
@
alias
builtins
end
history
unalias
while
config

exit

Synopsis
exit

Description
Use this command to back out one level in config mode, or to terminate the CLI when not in config mode.

Related Commands
quit
man
@
alias
builtins
end
history
unalias
while
config

set cli mode

Synopsis
set cli mode [-page ( ON | OFF )] [-total ( ON | OFF )] [-color ( ON | OFF )] [-disabledFeatureAction <disabledFeatureAction>]

Description
Use this command to specify how the CLI displays command output.

Arguments

page
Determines whether output that spans more than one screen is "paged". Specify ON to have display pause after each screenful of output. The default is OFF.
Possible values: ON, OFF

total
Determines whether CLI "show" commands display a total count of objects before displaying the objects themselves. The default is ON.
Possible values: ON, OFF

color
Specifies whether coloured output can be shown if the terminal supports it.
Possible values: ON, OFF

disabledFeatureAction
Specifies what will happen when a configuration command is issued for a disabled feature, and can take one of the following values:
NONE - the action is allowed and no warning message is issued;
ALLOW - the action is allowed but a warning message is issued;
DENY - the action is not allowed;
HIDE - commands that configure disabled features are hidden, and the CLI behaves as if they did not exist.
Possible values: NONE, ALLOW, DENY, HIDE

Related Commands
show cli mode

show cli mode

Synopsis
show cli mode

Description
Use this command to display the current settings of the parameters that can be set with the 'set cli mode' command.

Related Commands
set cli mode

set cli prompt

Synopsis
set cli prompt <promptString>

Description
Use this command to customize the CLI prompt. To save a prompt so that it will be used by future CLI sessions, use the 'save cli settings' command.

Arguments

promptString
The prompt string. The following special values can be used:
%! - will be replaced by the history event number
%u - will be replaced by the NetScaler user name
%h - will be replaced by the NetScaler hostname
%t - will be replaced by the current time
%T - will be replaced by the current time (24 hr format)
%d - will be replaced by the current date

Example
> set cli prompt "%h %T"
Done
lb-ns1 15:16>

Related Commands
clear cli prompt
show cli prompt

clear cli prompt

Synopsis
clear cli prompt

Description
Use this command to return the CLI prompt to the default, a single '>'

Related Commands
set cli prompt
show cli prompt

show cli prompt

Synopsis
show cli prompt

Description
Use this command to display the current CLI prompt, with special values like '%h' unexpanded.

Example
10.101.4.22 15:20> sh cli prompt
CLI prompt is set to "%h %T"
Done

Related Commands
set cli prompt
clear cli prompt

@

Synopsis
@

Description
Use this command to assign a value to a variable.

Example
@ n=5

Related Commands
man
quit
exit
alias
builtins
end
history
unalias
while
config

alias

Synopsis
alias <name> <commandName>

Description
Use this command to create a (shorter) alias for a (long) command.

Arguments

name
The name of the alias.

commandName
The name of the command to alias.

Example
alias s show ns info

Related Commands
man
quit
exit
@
builtins
end
history
unalias
while
config

builtins

Synopsis
builtins

Description
Use this command to display the available tcsh builtins.

Related Commands
man
quit
exit
@
alias
end
history
unalias
while
config

end

Synopsis
end

Description
Use this construct to end a tcsh command-loop statement.

Related Commands
man
quit
exit
@
alias
builtins
history
unalias
while
config

history

Synopsis
history

Description
Use this command to display the command history.

Related Commands
man
quit
exit
@
alias
builtins
end
unalias
while
config

unalias

Synopsis
unalias <name>

Description
Use this command to remove an alias set by the 'alias' command.

Arguments

name
The name of the alias to remove.

Example
alias s show ns info ; unalias s

Related Commands
man
quit
exit
@
alias
builtins
end
history
while
config

while

Synopsis
while

Description
Use this construct to begin a tcsh command loop.

Example
@ n=5
while ($n)
  show stats
  @ n--
end

Related Commands
man
quit
exit
@
alias
builtins
end
history
unalias
config

config

Synopsis
config

Description

Related Commands
man
quit
exit
@
alias
builtins
end
history
unalias
while

Compression Commands

This chapter covers the compression commands.

stat cmp

Synopsis
stat cmp [-detail] [-fullValues] [-ntimes <positive_integer>] [-logFile <input_filename>]

Description
This command displays compression statistics

Counters

HTTP compression requests
Number of compression requests done

Compressed bytes transmitted
Number of compressed bytes transmitted

Compressible bytes received
Number of compressible bytes received

Compressed packets transmitted
Number of compressed packets transmitted

Compressible packets received
Number of compressible packets received

HTTP compression success ratio
Ratio of compressible data received to compressed data transmitted expressed as percentage.

HTTP compression ratio
Ratio of total data received to total data transmitted expressed as percentage.

Compressed bytes transmitted (TCmpTxB)
Number of compressed bytes transmitted

Compressible bytes recieved (TCmpRxB)
Number of compressible bytes received

Compressed packets transmitted (TCmpTxP)
Number of compressed packets transmitted

Compressible packets recieved (TCmpRxP)
Number of compressible packets received

Compression ratio (Uncmp:1) (TCmpRt)
Compression ratio: transmitted data as fraction of received data.

Bandwidth saving (%) (BndSav)
Bandwidth saving expressed as percentage.

Quantum compression (TCmpQuan)
Number of times compression is done on receiving quantum worth of data

Push flag compression (TCmpPush)
Number of times compression is done on receiving TCP PSH flag

End Of Input compression (TCmpEoi)
Number of times compression is done on receiving End Of Input (FIN packet)

Timer compression (TCmpTmr)
Number of times compression is done on expiration of data accumulation timer

Decompressed bytes transmitted (DCmpTTxB)
Number of decompressed bytes transmitted

Compressed bytes received (DCmpTRxB)
Number of compressed bytes received

Decompressed packets transmitted (DCmpTTxP)
Number of decompressed packets transmitted

Compressed packets received (DCmpTRxP)
Total number of compressed packets received

Decompression ratio (Uncmp:1) (DTCmpRt)
Compression ratio: received data as fraction of transmitted data.

Bandwidth saving (%) (DBndSav)
Bandwidth saving expressed as percentage.

Wrong data (DCmpErrD)
Number of data errors encountered while decompressing

Less Data (DCmpErrL)
Received less data than declared by protocol

More Data (DCmpErrM)
Received more data than declared by protocol

Memory failures (DCmpMem)
Number of memory failures

Unknown (DCmpErrU)
Unknown errors encountered

Related Commands

show cmp stats

Synopsis
show cmp stats - alias for 'stat cmp'

Description
show cmp stats is an alias for stat cmp

Related Commands
stat cmp

add cmp action

Synopsis
add cmp action <name> <cmptype> [-deltatype ( PERURL | PERPOLICY )]

Description
Use this command to create a compression action. The action thus created can be associated with the compression policy by using the "add cmp policy" command. The built-in compression actions NOCOMPRESS/COMPRESS/GZIP/DEFLATE/RESET are always present on the NetScaler system.
The NOCOMPRESS action can be used to define a policy that disables compression for the matching policy.
The COMPRESS action can be used to enable compression for a specific policy. This action will do either GZIP or DEFLATE based on the browser.
The GZIP action can be used to enable GZIP compression for a specific policy. With this action, GZIP compression will be performed if the browser supports GZIP, otherwise compression is disabled.
The DEFLATE action can be used to enable DEFLATE compression for a specific policy. With this action, DEFLATE compression will be performed if the browser supports DEFLATE, otherwise compression is disabled.
The DELTA action can be used to enable DELTA compression for a specific policy. With this action, DELTA compression will be performed if the browser supports javascript, otherwise compression is disabled.

Arguments

name
The name of the compression action being added. This name must not exceed 31 characters.

cmptype
The compression action to be performed. The valid values are NOCOMPRESS/COMPRESS/GZIP/DEFLATE/DELTA.
Possible values: compress, gzip, deflate, delta, nocompress

deltatype
The delta type may be required if a delta compression action is defined.
Possible values: PERURL, PERPOLICY
Default value: PERURL

Example
add cmp action nocmp NOCOMPRESS

Related Commands
rm cmp action
show cmp action

rm cmp action

Synopsis
rm cmp action <name>

Description
Use this command to remove a compression action that was created using the "add cmp action" command.

Arguments

name
The name of the compression action being removed.

Example
rm cmp action cmp_action_name

Related Commands
add cmp action
show cmp action

show cmp action

Synopsis
show cmp action

Description
Use this command to display the compression actions defined including the built-in actions. The information displayed includes the action name and action type.

Arguments

Output

name

cmptype

deltatype

Example
Example 1
The following shows an example of the output of the show cmp action command when no custom cmp actions have been defined:
> show cmp action
4 Compression actions:
1) Name: GZIP Compression Type: gzip
2) Name: NOCOMPRESS Compression Type: nocompress
3) Name: DEFLATE Compression Type: deflate
4) Name: DELTA Compression Type: delta
5) Name: COMPRESS Compression Type: compress
Done
Done
Example 2
The following command creates a compression action:
add cmp action nocmp NOCOMPRESS
The following shows an example of the output of the show cmp action command after the previous command has been issued:
> show cmp action
4 Compression actions:
1) Name: GZIP Compression Type: gzip
2) Name: NOCOMPRESS Compression Type: nocompress
3) Name: DEFLATE Compression Type: deflate
4) Name: DELTA Compression Type: delta
5) Name: COMPRESS Compression Type: compress
1 Compression action:
1) Name: nocmp Compression Type: nocompress
Done

Related Commands
add cmp action
rm cmp action

add cmp policy

Synopsis
add cmp policy <name> -rule <expression> -resAction <string>

Description
Use this command to create a compression policy.

Arguments

name
The name of the new compression policy.

rule
The expression specifying the condition.

resAction
The name of the action to be performed. The string value can be a compression action created using the "add cmp action" command, or one of the following built-in actions:
The NOCOMPRESS action can be used to define a policy that disables compression for the matching policy.
The COMPRESS action can be used to enable compression for a specific policy. This action will do either GZIP or DEFLATE based on the browser.
The GZIP action can be used to enable GZIP compression for a specific policy. With this action, GZIP compression will be performed if the browser supports GZIP, otherwise compression is disabled.
The DEFLATE action can be used to enable DEFLATE compression for a specific policy. With this action, DEFLATE compression will be performed if the browser supports DEFLATE, otherwise compression is disabled.

Example
Example 1:
add cmp policy pdf_cmp -rule "RES.HTTP.HEADER Content-Type CONTAINS application/pdf" -resAction COMPRESS
After creating the above compression policy, it can be activated by binding it globally:
bind cmp global pdf_cmp
With the configured pdf_cmp (name of the compression policy), the NetScaler system will perform compression for the pdf files.
Example 2:
The following compression policy disables compression for all access from the specific subnet.
add cmp policy local_sub_nocmp -rule "SOURCEIP == 10.1.1.0 -netmask 255.255.255.0" -rspaction NOCOMPRESS
bind cmp global local_sub_nocmp

Related Commands
rm cmp policy
show cmp policy
set cmp policy

rm cmp policy

Synopsis
rm cmp policy <name>

Description
Use this command to remove a compression policy.

Arguments

name
The name of the compression policy.

Example
rm cmp policy cmp_policy_name
The "show cmp policy" command shows all cmp policies that are currently defined.

Related Commands
add cmp policy
show cmp policy
set cmp policy

show cmp policy

Synopsis
show cmp policy [<name>]

Description
Use this command to display the compression policies created using the "add compression policy" command. For each cmp policy, the command output shows the cmp policy name, associated rule, action and statistics.

Arguments

name
The name of the cmp policy.

Output

name

rule

reqAction

resAction

hits

txbytes

rxbytes

Example
> show cmp policy
4 Compression policies:
1) Name: ns_cmp_content_type Rule: ns_content_type
Response action: COMPRESS
Hits: 1
Bytes In:...4325 Bytes Out:... 1530 Bandwidth saving...64.62% Ratio 2.83:1
2) Name: ns_cmp_msapp Rule: (ns_msie && ns_msword || (ns_msexcel || ns_msppt))
Response action: COMPRESS
Hits: 7
Bytes In:...796160 Bytes Out:... 197730 Bandwidth saving...75.16% Ratio 4.03:1
3) Name: ns_cmp_mscss Rule: (ns_msie && ns_css)
Response action: COMPRESS
Hits: 0
4) Name: ns_nocmp_mozilla_47 Rule: (ns_mozilla_47 && ns_css)
Response action: NOCOMPRESS
Hits: 0
Done
An individual cmp policy can also be viewed by giving the cmp policy name as an argument:
> show cmp policy ns_cmp_msapp
Name: ns_cmp_msapp Rule: (ns_msie && ns_msword || (ns_msexcel || ns_msppt))
Response action: COMPRESS
Hits: 7
Bytes In:...796160 Bytes Out:... 197730 Bandwidth saving...75.16% Ratio 4.03:1
Done

Related Commands
add cmp policy
rm cmp policy
set cmp policy

set cmp policy

Synopsis
set cmp policy <name> [-rule <expression>] [-resAction <string>]

Description
Use this command to modify the rule and/or action of an existing cmp policy, created using the "add cmp policy" command. Use the "show cmp policy" command to view all the configured cmp policies.

Arguments

name
The name of the cmp policy.

rule
The expression specifying the condition.

resAction
The response action.

Example
Example 1:
add cmp policy pdf_cmp -rule "RES.HTTP.HEADER Content-Type CONTAINS application/pdf" -resAction COMPRESS
After creating the above compression policy, activate it by binding it globally:
bind cmp global pdf_cmp
With the pdf_cmp compression policy configured, the NetScaler system compresses PDF files. Later, to disable PDF compression for Internet Explorer, change the policy with the following command, which excludes MSIE:
set cmp policy pdf_cmp -rule "RES.HTTP.HEADER Content-Type CONTAINS application/pdf && REQ.HTTP.HEADER User-Agent NOTCONTAINS MSIE"
The changed cmp policy can be viewed with the following command:
> show cmp policy pdf_cmp
Name: pdf_cmp Rule: (RES.HTTP.HEADER Content-Type CONTAINS application/pdf && REQ.HTTP.HEADER User-Agent NOTCONTAINS MSIE)
Response action: COMPRESS Hits: 2
Bytes In:...609284 Bytes Out:... 443998 Bandwidth saving...27.13% Ratio 1.37:1
Done


Related Commands
add cmp policy
rm cmp policy
show cmp policy


bind cmp global

Synopsis
bind cmp global (<policyName> [-priority <positive_integer>]) [-state ( ENABLED | DISABLED )]

Description
Use this command to activate the compression policy globally. The compression policies are created using the "add cmp policy" command. The command "show cmp policy" shows all the existing compression policies and the command "show cmp global" shows all the globally active compression policies. Note that a compression license is required for the compression feature to work. Use the "enable ns feature cmp" command to activate the feature. All the built-in compression policies are bound globally when the compression feature is enabled.

Arguments

policyName
The name of the compression policy.

state
The current state of the binding.
Possible values: ENABLED, DISABLED
Default value: ENABLED

Example
add cmp policy pdf_cmp -rule "RES.HTTP.HEADER Content-Type CONTAINS application/pdf" -resAction COMPRESS
After creating the above compression policy, activate it by binding it globally:
bind cmp global pdf_cmp
After the pdf_cmp compression policy is bound globally, the policy is activated and the NetScaler system compresses PDF files. Globally active compression policies can be seen using the command:
> show cmp global
5 Globally Active Compression Policies:
1) Policy Name: ns_cmp_content_type Priority: 0
2) Policy Name: ns_nocmp_mozilla_47 Priority: 0
3) Policy Name: ns_cmp_mscss Priority: 0
4) Policy Name: ns_cmp_msapp Priority: 0
5) Policy Name: pdf_cmp Priority: 0
Done


Related Commands
unbind cmp global
show cmp global


unbind cmp global

Synopsis
unbind cmp global <policyName>

Description
Use this command to deactivate an active compression policy. Use the "show cmp global" command to see all the globally active compression policies.

Arguments

policyName
The name of the compression policy.

Example
Globally active compression policies can be seen using the command:
> show cmp global
5 Globally Active Compression Policies:
1) Policy Name: ns_cmp_content_type Priority: 0
2) Policy Name: ns_nocmp_mozilla_47 Priority: 0
3) Policy Name: ns_cmp_mscss Priority: 0
4) Policy Name: ns_cmp_msapp Priority: 0
5) Policy Name: pdf_cmp Priority: 0
Done
The globally active pdf_cmp compression policy can be deactivated on the NetScaler system with the command:
unbind cmp global pdf_cmp

Related Commands
bind cmp global
show cmp global


show cmp global

Synopsis
show cmp global

Description
Use this command to display the globally active compression policies that have been activated.

Arguments

Output

policyName

priority

state
The current state of the binding.

Example
> show cmp global
4 Globally Active Compression Policies:
1) Policy Name: ns_cmp_content_type Priority: 0
2) Policy Name: ns_nocmp_mozilla_47 Priority: 0
3) Policy Name: ns_cmp_mscss Priority: 0
4) Policy Name: ns_cmp_msapp Priority: 0
Done

Related Commands
bind cmp global
unbind cmp global


Cache Redirection Commands

This chapter covers the cache redirection commands.


add cr policy

Synopsis
add cr policy <policyName> -rule <expression>

Description
This command adds a cache redirection policy. The policy created can be associated with a cache redirection virtual server using the bind cr vserver CLI command.

Arguments

policyName
Specifies the name of the new cache redirection policy.

rule
Specifies a condition defined by an expression. When the condition is valid, the request is directed to the origin server. Expression logic is expression names, separated by the logical operators || and &&, and possibly grouped using parentheses.
Note: If the expression contains blanks (for example, between an expression name and a logical operator), then the entire argument must be enclosed in double quotes.
The following are valid expressions:
1. ns_ext_cgi||ns_ext_asp
2. ns_non_get && (ns_header_cookie||ns_header_pragma)

Related Commands
add policy map
rm policy map
show policy map
add policy expression
rm policy expression
show policy expression
add cr vserver
bind cr vserver
set cr vserver
show cr vserver
unbind cr vserver
unset cr vserver
rm cr policy
show cr policy


rm cr policy

Synopsis
rm cr policy <policyName>

Description
This command removes the specified Integrated Cache policy. Removing a positive cacheability policy is also equivalent to removing the associated Content Group. Removing a Content Group will also flush all objects of that group in the Integrated Cache. Adding back the policy immediately after removing it might not take the system back to the original state. This is because the order of policy configuration is significant.

Arguments

policyName
Specifies the name of the cache policy that needs to be removed. A positive cacheability policy/content group cannot be removed if it has been configured as the target of a dynamic invalidation policy. To remove the policy, you have to remove the dynamic invalidation policy and the action associated with the dynamic invalidation policy. The procedure is as follows:
a. Enter the show cache action CLI command at the NetScaler prompt. This will display all cache actions.
b. Identify the action in which the contentGroupPolicy attribute matches the policy you want to remove.
c. Enter the show cache policy CLI command at the NetScaler prompt.
d. Identify the policies with which the action chosen in step (b) is associated.
e. Remove the policies identified in step (d) using the rm cache policy CLI command.
f. Remove the action identified in step (b) using the rm cache action CLI command.

Related Commands
add policy map
rm policy map
show policy map
add policy expression
rm policy expression
show policy expression
add cr vserver
bind cr vserver
set cr vserver
show cr vserver
unbind cr vserver
unset cr vserver
add cr policy
show cr policy


show cr policy

Synopsis
show cr policy

Description
This command displays all existing cache redirection policies.

Arguments

Output

policyName

rule

domain

vstype

Related Commands
add policy map
rm policy map
show policy map
add policy expression
rm policy expression
show policy expression
add cr vserver
bind cr vserver
set cr vserver
show cr vserver
unbind cr vserver
unset cr vserver
add cr policy
rm cr policy


add cr vserver

Synopsis
add cr vserver <vServerName> <serviceType> [<IPAddress> <port> [-range <positive_integer>]] [-cacheType <cacheType>] [-state ( ENABLED | DISABLED )]

Description
This command adds a cache redirection virtual server.

Arguments

vServerName
Specifies the name of the cache redirection virtual server being added.

serviceType
Specifies the type of service handled by the virtual server. The valid service types are: HTTP, SSL, NNTP and SSL_TCP.
Note: Use service type HTTP to configure content switching on this virtual server.
Possible values: HTTP, SSL, NNTP

IPAddress
Specifies the IP address of the cache redirection virtual server.
1. To specify a specific virtual server address, type its numeric value.
2. To specify a wildcard virtual server address, type an asterisk (*).
Default value: *

cacheType
Specifies the supported cache server type. Valid cache server types are: TRANSPARENT, REVERSE, FORWARD.
Note: For this command to work you must select one of the cache types.
Possible values: TRANSPARENT, REVERSE, FORWARD
Default value: TRANSPARENT

redirect
Specifies the redirect policies. The valid redirect policies are:
1. CACHE - Directs all requests to the cache.
2. POLICY - Applies cache redirection policy to determine whether the request should be directed to the cache or origin. This is the default setting.
3. ORIGIN - Directs all requests to the origin server.
Possible values: CACHE, POLICY, ORIGIN
Default value: POLICY


precedence
This argument is used only when configuring content switching on the specified virtual server. This is applicable only if both the URL and RULE-based policies have been configured on the same virtual server. It specifies the type of policy (URL or RULE) that takes precedence on the content switching virtual server. The default setting is RULE.
* URL - In this case, the incoming request is matched against the URL-based policies before the rule-based policies.
* RULE - In this case, the incoming request is matched against the rule-based policies before the URL-based policies.
For all URL-based policies, the precedence hierarchy is:
1. Domain and exact URL
2. Domain, prefix and suffix
3. Domain and suffix
4. Domain and prefix
5. Domain only
6. Exact URL
7. Prefix and suffix
8. Suffix only
9. Prefix only
10. Default
Possible values: RULE, URL
Default value: RULE

arp

ghost

map

format

via
Determines whether the NetScaler 9000 system inserts a Via: header in the HTTP requests. The default setting is ON.
Possible values: ON, OFF
Default value: ON

cacheVserver
Specifies the name of the default target cache virtual server to which requests are redirected.

dnsVserverName
Specifies the name of the DNS virtual server used for resolving domain names coming to the forward proxy virtual server.
Note: This parameter is applicable only to forward proxy virtual servers, not reverse and transparent.

destinationVServer
Specifies the destination virtual server for transparent or forward proxy cache redirection virtual server. All requests to the transparent or forward proxy cache redirection virtual server are directed to this destination virtual server.

domain
Specifies the default domain for reverse proxies. Domains are configured in the NetScaler 9000 system to direct the incoming request from a particular configured source domain to a particular configured target domain. There may be several configured pairs of source and target domains. You can select one of these pairs to be the default. This way, for an incoming request if a source domain is not present in host header or URL, the request is sent to the target domain of the selected default pair.

soPersistenceTimeOut

soThreshold

reuse
Specifies whether TCP connections to cache or origin servers are reused across client connections.
Note: Specify this argument only if the service type argument is set to HTTP. The default setting is ON.
If this argument is set to OFF and:
* -redirect is set to CACHE, TCP connections to the cache servers are not reused.
* -redirect is set to ORIGIN, TCP connections to the origin servers are not reused.
* -redirect is set to POLICY, TCP connections to the origin servers are not reused.
If this argument is set to ON, connections are reused to both origin and cache servers.
Possible values: ON, OFF
Default value: ON

state
Whether the cache redirection virtual server is enabled or disabled.
Possible values: ENABLED, DISABLED
Default value: ENABLED

Related Commands
add policy map
rm policy map
show policy map
add policy expression
rm policy expression
show policy expression
set cr vserver
show cr vserver
unset cr vserver


bind cr vserver

Synopsis
bind cr vserver <vServerName> -policyName <string> [<targetVserver>]

Description
For the NetScaler 9000 system's cache redirection feature, this command binds the cache redirection policy to the cache redirection virtual server.

Arguments

vServerName
Specifies the name of the cache redirection virtual server to which the cache redirection policy will be bound.

policyName
Specifies the name of the cache redirection policy. This policy needs to be of the type map or cache redirection policy (created using the add policy map or add cr policy CLI commands).

targetVserver
Specifies an address-based virtual server that can only be specified for a map policy created using the add policy map command when the cache redirection virtual server is of the type REVERSE.

Related Commands
unbind cr vserver


set cr vserver

Synopsis
set cr vserver <vServerName> [-redirect <redirect>] [-precedence ( RULE | URL )] [-via ( ON | OFF )] [-cacheVserver <string>] [-dnsVserverName <string>] [-destinationVServer <string>] [-domain <string>] [-reuse ( ON | OFF )] [-backupVServerName <string>] [-redirectURL <URL>] [-cltTimeout <secs>]

Description
This command changes the attributes of a configured cache redirection vserver.

Arguments

vServerName
Specifies the name of the cache redirection virtual server being added.

redirect
Specifies the redirect policies. The valid redirect policies are:
1. CACHE - Directs all requests to the cache.
2. POLICY - Applies cache redirection policy to determine whether the request should be directed to the cache or origin. This is the default setting.
3. ORIGIN - Directs all requests to the origin server.
Possible values: CACHE, POLICY, ORIGIN
Default value: POLICY

precedence
This argument is used only when configuring content switching on the specified virtual server. This is applicable only if both the URL and RULE-based policies have been configured on the same virtual server. It specifies the type of policy (URL or RULE) that takes precedence on the content switching virtual server. The default setting is RULE.
* URL - In this case, the incoming request is matched against the URL-based policies before the rule-based policies.
* RULE - In this case, the incoming request is matched against the rule-based policies before the URL-based policies.
For all URL-based policies, the precedence hierarchy is:
1. Domain and exact URL
2. Domain, prefix and suffix
3. Domain and suffix
4. Domain and prefix
5. Domain only
6. Exact URL
7. Prefix and suffix
8. Suffix only
9. Prefix only
10. Default
Possible values: RULE, URL
Default value: RULE


via
Determines whether the NetScaler 9000 system inserts a Via: header in the HTTP requests. The default setting is ON.
Possible values: ON, OFF
Default value: ON

cacheVserver
Specifies the name of the default target cache virtual server to which requests are redirected.

dnsVserverName
Specifies the name of the DNS virtual server used for resolving domain names coming to the forward proxy virtual server.
Note: This parameter is applicable only to forward proxy virtual servers, not reverse and transparent.

destinationVServer
Specifies the destination virtual server for transparent or forward proxy cache redirection virtual server. All requests to the transparent or forward proxy cache redirection virtual server are directed to this destination virtual server.

domain
Specifies the default domain for reverse proxies. Domains are configured in the NetScaler 9000 system to direct the incoming request from a particular configured source domain to a particular configured target domain. There may be several configured pairs of source and target domains. You can select one of these pairs to be the default. This way, for an incoming request if a source domain is not present in host header or URL, the request is sent to the target domain of the selected default pair.

reuse
Specifies whether TCP connections to cache or origin servers are reused across client connections.
Note: Specify this argument only if the service type argument is set to HTTP. The default setting is ON.
If this argument is set to OFF and:
* -redirect is set to CACHE, TCP connections to the cache servers are not reused.
* -redirect is set to ORIGIN, TCP connections to the origin servers are not reused.
* -redirect is set to POLICY, TCP connections to the origin servers are not reused.
If this argument is set to ON, connections are reused to both origin and cache servers.
Possible values: ON, OFF
Default value: ON


backupVServerName

redirectURL

cltTimeout

Related Commands
add cr vserver
show cr vserver
unset cr vserver


rm cr vserver

Synopsis
rm cr vserver <name>@ ...

Description
Use this command to remove a virtual server.

Arguments

name
The name of the virtual server to be removed.

Example
rm vserver lb_vip

Related Commands
enable cr vserver
disable cr vserver


enable cr vserver

Synopsis
enable cr vserver <name>@

Description
Use this command to enable a virtual server.
Note: Virtual servers, when added, are enabled by default.

Arguments

name
The name of the virtual server to be enabled.

Example
enable vserver lb_vip

Related Commands
rm cr vserver
disable cr vserver


disable cr vserver

Synopsis
disable cr vserver <name>@

Description
Use this command to disable a virtual server (take it out of service).

Arguments

name
The name of the virtual server to be disabled.
Notes:
1. The NetScaler 9000 system still responds to ARP and/or ping requests for the IP address of this virtual server.
2. As the virtual server is still configured in the NetScaler 9000 system, you can enable the virtual server using the enable vserver CLI command.

Example
disable vserver lb_vip

Related Commands
rm cr vserver
enable cr vserver


show cr vserver

Synopsis
show cr vserver [<name>]

Description
This command displays the specified cache redirection virtual server or all the configured cache redirection virtual servers.

Arguments

name
The name of the cache redirection virtual server to be shown.

Output

IPAddress

value

port

range

serviceType

type

state


status

cacheType

redirect

precedence

redirectURL

authentication

homePage

dnsVserverName

domain

rule

policyName

serviceName

weight

cacheVserver


backupVServerName

priority

cltTimeout

soMethod

soPersistence

soPersistenceTimeOut

soThreshold

reuse

destinationVServer

via

Related Commands
add policy map
rm policy map
show policy map
add policy expression
rm policy expression
show policy expression
show cs policy
add cr vserver
set cr vserver
unset cr vserver


unbind cr vserver

Synopsis
unbind cr vserver <vServerName> -policyName <string>

Description
This command unbinds the specified cache redirection policy from the specified cache redirection virtual server.

Arguments

vServerName
Specifies the name of the cache redirection virtual server from which you want the policy unbound.

policyName
Specifies the name of the policy (that was previously created using the add cr policy or add policy map command).

Related Commands
rm policy map
show policy map
rm policy expression
show policy expression
rm cr policy
show cr policy
bind cr vserver


unset cr vserver

Synopsis
unset cr vserver <vServerName> [-cacheVserver] [-dnsVserver] [-destinationVServer] [-domainName]

Description
This command unsets the attributes of the configured Cache Redirection virtual server. The Cache Redirection virtual server attributes can be set using either the add cr vserver or the set cr vserver command.

Arguments

vServerName
Specifies the name of the Cache Redirection virtual server whose attributes need to be unset.

cacheVserver
Specifies that the configured load balancing cache virtual server needs to be unset.

dnsVserver
Specifies that the configured DNS virtual server needs to be unset.
Note: This option is used only for Forward Proxy and hence is not supported, as the 4.0.2 release does not support Forward Proxy.

destinationVServer
Specifies that the configured destination virtual server needs to be unset.

domainName
Specifies that the configured default domain name for the Cache Redirection virtual server needs to be unset.

Related Commands
rm policy map
show policy map
rm policy expression
show policy expression
rm cr policy
show cr policy
add cr vserver
set cr vserver
show cr vserver


Content Switching Commands

This chapter covers the content switching commands.


add cs policy

Synopsis
add cs policy <policyName> [-url <string> | -rule <expression>] [-domain <string>]

Description
This command creates a content switching policy. The policy created can be associated with a content switching virtual server using the bind cs vserver CLI command.

Arguments

policyName
Specifies the name of the new content switching policy.

url
Specifies the URL with wildcards. Specify the string value in this format: // [[prefix ] [*]] [.suffix]

rule
Specifies the condition for applying this policy. Expression logic consists of expression names, separated by the logical operators || and &&, and possibly grouped using parentheses. If the expression contains blanks (for example, between an expression name and a logical operator), then the entire argument must be enclosed in double quotes. The following shows valid expression logic:
ns_ext_cgi||ns_ext_asp
"ns_non_get && (ns_header_cookie||ns_header_pragma)"

domain
Specifies the domain name. The string value can be up to 63 characters long.

Example
To match the requests that have URL "/", you would enter the following command:
add cs policy <policyName> -url /

To match with all URLs starting with "/sports/", you would enter the following command:
add cs policy <policyName> -url /sports/*

To match the requests that have URLs starting with "/sports", you would enter the following command:
add cs policy <policyName> -url /sports*

To match the requests that have the URL "/sports/tennis/index.html", you would enter the following command:
add cs policy <policyName> -url /sports/tennis/index.html

To match the requests that have the URLs with the extension "jsp", you would enter the following command:
add cs policy <policyName> -url /*.jsp

To match the requests that have URLs starting with "/sports/" and the file extension "jsp", you would enter the following command:
add cs policy <policyName> -url /sports/*.jsp

To match the requests that have URLs containing "sports", you would enter the following commands:
add pol expression sports_url "URL contains sports"
add cs policy <policyName> -rule sports_url

To match the requests with the URL queries containing "gold" or Cookie Header containing "gold", you would enter the following commands:
add pol expression gold_query "URLQUERY contains gold"
add pol expression gold_cookie "Header COOKIE contains gold"
add cs policy <policyName> -rule "(gold_query ||gold_cookie)"

To match the requests that have the domain name of www.domainxyz.com, you enter the following command:
add cs policy <policyName> -domain "www.domainxyz.com"

To match the requests that have the domain name of www.domainxyz.com and URLs containing the extension "jsp", you would enter the following command:
add cs policy <policyName> -url /*.jsp -domain "www.domainxyz.com"

To match the requests with the domain name of www.domainxyz.com and URLs containing "sports", you would enter the following commands:
add pol expression sports_url "URL contains sports"
add cs policy <policyName> -rule sports_url -domain "www.domainxyz.com"

Related Commands
rm cs policy
show cs policy
set cs policy


rm cs policy

Synopsis
rm cs policy <policyName>

Description
This command removes the specified content switching policy.
Note: The policy must be unbound from the content switching virtual server before it is removed.

Arguments

policyName
The name of the content switching policy to be removed.

Related Commands
add cs policy
show cs policy
set cs policy


show cs policy

Synopsis
show cs policy [<policyName>]

Description
This command displays all of the content switching policies.

Arguments

policyName
Specifies the name of the policy to be displayed. If no name is given, all policies are displayed.

Output

policyName

url

rule

domain

vstype

hits

Related Commands
show cs vserver
add cs policy
rm cs policy
set cs policy


set cs policy

Synopsis
set cs policy <policyName> [-rule <expression>]

Description
This command changes a previously configured content switching policy.

Arguments

policyName
Specifies the name of the new content switching policy.

rule
Specifies the condition for applying this policy. Expression logic consists of expression names, separated by the logical operators || and &&, and possibly grouped using parentheses. If the expression contains blanks (for example, between an expression name and a logical operator), then the entire argument must be enclosed in double quotes. The following shows valid expression logic:
ns_ext_cgi||ns_ext_asp
"ns_non_get && (ns_header_cookie||ns_header_pragma)"

Related Commands
add cs policy
rm cs policy
show cs policy
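The -rule expression logic described for add cr policy, add cs policy and set cs policy can be checked before a change is applied. The following Python audit is an added example, not part of the original guide and not Citrix code; it handles only named-expression logic (names, &&, ||, parentheses), and the command-line splitting and the finding texts are assumptions of this sketch. It flags rules that mix && and || at one nesting level, such as the ns_cmp_msapp rule shown earlier, and rules that contain blanks without double quotes.

```python
import re

TOKEN_RE = re.compile(r"\s*(\|\||&&|\(|\)|[A-Za-z_][A-Za-z0-9_]*)")
# -rule value: either "quoted", or bare text up to the next -option or end of line.
RULE_ARG_RE = re.compile(r'-rule\s+(?:"([^"]*)"|(.*?))(?=\s+-[A-Za-z]|\s*$)')


class RuleSyntaxError(ValueError):
    """The rule is not well-formed named-expression logic."""


def tokenize(rule):
    tokens, pos, rule = [], 0, rule.strip()
    while pos < len(rule):
        m = TOKEN_RE.match(rule, pos)
        if not m:
            raise RuleSyntaxError(f"unexpected text at offset {pos}: {rule[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


def _parse_group(tokens, i, depth, findings):
    """Parse one nesting level; return (expression names seen, next index)."""
    names, ops, want_operand = [], set(), True
    while i < len(tokens):
        tok = tokens[i]
        if want_operand:
            if tok == "(":
                inner, i = _parse_group(tokens, i + 1, depth + 1, findings)
                if i >= len(tokens) or tokens[i] != ")":
                    raise RuleSyntaxError("missing ')'")
                names += inner
            elif tok in ("&&", "||", ")"):
                raise RuleSyntaxError(f"expected an expression name, got {tok!r}")
            else:
                names.append(tok)
            want_operand = False
        elif tok == ")":
            break  # the caller consumes the ')'
        elif tok in ("&&", "||"):
            ops.add(tok)
            want_operand = True
        else:
            raise RuleSyntaxError(f"expected && or ||, got {tok!r}")
        i += 1
    if want_operand:
        raise RuleSyntaxError("rule ends where an expression name is expected")
    if ops == {"&&", "||"}:
        # The guide does not state which operator binds tighter, so ask for parentheses.
        findings.append(
            f"mixed && and || at nesting depth {depth} without explicit parentheses")
    return names, i


def audit_rule(rule, defined=None):
    """Return a list of findings for one rule string (without surrounding quotes)."""
    findings = []
    tokens = tokenize(rule)
    names, i = _parse_group(tokens, 0, 0, findings)
    if i != len(tokens):
        raise RuleSyntaxError("unbalanced ')'")
    if defined is not None:
        for name in sorted(set(names) - set(defined)):
            findings.append(f"undefined expression name: {name}")
    return findings


def audit_command(line, defined=None):
    """Audit the -rule argument of an add/set policy command line."""
    m = RULE_ARG_RE.search(line)
    if not m:
        return []
    quoted, bare = m.groups()
    findings = []
    if quoted is None and re.search(r"\s", bare):
        findings.append("rule contains blanks but is not enclosed in double quotes")
    return findings + audit_rule(quoted if quoted is not None else bare, defined)


if __name__ == "__main__":
    # Command lines constructed from the rules quoted in this guide.
    for cmd in (
        'add cr policy p1 -rule ns_ext_cgi||ns_ext_asp',
        'add cr policy p2 -rule ns_non_get && (ns_header_cookie||ns_header_pragma)',
        'add cs policy p3 -rule "(ns_msie && ns_msword || (ns_msexcel || ns_msppt))"',
    ):
        print(cmd, "->", audit_command(cmd) or "ok")
```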


add cs vserver

Synopsis
add cs vserver <vServerName> <serviceType> (<IPAddress> [-range <positive_integer>]) <port> [-state ( ENABLED | DISABLED )]

Description
This command adds a content switching virtual server.

Arguments

vServerName
Specifies the virtual server name. The name can be a maximum of 31 characters long.

serviceType
Specifies the service of the virtual server as HTTP or SSL.
Possible values: HTTP, SSL

IPAddress
Specifies the IP address of the virtual server.

port
Specifies a port number for the virtual server.

state
Specifies whether the virtual server is enabled or disabled.
Possible values: ENABLED, DISABLED
Default value: ENABLED

precedence
Identifies the precedence on the content switching virtual server between RULE-based and URL-based policies. The default precedence is set to RULE. If the precedence is configured as RULE, the incoming request is applied against the content switching policies created with -rule argument using the add cs policy CLI command. If none of the rules match, the URL in the request is applied against the content switching policies created with -url argument using the add cs policy CLI command.
Possible values: RULE, URL
Default value: RULE


casesensitive
Identifies the URL lookup case option on the content switching vserver. If case sensitivity of a content switching virtual server is set to 'ON', the URLs /a/1.html and /A/1.HTML are treated differently and can have different targets set through content switching policies. If case sensitivity is set to 'OFF', the URLs /a/1.html and /A/1.HTML are treated the same and will be switched to the same target.
Possible values: ON, OFF
Default value: ON

soPersistenceTimeOut

soThreshold

Example
1. Precedence can be used if certain client attributes (such as a specific type of browser) need to be served with different content and all other clients can be served from the content distributed among servers. If the precedence is configured as URL, the incoming request URL is applied against the content switching policies created with -url argument. If none of the policies match, then the request is applied against the content switching policies created with -rule argument.
2. Precedence can be used if some content (such as images) is the same for all clients but other content (such as text) is different for different clients. In this case the images will be served to all clients but the text served to specific clients based on the attributes, such as Accept-Language.

Related Commands
add cs policy
set cs vserver
show cs vserver
stat cs vserver
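To review which target a request would be switched to, the URL-policy precedence hierarchy, the -url pattern forms and the casesensitive option described in this chapter can be modeled offline. The following Python model is an added example, not part of the original guide and not Citrix code. Its matching details are assumptions: the suffix is compared against the text after the last ".", hosts compare case-insensitively, ties inside one rank go to the longest prefix and then to bind order, and all policy and target names are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Precedence ranks for URL-based policies, as listed in the guide (1 wins).
RANK = {
    (True, "exact"): 1, (True, "prefix+suffix"): 2, (True, "suffix"): 3,
    (True, "prefix"): 4, (True, "none"): 5,
    (False, "exact"): 6, (False, "prefix+suffix"): 7, (False, "suffix"): 8,
    (False, "prefix"): 9,
}
DEFAULT_RANK = 10  # the default binding (bound without a policy name)


@dataclass(frozen=True)
class UrlPolicy:
    name: str
    target: str                   # hypothetical target virtual server name
    url: Optional[str] = None     # value of -url
    domain: Optional[str] = None  # value of -domain

    def __post_init__(self):
        if self.url is None and self.domain is None:
            raise ValueError("a URL-based policy needs -url, -domain or both")


def classify(url):
    """Split a -url value into (kind, prefix or exact URL, suffix)."""
    if url is None:
        return "none", "", ""
    if "*" not in url:
        return "exact", url, ""
    prefix, _, tail = url.partition("*")
    suffix = tail[1:] if tail.startswith(".") else ""
    if not suffix:
        return "prefix", prefix, ""
    if prefix in ("", "/"):
        return "suffix", "", suffix
    return "prefix+suffix", prefix, suffix


def matches(policy, host, path, casesensitive):
    if policy.domain is not None and policy.domain.lower() != host.lower():
        return False
    kind, head, suffix = classify(policy.url)
    if not casesensitive:
        path, head, suffix = path.lower(), head.lower(), suffix.lower()
    if kind == "exact":
        return path == head
    if suffix and not path.endswith("." + suffix):
        return False
    return path.startswith(head)  # head is "" for domain-only and suffix-only


def select(policies, host, path, casesensitive=True, default_target=None):
    """Return (target, policy name, rank) for the winning URL-based policy."""
    candidates = []
    for order, policy in enumerate(policies):
        if matches(policy, host, path, casesensitive):
            kind, head, _ = classify(policy.url)
            rank = RANK[(policy.domain is not None, kind)]
            candidates.append((rank, -len(head), order, policy))
    if not candidates:
        return default_target, None, DEFAULT_RANK
    rank, _, _, policy = min(candidates, key=lambda c: c[:3])
    return policy.target, policy.name, rank


# Constructed policy set using the -url forms from the add cs policy examples.
POLICIES = [
    UrlPolicy("p_sports", "lb_sports", url="/sports/*"),
    UrlPolicy("p_jsp", "lb_app", url="/*.jsp"),
    UrlPolicy("p_sports_jsp", "lb_sports_app", url="/sports/*.jsp"),
    UrlPolicy("p_dom", "lb_xyz", domain="www.domainxyz.com"),
    UrlPolicy("p_dom_jsp", "lb_xyz_app", url="/*.jsp", domain="www.domainxyz.com"),
    UrlPolicy("p_exact", "lb_a", url="/a/1.html"),
]

if __name__ == "__main__":
    for host, path, cs in (
        ("example.test", "/sports/scores.jsp", True),
        ("www.domainxyz.com", "/sports/scores.jsp", True),
        ("example.test", "/A/1.HTML", True),
        ("example.test", "/A/1.HTML", False),
    ):
        print(host, path, "casesensitive=" + ("ON" if cs else "OFF"), "->",
              select(POLICIES, host, path, cs, default_target="lb_default"))
```

With casesensitive ON, /A/1.HTML misses the exact-URL policy and falls through to the default target, so a policy set meant to isolate a path should be reviewed under both settings.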


bind cs vserver

Synopsis
bind cs vserver <vServerName> [<targetVserver>] [-policyName <string> [-priority <positive_integer>]]

Description
This command binds a content switching policy between a content-based virtual server and an address-based virtual server. Multiple policies can be assigned to the virtual server pair. Do not specify the optional policyName when adding a default policy on the content switch virtual server.

Arguments

vServerName
Identifies the virtual server name (created with the add cs vserver or add cr vserver command) for which the content switching policy will be set.

targetVserver
Specifies the virtual server name (created with the add lb vserver command) to which content will be switched.

policyName
Specifies the content switch policy name (created with the add cs policy command).

Related Commands
add cs policy
show cs policy
unbind cs vserver

set cs vserver

Synopsis
set cs vserver <vServerName> [-precedence ( RULE | URL )] [-casesensitive ( ON | OFF )] [-backupVServerName <string>] [-redirectURL <URL>] [-cacheable ( YES | NO )] [-cltTimeout <secs>] [-soMethod <soMethod>] [-soPersistence ( ENABLED | DISABLED )] [-soPersistenceTimeOut <positive_integer>] [-soThreshold <positive_integer>]

Description
This command changes or adds the parameters of a content switching virtual server.

Arguments

vServerName
Identifies the virtual server name (created with the add cs vserver command).

precedence
Identifies the precedence on the content switching virtual server between rule-based and URL-based policies. The default precedence is set to RULE.
If the precedence is configured as RULE, the incoming request is applied against the content switching policies created with the -rule argument. If none of the rules match, then the URL in the request is applied against the content switching policies created with the -url option. For example, this precedence can be used if certain client attributes (such as a specific type of browser) need to be served different content and all other clients can be served from the content distributed among servers.
If the precedence is configured as URL, the incoming request URL is applied against the content switching policies created with the -url option. If none of the policies match, then the request is applied against the content switching policies created with the -rule option. Also, this precedence can be used if some content (such as images) is the same for all clients but other content (such as text) is different for different clients. In this case the images will be served to all clients but the text served to specific clients based on the attributes, such as Accept-Language.
Possible values: RULE, URL

casesensitive
Identifies the URL lookup case option on the content switching vserver. If case sensitivity of a content switching virtual server is set to 'ON', the URLs /a/1.html and /A/1.HTML are treated differently and can have different targets set through content switching policies. If case sensitivity is set to 'OFF', the URLs /a/1.html and /A/1.HTML are treated the same and are switched to the same target.
Possible values: ON, OFF
Default value: ON

backupVServerName

redirectURL

cacheable

cltTimeout

soMethod

soPersistence

soPersistenceTimeOut

soThreshold

Related Commands
add cs policy
show cs policy
add cs vserver
show cs vserver
stat cs vserver
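The interaction of -precedence and -casesensitive described above can be checked against a planned policy set before it is bound. The following is an added example, not code from Citrix or from this guide: the URL matching (exact, or prefix when the pattern ends in "*"), the first-match ordering, and all policy, vserver and request names are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class CsPolicy:
    """One content switching policy plus the target it is bound to."""
    name: str
    target: str                       # lb vserver given to "bind cs vserver"
    url: Optional[str] = None         # set for policies created with -url
    rule: Optional[Callable[[Dict[str, str]], bool]] = None  # stand-in for -rule


def url_matches(pattern: str, url: str, casesensitive: str) -> bool:
    # Assumption: exact match, or prefix match when the pattern ends in "*".
    if casesensitive == "OFF":
        pattern, url = pattern.lower(), url.lower()
    if pattern.endswith("*"):
        return url.startswith(pattern[:-1])
    return url == pattern


def select_target(policies: List[CsPolicy], url: str, headers: Dict[str, str],
                  precedence: str = "RULE", casesensitive: str = "ON",
                  default_target: Optional[str] = None) -> Optional[str]:
    """Pick the target for one request, trying the preferred policy kind first."""
    def by_rule() -> Optional[str]:
        return next((p.target for p in policies
                     if p.rule is not None and p.rule(headers)), None)

    def by_url() -> Optional[str]:
        return next((p.target for p in policies
                     if p.url is not None
                     and url_matches(p.url, url, casesensitive)), None)

    order = (by_rule, by_url) if precedence == "RULE" else (by_url, by_rule)
    for lookup in order:
        target = lookup()
        if target is not None:
            return target
    return default_target  # the default policy, bound without -policyName


def case_collisions(policies: List[CsPolicy]) -> List[Tuple[str, str]]:
    """URL policies that differ only by case yet point at different targets.

    With casesensitive ON they stay distinct; in this model, with OFF, only the
    first one can ever match, so review them before changing the setting.
    """
    first_seen: Dict[str, CsPolicy] = {}
    clashes = []
    for p in policies:
        if p.url is None:
            continue
        earlier = first_seen.setdefault(p.url.lower(), p)
        if earlier is not p and earlier.target != p.target:
            clashes.append((earlier.name, p.name))
    return clashes


# Constructed sample configuration; every name here is hypothetical.
POLICIES = [
    CsPolicy("pol_images", "lb_images", url="/images/*"),
    CsPolicy("pol_french", "lb_fr",
             rule=lambda h: h.get("Accept-Language", "").lower().startswith("fr")),
    CsPolicy("pol_a_lower", "lb_a", url="/a/1.html"),
    CsPolicy("pol_a_upper", "lb_b", url="/A/1.HTML"),
]

if __name__ == "__main__":
    french = {"Accept-Language": "fr-FR"}
    for prec in ("RULE", "URL"):
        print(prec, select_target(POLICIES, "/images/logo.gif", french,
                                  precedence=prec))
    # A case variant of a URL policy falls through to the default target when ON.
    for cs in ("ON", "OFF"):
        print(cs, select_target(POLICIES, "/Images/logo.gif", {},
                                casesensitive=cs, default_target="lb_default"))
    print(case_collisions(POLICIES))
```

With casesensitive ON, a request whose path differs only in case from a URL policy is not matched by that policy and is served by whatever the default policy points to, so the default target should be reviewed together with the URL policies.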

rm cs vserver

Synopsis
rm cs vserver <name>@ ...

Description
Use this command to remove a virtual server.

Arguments

name
The name of the virtual server to be removed.

Example
rm vserver lb_vip

Related Commands
enable cs vserver
disable cs vserver

enable cs vserver

Synopsis
enable cs vserver <name>@

Description
Use this command to enable a virtual server.
Note: Virtual servers, when added, are enabled by default.

Arguments

name
The name of the virtual server to be enabled.

Example
enable vserver lb_vip

Related Commands
rm cs vserver
disable cs vserver

disable cs vserver

Synopsis
disable cs vserver <name>@

Description
Use this command to disable a virtual server (take it out of service).

Arguments

name
The name of the virtual server to be disabled.
Notes:
1. The NetScaler 9000 system still responds to ARP and/or ping requests for the IP address of this virtual server.
2. As the virtual server is still configured in the NetScaler 9000 system, you can enable the virtual server using the enable vserver CLI command.

Example
disable vserver lb_vip

Related Commands
rm cs vserver
enable cs vserver

show cs vserver

Synopsis
show cs vserver [<name>]
show cs vserver stats - alias for 'stat cs vserver'

Description
This command displays the list of content switching virtual servers configured in the NetScaler 9000 system. To show the information for a particular virtual server and the content policies bound to that virtual server, enter the name of the content switching virtual server.

Arguments

name
Specifies the content switching virtual server for which information is to be displayed.

Output

IPAddress

value

port

range

serviceType

type

state

status

cacheType

redirect

precedence

redirectURL

authentication

casesensitive

homePage

dnsVserverName

domain

rule

policyName

hits

serviceName

weight

cacheVserver

backupVServerName

priority

cltTimeout

soMethod

soPersistence

soPersistenceTimeOut

soThreshold

redirectURL

url

Related Commands
show cs policy
add cs vserver
set cs vserver
stat cs vserver

stat cs vserver

Synopsis
stat cs vserver [<name>] [-detail] [-fullValues] [-ntimes <positive_integer>] [-logFile <input_filename>]

Description
This command displays content switch vserver statistics.

Arguments

name
The name of the vserver for which statistics will be displayed. If not given, statistics are shown for all cs vservers.

Output

Counters

Vserver protocol (Protocol)
Protocol associated with the vserver

IP address (IP)
The IP address at which the service is running.

Port (port)
The port at which the service is running.

State
Current state

Requests (Req)
The total number of requests.

Responses (Rsp)
Number of responses

Request bytes (Reqb)
The total number of request bytes.

Response bytes (Rspb)
Number of response bytes

Related Commands
add cs vserver
set cs vserver
show cs vserver

unbind cs vserver

Synopsis
unbind cs vserver <vServerName> [-policyName <string>]

Description
This command removes the content switching policies for the specified content switching virtual server. To remove the default policy, do not specify the optional policy name.

Arguments

vServerName
Identifies the virtual server name (created with the add cs vserver or add cr vserver command) for which the content switching policy will be set.

policyName
Specifies the content switch policy name (created with the add cs policy command).

Related Commands
bind cs vserver

DNS Commands

This chapter covers the DNS commands.

stat dns

Synopsis
stat dns [-detail] [-fullValues] [-ntimes <positive_integer>] [-logFile <input_filename>]

Description
This command displays the DNS statistics.

Counters

Dns queries (Q)
Total number of DNS queries received.

A queries (AQ)
Total number of A queries received.

NS queries (NSQ)
Total number of NS queries received.

CNAME queries (CNQ)
Total number of CNAME queries received.

SOA queries (SOAQ)
Total number of SOA queries received.

MX queries (MXQ)
Total number of MX queries received.

Dns responses (Rsp)
Total number of DNS responses received

A responses (ARsp)
Total number of A responses received.

NS responses (NSRsp)
Total number of NS responses received.

CNAME responses (CNRsp)
Total number of CNAME responses received.

SOA responses (SOARsp)
Total number of SOA responses received.

MX responses (MXRsp)
Total number of MX responses received.

Server queries (SvrQ)
Total number of Server queries sent.

Server responses (SvrRsp)
Total number of Server responses received.

A updates (AUp)
Total number of A record updates.

NS updates (NSUp)
Total number of NS record updates.

MX updates (MXUp)
Total number of MX record updates.

SOA updates (SOAUp)
Total number of SOA record updates.

CNAME updates (CNUp)
Total number of CNAME record updates.

Record updates (Up)
Total number of record updates.

Cache flush called (CaFsh)
Total number of times cache was flushed.

Cache entries flushed (CaEntFsh)
Total number of cache entries flushed.

A records (ARec)
Total number of A records.

NS records (NSRec)
Total number of NS records.

MX records (MXRec)
Total number of MX records.

SOA records (SOARec)
Total number of SOA records.

CNAME records (CNRec)
Total number of CNAME records.

Authoritative entries (AthEnt)
Total number of authoritative entries.

Non-authoritative entries (PxyEnt)
Total number of non-authoritative entries.

No A records (NoARec)
Total number of times A record lookup failed.

No NS records (NoNSRec)
Total number of times NS record lookup failed.

No MX records (NoMXRec)
Total number of times MX record lookup failed.

No CNAME records (NoCNRec)
Total number of times CNAME record lookup failed.

Unsupported queries (NotSupQ)
Total number of requests for which query type requested was unsupported.

Response type unsupported (RspNoSup)
Total number of responses for which response type requested was unsupported.

Response class unsupported (RspClsEr)
Total number of responses for which response types were unsupported.

Query class unsupported (QClsEr)
Total number of queries for which query class was unsupported.

Invalid query format (InQFmt)
Total number of queries whose format was invalid.

Invalid response format (InRspFmt)
Total number of responses for which there was a format error.

Stray answers (StryRsp)
Total number of stray answers.

Multi queries (MtQ)
Total number of Multi Query requests received.

Multi queries disabled (MtQErr)
Total number of times a multi query was disabled and received a multi query.

Related Commands

show dns stats

Synopsis
show dns stats - alias for 'stat dns'

Description
show dns stats is an alias for stat dns

Related Commands
stat dns

add dns addRec

Synopsis
add dns addRec <hostname> <IPAddress> ... [-TTL <secs>]

Description
Use this command to add an address record for the specified domain name.

Arguments

hostname
The domain name for which the address record is added.

IPAddress
Use this parameter to specify one or more IP addresses for the domain name.

TTL
Use this parameter to specify the time to live, in seconds.

Example
add dns addrec www.mynw.com 65.200.211.139 -ttl 10

Related Commands
rm dns addRec
show dns addRec

rm dns addRec

Synopsis
rm dns addRec <hostname> [<IPAddress> ...]

Description
This command removes the specified IP address from the address record for the given domain name. If an IP address is not specified, the entire address record for the given domain name is removed.

Arguments

hostname
The host name for which the address record has to be removed.

IPAddress
Use this parameter to specify one or more IP addresses for the address record to be removed. If all address records within a domain are removed, the domain name entry is also removed.

Example
rm dns addrec www.mynw.com

Related Commands
add dns addRec
show dns addRec

show dns addRec

Synopsis
show dns addRec [<hostname> | -type <type>]

Description
Use this command to show the address record for the specified host name. If a host name is not specified, all address records are displayed.

Arguments

hostname
The domain name for which the address records are to be displayed.

type
Use this parameter to specify the address record type. Type can take 3 values:
ADNS - if this is specified, all the authoritative address records will be displayed
PROXY - if this is specified, all the proxy address records will be displayed
ALL - if this is specified, all the address records will be displayed
Possible values: ALL, ADNS, PROXY

Output

IPAddress

TTL

vServerName

Related Commands
add dns addRec
rm dns addRec

add dns cnameRec

Synopsis
add dns cnameRec <aliasName> <canonicalName> [-TTL <secs>]

Description
Use this command to add the canonical name record

Arguments

aliasName
Alias name for the specified domain.

canonicalName
The domain for which cnamerec is created.

TTL
Use this parameter to specify time to live, in seconds.

Example
add dns cnameRec www.mynw.org www.mynw.com -ttl 20

Related Commands
rm dns cnameRec
show dns cnameRec

rm dns cnameRec

Synopsis
rm dns cnameRec <aliasName>

Description
Use this command to remove the canonical name record.

Arguments

aliasName
The alias name to be removed.

Example
rm dns cnamerec www.mynw.org

Related Commands
add dns cnameRec
show dns cnameRec

show dns cnameRec

Synopsis
show dns cnameRec [<aliasName> | -type <type>]

Description
Use this command to display the cname records. If no alias name is specified, all "cname" records are displayed.

Arguments

aliasName
The alias name. If an alias name is not specified, all "cname" records are displayed.

type
Use this parameter to specify the cname record type. Type can take 3 values:
ADNS - if this is specified all the authoritative cname records will be displayed
PROXY - if this is specified all the proxy cname records will be displayed
ALL - if this is specified all the cname records will be displayed
Possible values: ALL, ADNS, PROXY
Default value: ADNS

Output

canonicalName

TTL

Example
show dns cnameRec www.mynw.org

Related Commands
add dns cnameRec
rm dns cnameRec

add dns mxRec

Synopsis
add dns mxRec <domain> -mx <string> -pref <positive_integer>

Description
Use this command to add the DNS mail exchange (MX) record. The parameters are:

Arguments

domain
The domain for which the MX record is added.

mx
Specifies the MX record name.

pref
The route priority number.
Note: A domain name can have multiple mail routes, each assigned a priority number. The mail route with the lowest number identifies the server responsible for the domain. Other mail servers listed are used as backups.

TTL
Use this parameter to specify the time to live, in seconds.

Related Commands
rm dns mxRec
set dns mxRec
show dns mxRec

rm dns mxRec

Synopsis
rm dns mxRec <domain> <mx>

Description
Use this command to remove the DNS mail exchange record.

Arguments

domain
The domain for the mail exchange record to be removed.

mx
The mail exchange record name.

Related Commands
add dns mxRec
set dns mxRec
show dns mxRec

set dns mxRec

Synopsis
set dns mxRec <domain> -mx <string> [-pref <positive_integer>] [-TTL <secs>]

Description
Use this command to set the DNS MX (mail exchange) record parameters.

Arguments

domain
The domain to be associated with the MX record.

mx
The name of the MX record.

pref
The priority number of the domain's mail route. Since one domain name can have multiple mail routes, you must specify a priority number for each of the domain's routes. The mail route with the lowest number identifies the server responsible for the domain. Other mail servers listed are used as backups.

TTL
Use this parameter to specify the time to live, in seconds.

Related Commands
add dns mxRec
rm dns mxRec
show dns mxRec

show dns mxRec

Synopsis
show dns mxRec [<domain> | -type <type>]

Description
Use this command to show the mail exchange (MX) record for the specified domain. If a domain name is not specified, all mail exchange records are displayed.

Arguments

domain
The domain name for which the MX record will be displayed.

type
Use this parameter to specify the MX record type. Type can take 3 values:
ADNS - if this is specified all the authoritative MX records will be displayed
PROXY - if this is specified all the proxy MX records will be displayed
ALL - if this is specified all the MX records will be displayed
Possible values: ALL, ADNS, PROXY
Default value: ADNS

Output

domain

mx

pref

TTL

Related Commands
add dns mxRec
rm dns mxRec
set dns mxRec

add dns nsRec

Synopsis
add dns nsRec <domain> <nameServer> [-TTL <secs>]

Description
Use this command to add the Name Server record for a given domain name.

Arguments

domain
The domain name for which Name Server record is added.

nameServer
The nameserver for the domain.

TTL
Use this parameter to specify the time to live, in seconds.

Related Commands
rm dns nsRec
show dns nsRec

rm dns nsRec

Synopsis
rm dns nsRec <domain> <nameServer>

Description
Use this command to remove the Name Server record for the given domain.

Arguments

domain
The domain name for which the Name Server record is to be removed.

nameServer
The nameserver for the domain to be removed.

Related Commands
add dns nsRec
show dns nsRec

show dns nsRec

Synopsis
show dns nsRec [<domain> | -type <type>]

Description
Use this command to display the name server record for this domain. If no domain name is specified, all the name server records are displayed.

Arguments

domain
The domain name for the name server record.

type
Use this parameter to specify the Name Server record type. Type can take 3 values:
ADNS - if this is specified all the authoritative Name Server records will be displayed
PROXY - if this is specified all the proxy Name Server records will be displayed
ALL - if this is specified all the Name Server records will be displayed
Possible values: ALL, ADNS, PROXY

Output

domain

nameServer

TTL

Related Commands
add dns nsRec
rm dns nsRec

set dns parameter

Synopsis
set dns parameter [-retries <positive_integer>] [-minTTL <secs>] [-maxTTL <secs>] [-namelookuppriority ( WINS | DNS )]

Description
This command sets TTL parameters.

Arguments

retries
The DNS resolver request retry count.

minTTL
The minimum time to live value allowed, in seconds. If any DNS entry has a time to live value of less than the minimum time to live value, it is saved as the minimum time to live value.

maxTTL
The maximum time to live value allowed, in seconds. If the DNS entry has a time to live value of more than the maximum time to live value, it is saved as the maximum time to live value.

namelookuppriority
The name lookup priority as DNS or WINS.
Possible values: WINS, DNS
Default value: WINS

Related Commands
show dns parameter

show dns parameter

Synopsis
show dns parameter

Description
Use this command to display the following values:
DNS Retries - The DNS resolver request timeout.
minTTL - The minimum time to live value allowed. If any DNS entry has a time to live value less than the minimum time to live, it is saved as minimum time to live.
maxTTL - The maximum time to live value allowed. If any DNS entry has a time to live value less than the maximum time to live, it is saved as maximum time to live.

Arguments

Output

retries

minTTL

maxTTL

namelookuppriority

Related Commands
set dns parameter

add dns soaRec

Synopsis
add dns soaRec <domain> -originServer <string> -contact <string> -serial <positive_integer> -refresh <secs> -retry <secs> -expire <secs> -minimum <secs> -TTL <secs>

Description
Use this command to add the Start of Authority (SOA) record.

Arguments

domain
The domain name for which the SOA record is added.

originServer
The name of origin server for the given domain.

contact
The contact person for this ADNS, typically this is an email address in which the at sign (@) has been replaced by a period (.).

serial
This parameter is used by the secondary server to determine if it requires a zone transfer from the primary server. If the secondary's number is lower than the primary's number, then the secondary server knows that its records are out of date. This is not used by a primary server.

refresh
Use this parameter to determine the number of seconds between a successful check on the serial number on the zone of the primary, and the next attempt. This is usually 2 - 24 hours. This is not used by a primary server.

retry
If a refresh attempt fails, a server retries after the specified number of seconds. This is not used by a primary server.

expire
Measured in seconds. If the refresh and retry attempts fail after that many seconds the server will stop serving the zone. The typical value is 1 week. Not used by a primary server.

minimum
The default TTL for every record in the zone. Can be overridden for any particular record. Typical values range from eight hours to four days. When changes are being made to a zone, often set at ten minutes or less.

TTL
The time to live, in seconds.

Related Commands
set dns soaRec
rm dns soaRec
show dns soaRec

set dns soaRec

Synopsis
set dns soaRec <domain> [-originServer <string>] [-contact <string>] [-serial <positive_integer>] [-refresh <secs>] [-retry <secs>] [-expire <secs>] [-minimum <secs>] [-TTL <secs>]

Description
Use this command to set the DNS Start Of Authority (SOA) record attributes.

Arguments

domain
The domain name for which the SOA record attributes are set.

originServer
The origin server name for the given domain.

contact
The contact person for this ADNS. Typically it is the email address of which the at (@) sign is replaced with a period (.).

serial
This is used by a secondary server to determine if it requires a zone transfer from the primary server. If the secondary's number is lower than the primary's number, then the secondary server determines that its records are out of date. Not used by a primary server.

refresh
Refresh determines the number of seconds between a successful check on the serial number on the zone of the primary, and the next attempt (usually 2 - 24 hours). Not used by a primary server.

retry
If a refresh attempt fails, a server will retry after this many seconds. Not used by a primary server.

expire
Measured in seconds. If the refresh and retry attempts fail after that many seconds the server will stop serving the zone. The typical value is 1 week. Not used by a primary server.

minimum
The default TTL for every record in the zone. Can be overridden for any particular record. Typical values range from eight hours to four days. When changes are being made to a zone, often set at ten minutes or less.

TTL
The time to live, measured in seconds.

Related Commands
add dns soaRec
rm dns soaRec
show dns soaRec

rm dns soaRec

Synopsis
rm dns soaRec <domain>

Description
Use this command to remove the Start of Authority (SOA) record for a given domain name.

Arguments

domain
The domain name for the SOA record to be removed.

Related Commands
add dns soaRec
set dns soaRec
show dns soaRec

show dns soaRec

Synopsis
show dns soaRec [<domain> | -type <type>]

Description
Use this command to show the specified Start of Authority record. If the domain name is not specified, all the SOA records are displayed.

Arguments

domain
The domain name for which the SOA record will be displayed.

type
Use this parameter to specify the SOA record type. Type can take 3 values:
ADNS - if this is specified all the authoritative SOA records will be displayed
PROXY - if this is specified all the proxy SOA records will be displayed
ALL - if this is specified all the SOA records will be displayed
Possible values: ALL, ADNS, PROXY

Output

domain

originServer

contact

serial

refresh

retry

expire

minimum

TTL

Related Commands
add dns soaRec
set dns soaRec
rm dns soaRec

add dns suffix

Synopsis
add dns suffix <dnsSuffix>

Description
Use this command to append suffixes while resolving the domain names.

Arguments

dnsSuffix
Suffix to be appended while resolving the domain name.

Example
add dns suffix netscaler.com
If the incoming domain name "engineering" is not resolved by itself, then NetScaler will append the suffix netscaler.com and attempt to resolve the name engineering.netscaler.com

Related Commands
rm dns suffix
show dns suffix

rm dns suffix

Synopsis
rm dns suffix <dnsSuffix>

Description
Use this command to remove the DNS suffixes configured in NetScaler system

Arguments

dnsSuffix
Suffix name to be removed.

Related Commands
add dns suffix
show dns suffix

show dns suffix

Synopsis
show dns suffix

Description
Use this command to show all the configured DNS suffixes.

Output

dnsSuffix

Related Commands
add dns suffix
rm dns suffix

add dns nameserver

Synopsis
add dns nameserver (<dnsVserverName> | <IP>)

Description
Use this command to add a name server in the NetScaler system. Two types of name servers can be added:
1. IP address based name server. In this case, the user has to specify the IP address of the name server to be contacted.
2. Vserver based name server. In this case, the user has to specify the name of the DNS vserver configured in the NetScaler system.

Arguments

dnsVserverName
The name of the DNS vserver

IP
The IP address of the name server.

Example
Adding an IP based nameserver IP: add nameserver 10.102.4.1
Adding a vserver based name server: add nameserver dns_vsvr
where dns_vsvr is the name of a DNS vserver created in the NetScaler system

Related Commands
rm dns nameserver
show dns nameserver

rm dns nameserver

Synopsis
rm dns nameserver (<dnsVserverName> | <IP>)

Description
Use this command to remove the NameServer.

Arguments

dnsVserverName
The name of the dns vserver.

IP
The IP address of the name server.

Example
Deleting an IP based nameserver: rm nameserver 10.102.4.1
Deleting a vserver based nameserver: rm nameserver dns_vsvr

Related Commands
add dns nameserver
show dns nameserver

show dns nameserver

Synopsis
show dns nameserver [<dnsVserverName> | <IP>]

Description
Use this command to display the name servers configured in Netscaler System and state of the nameservers.

Arguments

dnsVserverName
The name of the dns vserver

IP
The IP address of the name server to be displayed.

Output

serviceName
Specifies the name of the dns vserver

IPAddress
ip address of the service

port
port of the service

state

Related Commands
add dns nameserver
rm dns nameserver

flush dns proxyRecords

Synopsis
flush dns proxyRecords

Description
Use this command to flush all the DNS proxy records.

Related Commands

DoS Commands

This chapter covers the DoS commands.

add dos policy

Synopsis
add dos policy <name> -qDepth <positive_integer>

Description
Use this command to add a DoS protection policy to the NetScaler 9000 system.

Arguments

name
The name of the DoS protection policy to be added to a NetScaler 9000 system.

qDepth
The queue size (the number of outstanding service requests on the NetScaler 9000 system) that must be reached before DoS protection is activated on the service to which the DoS protection policy is bound. The minimum value you can specify is 21.
Note: For the DoS protection to be applied on a service, it must have a DoS policy bound to it. This is done with the bind service CLI command.

cltDetectRate
The client detect rate is the percentage of traffic to apply the DOS policy. The value can vary from 1 to 100.

Example
add dos policy dospol -qdepth 100 -cltDetectRate 90

Related Commands
rm dos policy
set dos policy
show dos policy

rm dos policy

Synopsis
rm dos policy <name>

Description
Use this command to remove the specified DoS protection policy <name>. The DoS protection policy is set in the NetScaler 9000 system using the add dos policy command.

Arguments

name
The name of the DoS protection policy to be removed.

Example
rm dos policy dospol

Related Commands
add dos policy
set dos policy
show dos policy

set dos policy

Synopsis
set dos policy <name> [-qDepth <positive_integer>] [-cltDetectRate <positive_integer>]

Description
Use this command to modify the parameters for the specified DoS protection policy.

Arguments

name
The name of the DoS protection policy to be modified.

qDepth
The queue size (the outstanding requests on this service queued in the NetScaler 9000 system, waiting to be sent to the server) that must be reached before DoS protection is activated on the service. The minimum queue size that you can specify is 21. For DoS protection to be activated on a service, this policy needs to be bound to that service using the bind service CLI command.

cltDetectRate
The client detect rate is the percentage of traffic to apply the DOS policy. The value can vary from 1 to 100.

Example
set dos policy dospol -qdepth 1000

Related Commands
add dos policy
rm dos policy
show dos policy

show dos policy

Synopsis
show dos policy

Description
Use this command to display the configured DoS protection policy.

Arguments

Output

name
The DoS policy that needs to be displayed

qDepth
The queue size (the outstanding requests on this service queued in the NetScaler 9000 system, waiting to be sent to the server) that must be reached before DoS protection is activated on the service. The minimum queue size that you can specify is 21. For DoS protection to be activated on a service, this policy needs to be bound to that service using the bind service CLI command.

cltDetectRate
The client detect rate is the percentage of traffic to apply the DOS policy. The value can vary from 1 to 100.

Example
> show dos policy
1 configured DoS policy:
1) Policy: dospol QDepth: 100 ClientDetectRate: 90
Done

Related Commands
add dos policy
rm dos policy
set dos policy

Filter Commands

This chapter covers the filter commands.

add filter action

Synopsis
add filter action <name> <qual> [<serviceName>] [<value>] [<respcode>] [<page>]

Description
This command creates a content filtering action. The action thus created can be associated with the content filtering policy by using the "add filter policy" command. The two built-in filter actions RESET and DROP are always present on the NetScaler system. Use the RESET filter action to send a TCP reset for the HTTP requests. Use the DROP filter action to drop the HTTP requests silently without sending a TCP FIN for closing the connection.

Arguments

name
The name for the filter action being added. This name may not exceed 31 characters.

qual
The filter action to be performed. The valid values are add, forward, errorcode, reset, and drop.
Possible values: reset, add, corrupt, forward, errorcode, drop

serviceName
The service to which HTTP requests are forwarded. This parameter is required when the qualifier is FORWARD.

value
The string containing the header_name and header_value. When the qualifier is ADD, use this option as header_name:header_value. When the qualifier is Corrupt, use this option to specify only the header_name.

respcode
The response code to be returned for HTTP requests. Use this parameter when the qualifier is ERRORCODE.

page
The HTML page that will be returned for the HTTP requests. Use this parameter when the qualifier is ERRORCODE.

Example
add filter action bad_url_action errorcode 400 "<HTML>Bad URL.</HTML>"
add filter action forw_action FORWARD service1
add filter action add_header_action add "HEADER:value"

Related Commands
rm filter action
show filter action

rm filter action

Synopsis
rm filter action <name>

Description
Use this command to remove a filter action that was created using the "add filter action" command.

Arguments

name
The name of the filter action to be removed.

Example
rm filter action filter_action_name

Related Commands
add filter action
show filter action

show filter action

Synopsis
show filter action

Description
Use this command to display the filter actions defined using the "add filter action" command. The information displayed includes the action name, qualifier, and operands. The filter actions RESET and DROP are always displayed, irrespective of whether an action has been defined. They are built-in actions and cannot be modified.

Arguments

Output

name

qual

serviceName

value

respcode

page

Example
Example 1
The following shows an example of the output of the show filter action command when no filter actions have been defined:
1) Name: RESET Filter Type: reset
2) Name: DROP Filter Type: drop
Done
Example 2
The following command creates a filter action:
add filter action bad_url_action errorcode 400 "<HTML>Bad URL.</HTML>"
The following shows an example of the output of the show filter action command after the previous command has been issued:
Name: bad_url_action Filter Type: errorcode StatusCode: 400 Response Page: <HTML>Bad URL.</HTML>
Done

Related Commands
add filter action
rm filter action

add filter policy

Synopsis
add filter policy <name> -rule <expression>

Description
Use this command to create a content filtering policy.

Arguments

name
The name of the new filter policy.

rule
The expression which sets the condition for application of the policy.

reqAction
The name of the action to be performed on the request. The string value can be a filter action created using the "add filter action" command, or one of the following built-in actions:
RESET - Sends the TCP reset and closes the connection to the peer.
DROP - Silently closes the connection to the peer without sending the TCP FIN.
Note that the request action cannot be specified if the rule has some condition to be evaluated for response.

resAction
The action to be performed on the response. The string value can be a filter action created using the "add filter action" command or a built-in action.

Example
Example 1:
add policy expression e1 "sourceip == 66.33.22.0 -netmask 255.255.255.0"
add policy expression e2 "URL == /admin/account.asp"
add filter policy ip_filter -rule "e1 && e2" -reqAction RESET
After the filter policy has been created, it can be activated by binding it globally:
bind filter global ip_filter
With ip_filter (the name of the filter policy) configured, the NetScaler system sends a TCP reset to all HTTP requests for the /admin/account.asp URL from the 66.33.22.0 Class C network. This action is applied at the HTTP request time.
Example 2: To silently drop (without sending FIN) all the HTTP requests in which the URL has root.exe or cmd.exe, the following filter policy can be configured:
add filter policy nimda_filter -rule "URL contains root.exe || URL contains cmd.exe" -reqAction DROP
bind filter global nimda_filter
Example 3:
add filter policy url_filter -rule "url == /foo/secure.asp && SOURCEIP != 65.186.55.0 -netmask 255.255.255.0 && SOURCEIP != 65.202.35.0 -netmask 255.255.255.0" -reqaction RESET
bind filter global url_filter
With the filter policy named url_filter configured as above, the NetScaler system sends RESET to all HTTP requests for the URL /foo/secure.asp from all networks except the 65.186.55.0 and 65.202.35.0 Class C networks. This action is applied at the HTTP request time.
Note: In the above examples, RESET and DROP are built-in actions in the NetScaler system. The "show filter action" and "show filter policy" CLI commands show the configured filter actions and policies in the NetScaler system respectively. The "show filter global" command shows all the globally active filter policies.

Related Commands
rm filter policy
show filter policy
set filter policy

rm filter policy

Synopsis
rm filter policy <name>

Description
Use this command to remove a filter policy.

Arguments

name
The filter policy to be removed.

Example
rm filter policy filter_policy_name
The "show filter policy" command shows all filter policies that are currently defined.

Related Commands
add filter policy
show filter policy
set filter policy

show filter policy

Synopsis
show filter policy [<name>]

Description
Use this command to display the filter policies created using the "add filter policy" command. For each filter policy, the command output shows the filter policy name, associated rule, and request action or response action.

Arguments

name
The name of the filter policy to be displayed.

Output

name

rule

reqAction

resAction

hits

Example
show filter policy
1) Name: nimda_filter Rule: (URL CONTAINS root.exe || URL CONTAINS cmd.exe) Request action: RESET Response action: Hits: 0
2) Name: ip_filter Rule: (src_ips && URL == /admin/account.asp) Request action: RESET Response action: Hits: 0
Done
An individual filter policy can also be viewed by giving the filter policy name as an argument:
show filter policy ip_filter
Name: ip_filter Rule: (src_ips && URL == /admin/account.asp) Request action: RESET Response action: Hits: 0
Done

Related Commands
add filter policy
rm filter policy
set filter policy

set filter policy

Synopsis
set filter policy <name> [-rule <expression>] [-reqAction <string> | -resAction <string>]

Description
Use this command to modify the rule and/or action of an existing filter policy, created using the "add filter policy" command. Use the "show filter policy" command to view all the configured filter policies.

Arguments

name
The name of the filter policy to be modified.

rule
The new expression to associate with the policy.

reqAction
The new request action to be applied by the policy.

resAction
The new response action to be applied by the policy.

Example
Example 1: A filter policy to allow access to the URL /foo/secure.asp only from the 65.186.55.0 network can be created using the following command:
add filter policy url_filter -rule "URL == /foo/secure.asp && SOURCEIP != 65.186.55.0 -netmask 255.255.255.0" -reqAction RESET
This policy is activated using:
bind filter global url_filter
Later, to allow access to this URL from a second network, 65.202.35.0, as well, the filter policy can be changed by issuing the following command:
set filter policy url_filter -rule "URL == /foo/secure.asp && SOURCEIP != 65.186.55.0 -netmask 255.255.255.0 && SOURCEIP != 65.202.35.0 -netmask 255.255.255.0"
The changed filter policy can be viewed by using the following command:
show filter policy url_filter
Name: url_filter Rule: (URL == /foo/secure.asp && (SOURCEIP != 65.186.55.0 -netmask 255.255.255.0 && SOURCEIP != 65.202.35.0 -netmask 255.255.255.0)) Request action: RESET Response action: Hits: 0
Done

Related Commands
add filter policy
rm filter policy
show filter policy
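
The allow-list logic of the url_filter examples under add filter policy and set filter policy, as an added Python model (not NetScaler code and not part of the original guide). It renders the -rule string in the syntax the examples use and evaluates it against constructed sample requests, including the variant in which the SOURCEIP tests are joined with || instead of &&. Exact string comparison for URL ==, the function names and the PASS label for unmatched requests are assumptions of the model.

```python
import ipaddress

# Values taken from the guide's url_filter examples.
PROTECTED_URL = "/foo/secure.asp"
ALLOWED = [("65.186.55.0", "255.255.255.0"), ("65.202.35.0", "255.255.255.0")]


def render_rule(url, allowed):
    """Build the -rule string in the syntax the guide's examples use."""
    terms = [f"SOURCEIP != {net} -netmask {mask}" for net, mask in allowed]
    return " && ".join([f"URL == {url}"] + terms)


def outside(src, net, mask):
    """Model of `SOURCEIP != <net> -netmask <mask>`: src is not in the network."""
    network = ipaddress.ip_network(f"{net}/{mask}")
    return ipaddress.ip_address(src) not in network


def request_action(url, src, allowed, joiner="&&", protected=PROTECTED_URL):
    """Return the modelled request action for one HTTP request.

    joiner="&&" is the guide's rule: the request is RESET only when the
    source lies outside every allowed network. joiner="||" models the
    SOURCEIP tests joined with OR, grouped as URL && (A || B).
    PASS (an assumed label) means the rule did not match.
    """
    tests = [outside(src, net, mask) for net, mask in allowed]
    blocked_source = all(tests) if joiner == "&&" else any(tests)
    return "RESET" if url == protected and blocked_source else "PASS"


# Constructed sample requests: (URL, source IP).
SAMPLE_REQUESTS = [
    ("/foo/secure.asp", "65.186.55.17"),   # first allowed network
    ("/foo/secure.asp", "65.202.35.200"),  # second allowed network
    ("/foo/secure.asp", "65.186.56.17"),   # adjacent /24, not allowed
    ("/foo/secure.asp", "203.0.113.9"),    # unrelated source
    ("/index.html", "203.0.113.9"),        # URL not covered by the rule
]


def audit(allowed, joiner="&&"):
    """Map each constructed sample request to its modelled action."""
    return {
        (url, src): request_action(url, src, allowed, joiner)
        for url, src in SAMPLE_REQUESTS
    }


if __name__ == "__main__":
    print(render_rule(PROTECTED_URL, ALLOWED))
    for joiner in ("&&", "||"):
        print(f"SOURCEIP tests joined with {joiner}:")
        for (url, src), act in audit(ALLOWED, joiner).items():
            print(f"  {src:<15} {url:<16} {act}")
```

With a single allowed network the two joiners behave identically, so the difference only appears once the second network is added: joined with ||, every source is outside at least one of the two networks and all requests for the protected URL are reset.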

bind filter global

Synopsis
bind filter global (<policyName> [-priority <positive_integer>]) [-state ( ENABLED | DISABLED )]

Description
Use this command to activate the filter policy globally. The filter policies are created using the "add filter policy" command. The command "show filter policy" shows all the existing filter policies and the command "show filter global" shows all the globally active filter policies. Note that the content filtering license is required for filtering. Use the "enable ns feature cf" command to activate the feature.

Arguments

policyName
The name of the filter policy to be bound.

state
Sets the state of the binding.
Possible values: ENABLED, DISABLED
Default value: ENABLED

Example
To send RESET for all HTTP requests that are not of the GET or HEAD type, the following filter policy can be created:
add filter policy reset_invalid_req -rule "METHOD != GET && METHOD != HEAD" -reqAction RESET
This filter policy can be activated globally for the NetScaler system with the command:
bind filter global reset_invalid_req
Globally active filter policies can be seen using the command:
show filter global
1) Policy Name: reset_invalid_req Priority: 0
Done

Related Commands
unbind filter global
show filter global

unbind filter global

Synopsis
unbind filter global <policyName>

Description
Use this command to deactivate a filter policy globally. Use the "show filter global" command to see all the globally active filter policies.

Arguments

policyName
The name of the filter policy to be unbound.

Example
Globally active filter policies can be seen using the command:
show filter global
1) Policy Name: reset_invalid_req Priority: 0
Done
This globally active filter policy can be deactivated on the NetScaler system with the command:
unbind filter global reset_invalid_req

Related Commands
bind filter global
show filter global

show filter global

Synopsis
show filter global

Description
Use this command to display the globally active filter policies that have been activated using the "bind filter global" command.

Arguments

Output

policyName

priority

state
The state of the binding.

Example
show filter global
1) Policy Name: url_filter Priority: 0
2) Policy Name: reset_invalid_req Priority: 0
Done

Related Commands
bind filter global
unbind filter global

GSLB Commands

This chapter covers the GSLB commands.

add gslb site

Synopsis
add gslb site <siteName> <siteType> <siteIPAddress> [-publicIP <ip_addr>]

Description
Use this command to add a site entity participating in GSLB in the NetScaler 9000 system.

Arguments

siteName
The name of the site that is participating in the GSLB.

siteType
Use this parameter to specify whether the site is LOCAL or REMOTE.
Possible values: REMOTE, LOCAL

siteIPAddress
The IP address of the site. This IP address will be a NetScaler-owned IP address. A SNIP or MIP can be used as the site IP address.

publicIP
The public IP. This parameter can be specified only for a LOCAL site. This parameter is required only if the local NetScaler is in a private address space and has a public IP hosted on an external FW or NAT device.

metricExchange
Use this parameter to specify whether MEP should be enabled or disabled. When metric exchange is DISABLED, the site does not exchange metrics with other sites. When this option is disabled, a simple ROUNDROBIN method will be used for Global Server Load Balancing.
Possible values: ENABLED, DISABLED
Default value: ENABLED

Example
add site new_york LOCAL 192.168.100.12 -publicIP 65.200.211.139

Related Commands
set gslb site
rm gslb site
show gslb site

set gslb site

Synopsis
set gslb site <siteName> [-metricExchange ( ENABLED | DISABLED )]

Description
Use this command to enable or disable the metric exchange between sites.

Arguments

siteName
The name of the site to be modified.

metricExchange
Use this parameter to specify whether the metric exchange for the site is enabled or disabled. If metric exchange is disabled, a simple ROUNDROBIN method is used to perform Global Server Load Balancing.
Possible values: ENABLED, DISABLED

Example
set gslb site new_york -metricExchange DISABLED

Related Commands
add gslb site
rm gslb site
show gslb site

rm gslb site

Synopsis
rm gslb site <siteName>

Description
Use this command to remove the site entity configured in the NetScaler 9000 system.

Arguments

siteName
The name of the site entity to be removed. When the site is removed, all the services created under that site will be removed.

Example
rm gslb site new_york

Related Commands
add gslb site
set gslb site
show gslb site

show gslb site

Synopsis
show gslb site [<siteName>]

Description
Use this command to display the configured site entities in the NetScaler 9000 system.

Arguments

siteName
The name of the site to be displayed. If siteName is specified, all the services created under that site will be displayed.

Output

siteName

siteType

siteIPAddress

publicIP

metricExchange

serviceName

IPAddress

port

state

status

serviceType

Example
show site new_york

Related Commands
add gslb site
set gslb site
rm gslb site

add gslb service

Synopsis
add gslb service <serviceName> (<serverName> | <IP>) <serviceType> <port> [-siteName <string>] [-state ( ENABLED | DISABLED )]

Description
Use this command to add a GSLB service in the NetScaler 9000 system.

Arguments

serviceName
The name of the service. Enter a maximum of 31 characters.

serverName
The name of the server for which the service will be added.

IP
The IP address of the server for which the service will be added.

serviceType
The type of service that is being added.
Possible values: HTTP, FTP, TCP, UDP, SSL, SSL_BRIDGE, SSL_TCP, NNTP, ANY

port
The port on which the service is running.

publicIP
The IP address on a NAT box in front of the NetScaler 9000 system to which a private IP of the service maps. This is applicable to GSLB local services. This is optional.

publicPort
The port on a NAT box in front of the NetScaler 9000 system to which the private port of the service maps. This is applicable to GSLB local services. This is optional.

maxClient
The maximum number of open connections to the service. This argument is optional.

siteName
The GSLB site name. This parameter is mandatory. This option specifies whether the service is a local GSLB service or a remote GSLB service.

state
Use this parameter to specify whether the service(s) being added will initially be enabled. This parameter is optional. This is not applicable to the local GSLB services.
Possible values: ENABLED, DISABLED
Default value: ENABLED

cip
Use this parameter to enable insertion of the Client IP header for the service. This parameter is used while connection proxy based site persistency is enabled, and it inserts the real client's IP address in the HTTP request.
Possible values: ENABLED, DISABLED
Default value: DISABLED

cipHeader
The client IP header to be used in the HTTP request. If client IP insertion is enabled and the client IP header is not specified, then the value that has been set by the set ns config CLI command will be used as the Client IP header.

sitePersistence
Use this parameter to specify whether cookie based site persistency is enabled or disabled.
Possible values: ConnectionProxy, HTTPRedirect, NONE
Default value: NONE

cookieTimeout
The timeout value in minutes for the cookie when cookie based site persistency is enabled.
Default value: 0

sitePrefix
Specify the siteprefix string. When the service is bound to a GSLB vserver, then for each bound service-domain pair, a GSLB site domain will be generated internally by concatenating the service's siteprefix and the domain's name. If the special string "NONE" is specified, the siteprefix string will be unset.

cltTimeout

svrTimeout

maxBandwidth
A positive integer to identify the maximum bandwidth allowed for the service.

Example
add gslb service sj_svc 203.12.123.12 http 80 -site san_jos

Related Commands
set gslb service
rm gslb service
show gslb service

set gslb service

Synopsis
set gslb service <serviceName> [-publicIP <ip_addr>] [-publicPort <port>] [-cip ( ENABLED | DISABLED ) [<cipHeader>]] [-sitePersistence <sitePersistence>] [-sitePrefix <string>] [-maxClient <positive_integer>] [-maxBandwidth <positive_integer>]

Description
Use this command to set parameters in the GSLB service.

Arguments

serviceName
The name of the service for which the attributes need to be changed.

publicIP
The IP address on a NAT box in front of the NetScaler 9000 system to which a private IP service maps. This is optional. It is only valid for a LOCAL GSLB service.

publicPort
The port on a NAT box in front of the NetScaler 9000 system to which the private port of the service maps. This is optional. It is only valid for a local service.

cip
Use this parameter to enable insertion of the Client IP header for the service. This option is used while connection proxy based site persistency is enabled.
Possible values: ENABLED, DISABLED

cipHeader
The client IP header to be used in the HTTP request. If client IP insertion is enabled and the client IP header is not specified, then the value that has been set by the set ns config CLI command will be used as the Client IP header.

sitePersistence
Use this parameter to specify whether cookie based site persistency is enabled or disabled.
Possible values: ConnectionProxy, HTTPRedirect, NONE

sitePrefix
Specify the siteprefix string. When the service is bound to a GSLB vserver, then for each bound service-domain pair, a GSLB site domain will be generated internally by concatenating the service's siteprefix and the domain's name. If the special string "NONE" is specified, the siteprefix string will be unset.

maxClient
The maximum number of open connections to the service. This argument is optional.

maxBandwidth
A positive integer to identify the maximum bandwidth allowed for the service.

Example
set gslb service sj_svc -sitePersistence ConnectionProxy

Related Commands
add gslb service
rm gslb service
show gslb service

rm gslb service

Synopsis
rm gslb service <serviceName>

Description
Use this command to remove a GSLB service configured in the NetScaler 9000 system.

Arguments

serviceName
The name of the service entity to be removed.

Example
rm gslb service sj_svc

Related Commands
add gslb service
set gslb service
show gslb service

show gslb service

Synopsis
show gslb service [<serviceName>]

Description
Use this command to display the GSLB services configured in the NetScaler 9000 system.

Arguments

serviceName
The name of the GSLB service to be displayed.

Output

serviceName

IPAddress

serviceType

port

publicIP

publicPort

maxClient

siteName

svrState

state

monitorName

monState

cip

cipHeader

sitePersistence

sitePrefix

cltTimeout

svrTimeout

preferredlocation

maxBandwidth

Example
show gslb service sj_svc

Related Commands
add gslb service
set gslb service
rm gslb service

add gslb vserver

Synopsis
add gslb vserver <vServerName> <serviceType> [-state ( ENABLED | DISABLED )]

Description
Use this command to add a GSLB vserver in the NetScaler 9000 system.

Arguments

vServerName
The virtual server name, which can be a maximum of 31 characters.

serviceType
The service type of the virtual server.
Possible values: HTTP, FTP, TCP, UDP, SSL, SSL_BRIDGE, SSL_TCP, NNTP, ANY

lbmethod
The load balancing method for the virtual server. The valid options for this parameter are: ROUNDROBIN, LEASTCONNECTION, LEASTRESPONSETIME, SOURCEIPHASH, LEASTBANDWIDTH, LEASTPACKETS, STATICPROXIMITY, RTT
Possible values: ROUNDROBIN, LEASTCONNECTION, LEASTRESPONSETIME, SOURCEIPHASH, LEASTBANDWIDTH, LEASTPACKETS, STATICPROXIMITY, RTT
Default value: LEASTCONNECTION

netmask
The netmask to be used in the SOURCEIPHASH policy. The default is 255.255.255.255.
Default value: 255.255.255.255

tolerance
The site selection tolerance is the maximum deviation (in milliseconds) in the RTT value that the NetScaler system can tolerate while deciding the best site for a domain. This value enables the NetScaler system to implement the Round Robin method of GSLB between sites that have RTT values within this permissible limit. The tolerance value is required only if the LB method is RTT. The default tolerance value is 0.

persistenceType
The persistence type for the virtual server. This has 2 options: SOURCEIP and NONE.
Possible values: SOURCEIP, NONE
Default value: NONE

persistenceId
The persistence ID. This parameter is a positive integer which is used to identify the GSLB VIP on all sites. This is a required argument if SOURCEIP based persistency is enabled.

persistmask
The netmask to be used while SOURCEIP based persistency is ENABLED. This is an optional argument.
Default value: 255.255.255.255

timeout
The idle timeout in minutes for the persistence entries.
Default value: 2

EDR
Use this parameter to specify whether NetScaler will send an empty DNS response when all the sites participating in GSLB are down.
Possible values: ENABLED, DISABLED
Default value: DISABLED

MIR
Use this parameter to specify whether NetScaler can send multiple IP addresses in the DNS response or not.
Possible values: ENABLED, DISABLED
Default value: DISABLED

dynamicWeight
Specifies whether to consider the service count, the service weights, or ignore both.
Possible values: SERVICECOUNT, SERVICEWEIGHT, DISABLED
Default value: DISABLED

state
Use this parameter to specify whether the virtual server is enabled or disabled.
Possible values: ENABLED, DISABLED
Default value: ENABLED

Example
add gslb vserver gvip http

Related Commands
set gslb vserver
rm gslb vserver
show gslb vserver
bind gslb vserver
unbind gslb vserver

set gslb vserver

Synopsis
set gslb vserver <vServerName> [-backupVServerName <string>] [-lbmethod <lbmethod>] [-netmask <netmask>] [-tolerance <positive_integer>] [-persistenceType ( SOURCEIP | NONE )] [-persistenceId <positive_integer>] [-persistmask <netmask>] [-timeout <mins>] [-EDR ( ENABLED | DISABLED )] [-MIR ( ENABLED | DISABLED )] [-dynamicWeight <dynamicWeight>] [-serviceName <string> -weight <positive_integer>] [-domainName <string> [-TTL <secs>] [-backupIP <ip_addr>] [-cookieDomain <string>] [-cookieTimeout <mins>] [-sitedomainTTL <secs>]]

Description
Use this command to specify different settings on a GSLB vserver.

Arguments

vServerName
The virtual server name for which attributes are set.

backupVServerName

lbmethod
The load balancing method for the virtual server. The valid options for this parameter are: ROUNDROBIN, LEASTCONNECTION, LEASTRESPONSETIME, SOURCEIPHASH, LEASTBANDWIDTH, LEASTPACKETS, STATICPROXIMITY, RTT
Possible values: ROUNDROBIN, LEASTCONNECTION, LEASTRESPONSETIME, SOURCEIPHASH, LEASTBANDWIDTH, LEASTPACKETS, STATICPROXIMITY, RTT

netmask
The netmask to be used in the SOURCEIPHASH policy. The default is 255.255.255.255.

tolerance
The site selection tolerance is the maximum deviation (in milliseconds) in the RTT value that the NetScaler system can tolerate while deciding the best site for a domain. This value enables the NetScaler system to implement the Round Robin method of GSLB between sites that have RTT values within this permissible limit. The tolerance value is required only if the LB method is RTT. The default tolerance value is 0.

persistenceType
The persistence type for the virtual server. This has 2 options: SOURCEIP and NONE.
Possible values: SOURCEIP, NONE

persistenceId
The persistence ID. This parameter is a positive integer which is used to identify the GSLB VIP on all sites.

persistmask
The netmask to be used while SOURCEIP based persistency is ENABLED. This is an optional argument. The default is 255.255.255.255.

timeout
The idle timeout in minutes for the persistence entries.

EDR
Use this parameter to specify whether NetScaler will send an empty DNS response when all the sites participating in GSLB are down.
Possible values: ENABLED, DISABLED

MIR
Use this parameter to specify whether NetScaler can send multiple IP addresses in the DNS response or not.
Possible values: ENABLED, DISABLED

dynamicWeight
Specifies whether to consider the service count, the service weights, or ignore both.
Possible values: SERVICECOUNT, SERVICEWEIGHT, DISABLED
Default value: DISABLED

serviceName
Use this parameter to specify the service for which the weight needs to be changed.

domainName
Use this parameter to specify the name of the domain for which TTL and/or backupIP needs to be changed.

Example
set gslb vserver gvip -persistenceType SOURCEIP

Related Commands
add gslb vserver
rm gslb vserver
show gslb vserver
bind gslb vserver
unbind gslb vserver

rm gslb vserver

Synopsis
rm gslb vserver <vServerName>

Description
Use this command to remove a GSLB vserver configured in the NetScaler 9000 system.

Arguments

vServerName
The name of the GSLB virtual server to be removed.

Example
rm gslb vserver gvip

Related Commands
add gslb vserver
set gslb vserver
show gslb vserver
bind gslb vserver
unbind gslb vserver

enable gslb vserver

Synopsis
enable gslb vserver <name>@

Description
Use this command to enable a virtual server. Note: Virtual servers, when added, are enabled by default.

Arguments

name
The name of the virtual server to be enabled.

Example
enable vserver lb_vip

Related Commands
disable gslb vserver

disable gslb vserver

Synopsis
disable gslb vserver <name>@

Description
Use this command to disable a virtual server (take it out of service).

Arguments

name
The name of the virtual server to be disabled.
Notes:
1. The NetScaler 9000 system still responds to ARP and/or ping requests for the IP address of this virtual server.
2. As the virtual server is still configured in the NetScaler 9000 system, you can enable the virtual server using the enable vserver CLI command.

Example
disable vserver lb_vip

Related Commands
enable gslb vserver

show gslb vserver

Synopsis
show gslb vserver [<vServerName>]

Description
Use this command to display the GSLB virtual server attributes.

Arguments

vServerName
The name of the GSLB virtual server to be displayed.

Output

vServerName

serviceType

persistenceType

persistenceId

lbmethod

tolerance

timeout

state

netmask

persistmask

serviceName

weight

domainName

TTL

backupIP

cookieDomain

cookieTimeout

sitedomainTTL

IPAddress

port

status

preferredlocation

backupVServerName

EDR

MIR

dynamicWeight
Specifies whether to consider the service count, the service weights, or ignore both.

cumulativeWeight
NSA_DYNAMIC_CONF_WT * NSA_WEIGHT

dynamicConfWt
The weight obtained by virtue of the bound service count or weight.

Example
show gslb vserver gvip

Related Commands
add gslb vserver
set gslb vserver
rm gslb vserver
bind gslb vserver
unbind gslb vserver

bind gslb vserver

Synopsis
bind gslb vserver <vServerName> [(-serviceName <string> [-weight <positive_integer>]) | (-domainName <string> [-TTL <secs>] [-backupIP <ip_addr>] [-cookieDomain <string>] [-cookieTimeout <mins>] [-sitedomainTTL <secs>])]

Description
Use this command to bind a domain or service to a GSLB vserver.

Arguments

vServerName
The vserver for which the binding operation is to be done.

serviceName
The name of the service to be bound to the GSLB vserver.

domainName
The domain to be bound to this vserver.

Example
bind gslb vserver gvip -domainName www.mynw.com

Related Commands
add gslb vserver
set gslb vserver
rm gslb vserver
show gslb vserver
unbind gslb vserver

unbind gslb vserver

Synopsis
unbind gslb vserver <vServerName> [-serviceName <string> | (-domainName <string> [-backupIP] [-cookieDomain])]

Description
Use this command to unbind the domain or service from the GSLB vserver.

Arguments

vServerName
The vserver for which the unbinding operation is to be performed.

serviceName
The service to be unbound from the GSLB vserver.

domainName
The domain to be unbound from this vserver.

Example
unbind gslb vserver gvip -domainName www.mynw.com

Related Commands
add gslb vserver
set gslb vserver
rm gslb vserver
show gslb vserver
bind gslb vserver

set gslb parameter

Synopsis
set gslb parameter [-ldnsEntryTimeout <positive_integer>] [-RTTtolerance <positive_integer>] [-ldnsMask <netmask>]

Description
Use this command to set different GSLB parameters.

Arguments

ldnsEntryTimeout
The idle timeout, in seconds, of the learnt LDNS entry. If no new DNS request is made within this interval, the LDNS entry is aged out. The minimum value is 30 seconds.

jitter
The RTT tolerance in milliseconds. When the RTT is calculated for an LDNS entry and the difference between the old RTT and the newly computed one is less than or equal to the RTT tolerance value, the network metric table is not updated with the new value for this LDNS entry. This prevents an exchange of metrics when there is only a small variation in RTT. The value should be between 1 and 100.

ldnsMask
The netmask specified here is used to store the LDNS IP addresses in the hash table; these are used in dynamic proximity-based GSLB.

Example
set gslb parameter -ldnsMask 255.255.0.0

Related Commands
show gslb parameter

show gslb parameter

Synopsis
show gslb parameter

Description
Use this command to display the GSLB parameters.

Arguments

Output

flags

ldnsEntryTimeout

jitter

ldnsMask

Example
show gslb parameter

Related Commands
set gslb parameter

add gslb policy

Synopsis
add gslb policy <name> -reqRule <expression> -action <string>

Description
Use this command to add a GSLB policy.

Arguments

name
The name of the GSLB policy.

reqRule
The expression rule.

action
The GSLB action to be used when the reqRule is matched.

Example
add gslb policy gslb_redirect -reqRule client_Japan -action pref_site

Related Commands
rm gslb policy
set gslb policy
show gslb policy

rm gslb policy

Synopsis
rm gslb policy <name>

Description
Use this command to remove the GSLB policy configured in the NetScaler system.

Arguments

name
The name of the policy to be removed.

Example
rm gslb policy gslb_redirect

Related Commands
add gslb policy
set gslb policy
show gslb policy

set gslb policy

Synopsis
set gslb policy <name> -action <string>

Description
Use this command to change the action for the given GSLB policy.

Arguments

name
The name of the policy for which the action is to be changed.

action
The action to be taken for the given GSLB policy.

Example
set gslb policy gslb_redirect -action redirect_asia

Related Commands
add gslb policy
rm gslb policy
show gslb policy

show gslb policy

Synopsis
show gslb policy [<name>]

Description
Use this command to display the configured GSLB policy.

Arguments

name
The name of the GSLB policy to be displayed.

Output

name

reqRule

action

hits

Example
show gslb policy

Related Commands
add gslb policy
rm gslb policy
set gslb policy

add gslb action

Synopsis
add gslb action <name> -preferredlocation <string>

Description
Use this command to add a GSLB action for use in a GSLB policy.

Arguments

name
The name of the GSLB action.

preferredlocation
The target site to be returned in the DNS response when a policy is successfully evaluated against the incoming DNS request. The target site is specified in dotted notation with up to 6 qualifiers. The wildcard '*' is accepted as a valid qualifier token. The maximum length allowed for the -preferredlocation string is 197 bytes.

Example
add gslb action pref_site -preferredlocation NorthAmerica.US.*.*.*.*

Related Commands
rm gslb action
set gslb action
show gslb action

rm gslb action

Synopsis
rm gslb action <name>

Description
Use this command to remove the GSLB action configured in the NetScaler system.

Arguments

name
The name of the action to be removed.

Example
rm gslb action redirect_asia

Related Commands
add gslb action
set gslb action
show gslb action

set gslb action

Synopsis
set gslb action <name> -preferredlocation <string>

Description
Use this command to change the preferredlocation of the given GSLB action.

Arguments

name
The name of the GSLB action.

preferredlocation
The target site to be returned in the DNS response when a policy is successfully evaluated against the incoming DNS request. The target site is specified in dotted notation with up to 6 qualifiers. The wildcard '*' is accepted as a valid qualifier token. The maximum length allowed for the -preferredlocation string is 197 bytes.

Example
set gslb action pref_site -preferredlocation NorthAmerica.US.*.*.*.*

Related Commands
add gslb action
rm gslb action
show gslb action

show gslb action

Synopsis
show gslb action [<name>]

Description
Use this command to display the configured GSLB actions.

Arguments

name
The name of the action to be displayed.

Output

name

preferredlocation

Example
show gslb action

Related Commands
add gslb action
rm gslb action
set gslb action

Load Balancing Commands

This chapter covers the load balancing commands.

bind lb group

Synopsis
bind lb group <name>@ <vServerName>@ ...

Description
Use this command to create a group of virtual servers in the NetScaler 9000 system. This group supports server persistence. Only address-based (not content-based) virtual servers can be added to a group. Each virtual server can be assigned to only one group. When moving a virtual server from one group to another, the virtual server must first be removed from the original group with the unbind lb group command.

Arguments

name
The name of the group. A maximum of 31 characters can be used to specify a new name for a group of virtual servers that you are creating (or to specify an existing group name if you are adding the virtual server to an existing group of virtual servers).

vServerName
The name of the virtual server that will belong to the named group.

Example
bind lb group webgrp http_vip

Related Commands
show lb group
set lb group
unbind lb group

show lb group

Synopsis
show lb group [<groupName>]

Description
Use this command to display the names of the virtual servers associated with the specified group. The virtual servers were created using the add vserver CLI command.

Arguments

groupName
The name of the group to be displayed.

Output

name

vServerName

persistenceType

persistenceBackup

persistmask

cookieDomain

timeout

Example
show lb group webgrp

Related Commands
add vserver
bind lb group
set lb group
unbind lb group

set lb group

Synopsis
set lb group <name>@ [-persistenceType <persistenceType>] [-persistenceBackup ( SOURCEIP | NONE )] [-persistmask <netmask>] [-cookieDomain <string>] [-timeout <mins>]

Description
Use this command to set the persistence for the group (used in the NetScaler 9000 system's load balancing feature). Persistence is set for the connections between a client and a server that is being load balanced by the NetScaler 9000 system. The client will be directed to the same server until the client's transactions have completed (or until the time period that you have specified has passed). Before using this command, the group must be created. The group is created implicitly when binding a load balancing virtual server to a group using the bind lb group CLI command. Similarly, a group is removed when the last load balancing virtual server is unbound from it using the unbind lb group CLI command.

Arguments

name
The name of the group for which the persistence type needs to be set.

persistenceType
The type of persistence to be set for the group. The valid options are SOURCEIP, COOKIEINSERT or NONE:
SOURCEIP - This option is used to maintain persistency based on the client IP.
COOKIEINSERT - This option is used to maintain persistency based on the cookie in the client request. This cookie is inserted by the NetScaler 9000 system in the first response to the client.
NONE - To disable the persistency.
Possible values: SOURCEIP, COOKIEINSERT, NONE

persistenceBackup
The type of backup persistence to be set for the group. The valid options are SOURCEIP or NONE.
Possible values: SOURCEIP, NONE

persistmask
The netmask to be applied when the persistency type is SOURCEIP.

cookieDomain
The domain attribute of the HTTP cookie.

timeout
Use this parameter to specify the maximum time that persistence is in effect for a specific client. The value ranges from 2 to 1440 minutes.
Default value: 2

Example
set lb group webgrp -persistenceType COOKIEINSERT

Related Commands
bind lb group
show lb group
unbind lb group

unbind lb group

Synopsis
unbind lb group <name> <vServerName>@ ...

Description
Use this command to unbind the virtual server from a group. When the last vserver is unbound, the group is deleted from the NetScaler system.

Arguments

name
The name of the group.

vServerName
The name of the virtual server to be removed from the group. Multiple names can be specified.

Example
unbind lb group webgroup http_vip

Related Commands
bind lb group
show lb group
set lb group

add lb vserver

Synopsis
add lb vserver <vServerName>@ <serviceType> [<IPAddress>@ <port> [-range <positive_integer>]] [-state ( ENABLED | DISABLED )]

Description
Use this command to add a load balancing virtual server.

Arguments

vServerName
The name of the load balancing virtual server being added. The virtual server name can be up to 31 characters long.

serviceType
The service type. Valid service types are: HTTP, FTP, TCP, UDP, SSL, SSL_BRIDGE, SSL_TCP, NNTP, DNS and ANY.
Possible values: HTTP, FTP, TCP, UDP, SSL, SSL_BRIDGE, SSL_TCP, NNTP, DNS, DHCPRA, ANY

IPAddress
The IP address of the virtual server.

persistenceType
Use this parameter to specify a persistence type for the virtual server. Note: The <persistenceType> parameter can take one of the following options:
SOURCEIP - When configured, the NetScaler 9000 system selects a physical service based on the Load Balancing method, and then directs all the subsequent requests arriving from the same IP as the first request to the same physical service.
COOKIEINSERT - When configured, the NetScaler 9000 system inserts an HTTP cookie into the client responses. The cookie is inserted into the "Cookie" header field of the HTTP response. The client stores the cookie (if enabled) and includes it in all the subsequent requests, which then match the cookie criteria. The cookie contains information about the service where the requests have to be sent.
SSLSESSION ID - When configured, the NetScaler 9000 system creates persistence sessions based on the arriving SSL session ID, which is part of the SSL handshake process. All requests with the same SSL session ID are directed to the initially selected physical service.
CUSTOM SERVER ID - This mode of persistence requires the server to provide its Server-ID in such a way that it can be extracted from subsequent requests. The NetScaler 9000 system extracts the Server-ID from subsequent client requests and uses it to select a server. The server embeds the Server-ID into the URL query of the HTML links, accessible from the initial page that has to generate persistent HTTP requests.
RULE - When configured, the NetScaler 9000 system maintains persistence based on the contents of the matched rule. This persistence requires an expression to be configured. The expression is created using the add expression CLI command and is configured on a virtual server, using the -rule option of the add lb vserver or set lb vserver CLI command. After successful evaluation of the expression, a persistence session is created and all subsequent matching client requests are directed to the previously selected server.
URLPASSIVE - This mode of persistence requires the server to provide its Server-ID in such a way that it can be extracted from subsequent requests. The NetScaler 9000 system extracts the Server-ID from subsequent client requests and uses it to select a server. The servers which require persistence embed the Server-ID into the URL query of the HTML links, accessible from the initial page. The Server-ID is its IP address and port specified as a hexadecimal number. The URL Passive persistence type requires an expression to be configured that specifies the location of the Server-ID in the client's requests. The expression is created using the CLI command add expression. This expression is configured on a virtual server, using the -rule option of the add lb vserver or set lb vserver CLI command.
DESTIP - When configured, the NetScaler 9000 system selects a physical service based on the Load Balancing method, and then directs all the subsequent requests with the same destination as the first packet to the same physical service. This will be used in LLB deployment scenarios.
SRCIPDESTIP - When configured, the NetScaler 9000 system selects a physical service based on the Load Balancing method, and then directs all the subsequent requests with the same Source IP and Destination IP as the first packet to the same physical service. This will be used in IDS LB deployments.
Possible values: SOURCEIP, COOKIEINSERT, SSLSESSION, RULE, URLPASSIVE, CUSTOMSERVERID, DESTIP, SRCIPDESTIP, NONE
Default value: NONE

persistenceBackup
Use this parameter to specify a backup persistence type for the virtual server. The backup persistence option is used when the primary persistence mechanism configured on the virtual server fails. The <persistenceBackup> parameter can take one of the following options:
SOURCEIP
NONE
Possible values: SOURCEIP, NONE
Default value: NONE

lbmethod
The load balancing method for the virtual server. The valid options for this parameter are: ROUNDROBIN, LEASTCONNECTION, LEASTRESPONSETIME, URLHASH, DOMAINHASH, DESTINATIONIPHASH, SOURCEIPHASH, SRCIPDESTIPHASH, LEASTBANDWIDTH, LEASTPACKETS, TOKEN. When the load balancing policy is configured as:
ROUNDROBIN - When configured, the NetScaler 9000 system distributes incoming requests to each server in rotation, regardless of the load. When different weights are assigned to services, weighted round robin occurs and requests go to services according to the weighting that has been set.
LEASTCONNECTION (default value) - When configured, the NetScaler 9000 system selects the service that has the least number of connections. For TCP, HTTP, HTTPS and SSL_TCP services the least number of connections includes: Established, active connections to a service. Connection reuse applies to HTTP and HTTPS. Hence the count includes only those connections which have outstanding HTTP or HTTPS requests, and does not include inactive, reusable connections. Connections to a service waiting in the Surge Queue, which exists only if the Surge Protection feature is enabled. For UDP services the least number of connections includes: The number of sessions between client and a physical service. These sessions are the logical, time-based entities, created on the first arriving UDP packet. If configured, weights are taken into account when server selection is performed.
LEASTRESPONSETIME - When configured, the NetScaler 9000 system selects the service with the minimum average response time. The response time is the interval between sending a request to a service and the first response packet coming back from the service, that is, Time to First Byte (TTFB).
URLHASH - The NetScaler 9000 system selects the service based on the hashed value of the incoming URL. To specify the number of bytes of the URL that is used to calculate the hash value, use the optional argument [-hashLength <positive_integer>] in either the add lb vserver or set lb vserver CLI command. The default value is 80.
DOMAINHASH - When configured with this load balancing method, the NetScaler 9000 system selects the service based on the hashed value of the domain name in the HTTP request. The domain name is taken either from the incoming URL or from the Host header of the HTTP request. Note: The NetScaler 9000 system defaults to LEASTCONNECTION if the request does not contain a domain name. If the domain name appears in both the URL and the Host header, the NetScaler 9000 system gives preference to the URL domain.
DESTINATIONIPHASH - The NetScaler 9000 system selects the service based on the hashed value of the destination IP address in the TCP/IP header.
SOURCEIPHASH - The NetScaler 9000 system selects the service based on the hashed value of the client's IP address in the TCP/IP header.
LEASTBANDWIDTH - The NetScaler 9000 system selects the service that is currently serving the least traffic, measured in megabits per second.
LEASTPACKETS - The NetScaler 9000 system selects the service that is currently serving the lowest number of packets per second.
Token - The NetScaler 9000 system selects the service based on the value, calculated from a token, extracted from the client's request (location and size of the token is configurable). For subsequent requests with the same token, the NetScaler 9000 system will select the same physical server.
SRCIPDESTIPHASH - The NetScaler 9000 system selects the service based on the hashed value of the client's SOURCE IP and DESTINATION IP address in the TCP/IP header.
Possible values: ROUNDROBIN, LEASTCONNECTION, LEASTRESPONSETIME, URLHASH, DOMAINHASH, DESTINATIONIPHASH, SOURCEIPHASH, SRCIPDESTIPHASH, LEASTBANDWIDTH, LEASTPACKETS, TOKEN, STATICPROXIMITY, RTT, SRCIPSRCPORTHASH, LRTM
Default value: LEASTCONNECTION

rule
Use this parameter to specify the string value used to set the RULE persistence type. The string can be either an existing rule name (configured using the add rule command) or an in-line expression with a maximum of 256 characters.

persistmask
Use this parameter to specify if the persistency is IP based. This parameter is optional.
Default value: 255.255.255.255

pq
Use this parameter to enable priority queuing on the specified virtual server.
Possible values: ON, OFF
Default value: OFF

sc
Use this parameter to enable SureConnect on the specified virtual server.
Possible values: ON, OFF
Default value: OFF

m
Use this parameter to specify the LB mode. If the value is specified as IP, the traffic is sent to the physical servers by changing the destination IP address to that of the physical server. If the value is MAC, the traffic is sent to the physical servers by changing the destination MAC address to that of one of the physical servers; the destination IP is not changed. MAC mode is used mostly in Firewall Load Balancing scenarios.
Possible values: IP, MAC
Default value: IP

datalength
Use this parameter to specify the length of the token in bytes. Applicable to TCP virtual servers, when the Token load balancing method is selected. The datalength should not be more than 24k.

dataoffset
Use this parameter to specify the offset of the data to be taken as the token. Applicable to TCP virtual servers, when the Token load balancing method is used. Must be within the first 24k of the client TCP data.

sessionless
Use this parameter to enable sessionless load balancing.
Possible values: ENABLED, DISABLED
Default value: DISABLED

soPersistenceTimeOut

soThreshold

state
Use this parameter to specify the state of the load balancing virtual server.
Possible values: ENABLED, DISABLED
Default value: ENABLED

timeout
The time period for which the persistence is in effect for a specific client. The value ranges from 2 to 1440 minutes.
Default value: 2

connfailover
Specifies whether connection failover is enabled on the virtual server.
Possible values: ENABLED, DISABLED
Default value: DISABLED

Example
add lb vserver http_vsvr http 10.102.1.10 80

Related Commands
set lb vserver
show lb vserver
stat lb vserver

bind lb vserver

Synopsis
bind lb vserver <vServerName>@ ((<serviceName>@ [-weight <positive_integer>]) | (-policyName <string> [-priority <positive_integer>]))

Description
Use this command to bind a physical service to a virtual server.

Arguments

vServerName
The virtual server name to which the service is bound.

serviceName
The name of the service that is bound.

policyName
The SureConnect or priority queuing policy that needs to be bound to the specified load balancing virtual server for SureConnect or priority queuing to be activated on that virtual server.

Example
bind lb vserver http_vip http_svc

Related Commands
unbind lb vserver

enable lb vserver

Synopsis
enable lb vserver <name>@

Description
Use this command to enable a virtual server. Note: Virtual servers, when added, are enabled by default.

Arguments

name
The name of the virtual server to be enabled.

Example
enable vserver lb_vip

Related Commands
disable lb vserver
rm lb vserver

disable lb vserver

Synopsis
disable lb vserver <name>@

Description
Use this command to disable a virtual server (take it out of service).

Arguments

name
The name of the virtual server to be disabled. Notes:
1. The NetScaler 9000 system still responds to ARP and/or ping requests for the IP address of this virtual server.
2. As the virtual server is still configured in the NetScaler 9000 system, you can enable the virtual server using the enable vserver CLI command.

Example
disable vserver lb_vip

Related Commands
enable lb vserver
rm lb vserver

set lb vserver

Synopsis
set lb vserver <vServerName>@ [-weight <positive_integer> <serviceName>@] [-persistenceType <persistenceType>] [-persistenceBackup <persistenceBackup>] [-lbmethod <lbmethod>] [-hashLength <positive_integer>] [-netmask <netmask>] [-rule <expression>] [-persistmask <netmask>] [-pq ( ON | OFF )] [-sc ( ON | OFF )] [-m ( IP | MAC )] [-datalength <positive_integer>] [-dataoffset <positive_integer>] [-sessionless ( ENABLED | DISABLED )] [-timeout <mins>] [-connfailover ( ENABLED | DISABLED )] [-backupVServerName <string>] [-redirectURL <URL>] [-cacheable ( YES | NO )] [-cltTimeout <secs>] [-soMethod <soMethod>] [-soPersistence ( ENABLED | DISABLED )] [-soPersistenceTimeOut <positive_integer>] [-soThreshold <positive_integer>]

Description
Use this command to set load balancing virtual server attributes.

Arguments

vServerName
The name of the load balancing virtual server.

weight
The weight for the specified service.

persistenceType
The persistence type for the specified virtual server:
SOURCEIP - Specify a server that can use any or all protocols.
COOKIEINSERT - The NetScaler 9000 system inserts a cookie when a cookie is being sent from the server. Each subsequent client request will have that cookie. The NetScaler 9000 system extracts the cookie and sends the client request to the same server. In this mode, the NetScaler 9000 system inserts and reads the inserted cookie.
SSLSESSION - Specify for an SSL server.
RULE - Specify this when the persistence is based on a rule.
URLPASSIVE - Specify this when the destination server is selected from the URL.
CUSTOMSERVERID - Specify this when the destination server is selected based on the server ID configured using the set service or add service command.
NONE - Disables session persistence. This setting is the default.
Possible values: SOURCEIP, COOKIEINSERT, SSLSESSION, RULE, URLPASSIVE, CUSTOMSERVERID, DESTIP, SRCIPDESTIP, NONE

persistenceBackup
The backup persistency to be used when the primary persistency fails. For the backup persistency to be active, the primary persistency must be COOKIEINSERT. The valid options are SOURCEIP and NONE.
Possible values: SOURCEIP, NONE

lbmethod
The load balancing method to be in effect:
ROUNDROBIN: When selected, determines the destination of a request based on the performance weight (configured by the -weight argument of the set lb vserver command).
LEASTCONNECTION: When selected, determines the destination of a request based on the least number of active connections from the NetScaler 9000 system to each physical service bound to the virtual server.
LEASTRESPONSETIME: When selected, determines the destination of a request based on the average response time.
URLHASH: When selected, determines the destination of a request by hashing the URL.
DOMAINHASH: When selected, determines the destination of a request by hashing the domain name.
DESTINATIONHASH: When selected, determines the destination of a request by hashing the destination IP address or destination network.
SOURCEIPHASH: When selected, determines the destination of a request by hashing the source IP address or source network.
LEASTBANDWIDTH: When selected, determines the destination of a request based on the bandwidth utilization.
LEASTPACKETS: When selected, determines the destination of a request based on the number of packets.
Token: When selected, determines the destination of a request based on the value, calculated from a token, extracted from the client's request (location and size of the token is configurable).
Possible values: ROUNDROBIN, LEASTCONNECTION, LEASTRESPONSETIME, URLHASH, DOMAINHASH, DESTINATIONIPHASH, SOURCEIPHASH, SRCIPDESTIPHASH, LEASTBANDWIDTH, LEASTPACKETS, TOKEN, STATICPROXIMITY, RTT, SRCIPSRCPORTHASH, LRTM

rule
Use this parameter when setting the RULE persistence type. The string can be either an existing rule name (configured using the add rule command) or an inline expression with a maximum of 256 characters.

persistmask
Use this parameter if you are using an IP-based persistence type.

pq
Use this parameter to specify whether priority queuing needs to be enabled on the specified virtual server.
Possible values: ON, OFF

sc
Use this parameter to specify whether SureConnect is enabled on the specified virtual server.
Possible values: ON, OFF

m
Use this parameter to specify the LB mode. This option is designed for firewall load balancing and cache redirection.
IP - Communicate to the server using the server's IP address.
MAC - Communicate to the server using the server's MAC address.
Possible values: IP, MAC

datalength
Use this parameter to specify the data length when the TOKEN load balancing method is selected.

dataoffset
Use this parameter to specify the data offset length when the TOKEN load balancing method is selected.

sessionless
Use this parameter to enable sessionless load balancing.
Possible values: ENABLED, DISABLED

timeout
The maximum time persistence is in effect for a specific client. Enter a value from 2 to 1440 minutes.

connfailover
Specifies whether connection failover is enabled on the virtual server.
Possible values: ENABLED, DISABLED
Default value: DISABLED

backupVServerName

redirectURL

cacheable

cltTimeout

soMethod

soPersistence

soPersistenceTimeOut

soThreshold

Example
set lb vserver http_vip -lbmethod LEASTRESPONSETIME

Related Commands
add lb vserver
show lb vserver
stat lb vserver
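The constraints stated above for set lb vserver (the listed values, the 2 to 1440 minute timeout, backup persistence being active only with COOKIEINSERT, and RULE or URLPASSIVE persistence needing a -rule expression) can be checked before a configuration is applied. The following is an added example, not part of the Citrix guide: the function names, the constructed sample lines and the case-insensitive matching of option names and values are assumptions, and only set lb vserver lines are considered.

```python
import shlex

# Value lists copied from the "Possible values" entries and synopsis of set lb vserver.
ENUMS = {
    "-persistenceType": {"SOURCEIP", "COOKIEINSERT", "SSLSESSION", "RULE", "URLPASSIVE",
                         "CUSTOMSERVERID", "DESTIP", "SRCIPDESTIP", "NONE"},
    "-persistenceBackup": {"SOURCEIP", "NONE"},
    "-lbmethod": {"ROUNDROBIN", "LEASTCONNECTION", "LEASTRESPONSETIME", "URLHASH",
                  "DOMAINHASH", "DESTINATIONIPHASH", "SOURCEIPHASH", "SRCIPDESTIPHASH",
                  "LEASTBANDWIDTH", "LEASTPACKETS", "TOKEN", "STATICPROXIMITY", "RTT",
                  "SRCIPSRCPORTHASH", "LRTM"},
    "-pq": {"ON", "OFF"}, "-sc": {"ON", "OFF"}, "-m": {"IP", "MAC"},
    "-sessionless": {"ENABLED", "DISABLED"}, "-connfailover": {"ENABLED", "DISABLED"},
    "-cacheable": {"YES", "NO"}, "-soPersistence": {"ENABLED", "DISABLED"},
}
# The other single-value options listed in the set lb vserver synopsis.
FREE = {"-hashLength", "-netmask", "-rule", "-persistmask", "-datalength", "-dataoffset",
        "-timeout", "-backupVServerName", "-redirectURL", "-cltTimeout", "-soMethod",
        "-soPersistenceTimeOut", "-soThreshold"}
# Assumption: option names are matched case-insensitively.
CANON = {opt.lower(): opt for opt in list(ENUMS) + sorted(FREE)}


def parse_set_lb_vserver(line):
    """Return (name, {option: value}, [problems]), or None if not a set lb vserver line."""
    try:
        tok = shlex.split(line)
    except ValueError:                      # unbalanced quotes: not auditable here
        return None
    if len(tok) < 4 or [t.lower() for t in tok[:3]] != ["set", "lb", "vserver"]:
        return None
    name, opts, problems, i = tok[3], {}, [], 4
    while i < len(tok):
        if tok[i].lower() == "-weight":     # -weight <positive_integer> <serviceName>
            i += 3
            continue
        opt = CANON.get(tok[i].lower())
        if opt is None:                     # typo or stray token: report, skip its value(s)
            problems.append(f"unknown option {tok[i]}")
            i += 1
            while i < len(tok) and not tok[i].startswith("-"):
                i += 1
            continue
        if i + 1 >= len(tok):
            problems.append(f"{opt} has no value")
            break
        opts[opt] = tok[i + 1]
        i += 2
    return name, opts, problems


def audit(config_text):
    """Merge every set lb vserver line per virtual server, then check the final state."""
    state, findings = {}, []
    for line in config_text.splitlines():
        parsed = parse_set_lb_vserver(line)
        if parsed is None:
            continue
        name, opts, problems = parsed
        findings += [(name, p) for p in problems]
        state.setdefault(name, {}).update(opts)
    for name, o in state.items():
        if len(name) > 31:
            findings.append((name, "name longer than 31 characters"))
        for opt, allowed in ENUMS.items():
            if opt in o and o[opt].upper() not in allowed:
                findings.append((name, f"{opt} {o[opt]} is not a listed value"))
        t = o.get("-timeout")
        if t is not None and not (t.isdecimal() and 2 <= int(t) <= 1440):
            findings.append((name, f"-timeout {t} outside 2 to 1440 minutes"))
        primary = o.get("-persistenceType", "NONE").upper()
        backup = o.get("-persistenceBackup", "NONE").upper()
        if backup != "NONE" and primary != "COOKIEINSERT":
            findings.append((name, f"-persistenceBackup {backup} inactive: primary is {primary}"))
        if primary in {"RULE", "URLPASSIVE"} and "-rule" not in o:
            findings.append((name, f"{primary} persistence has no -rule expression"))
        if len(o.get("-rule", "")) > 256:
            findings.append((name, "-rule expression longer than 256 characters"))
    return findings


# Constructed sample configuration (not from the guide).
SAMPLE = """\
set lb vserver http_vip -lbmethod LEASTRESPONSETIME
set lb vserver shop_vip -persistenceType SOURCEIP -persistenceBackup SOURCEIP -timeout 1
set lb vserver api_vip -persistenceType RULE
set lb vserver api_vip -lbmethod LEASTCONN -weight 2 api_svc
set lb vserver portal_vip -persistenceType COOKIEINSERT -persistenceBackup SOURCEIP -presistmask 255.255.255.0
"""

if __name__ == "__main__":
    for vserver, message in audit(SAMPLE):
        print(f"{vserver}: {message}")
```

Because settings are merged per virtual server before the cross-option checks run, a persistence type set on one line and a -rule supplied on a later line are evaluated together.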

rm lb vserver

Synopsis
rm lb vserver <name>@ ...

Description
Use this command to remove a virtual server.

Arguments

name
The name of the virtual server to be removed.

Example
rm vserver lb_vip

Related Commands
enable lb vserver
disable lb vserver

show lb vserver

Synopsis
show lb vserver [<name>]
show lb vserver stats - alias for 'stat lb vserver'

Description
Use this command to display information about load balancing virtual servers.

Arguments

name
The name of the load balancing server whose properties will be displayed. If no load balancing virtual server name is entered, a list of all configured load balancing virtual servers is displayed. All the services and priority queuing/SureConnect policies that are bound to this virtual server are also displayed.

Output

value

IPAddress

port

range

serviceType

type

state

effectiveState

status

cacheType

redirect

precedence

redirectURL

authentication

homePage

dnsVserverName

domain

rule

policyName

serviceName

weight

cacheVserver

backupVServerName

priority

cltTimeout

soMethod

soPersistence

soPersistenceTimeOut

soThreshold

soDynamicThreshold

lbmethod

hashLength

dataoffset

datalength

netmask

rule

groupName

m

persistenceType

cookieDomain

persistmask

persistenceBackup

timeout

cacheable

pq

sc

sessionless
To enable sessionless load balancing, enable this option.

map

connfailover

Related Commands

add lb vserver
set lb vserver
stat lb vserver

stat lb vserver

Synopsis

stat lb vserver [<name>] [-detail] [-fullValues] [-ntimes <positive_integer>] [-logFile <input_filename>]

Description

Use this command to display load-balancing vserver statistics.

Arguments

name
The name of the vserver for which statistics will be displayed. If no name is given, statistics are shown for all vservers.

Output

Counters

Vserver protocol (Protocol)
Protocol associated with the vserver

IP address (IP)
The IP address at which the service is running.

Port (port)
The port at which the service is running.

State
Current state

Current client connections (ClntConn)
The number of current client connections to the vserver

Current server connections (SvrConn)
The number of current connections to the real servers behind the vserver.

Requests (Req)
The total number of requests.

Responses (Rsp)
Number of responses

Request bytes (Reqb)
The total number of request bytes.

Response bytes (Rspb)
Number of response bytes

Spill Over Threshold (SOThresh)
Spill Over Threshold set on the VServer.

Related Commands

add lb vserver
set lb vserver
show lb vserver

unbind lb vserver

Synopsis

unbind lb vserver <vServerName>@ (<serviceName>@ | -policyName <string>)

Description

Use this command to unbind a service or policy from a virtual server that has been configured for use in NetScaler 9000 system's load balancing.

Arguments

vServerName
The virtual server name from which the service will be unbound.

serviceName
The service name (created with the addService command) that will be unbound.

policyName
The SureConnect or priority queuing policy that has been bound to this load balancing virtual server, using the bind lb vserver CLI command.

Example

unbind lb vserver http_vip http_svc

Related Commands

bind lb vserver

show lb route

Synopsis

show lb route

Description

Use this command to display the names of the routes associated with the route structure using the add lb route CLI command.

Arguments

Output

network

netmask

gatewayname

flags

Related Commands

add lb route
rm lb route

add lb route

Synopsis

add lb route <network> <netmask> <gatewayname>

Description

Use this command to bind the route VIP to the route structure.

Arguments

network
The IP address of the network to which the route belongs.

netmask
The netmask to which the route belongs.

gatewayname
The name of the route.

Related Commands

show lb route
rm lb route

rm lb route

Synopsis

rm lb route <network> <netmask>

Description

Use this command to remove the route VIP from the route structure.

Arguments

network
The IP address of the network to which the route VIP belongs.

netmask
The netmask of the destination network.

Related Commands

show lb route
add lb route

NetScaler Commands

This chapter covers the NetScaler commands.

stat ns

Synopsis

stat ns [-detail] [-fullValues] [-ntimes <positive_integer>] [-logFile <input_filename>]

Description

This command displays general system statistics

Counters

Up time (UP)
Seconds since the system started

Up since (Since)
Time when the system last started

System state (HAstate)
High-availability system state

Master state (mastate)
HA Master state

Independent Network Config (incstate)
Independent network configuration state

HA over L3 (haoverl3)
HA over L3

BPDU packet drop (dropBPDU)
Flag to drop BPDU packets

CPU Usage (CPU)
CPU utilization percentage

System memory (MB) (Memory)
Total amount of system memory, in megabytes

Memory usage (MB) (MemUseMB)
Amount of memory currently in use, in megabytes

GETs (HTGETs)
Number of HTTP GET requests received

POSTs (HTPOSTs)
Number of HTTP POST requests received

Other methods (HTOthers)
Number of non-GET/POST HTTP methods received

Total requests (HTReqRx)
Total number of HTTP requests received from clients

Total responses (HTRspRx)
Number of HTTP responses received from servers

Request bytes received (HTReqbRx)
Data received in request including headers (in bytes)

Response bytes received (HTRspbRx)
Data received in the response including headers (in bytes)

Request bytes transmitted (HTReqbTx)
Data transmitted in request including headers (in bytes)

Response bytes transmitted (HTRspbTx)
Data transmitted in response including headers (in bytes)

HTTP/1.0 requests (HT10ReqRx)
Number of HTTP/1.0 requests received from clients

HTTP/1.1 requests (HT11ReqRx)
Number of HTTP/1.1 requests received from clients

Content-length requests (HTCLnReq)
Number of content-length requests received

Chunked requests (HTChkReq)
Number of chunked requests received

HTTP/1.0 responses (HT10RspRx)
Number of HTTP/1.0 responses received from servers

HTTP/1.1 responses (HT11RspRx)
Number of HTTP/1.1 responses received from servers

Content-length responses (HTCLnRsp)
Number of HTTP requests/responses received with content-length headers

Chunked responses (HTChunk)
Number of HTTP requests/responses received with chunked encoding

FIN-terminated responses (HTNoCLnChunk)
Number of FIN-terminated responses

Multi-part responses (HTMPrtHd)
Number of HTTP multi-part header requests/responses received

Incomplete headers (HTIncHd)
Number of incomplete header reassembly failures

Incomplete request headers (HTIncReqHd)
Number of incomplete request headers received

Incomplete response headers (HTIncRspHd)
Number of incomplete response headers received

Large/Invalid messages (HTInvReq)
Number of large/invalid requests/responses received

Large/Invalid chunk requests (HTInvChkRx)
Number of large/invalid requests/responses received

Large/Invalid content-length (HTInvCLn)
Number of large/invalid content-length requests/responses received

All server connections (SvrCx)
Number of server connections in NetScaler

Closing server connections (SvrCxCl)
Number of server connections in NetScaler in closing states

Established server connections (SvrCxE)
Number of server connections in NetScaler in established state

Opening server connections (SvrCxO)
Number of server connections in NetScaler in opening states

Opened server connections (TotSvrO)
Total number of opened server connections

Closed server connections (TotSvrC)
Total number of closed server connections

All client connections (CltCx)
Number of client connections in NetScaler

Closing client connections (CltCxCl)
Number of client connections in NetScaler in closing states

Established client connections (CltCxE)
Number of client connections in NetScaler in established state

Opening client connections (CltCxO)
Number of client connections in NetScaler in opening states

Opened client connections (TotCltO)
Total number of opened client connections

Closed client connections (TotCltC)
Total number of closed client connections

Surge queue (SQlen)
Number of connections in surge queue

Spare connections (SpConn)
Number of spare connections ready to be used

Server active connections (ActSvrCo)
Number of connections currently serving requests

Server out of order packets (SvrOOO)
Number of out of order TCP packets, received from servers

Client out of order packets (CltOOO)
Number of out of order TCP packets, received from clients

TCP packets received (TCPPktRx)
Number of TCP packets received

TCP bytes received (TCPbRx)
Number of TCP bytes received

TCP packets transmitted (TCPPktTx)
Number of TCP packets transmitted

TCP bytes transmitted (TCPbTx)
Number of TCP bytes transmitted

Current rate threshold (UDPThs)
The value set for the 10 ms rate threshold for UDP packets. Within a 10 ms range, NetScaler can allow (receive or pass through) the set number of UDP packets.

Packets received (UDPPktRx)
Number of UDP packets received

Bytes received (UDPbRx)
Number of UDP bytes received

Packets transmitted (UDPPktTx)
Number of UDP packets transmitted

Bytes transmitted (UDPbTx)
Number of UDP bytes transmitted

Unknown service (UDPUnSvc)
Number of UDP packets to unconfigured services

Bad UDP checksum (UDPBadCkSum)
Number of packets with bad UDP checksum received.

Rate threshold exceeded (UDPRtEx)
Number of times the UDP rate threshold was exceeded.

IP packets received (IPPktRx)
Number of IP packets received by NetScaler

IP bytes received (IPbRx)
Number of IP bytes received by NetScaler.

IP packets transmitted (IPPktTx)
Number of IP packets transmitted by NetScaler.

ICMP packets received (ICPktRx)
Number of ICMP packets received by NetScaler.

ICMP bytes received (ICbRx)
Number of ICMP bytes received by NetScaler.

ICMP packets transmitted (ICPktTx)
Number of ICMP packets transmitted by NetScaler.

ICMP bytes transmitted (ICbTx)
Number of ICMP bytes transmitted by NetScaler.

ICMP echo replies received (ECORepRx)
Number of ICMP echo replies received by NetScaler.

ICMP echo replies transmitted (ECORepTx)
Number of ICMP echo replies transmitted by NetScaler.

ICMP echos received (ECORx)
Number of ICMP echos received by NetScaler.

ICMP packets dropped (ICPktDr)
Number of ICMP packets dropped by NetScaler.

SYN packets received (TCPSYN)
Number of SYN packets received

Server probes (SYNProbe)
Number of times auto-discovered servers were probed

FIN packets from server (SvrFin)
Number of FIN packets received from a server

FIN packets from client (CltFin)
Number of FIN packets received from a client

Time wait to SYN (WaToSyn)
Number of times a SYN packet was received on a connection in TIME_WAIT state

Data in TIME_WAIT (WaDat)
Number of times data was received on a connection in TIME_WAIT state

Client idle flushed (ZomCltF)
Number of idle client connections flushed

Server idle connections flushed (ZSvrF)
Number of idle server connections flushed

Client half opened flushed (ZCltFHo)
Number of half opened client connections flushed

Server half opened flushed (ZSvrFHo)
Number of half opened server connections flushed

Client active half closed flushed (ZCltFAhc)
Number of active half closed client connections flushed

Server active half closed flushed (ZSvrFAhc)
Number of active half closed server connections flushed

Client passive half closed flushed (ZCltFPhc)
Number of passive half closed client connections flushed

Server passive half closed flushed (ZSrvFPhc)
Number of passive half closed server connections flushed

Bad TCP checksum (TCPBadCk)
Number of bad TCP checksums received

SYN in SYN_RCVD state (TCPSYNRv)
Number of SYN packets received on a connection in SYN_RCVD state

SYN in ESTABLISHED state (TCPSYNEs)
Number of SYN packets received on a connection in ESTABLISHED state

SYN packets timeout (TCPSYNG)
Number of times connection establishment timed out

SYN_SENT incorrect ACK packet (TCPBadAk)
Number of incorrect ACK packets received on a connection in SYN_SENT state

SYN packet retries (TCPSYNRe)
Number of times SYN packet was retried

FIN packet retries (TCPFINRe)
Number of times FIN packet was retried

FIN packets timeout (TCPFING)
Number of times connection closing timed out

RST packets received (TCPRST)
Number of RST packets received

RST on not ESTABLISHED (TCPRSTNE)
Number of RST packets received on a connection not in ESTABLISHED state

RST out of window (TCPRSTOW)
Number of RST packets received on a connection out of current TCP window

RST in TIME_WAIT (TCPRSTTi)
Number of RST packets received on a connection in TIME_WAIT state

Server retransmissions (TCPSvrRe)
Number of retransmission packets from servers

Client retransmissions (TCPCltRe)
Number of retransmission packets from clients

Full packet retransmissions (TCPFulRe)
Number of full retransmission packets

Partial packet retransmissions (TCPParRe)
Number of full retransmission packets

Server out of order packets (SvrOOO)
Number of out of order TCP packets, received from servers

Client out of order packets (CltOOO)
Number of out of order TCP packets, received from clients

TCP hole on client connection (CltHole)
Number of TCP holes on client connections

TCP hole on server connection (SvrHole)
Number of TCP holes on server connections

Seq number SYN cookie reject (CSeqRej)
Number of TCP SYN cookie packets rejected due to incorrect sequence number

Signature SYN cookie reject (CSigRej)
Number of TCP SYN cookie packets rejected due to incorrect signature

Seq number SYN cookie drop (CSigDrp)
Number of TCP SYN cookie packets dropped due to out of window sequence number

MSS SYN cookie reject (CMssRej)
Number of TCP SYN cookie packets rejected due to incorrect MSS

TCP retransmission (Retr)
Number of TCP retransmissions sent

TCP retransmission giveup (RetrG)
Number of times TCP retransmission gave up

Zombie cleanup calls (ZmbCall)
Number of times Zombie cleanup is called

SYN packets held (SYNHeld)
Number of SYN packets held, waiting for server connection

SYN packets flushed (SYNFlush)
Number of held SYN packets flushed due to no server response

TIME_WAIT connections closed (FinWaitC)
Number of connections closed because there were too many connections in TIME_WAIT state

Any IP port allocation failure (PortFal)
Number of port allocation failures on any IP address

IP port allocation failure (PortFalI)
Number of port allocation failures on a specific IP address

Stray packets (StrayPkt)
Number of packets received on a nonexistent connection

RST packets sent (SentRst)
Number of RST packets sent

Bad state connections (BadConn)
Number of connections in none of the known TCP states

Fast retransmits (FastRetr)
Number of fast TCP retransmissions done

1st retransmission (1stRetr)
Number of first retransmissions done

2nd retransmission (2ndRetr)
Number of second retransmissions done

3rd retransmission (3rdRetr)
Number of third retransmissions done

4th retransmission (4thRetr)
Number of fourth retransmissions done

5th retransmission (5thRetr)
Number of fifth retransmissions done

6th retransmission (6thRetr)
Number of sixth retransmissions done

7th retransmission (7thRetr)
Number of seventh retransmissions done

Data after FIN (TCPDtFin)
Number of times data was received after FIN packet

RST threshold dropped (RstThre)
Number of RST packets dropped due to the RST threshold

Packets out of window (OOWPkt)
Number of packets out of TCP advertised window

SYNs dropped (Congestion) (SynCng)
Number of SYN packets dropped because of network congestion

Heartbeats received (HApktrx)
Number of HA heartbeats received

BPDU packets dropped (BPDUdrop)
Number of BPDU packets dropped

Master claims (HAclaim)
Number of Master claims

Master state changes (masterch)
This represents the total number of master state changes that the NetScaler has made from primary to secondary and vice-versa

State Fail (HAstfail)
Number of times state changed to PARTIAL_FAIL/PARTIAL_FAIL_SSL/ROUTEMONITOR_FAIL/COMPLETE_FAIL

State UP (HAstup)
Number of times state changed to UP

State INIT (HAstinit)
Number of times state changed to INIT

Recovers (HArecnum)
Number of Recovers

Heartbeats sent (HApkttx)
Number of packets sent

REQ_INIT packets received (reqinit)
Number of REQ_INIT packets received

Config sync (HAsync)
Number of config syncs

Mac updates (macupd)
Number of MAC updates

Propagated commands (propioc)
Number of ioctls extracted from the queue for propagation

Config flush (clrconf)
Number of times config is flushed

NSB allocation failures (memfail)
Number of NSB allocation failures

sw monitor fail (swmnfail)
Number of times heartbeat was not seen over the links

Pkts rx on non-monitored links (rxnoswmn)
Number of packets received on not monitored links

Pkts rx with wrong dst mac (rxdstmac)
Number of packets received with wrong destination MAC

Pkts rx not from the peer (rxnode)
Number of packets received not from an HA node

Pkts rx with wrong signature (rxsig)
Number of packets received with wrong signature

Version mismatch (rxver)
Number of packets received with wrong version

Pkts rx with the same seq num (rxseqno)
Number of packets received with the same seq number

Propagation mem alloc failures (propmemf)
Number of times memory allocation failed during propagation

Propagation timeouts (ptimeout)
Number of times propagation timed out

Master disputes (mastdisp)
Number of HA master disputes

Node DOWN (nodedown)
Number of times a node is detected as DOWN

non-INIT pkts from DOWN node (rxnoinit)
Number of non-INIT packets received from a DOWN node

Port silent (silent)
Number of times heartbeats were not received on a link for dead interval

Heartbeat rx after dead intvl (heartbeat)
Number of times heartbeats were seen after losing them for the dead interval

Sync failure (syncfail)
Recent sync operation failed

Heartbeats with invalid app id (hbappid)
Number of times an HA heartbeat was seen with invalid app_id

Heartbeats with invalid type (hbtype)
Number of times an HA heartbeat was seen with invalid type

Heartbeats with invalid state (hbstate)
Number of times an HA heartbeat was seen with invalid state

Heartbeat with bad masterstate (hbmasst)
Number of times an HA heartbeat was seen with invalid master state

Heartbeats with bad pkt length (hbpktlen)
Number of times an HA heartbeat was seen with different packet size

Number of peer nodes (nodenum)
Number of peer nodes

Initialization time (inittime)
The time until end of initialization

hw monitor (hwmon)
The NICs that are monitored

sw monitor (swmon)
The NICs that are monitored by heartbeat

Derived incarnation number (derinc)
Derived incarnation based on ioctls received

Peer incarnation number (peerinc)
The peer's incarnation seen from heartbeats

Time left for synchronization (synctime)
The time at which the next sync starts

Hello interval in 10ms (helloint)
HA Hello Interval in 10ms

Dead interval in 10ms (deadint)
HA Dead Interval in 10ms

Bad IP checksums (badCksum)
Number of packets received with bad IP checksums.

IP packets received (IPPktRx)
Number of IP packets received by NetScaler

IP bytes received (IPbRx)
Number of IP bytes received by NetScaler.

IP packets transmitted (IPPktTx)
Number of IP packets transmitted by NetScaler.

IP bytes transmitted (IPbTx)
Number of IP bytes transmitted by NetScaler.

Megabits received (IPMbRx)
Number of IP bits received by the NetScaler, in megabits.

Megabits transmitted (IPMbTx)
Number of IP bits transmitted by the NetScaler, in megabits.

IP fragments received (IPFragRx)
Number of IP fragments received.

Successful reassembly (reasSucc)
Number of IP packets for which successful reassembly was done.

Unsuccessful reassembly (reasFail)
Number of IP packets for which reassembly failed.

Reassembled data too big (reasBig)
Number of IP packets for which reassembled data was too big.

Reassembly attempted (reasAtmp)
Number of IP packets for which reassembly was attempted.

Zero fragment length received (zeroLen)
Number of IP packets received with fragment length zero.

Duplicate fragments received (dupFrag)
Number of duplicate IP fragments received.

Out of order fragment received (oooFrag)
Number of out of order fragments received.

Unknown destination received (UnkDst)
Number of unknown destinations received, cannot route packet to NSIP.

Bad Transport (badTran)
Number of packets for which the service handler is unknown.

VIP down (vipDown)
Number of packets received for which the VIP is down for natpcb sessions.

Fix header failure (hdrFail)
Number of IP packets in which there is an error in the IP header.

IP address lookups (IpLkUp)
Number of IP address lookups done

IP address lookup failure (IpLkFail)
Number of IP address lookups which failed.

max non-TCP clients (maxClt)
Number of attempts to open a new connection to a service that already has the maximum number of allowed open client connections

Unknown services (UnkSvc)
Number of packets received for a NetScaler owned IP, but an un-configured port/service

land-attacks (LndAtk)
Number of land attack packets received by NetScaler

UDP fragments forwarded (udpFgFwd)
Total number of UDP fragments forwarded.

TCP fragments forwarded (tcpFgFwd)
Total number of TCP fragments forwarded.

Fragmentation packets created (frgPktCr)
Total number of fragmentation packets created by NS applications.

Invalid IP header size (errHdrSz)
Number of packets with invalid IP header size.

Invalid IP packet size (errPktLen)
Number of packets with invalid IP packet size.

Truncated IP packet (trIP)
Total number of truncated IP packets

Truncated non-IP packet (trNonIp)
Truncated non-IP packet

ZERO next hop (zrNxtHop)
Total number of IP packets with ZERO next hop.

Packets with bad MAC sent (BadMacTx)
The total number of transmitted IP packets with bad MAC addresses.

Packets with len > 1514 rcvd (BadLenTx)
The total number of IP packets received with length > 1514.

TTL expired during transit (ttlExp)
Number of IP packets for which TTL expired during transit.

ICMP port unreachable received (PortUnRx)
Number of ICMP port unreachable packets received.

ICMP packets received (ICPktRx)
Number of ICMP packets received by NetScaler.

ICMP bytes received (ICbRx)
Number of ICMP bytes received by NetScaler.

ICMP packets transmitted (ICPktTx)
Number of ICMP packets transmitted by NetScaler.

ICMP bytes transmitted (ICbTx)
Number of ICMP bytes transmitted by NetScaler.

ICMP echo replies received (ECORepRx)
Number of ICMP echo replies received by NetScaler.

ICMP echo replies transmitted (ECORepTx)
Number of ICMP echo replies transmitted by NetScaler.

ICMP echos received (ECORx)
Number of ICMP echos received by NetScaler.

ICMP rate threshold exceeded (ICRtEx)
Number of times the ICMP rate threshold was exceeded.

ICMP packets dropped (ICPktDr)
Number of ICMP packets dropped by NetScaler.

Bad ICMP checksum (BadCkSum)
Number of packets with bad ICMP checksum received.

Need fragmentation received (NeedFrag)
Number of "need fragmentation" ICMP error messages received.

PMTU non-first IP fragments (PMTUerr)
Number of non-first IP fragments resulting in path MTU error.

PMTU Invalid body len received (IvBdyLen)
Number of invalid body lengths received on a need fragmentation ICMP error message.

PMTU no tcp connection (NoTcpCon)
Number of packets with no TCP connection on src/dst, ip/port information received on a need fragmentation ICMP error message.

PMTU no udp conection (NoUdpCon)
Number of packets with no UDP connection on src/dst, ip/port information received on a need fragmentation ICMP error message.

PMTU invalid tcp seqno recvd (InvSeqNo)
Invalid TCP seqno received on need fragmentation ICMP error message.

Invalid next MTU value recvd (IvNxtMTU)
Invalid (576|>1500) next MTU value received on a need fragmentation ICMP error message.

Next MTU > Current MTU (BigNxMTU)
Next MTU information received on a need fragmentation ICMP error message greater than current MTU.

PMTU Invalid protocol recvd (IvPrtRx)
Invalid protocol type received on a need fragmentation ICMP error message.

PMTU IP check sum error (CkSumErr)
IP checksum error on the IP fragment in the need fragmentation ICMP error message body.

PMTU pcb with no link (NoLnkErr)
Need fragmentation ICMP error message received on a pcb with no link.

PMTU Discovery not enabled (PMTUdis)
PMTU Discovery mode is not enabled.

ICMP rate threshold (ICThs)
The value set for the 10 ms rate threshold for ICMP packets. Within a 10 ms range, NetScaler can allow (receive or pass through) the set number of ICMP packets.

ICMP port unreachable generated (PortUnTx)
Number of ICMP port unreachable packets generated by NetScaler.

Loops
The number of bridge loops

Collisions (Collisns)
The number of bridge collisions

Interface mutes (Mutes)
The number of bridge mutes

SSL crypto card status (SSLCard)
Status of the SSL card (1=UP, 0=DOWN)

SSL engine status
Status of the SSL Engine (1=UP, 0=DOWN)

SSL transactions (SSLTrn)
Number of SSL transactions

SSLv2 transactions (SSL2Trn)
Number of SSLv2 transactions

SSLv3 transactions (SSL3Trn)
Total number of SSLv3 Transactions.

TLSv1 transactions (TLS1Trn)
Number of TLSv1 transactions

SSL sessions (SSLSe)
Number of SSL sessions

SSLv3 sessions (SSL3Se)
Number of SSLv3 sessions

TLSv1 sessions (TLS1Se)
Number of TLSv1 sessions

new SSL sessions (NewSe)
Number of new SSL sessions

SSL session hits (SeHit)
Number of SSL session reuse hits

SSL session misses (SeMiss)
Number of SSL session reuse misses

Export sessions (40-bit) (ExpSe)
Total number of Expired SSL Sessions.

SSL session renegotiations (SSLRn)
Number of SSL session renegotiations

SSLv3 session renegotiations (SSL3Rn)
Number of session renegotiations done on SSLv3

TLSv1 session renegotiations (TLS1Rn)
Number of SSL session renegotiations done on TLSv1

SSLv2 sessions (SSL2Se)
Number of SSLv2 sessions

SSLv2 SSL handshakes (SSL2Hs)
Number of handshakes on SSLv2

SSLv3 SSL handshakes (SSL3Hs)
Number of handshakes on SSLv3

TLSv1 SSL handshakes (TLS1Hs)
Number of SSL handshakes on TLSv1

RSA 1024-bit key exchanges (RSAKx1)
Number of RSA 1024-bit key exchanges

RSA 512-bit key exchanges (RSAKx5)
Number of RSA 512-bit key exchanges

RSA 2048-bit key exchanges (RSAKx2)
Number of RSA 2048-bit key exchanges

DH 512-bit key exchanges (DHKx5)
Number of Diffie-Hellman 512-bit key exchanges

DH 1024-bit key exchanges (DHKx1)
Number of Diffie-Hellman 1024-bit key exchanges

DH 2048-bit key exchanges (DHKx2)
Number of Diffie-Hellman 2048-bit key exchanges

RSA authentications (RSAAt)
Number of RSA authentications

DH authentications (DHAt)
Number of Diffie-Hellman authentications

DSS (DSA) authentications (DSSAt)
Total number of times DSS authorization used.

Null authentications (NullAt)
Number of Null authentications

RC4 40-bit encryptions (RC4En4)
Number of RC4 40-bit cipher encryptions

RC4 56-bit encryptions (RC4En5)
Number of RC4 56-bit cipher encryptions

RC4 64-bit encryptions (RC4En6)
Number of RC4 64-bit cipher encryptions

RC4 128-bit encryptions (RC4En1)
Number of RC4 128-bit cipher encryptions

DES 40-bit encryptions (DESEn4)
Number of DES 40-bit cipher encryptions

DES 56-bit encryptions (DESEn5)
Number of DES 56-bit cipher encryptions

DES 168-bit encryptions (3DESEn1)
Number of DES 168-bit cipher encryptions

RC2 40-bit encryptions (RC2En4)
Number of RC2 40-bit cipher encryptions

RC2 56-bit encryptions (RC2En5)
Number of RC2 56-bit cipher encryptions

RC2 128-bit encryptions (RC2En1)
Number of RC2 128-bit cipher encryptions

IDEA 128-bit encryptions (IDEAEn1)
Number of IDEA 128-bit cipher encryptions

AES 128-bit encryptions (AESEn1)
Number of AES 128-bit cipher encryptions

AES 256-bit encryptions (AESEn2)
Number of AES 256-bit cipher encryptions

Null cipher encryptions (NullEn)
Number of Null cipher encryptions

MD5 hashes (MD5Hsh)
Number of MD5 hashes

SHA hashes (SHAHsh)
Number of SHA hashes

SSLv2 client authentications (SSL2CAt)
Number of client authentications done on SSLv2

SSLv3 client authentications (SSL3CAt)
Number of client authentications done on SSLv3

TLSv1 client authentications (TLS1CAt)
Number of client authentications done on TLSv1

Backend SSL sessions (BSSLSe)
Number of Backend SSL sessions

Backend SSLv3 sessions (BSSL3Se)
Number of Backend SSLv3 sessions

Backend TLSv1 sessions (BTLS1Se)
Number of Backend TLSv1 sessions

Backend SSL sessions reused (BSeRe)
Number of Backend SSL sessions reused

Backend session multiplex attempts (BSeMx)
Number of Backend SSL session multiplex attempts

Backend session multiplex successes (BSeMxS)
Number of Backend SSL session multiplex successes

Backend SSL multiplex failures (BSeMxF)
Number of Backend SSL session multiplex failures

Backend SSL session renegotiations (BSSLRn)
Number of Backend SSL session renegotiations

Backend SSLv3 session renegotiations (BSSL3Rn)
Number of Backend SSLv3 session renegotiations

Backend TLSv1 session renegotiations (BTLS1Rn)
Number of Backend TLSv1 session renegotiations

Backend RSA 512-bit key exchanges (BRSAKx5)
Number of Backend RSA 512-bit key exchanges

Backend RSA 1024-bit key exchanges (BRSAKx1)
Number of Backend RSA 1024-bit key exchanges

Backend RSA 2048-bit key exchanges (BRSAKx2)
Number of Backend RSA 2048-bit key exchanges

Backend DH 512-bit key exchanges (BDHKx5)
Number of Backend DH 512-bit key exchanges

Backend DH 1024-bit key exchanges (BDHKx1)
Number of Backend DH 1024-bit key exchanges

Backend DH 2048-bit key exchanges (BDHKx2)
Number of Backend DH 2048-bit key exchanges

Backend RC4 40-bit encryptions (BRC4En4)
Number of Backend RC4 40-bit cipher encryptions

Backend RC4 56-bit encryptions (BRC4En5)
Number of Backend RC4 56-bit cipher encryptions

Backend RC4 64-bit encryptions (BRC4En6)
Number of Backend RC4 64-bit cipher encryptions

Backend RC4 128-bit encryptions (BRC4En1)
Number of Backend RC4 128-bit cipher encryptions

Backend DES 40-bit encryptions (BDESEn4)
Number of Backend DES 40-bit cipher encryptions

Backend DES 56-bit encryptions (BDESEn5)
Number of Backend DES 56-bit cipher encryptions

Backend 3DES 168-bit encryptions (B3DESE1n)
Number of Backend 3DES 168-bit cipher encryptions

Backend AES 128-bit encryptions (BAESEn1)
Backend AES 128-bit cipher encryptions

Backend AES 256-bit encryptions (BAESEn2)
Backend AES 256-bit cipher encryptions

Backend RC2 40-bit encryptions (BRC2En4)
Number of Backend RC2 40-bit cipher encryptions

Backend RC2 56-bit encryptions (BRC2En5)
Number of Backend RC2 56-bit cipher encryptions

Backend RC2 128-bit encryptions (BRC2En1)
Number of Backend RC2 128-bit cipher encryptions

Backend IDEA 128-bit encryptions (BIDEAEn1)
Number of Backend IDEA 128-bit cipher encryptions

Backend null encryptions (BNullEn)
Number of Backend null cipher encryptions

Backend MD5 hashes (BMD5Hsh)
Number of Backend MD5 hashes

Backend SHA hashes (BSHAHsh)
Number of Backend SHA hashes

SSLv2 SSL handshakes (SSL2Hs)
Number of handshakes on SSLv2

SSLv3 SSL handshakes (SSL3Hs)
Number of handshakes on SSLv3

TLSv1 SSL handshakes (TLS1Hs)
Number of SSL handshakes on TLSv1

Backend SSLv3 handshakes (BSSL3Hs)
Number of Backend SSLv3 handshakes

Backend TLSv1 handshakes (BTLS1Hs)
Number of Backend TLSv1 handshakes

Backend SSLv3 client authentications (BSSL3CAt)
Number of Backend SSLv3 client authentications

Backend TLSv1 client authentications (BTLS1CAt)
Number of Backend TLSv1 client authentications

Backend RSA authentications (BRSAAt)
Number of Backend RSA authentications

Backend DH authentications (BDHAt)
Number of Backend DH authentications

Backend DSS authentications (BDSSAt)
Number of Backend DSS authentications

Backend Null authentications (BNullAt)
Number of Backend null authentications

Related Commands

stat ns bridge

Synopsis
stat ns bridge [-detail] [-fullValues] [-ntimes <positive_integer>] [-logFile <input_filename>]

Description
Display bridge statistics

Counters

Loops
The number of bridge loops

Collisions (Collisns)
The number of bridge collisions

Interface mutes (Mutes)
The number of bridge mutes

Related Commands

stat ns node

Synopsis
stat ns node [-detail] [-fullValues] [-ntimes <positive_integer>] [-logFile <input_filename>]

Description
Display high-availability protocol statistics

Counters

System state (HAstate)
High-availability system state

Master state (mastate)
HA Master state

Independent Network Config (incstate)
Independent network configuration state

HA over L3 (haoverl3)
HA over L3

BPDU packet drop (dropBPDU)
Flag to drop BPDU packets

Heartbeats received (HApktrx)
Number of HA heartbeats received

BPDU packets dropped (BPDUdrop)
Number of BPDU packets dropped

Master claims (HAclaim)
Number of Master claims

Master state changes (masterch)
This represents the total number of master state changes that the NetScaler has made from primary to secondary and vice-versa

State Fail (HAstfail)
Number of times state changed to PARTIAL_FAIL/PARTIAL_FAIL_SSL/ROUTEMONITOR_FAIL/COMPLETE_FAIL

State UP (HAstup)
Number of times state changed to UP

State INIT (HAstinit)
Number of times state changed to INIT

Heartbeats sent (HApkttx)
Number of packets sent

REQ_INIT packets received (reqinit)
Number of REQ_INIT packets received

Config sync (HAsync)
Number of config syncs

Mac updates (macupd)
Number of MAC updates

Propagated commands (propioc)
Number of ioctls extracted from the queue for propagation

Config flush (clrconf)
Number of times config is flushed

NSB allocation failures (memfail)
Number of NSB allocation failures

sw monitor fail (swmnfail)
Number of times heartbeat was not seen over the links

Pkts rx on non-monitored links (rxnoswmn)
Number of packets received on non-monitored links

Pkts rx with wrong dst mac (rxdstmac)
Number of packets received with wrong destination MAC

Pkts rx not from the peer (rxnode)
Number of packets received not from an HA node

Pkts rx with wrong signature (rxsig)
Number of packets received with wrong signature

Version mismatch (rxver)
Number of packets received with wrong version

Pkts rx with the same seq num (rxseqno)
Number of packets received with the same sequence number

Propagation mem alloc failures (propmemf)
Number of times memory allocation failed during propagation

Propagation timeouts (ptimeout)
Number of times propagation timed out

Master disputes (mastdisp)
Number of HA master disputes

Node DOWN (nodedown)
Number of times a node is detected as DOWN

non-INIT pkts from DOWN node (rxnoinit)
Number of non-INIT packets received from a DOWN node

Port silent (silent)
Number of times heartbeats were not received on a link for the dead interval

Heartbeat rx after dead intvl (heartbeat)
Number of times heartbeats were seen after losing them for the dead interval

Sync failure (syncfail)
Recent sync operation failed

Heartbeats with invalid app id (hbappid)
Number of times an HA heartbeat was seen with invalid app_id

Heartbeats with invalid type (hbtype)
Number of times an HA heartbeat was seen with invalid type

Heartbeats with invalid state (hbstate)
Number of times an HA heartbeat was seen with invalid state

Heartbeat with bad masterstate (hbmasst)
Number of times an HA heartbeat was seen with invalid master state

Heartbeats with bad pkt length (hbpktlen)
Number of times an HA heartbeat was seen with different packet size

Number of peer nodes (nodenum)
Number of peer nodes

Initialization time (inittime)
The time until end of initialization

hw monitor (hwmon)
The NICs that are monitored

sw monitor (swmon)
The NICs that are monitored by heartbeat

Derived incarnation number (derinc)
Derived incarnation based on ioctls received

Peer incarnation number (peerinc)
The peer's incarnation seen from heartbeats

Time left for synchronization (synctime)
The time at which the next sync starts

Hello interval in 10ms (helloint)
HA Hello Interval in 10ms

Dead interval in 10ms (deadint)
HA Dead Interval in 10ms

Related Commands
bind ns node
unbind ns node
add ns node
set ns node
rm ns node
show ns node

show ns stats

Synopsis
show ns stats - alias for 'stat ns'

Description
show ns stats is an alias for stat ns

Related Commands
stat ns

add ns arp

Synopsis
add ns arp -IPAddress <ip_addr> -mac <mac_addr> -ifnum <interface_name>

Description
Use this command to add a static entry to the NetScaler system's ARP table. This ARP entry never times out.

Arguments

IPAddress
The IP address of the server.

mac
The MAC address of the server. Enter the MAC address with the colons (:) as the example shows.

ifnum
The physical interface for the ARP entry. Use the show interface command to view the valid interface names.

Example
add ns arp -ip 10.100.0.48 -mac 00:a0:cc:5f:76:3a -ifnum 1/1

Related Commands
disable ns arp
enable ns arp
rm ns arp
send ns arp
show ns arp

disable ns arp

Synopsis
disable ns arp <IPAddress>

Description
Use this command to configure the NetScaler system so that it does not respond to ARP requests for the specified IP address. This is beneficial in topologies where the IP address is shared across multiple devices - for example, in an authoritative server load balancing (ASLB) configuration.

Arguments

IPAddress
The IP address for which the NetScaler system's ARP response is to be disabled.

Related Commands
add ns arp
enable ns arp
rm ns arp
send ns arp
show ns arp

enable ns arp

Synopsis
enable ns arp <IPAddress>

Description
Use this command to configure the NetScaler system to respond to an ARP request for the specified IP address. This IP address must be an address owned by the NetScaler system.

Arguments

IPAddress
The IP address for which the ARP response is to be enabled.

Related Commands
add ns arp
disable ns arp
rm ns arp
send ns arp
show ns arp

rm ns arp

Synopsis
rm ns arp (<IPAddress> | -all)

Description
Use this command to remove an entry from the NetScaler system's ARP table.

Arguments

IPAddress
The IP address whose entry is to be removed.

all
Use this option to remove all entries from the NetScaler system's ARP table.

Related Commands
add ns arp
disable ns arp
enable ns arp
send ns arp
show ns arp

send ns arp

Synopsis
send ns arp (<IPAddress> | -all)

Description
Use this command to send out an ARP for an IP address or for all IP addresses.

Arguments

IPAddress
The IP address for which the ARP needs to be sent.

all
Use this option to send an ARP out for all NetScaler-owned IP addresses for which ARP is enabled.

Example
send arp 10.10.10.10

Related Commands
add ns arp
disable ns arp
enable ns arp
rm ns arp
show ns arp

show ns arp

Synopsis
show ns arp

Description
Use this command to display all the entries in the NetScaler system's ARP table:
• IP shows the server's IP address.
• MAC shows the server's MAC address.
• Interface shows which NetScaler system interface is being used.
• Origin shows whether the entry is static or dynamic.
• VLAN shows the VLAN to which this IP address belongs.

Arguments

Output

IPAddress
The IP address corresponding to an ARP entry.

mac
The MAC address corresponding to an ARP entry.

ifnum
The interface on which this MAC address resides.

timeout
The time when this entry will time out.

state
The state of this ARP entry.

flags
The flags for this entry.

vlan
The VLAN for this ARP entry.

Example
The output of the sh ns arp command is as follows:
5 configured arps:
     IP             MAC                 Inface   VLAN    Origin
     -------        -------             -------  ------  -------
1)   10.250.11.1    00:04:76:dc:f1:b9   1/2      2       dynamic
2)   10.11.0.254    00:30:19:c1:7e:f4   1/1      1       dynamic
3)   10.11.0.41     00:d0:a8:00:7c:e4   0/1      1       dynamic
4)   10.11.222.2    00:ee:ff:22:00:01   0/1      1       dynamic
5)   10.11.201.12   00:30:48:31:23:49   0/1      1       dynamic

Related Commands
add ns arp
disable ns arp
enable ns arp
rm ns arp
send ns arp

show ns bridgetable

Synopsis
show ns bridgetable

Description
Use this command to display the bridge ageing time and bridging table.

Output

bridgeAge
The bridge ageing time in seconds.

mac
The MAC address of target.

ifnum
The interface on which the address was learnt.

vlan
The VLAN in which this MAC address lies.

Example
show bridgetable

Related Commands
set ns bridgetable

set ns bridgetable

Synopsis
set ns bridgetable [-bridgeAge <positive_integer>]

Description
Use this command to set the ageing time for bridge table entries. Dynamic bridge entries are automatically removed after a specified time, the ageing time, has elapsed since the entry was created or last updated.

Arguments

bridgeAge
The bridge ageing time in seconds.
Default value: 300

Example
set ns bridgetable -bridgeAge 200

Related Commands
show ns bridgetable

save ns config

Synopsis
save ns config

Description
Use this command to save the NetScaler system configuration to the NetScaler system's FLASH. In a high availability setup, the command is sent to the primary NetScaler system. The primary NetScaler system then forwards the command to the secondary NetScaler system. The entire NetScaler system configuration is saved to the ns.conf file located in the /nsconfig directory. Backup configuration files are named ns.conf.n. The most recent backup file has the smallest value for n.

Output

Related Commands
set ns config
unset ns config
show ns config
clear ns config

set ns config

Synopsis
set ns config [-IPAddress <ip_addr> -netmask <netmask>] [-nsvlan <positive_integer> -ifnum <interface_name> ...] [-httpPort <port> ...] [-maxConn <positive_integer>] [-maxReq <positive_integer>] [-cip ( ENABLED | DISABLED ) <cipHeader>] [-cookieversion ( 0 | 1 )] [-pmtuMin <positive_integer>] [-pmtuTimeout <mins>]

Description
Use this command to set the NetScaler system parameters.

Arguments

IPAddress
The IP address of the NetScaler system.

nsvlan
The VLAN (NSVLAN) for the subnet on which the NetScaler IP resides

httpPort
The HTTP ports on the Web server. This allows the NetScaler system to perform connection off-load for any client request that has a destination port matching one of these configured ports.

maxConn
The maximum number of connections that will be made from the NetScaler system to the web server(s) attached to it. The value entered here is applied globally to all attached servers.

maxReq
The maximum number of requests that the NetScaler system can pass on a particular connection between the NetScaler system and a server attached to it. Setting this value to 0 allows an unlimited number of requests to be passed.

cip
Use this option to control (enable or disable) the insertion of the actual client IP address into the HTTP header request passed from the client to one, some, or all servers attached to the NetScaler system. The passed address can then be accessed through a minor modification to the server.
• If cipHeader is specified, it will be used as the client IP header.
• If it is not specified, then the value that has been set by the set ns config CLI command will be used as the client IP header.
Possible values: ENABLED, DISABLED

cipHeader
The text that will be used as the client IP header.

cookieversion
The version of the cookie inserted by the NetScaler system.
Possible values: 0, 1

pmtuMin
The minimum Path MTU.

pmtuTimeout
The timeout value in minutes.

Related Commands
save ns config
unset ns config
show ns config
clear ns config

unset ns config

Synopsis
unset ns config [-nsvlan]

Description
Use this command to unset the NetScaler system parameters.

Arguments

nsvlan
Unset the VLAN (NSVLAN) for the subnet on which the NetScaler IP resides

Related Commands
save ns config
set ns config
show ns config
clear ns config

show ns config

Synopsis
show ns config

Description
Use this command to display the version, build, and feature information of the NetScaler system.
Note: If you want to see the complete configuration parameters that have been set for the NetScaler 9000 system, use the show ns runningconfig CLI command.

Arguments

Output

IPAddress

netmask

mappedIP

range

nsvlan

ifnum

httpPort

maxConn

maxReq

cip

cipHeader

cookieversion

failover

primaryIP

pmtuMin
The minimum Path MTU.

pmtuTimeout
The timeout value in minutes.

flags

Related Commands
save ns config
set ns config
unset ns config
clear ns config

show ns ns.conf

Synopsis
show ns ns.conf

Description
Use this command to display the last saved configuration.

Arguments

Output

Related Commands
save config
show runningconfig

clear ns config

Synopsis
clear ns config [-force] [<level>]

Description

Arguments

force

confirm

level

Related Commands
save ns config
set ns config
unset ns config
show ns config

config ns

Synopsis
config ns

Description
Use this command to display the NetScaler system's configuration menu. By choosing items from the menu and following the instructions on the screen, each of the configuration parameters can be modified. On entering the config CLI command, the following menu is displayed:
Note: The values inside the square brackets indicate the current value of the parameters.

> config ns
NSCONFIG NS6.1.
Reading the NetScaler configuration from the file /etc/ns.conf
REVIEW CONFIGURATION PARAMETERS MENU
------------------------------------
This menu allows you to view and/or modify the NetScaler's configuration. Each configuration parameter displays its current value within brackets if it has been set. To change a value, enter the number that is displayed next to it.
------------------------------------
1. NetScaler's IP address: [10.102.7.101]
2. Netmask: [255.255.255.0]
3. Advanced Network Configuration.
4. Time zone.
5. Cancel all the changes and exit.
6. Apply changes and exit.
Select a menu item from 1 to 6 [6]:
NetScaler is running.
Writing the NetScaler configuration into the file /etc/ns.conf
NetScaler must be rebooted to apply configuration changes.
Do you want to reboot NetScaler now? [NO]:
Done

Notes:
1. The NetScaler 9000 system needs to be rebooted every time an item on this menu is changed and the changes saved.
2. This command only modifies and saves the basic configuration set in the ns.conf file (using the set ns config command). It does not save the running configuration changes applied after the last invocation of the save ns config command. If you have applied changes to your running configuration, then you should save them with the save ns config command before using the config ns command. See the note on the reboot ns command.

Arguments

Related Commands
reboot ns
shutdown

show ns runningconfig

Synopsis
show ns runningconfig

Description
Use this command to print the information pertaining to all the configuration that has been applied to the NetScaler system, including settings that have not yet been saved to the NetScaler system's ns.conf file using the save config command.

Arguments

Related Commands
show ns.conf

add ns acl

Synopsis
add ns acl <aclname> <aclaction> [-established]

Description
Use this command to add an ACL to the NetScaler configuration. Each inbound packet is matched against configured ACLs and the specified action is applied to the packet. The action could be ALLOW, DENY or BRIDGE. This command adds the ACL to the configuration space. To commit this ACL, use the 'apply acls' command.

Arguments

aclname
The alphanumeric name of the ACL.

aclaction
The action associated with the ACL.
Possible values: BRIDGE, DENY, ALLOW

srcIP
The source IP address (range).

srcPort
The source Port (range).

destIP
The destination IP address (range).

destPort
The destination Port (range).

srcMac
The source MAC address.

protocol
The IP protocol name.
Possible values: ICMP, IGMP, TCP, EGP, IGP, ARGUS, UDP, RDP, RSVP, EIGRP, L2TP, ISIS

protocolNumber
The IP protocol number (decimal).

vlan
The VLAN number.

interface
The physical interface.

established
This argument indicates that the ACL should be used for TCP response traffic only.

priority
The priority of the ACL.

state
The state of the ACL.
Possible values: ENABLED, DISABLED
Default value: ENABLED

Example
add ns acl restrict DENY -srcport 45-1024 -destIP 192.168.1.1 -protocol TCP

Related Commands
clear acls
apply acls
rm ns acl
enable ns acl
disable ns acl
set ns acl
show ns acl
stat ns acl

rm ns acl

Synopsis
rm ns acl <aclname> ...

Description
Use this command to remove an ACL. To commit this operation, use the 'apply acls' command.

Arguments

aclname
The name of the ACL to be deleted.

Example
rm ns acl restrict

Related Commands
apply acls
clear acls
add ns acl
enable ns acl
disable ns acl
set ns acl
show ns acl
stat ns acl

enable ns acl

Synopsis
enable ns acl <aclname> ...

Description
Use this command to enable an ACL. To commit this operation, use the 'apply acls' command.

Arguments

aclname
The name of the ACL to be enabled.

Example
enable ns acl foo

Related Commands
apply acls
clear acls
add ns acl
rm ns acl
disable ns acl
set ns acl
show ns acl
stat ns acl

disable ns acl

Synopsis
disable ns acl <aclname> ...

Description
Use this command to disable an ACL. To commit this operation, use the 'apply acls' command.

Arguments

aclname
The name of the ACL to be disabled.

Example
disable ns acl foo

Related Commands
apply acls
clear acls
add ns acl
rm ns acl
enable ns acl
set ns acl
show ns acl
stat ns acl

set ns acl

Synopsis
set ns acl <aclname> [-aclaction <aclaction>] [-srcIP [<operator>] <srcIPVal>] [-srcPort [<operator>] <srcPortVal>] [-destIP [<operator>] <destIPVal>] [-destPort [<operator>] <destPortVal>] [-srcMac <mac_addr>] [-protocol <protocol> | -protocolNumber <positive_integer>] [-vlan <positive_integer>] [-interface <interface_name>] [-priority <positive_integer>] [-state <state>]

Description
Use this command to modify an ACL. To commit this modified ACL, use the 'apply acls' command.

Arguments

aclname
The alphanumeric name of the ACL.

aclaction
The action associated with the ACL.
Possible values: BRIDGE, DENY, ALLOW

srcIP
The source IP address (range).

srcPort
The source Port (range).

destIP
The destination IP address (range).

destPort
The destination Port (range).

srcMac
The source MAC address.

protocol
The IP protocol name.
Possible values: ICMP, IGMP, TCP, EGP, IGP, ARGUS, UDP, RDP, RSVP, EIGRP, L2TP, ISIS

protocolNumber
The IP protocol number (decimal).

vlan
The VLAN number.

interface
The physical interface.

priority
The priority of the ACL.

state
The state of the ACL.
Possible values: ENABLED, DISABLED

Example
set ns acl restrict -srcPort 50

Related Commands
clear acls
apply acls
add ns acl
rm ns acl
enable ns acl
disable ns acl
show ns acl
stat ns acl

show ns acl

Synopsis
show ns acl [<aclname>]

Description
Use this command to list the ACLs. If a name is specified, then only that ACL is shown.

Arguments

aclname
The name of the ACL.

Output

aclaction
The action associated with the ACL.

srcMac
The source MAC address.

protocol
The protocol number in IP header or name

protocolNumber
The protocol number in IP header or name

srcPortVal
The source Port (range).

destPortVal
The destination Port (range).

srcIPVal
The source IP address (range).

destIPVal
The destination IP address (range).

vlan
The VLAN number.

state
The state of the ACL.

kernelstate
The commit status of the ACL

interface
The physical interface.

hits
The hits of this ACL.

established
This flag indicates that the ACL should be used for TCP response traffic only.

priority
The priority of the ACL.

Example
sh acl foo
Name: foo
Action: ALLOW                  Hits: 0
srcIP = 10.102.1.150
destIP = 202.54.12.47
srcMac:                        Protocol: TCP
srcPort                        destPort = 110
Vlan:                          Interface:
Active Status: ENABLED         Applied Status: NOTAPPLIED
Priority: 1027

Related Commands
add ns acl
rm ns acl
enable ns acl
disable ns acl
set ns acl
stat ns acl

clear ns acls

Synopsis
clear ns acls

Description
Use this command to clear all configured ACLs. This operation does not require an explicit apply.

Example
clear ns acls

Related Commands
add ns acl
rm ns acl
apply ns acls

apply ns acls

Synopsis
apply ns acls

Description
Use this command to commit the ACL in the configuration space to the NetScaler system. This is required after you add ACLs or modify the ACLs.

Example
apply ns acls

Related Commands
add ns acl
rm ns acl
set ns acl
enable ns acl
disable ns acl
clear ns acls
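
The ACL commands above work in two steps: an ACL is added or changed in the configuration space and only takes effect once apply ns acls commits it, and show ns acl reports this as Applied Status. The following Python script is an added example, not part of the Citrix guide: it parses show ns acl records and lists the ACLs that are still NOTAPPLIED, DENY rules first. Only the foo record comes from this page; the other records and the value APPLIED are constructed assumptions.

```python
import re

# Constructed sample. The first record reproduces the 'sh acl foo' example from
# this page; the other two records and the value "APPLIED" are assumptions.
SAMPLE_OUTPUT = """\
Name: foo
Action: ALLOW                  Hits: 0
srcIP = 10.102.1.150
destIP = 202.54.12.47
srcMac:                        Protocol: TCP
srcPort                        destPort = 110
Vlan:                          Interface:
Active Status: ENABLED         Applied Status: NOTAPPLIED
Priority: 1027
Name: restrict
Action: DENY                   Hits: 12
destIP = 192.168.1.1
srcMac:                        Protocol: TCP
srcPort = 45-1024              destPort
Vlan:                          Interface:
Active Status: ENABLED         Applied Status: APPLIED
Priority: 1028
Name: blocktelnet
Action: DENY                   Hits: 0
destIP = 192.168.1.1
srcMac:                        Protocol: TCP
srcPort                        destPort = 23
Vlan:                          Interface:
Active Status: ENABLED         Applied Status: NOTAPPLIED
Priority: 1029
"""

# Fields are located by label, not by line or column, so the parser also copes
# with output whose line breaks were lost (for example when pasted into a ticket).
FIELD_PATTERNS = {
    "action": r"\bAction:\s*(\S+)",
    "hits": r"\bHits:\s*(\d+)",
    "active": r"\bActive Status:\s*(\S+)",
    "applied": r"\bApplied Status:\s*(\S+)",
    "priority": r"\bPriority:\s*(\d+)",
}


def parse_show_acl(text):
    """Split the text at each 'Name:' label and extract the labelled fields."""
    starts = [m.start() for m in re.finditer(r"\bName:\s*\S", text)]
    records = []
    for begin, end in zip(starts, starts[1:] + [len(text)]):
        chunk = text[begin:end]
        record = {"name": re.match(r"Name:\s*(\S+)", chunk).group(1)}
        for key, pattern in FIELD_PATTERNS.items():
            found = re.search(pattern, chunk)
            record[key] = found.group(1) if found else None
        records.append(record)
    return records


def pending_acls(records):
    """Return ACLs that exist only in the configuration space, DENY rules first."""
    pending = [r for r in records if r["applied"] == "NOTAPPLIED"]
    return sorted(pending, key=lambda r: (r["action"] != "DENY", r["name"]))


if __name__ == "__main__":
    for acl in pending_acls(parse_show_acl(SAMPLE_OUTPUT)):
        print("{name}: action {action}, state {active}, not committed "
              "(priority {priority})".format(**acl))
```

A DENY rule in this list has not been committed to the system, so it is worth checking after every add, set, enable or disable of an ACL.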

stat ns acl

Synopsis
stat ns acl [-detail] [-fullValues] [-ntimes <positive_integer>] [-logFile <input_filename>]

Description
This command displays the ACL statistics

Counters

Bridge ACL hits (ACLBdg)
Total packets that matched an ACL with action BRIDGE and got bridged by NetScaler.

Deny ACL hits (ACLDeny)
Total packets that matched an ACL with action DENY and got dropped by NetScaler.

Allow ACL hits (ACLAllow)
Total packets that matched an ACL with action ALLOW and got consumed by NetScaler.

NAT ACL hits (ACLNAT)
Total packets that matched an ACL with action ALLOW NAT and got consumed by NetScaler.

ACL hits (ACLHits)
Total packets that matched any ACL

ACL misses (ACLMiss)
Total packets that did not match any ACL

Example
stat acl

Related Commands
add ns acl
rm ns acl
enable ns acl
disable ns acl
set ns acl
show ns acl

force ns failover

Synopsis
force ns failover

Description
Use this command to trigger a failover.

Related Commands

force ns sync

Synopsis
force ns sync

Description
Use this command to force the configuration to be synchronized between the HA pair.

Related Commands

disable ns feature

Synopsis
disable ns feature [<feature> ...]

Description
Use this command to disable a specified feature or features.

Arguments

feature
The name of the feature to be disabled. To disable features enter one or more of the following:
• CF|ContentFiltering - Disables content filtering.
• CMP|CMPcntl - Disables compression.
• CR|CacheRedirection - Disables cache redirection.
• CS|ContentSwitching - Disables content switching.
• HDOSP | HttpDosProtection - Disables HTTP DoS Protection.
• GSLB| - Disables global server load balancing.
• LB|LoadBalancing - Disables load balancing.
• PQ|PriorityQueing - Disables priority queuing.
• SC|SureConnect - Disables SureConnect.
• SP|SurgeProtection - Disables surge protection.
• SSL|SSLOffload - Disables SSL off load.
• WL|WebLogging - Disables web server logging.
• IC|IntegratedCaching - Disables integrated caching.
• SSLVPN - Disables SSL VPN.
• routing - Disables dynamic routing.

Output

reqFeature

Related Commands
disable ns mode
enable ns feature
show ns feature

enable ns feature

Synopsis
enable ns feature [<feature> ...]

Description
Use this command to enable a specific feature.

Arguments

feature
The feature to be enabled. Use the following values to enable corresponding features:
• CF or ContentFiltering - Enables content filtering.
• CMP or CMPcntl - Enables compression.
• CR or CacheRedirection - Enables cache redirection.
• CS or ContentSwitching - Enables content switching.
• DOSP or DoSProtection - Enables DoS protection.
• GSLB - Enables global server load balancing.
• LB or LoadBalancing - Enables load balancing.
• PQ or PriorityQueing - Enables priority queuing.
• SC or SureConnect - Enables SureConnect.
• SP or SurgeProtection - Enables surge protection.
• SSL or SSLOffload - Enables SSL offload.
• WL or WebLogging - Enables web server logging.
• IC or IntegratedCaching - Enables Integrated Caching.
• SSLVPN - Enables SSL VPN.
• routing - Enables the dynamic routing.

Output

reqFeature

Example
enable ns feature sc
This CLI command enables the SureConnect feature.

Related Commands
disable ns feature
show ns feature

show ns feature

Synopsis
show ns feature

Description
Use this command to display the current status of NetScaler features.

Arguments

Output

feature

reqFeature

Related Commands
disable ns feature
enable ns feature

show ns info

Synopsis
show ns info

Description
Use this command to display the most relevant information about a NetScaler system, including:
• Software version
• Features that are enabled and disabled
• Modes that are enabled and disabled
• Whether the NetScaler 9000 system is acting as a normal or master node
• The NetScaler 9000 system IP address and mapped IP

Example
An example of this command's output is shown below:
NetScaler 9000 system Rainier: Build 24, Date: Apr 25 2002, 21:13:25
NetScaler 9000 system IP: 10.101.4.22 (mask: 255.255.0.0)
Mapped IP: 10.101.4.23
Node: Standalone
HTTP port(s): (none)
Max connections: 0
Max requests per connection: 0
Client IP insertion enabled: NO
Cookie version: 0
Feature status:
Web Logging: ON
Surge Protection: ON
Load Balancing: ON
Content Switching: ON
Cache Redirection: ON
Sure Connect: ON
Compression Control: OFF
Priority Queuing: ON
SSL Offloading: ON
Global Server Load Balancing: ON
HTTP DoS Protection: OFF
N+1: OFF
Dynamic Routing: OFF
Content Filtering: ON
Internal Caching: ON
SSL VPN: OFF
Mode status:
Fast Ramp: ON
Layer 2 mode: ON
Use Source IP: OFF
Client Keep-alive: ON
TCP Buffering: OFF
MAC-based forwarding: ON
Edge configuration: OFF
Use Subnet IP: OFF
Layer 3 mode (ip forwarding): ON

Related Commands

add ns ip

Synopsis
add ns ip <IPAddress>@ <netmask> [-type <type>]

Description
Use this command to add an IP address.

Arguments

IPAddress
The IP address of the entity.

netmask
The netmask of the IP.

type
The type of the IP address.
Possible values: SNIP, VIP, MIP
Default value: SNIP

arp
Use this option to set (enable or disable) ARP and gratuitous ARP for the entity.
Possible values: ENABLED, DISABLED
Default value: ENABLED

icmp
Use this option to set (enable or disable) ICMP responses for the entity.
Possible values: ENABLED, DISABLED
Default value: ENABLED

vServer
Use this option to set (enable or disable) the vserver attribute for this IP entity.
Possible values: ENABLED, DISABLED
Default value: ENABLED

telnet
Use this option to set (enable or disable) the state of telnet access to this IP entity.
Possible values: ENABLED, DISABLED
Default value: ENABLED

ftp
Use this option to set (enable or disable) the state of ftp access to this IP entity.
Possible values: ENABLED, DISABLED
Default value: ENABLED

gui
Use this option to set (enable or disable) GUI access to this IP entity.
Possible values: ENABLED, DISABLED
Default value: ENABLED

ssh
Use this option to set (enable or disable) the state of SSH access to this IP entity.
Possible values: ENABLED, DISABLED
Default value: ENABLED

snmp
Use this option to set (enable or disable) the state of SNMP access to this IP entity.
Possible values: ENABLED, DISABLED
Default value: ENABLED

mgmtAccess
Use this option to set (enable or disable) the state of management access to this IP entity.
Possible values: ENABLED, DISABLED
Default value: DISABLED

hostroute
Use this option to control (enable or disable) the advertisement of a hostroute to this IP entity.
Possible values: ENABLED, DISABLED
Default value: DISABLED

ospf
Use this option to enable or disable OSPF on this IP address for the entity.
Possible values: ENABLED, DISABLED
Default value: DISABLED

bgp
Use this option to enable or disable BGP on this IP address for the entity.
Possible values: ENABLED, DISABLED
Default value: DISABLED

rip
Use this option to enable or disable RIP on this IP address for the entity.
Possible values: ENABLED, DISABLED
Default value: DISABLED

hostrtgw
Use this option to set the gateway for the hostroute to be advertised for this IP entity.

vserverRHILevel
Use this option to set the per-VIP RHI controls.
Possible values: ONE_VSERVER, ALL_VSERVERS, NONE
Default value: ONE_VSERVER

Command Reference Guide 17-73

Page 558: Citrix NetScaler Application Switch

add ns ip

ospfLSATypeUse this option to choose whether OSPF should advertise this route as Type1 or Type5. Possible values: TYPE1, TYPE5 Default value: TYPE5

Exampleadd ns ip 10.102.4.123 255.255.255.0

Related Commandsshow ns ipset ns ipenable ns ipdisable ns iprm ns ip

17-74 Command Reference Guide

Page 559: Citrix NetScaler Application Switch

show ns ip

Synopsis
show ns ip [<IPAddress>]

Description
Use this command to display all the IP addresses such as VIP, MIP, NSIP, and SNIP.

Arguments

IPAddress
The IP address of the entity.

Output

IPAddress
The IP address of this entity.

netmask
The netmask of this IP.

type
The type of this IP.

arp
Whether arp is enabled or disabled.

icmp
Whether icmp is enabled or disabled.

vServer
Whether vserver is enabled or disabled.

telnet
Whether telnet is enabled or disabled.

ssh
Whether ssh is enabled or disabled.

gui
Whether gui is enabled or disabled.

snmp
Whether snmp is enabled or disabled.

ftp
Whether ftp is enabled or disabled.

mgmtAccess
Whether management access is enabled or disabled.

bgp
Whether bgp is enabled or disabled.

ospf
Whether ospf is enabled or disabled.

rip
Whether rip is enabled or disabled.

hostroute
Whether host route is enabled or disabled.

hostrtgw
Gateway used for advertising host route.

vserverRHILevel
The rhi level for this IP.

ospfLSAType
The ospf lsa type to use while advertising this IP.

Example
show ns ip
     Ipaddress      Type          Mode     Arp      Icmp     Vserver  State
     ---------      ----          ----     ---      ----     -------  -----
1)   10.102.4.123   NetScaler IP  Active   Enabled  Enabled  NA       Enabled
2)   10.102.4.237   MIP           Passive  Enabled  Enabled  NA       Enabled
3)   10.102.1.131   VIP           Passive  Enabled  Enabled  Enabled  Enabled

Related Commands
add ns ip, set ns ip, enable ns ip, disable ns ip, rm ns ip

set ns ip

Synopsis
set ns ip <IPAddress>@ [-arp ( ENABLED | DISABLED )] [-icmp ( ENABLED | DISABLED )]
    [-vServer ( ENABLED | DISABLED )] [-telnet ( ENABLED | DISABLED )]
    [-ftp ( ENABLED | DISABLED )] [-gui ( ENABLED | DISABLED )]
    [-ssh ( ENABLED | DISABLED )] [-snmp ( ENABLED | DISABLED )]
    [-mgmtAccess ( ENABLED | DISABLED )] [-ospf ( ENABLED | DISABLED )]
    [-bgp ( ENABLED | DISABLED )] [-rip ( ENABLED | DISABLED )]
    [-hostroute ( ENABLED | DISABLED )] [-hostrtgw <ip_addr>]
    [-vserverRHILevel <vserverRHILevel>] [-ospfLSAType ( TYPE1 | TYPE5 )]

Description
Use this command to set the attributes of an IP entity.

Arguments

IPAddress
The IP address of the entity.

arp
Use this option to set (enable or disable) ARP and gratuitous ARP for the entity.
Possible values: ENABLED, DISABLED

icmp
Use this option to set (enable or disable) ICMP responses for the entity.
Possible values: ENABLED, DISABLED

vServer
Use this option to set (enable or disable) the vserver attribute for this IP entity.
Possible values: ENABLED, DISABLED

telnet
Use this option to set (enable or disable) the state of telnet access to this IP entity.
Possible values: ENABLED, DISABLED

ftp
Use this option to set (enable or disable) the state of ftp access to this IP entity.
Possible values: ENABLED, DISABLED

gui
Use this option to set (enable or disable) GUI access to this IP entity.
Possible values: ENABLED, DISABLED

ssh
Use this option to set (enable or disable) the state of SSH access to this IP entity.
Possible values: ENABLED, DISABLED

snmp
Use this option to set (enable or disable) the state of SNMP access to this IP entity.
Possible values: ENABLED, DISABLED

mgmtAccess
Use this option to set (enable or disable) the state of management access to this IP entity.
Possible values: ENABLED, DISABLED

ospf
Use this option to enable or disable OSPF on this IP address for the entity.
Possible values: ENABLED, DISABLED
Default value: DISABLED

bgp
Use this option to enable or disable BGP on this IP address for the entity.
Possible values: ENABLED, DISABLED
Default value: DISABLED

rip
Use this option to enable or disable RIP on this IP address for the entity.
Possible values: ENABLED, DISABLED
Default value: DISABLED

hostroute
Use this option to control (enable or disable) the advertisement of a hostroute to this IP entity.
Possible values: ENABLED, DISABLED

hostrtgw
Use this option to set the gateway for the hostroute to be advertised for this IP entity.

vserverRHILevel
Use this option to set the per VIP RHI controls.
Possible values: ONE_VSERVER, ALL_VSERVERS, NONE
Default value: ONE_VSERVER

ospfLSAType
Use this option to choose whether OSPF should advertise this route as Type1 or Type5.
Possible values: TYPE1, TYPE5
Default value: TYPE5

Example
set ns ip 10.102.4.123 -arp ENABLED

Related Commands
add ns ip, show ns ip, enable ns ip, disable ns ip, rm ns ip
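Added example (not part of the Citrix guide): because add ns ip lists telnet and ftp as ENABLED by default, an address created without overrides carries both flags. The Python sketch below replays add/set/rm ns ip lines from a saved configuration, applies the defaults listed for add ns ip, and reports addresses where the telnet or ftp flag is still ENABLED. The sample configuration is constructed, and the guide does not say how mgmtAccess interacts with the per-service flags, so the audit reports both rather than assuming one gates the other.

```python
import shlex

# Defaults for `add ns ip` options, as listed in the argument descriptions above.
ADD_DEFAULTS = {
    "arp": "ENABLED", "icmp": "ENABLED", "vserver": "ENABLED",
    "telnet": "ENABLED", "ftp": "ENABLED", "gui": "ENABLED",
    "ssh": "ENABLED", "snmp": "ENABLED", "mgmtaccess": "DISABLED",
}
# Telnet and FTP send credentials unencrypted, so these are the flags audited.
CLEARTEXT_SERVICES = ("telnet", "ftp")

# Constructed sample configuration (not taken from the guide).
SAMPLE_CONFIG = """
# constructed sample
add ns ip 10.102.4.237 255.255.255.0
add ns ip 10.102.1.131 255.255.255.0 -telnet DISABLED -ftp DISABLED
add ns ip 10.102.4.50 255.255.255.0 -telnet ENABLED
set ns ip 10.102.4.237 -mgmtAccess ENABLED -ftp DISABLED
add ns ip 10.10.10.10 255.255.255.0
rm ns ip 10.10.10.10
"""


def _options(tokens):
    """Turn ['-telnet', 'DISABLED', ...] into {'telnet': 'DISABLED', ...}."""
    opts = {}
    i = 0
    while i < len(tokens):
        if tokens[i].startswith("-") and i + 1 < len(tokens):
            opts[tokens[i][1:].lower()] = tokens[i + 1].upper()
            i += 2
        else:
            i += 1
    return opts


def effective_settings(config_text):
    """Replay add/set/rm ns ip lines and return the resulting state per IP."""
    state = {}
    for raw in config_text.splitlines():
        tokens = shlex.split(raw, comments=True)
        if len(tokens) < 4 or [t.lower() for t in tokens[1:3]] != ["ns", "ip"]:
            continue
        verb, ip = tokens[0].lower(), tokens[3]
        if verb == "add":
            opts = _options(tokens[5:])  # tokens[4] is the netmask
            state[ip] = {"values": {**ADD_DEFAULTS, **opts}, "explicit": set(opts)}
        elif verb == "set" and ip in state:
            # Addresses never added in this text are skipped: their starting
            # values are unknown.
            opts = _options(tokens[4:])
            state[ip]["values"].update(opts)
            state[ip]["explicit"].update(opts)
        elif verb == "rm":
            state.pop(ip, None)
    return state


def audit(config_text):
    """List every IP whose telnet or ftp flag ends up ENABLED."""
    findings = []
    for ip, entry in sorted(effective_settings(config_text).items()):
        for svc in CLEARTEXT_SERVICES:
            if entry["values"].get(svc) == "ENABLED":
                findings.append({
                    "ip": ip,
                    "service": svc,
                    # "default" means nobody chose this; it was inherited.
                    "source": "explicit" if svc in entry["explicit"] else "default",
                    "mgmtAccess": entry["values"]["mgmtaccess"],
                })
    return findings


def remediation(findings):
    """One `set ns ip` command per address, in the synopsis form shown above."""
    by_ip = {}
    for f in findings:
        by_ip.setdefault(f["ip"], []).append(f["service"])
    return ["set ns ip %s %s" % (ip, " ".join("-%s DISABLED" % s for s in svcs))
            for ip, svcs in by_ip.items()]


if __name__ == "__main__":
    results = audit(SAMPLE_CONFIG)
    for finding in results:
        print(finding)
    for command in remediation(results):
        print(command)
```

Findings with source "default" are the ones most often missed in review, because the flag never appears in the saved configuration.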

enable ns ip

Synopsis
enable ns ip <IPAddress>@

Description
Use this command to enable an IP entity.

Arguments

IPAddress
The IP address of the entity.

Example
enable ns ip 10.10.10.10

Related Commands
add ns ip, show ns ip, set ns ip, disable ns ip, rm ns ip

disable ns ip

Synopsis
disable ns ip <IPAddress>@

Description
Use this command to disable an IP entity.

Arguments

IPAddress
The IP address of the entity.

Example
disable ns ip 10.10.10.10

Related Commands
add ns ip, show ns ip, set ns ip, enable ns ip, rm ns ip

rm ns ip

Synopsis
rm ns ip <IPAddress>@

Description
Use this command to remove an IP entity.

Arguments

IPAddress
The IP address of the entity.

Example
rm ns ip 10.102.4.123

Related Commands
add ns ip, show ns ip, set ns ip, enable ns ip, disable ns ip

disable ns mode

Synopsis
disable ns mode [<Mode> ...]

Description
Use this command to disable the specified feature or features.

Arguments

Mode
The feature to be disabled. The features are summarized as follows:
• FR | FastRamp - Disables Fast Ramp. This mode is enabled by default.
• L2 | Layer 2 mode - Disables the layer 2 mode. This mode is enabled by default.
• L3 | Layer 3 mode - Disables the layer 3 mode. This mode is disabled by default.
• USIP | UseSourceIP - Disables the use source IP mode. This mode is disabled for the HTTP protocol and enabled for non-HTTP protocols by default.
• CKA | Client Keep Alive - Disables the client keep alive mode. This mode is enabled by default.
• TCPB | TCPBuffering - Disables the TCP buffering mode.
• MBF | MAC Based Forwarding - Disables MAC based forwarding. This mode is enabled by default.
• edge - Disables the edge mode configuration.
• USNIP - Disables the use SNIP mode.

Output

swReqFeature

Example
This example shows the command to disable the NetScaler 9000 system's client keep-alive feature:
disable ns mode CKA

Related Commands
enable ns mode, show ns mode

enable ns mode

Synopsis
enable ns mode [<Mode> ...]

Description
Use this command to enable a specified mode.

Arguments

Mode
The name of the mode to be enabled. Enter one or more of the following mode names:
• FR | FastRamp - Enables the Fast Ramp. This mode is enabled by default.
• L2 | l2mode - Enables the layer 2 mode. This mode is enabled by default.
• L3 | l3mode - Enables the layer 3 mode. This mode is disabled by default.
• USIP | UseSourceIP - Enables the use source IP mode. This mode is disabled for the HTTP protocol and enabled for non-HTTP protocols by default.
• CKA | Client Keep Alive - Enables the client keep alive mode. This mode is enabled by default.
• TCPB | TCPBuffering - Enables the TCP buffering mode. This mode is disabled by default.
• MBF | MAC Based Forwarding - Enables MAC based forwarding. This mode is enabled by default.
• edge - Enables the edge mode configuration.
• USNIP - Enables the use SNIP mode.

Output

swReqFeature

Example
This CLI command enables the NetScaler 9000 system's client keep-alive feature:
enable ns mode CKA

Related Commands
disable ns mode, show ns mode

show ns mode

Synopsis
show ns mode

Description
Use this command to display the state of Fast Ramp, Layer 2, USIP, client keep-alive, TCP buffering, and MAC-based forwarding features.

Arguments

Output

Mode

Related Commands
disable ns mode, enable ns mode

add ns fis

Synopsis
add ns fis <name>

Description
This command creates an FIS. Each FIS is identified by a name (string, max 31 letters). The FIS created is empty (without members).

Arguments

name
The name of the FIS. This name must not exceed 31 characters.

Related Commands
bind ns fis, unbind ns fis, rm ns fis, show ns fis

bind ns fis

Synopsis
bind ns fis <name> <ifnum> ...

Description
This command binds interfaces to an FIS. Adding an interface to an FIS deletes it from CIs and adds it to the new FIS.

Arguments

name
The name of the FIS. This name must not exceed 31 characters.

ifnum
Specifies the interface name represented in the <slot/port> notation. For example 1/1. Use the show interface CLI command to view the NetScaler 9000 system interfaces.

Related Commands
add ns fis, unbind ns fis, rm ns fis, show ns fis

unbind ns fis

Synopsis
unbind ns fis <name> <ifnum> ...

Description
This command unbinds the specified interface from the FIS. The interface unbound becomes a CI.

Arguments

name
The name of the FIS. This name must not exceed 31 characters.

ifnum
Specifies the interface name represented in the <slot/port> notation. For example 1/1. Use the show interface CLI command to view the NetScaler 9000 system interfaces.

Related Commands
add ns fis, bind ns fis, rm ns fis, show ns fis

rm ns fis

Synopsis
rm ns fis <name>

Description
Removes the FIS created by the add fis command. Once the FIS is removed, its interfaces become CIs.

Arguments

name
The name of the FIS. This name must not exceed 31 characters.

Related Commands
add ns fis, bind ns fis, unbind ns fis, show ns fis

show ns fis

Synopsis
show ns fis [<name>]

Description
This command displays the configured FISs.

Arguments

name
The name of the FIS.

Output

name
The name of the FIS.

ifaces
Interfaces bound to the FIS.

Example
>show ns fis
1) FIS: fis1
   Member Interfaces : 1/1
Done

Related Commands
add ns fis, bind ns fis, unbind ns fis, rm ns fis

show ns ci

Synopsis
show ns ci

Description
This command displays the CIs.

Output

ifaces
Interfaces that are critical.

Example
>show ns ci
Critical Interfaces: LO/1 1/2

Related Commands

bind ns node

Synopsis
bind ns node -routeMonitor <ip_addr|*> <netmask>

Description
Use this command to monitor the presence of a route in the FIB.

Arguments

routeMonitor
The network.

netmask
The netmask.

Related Commands
stat ns node, unbind ns node, add ns node, set ns node, rm ns node, show ns node

unbind ns node

Synopsis
unbind ns node -routeMonitor <ip_addr|*> <netmask>

Description
Use this command to unbind a route monitor from the node.

Arguments

routeMonitor
The network.

netmask
The netmask.

Related Commands
stat ns node, bind ns node, add ns node, set ns node, rm ns node, show ns node

add ns node

Synopsis
add ns node <id> <IPAddress> [-inc ( ENABLED | DISABLED )]

Description
Use this command to add the IP address of the other NetScaler system in the high availability configuration. The IP addresses of both NetScaler systems must belong to the same subnet.

Arguments

id
The unique number that identifies the node. The value of this parameter can range from 1 to 64.

IPAddress
The IP address of the node to be added. This should be in the same subnet as NSIP.

inc
Use this option to set (enable or disable) the INC mode.
Possible values: ENABLED, DISABLED
Default value: DISABLED

Related Commands
stat ns node, bind ns node, unbind ns node, set ns node, rm ns node, show ns node

set ns node

Synopsis
set ns node [-hastatus <hastatus>] [-hasync ( ENABLED | DISABLED )] [-helloInterval <msecs>] [-deadInterval <secs>]

Description
Use this command to set the HA status of the current node and configure synchronization.

Arguments

hastatus
The HA status of the node. The valid values are ENABLED and DISABLED. The HA status STAYSECONDARY is used to force the secondary device to stay secondary independent of the state of the Primary device. For example, in an existing HA setup, the Primary node has to be upgraded and this process would take a few seconds. During the upgrade, the Primary node may suffer downtime for a few seconds. However, the Secondary should not take over as the Primary node. Thus, the Secondary node should remain Secondary even if there is a failure in the Primary node.
Possible values: ENABLED, STAYSECONDARY, DISABLED

hasync
The state of synchronization. The valid values are Enabled and Disabled.
Possible values: ENABLED, DISABLED
Default value: ENABLED

helloInterval
The Hello Interval in milliseconds.
Default value: 200

deadInterval
The Dead Interval in seconds.
Default value: 3

Related Commands
stat ns node, bind ns node, unbind ns node, add ns node, rm ns node, show ns node

rm ns node

Synopsis
rm ns node <id>

Description
Use this command to remove a node.

Arguments

id
The unique number that identifies the node. The value can range from 1 to 64.

Related Commands
stat ns node, bind ns node, unbind ns node, add ns node, set ns node, show ns node

show ns node

Synopsis
show ns node

Description
Use this command to display all nodes. It also displays the number of additional nodes, ID, IP address, and the state of all nodes.

Arguments

Output

id

name

IPAddress

flags

hastatus

hasync

enaifaces

disifaces

hamonifaces

pfifaces

ifaces

network
The network.

netmask
The netmask.

inc
INC state.

helloInterval
Hello Interval.

deadInterval
Dead Interval.

Example
An example of the command's output is as follows:
2 configured nodes:
1) Node ID: 0 IP: 192.168.100.5 Primary node
2) Node ID: 2 IP: 192.168.100.112 Secondary node

Related Commands
stat ns node, bind ns node, unbind ns node, add ns node, set ns node, rm ns node

show ns license

Synopsis
show ns license

Description
Use this command to display information about the current NetScaler license.

Arguments

Output

keyfeature

Related Commands

show ns rnat

Synopsis
show ns rnat

Description
Use this command to display the Reverse NAT configuration.

Arguments

Output

network

netmask
The netmask of the network.

natip

aclname
The acl name.

redirectPort
The redirect port.

Related Commands
set ns rnat, clear ns rnat

set ns rnat

Synopsis
set ns rnat ((<network> [<netmask>]) | (<aclname> [-redirectPort <port>])) [-natip <ip_addr> ...]

Description
Use this command to configure Reverse NAT on the NetScaler system.

Arguments

network
The network or subnet from which the traffic is flowing.

netmask
The netmask of the network.

aclname
The acl name.

redirectPort
The redirect port.

natip
The NAT IP(s) assigned to a source IP or NetScaler IP.

Related Commands
show ns rnat, clear ns rnat

clear ns rnat

Synopsis
clear ns rnat ((<network> [<netmask>]) | (<aclname> [-redirectPort])) [-natip <ip_addr> ...]

Description
Use this command to clear the Reverse NAT configuration.

Arguments

network
The network or subnet from which the traffic is flowing.

netmask
The netmask of the network.

aclname
The acl name.

redirectPort
The redirect port.

natip
The NAT IP(s) assigned to a source IP or NetScaler IP.

Related Commands
show ns rnat, set ns rnat

add ns route

Synopsis
add ns route <network> <netmask> <gateway> [<cost>] [-advertise ( DISABLED | ENABLED )] [-protocol <protocol> ...]

Description
Use this command to add a static route to the forwarding table.

Arguments

network
The destination network.

netmask
The netmask of the destination network.

gateway
The gateway for this route.

cost
Cost of the Route.
Default value: 65535

advertise
Use this option to control (enable or disable) the advertisement of this route.
Possible values: DISABLED, ENABLED

protocol
Use this option to choose the routing protocols for advertisement of this route.

Example
add ns route 10.10.10.0 255.255.255.0 10.10.10.1

Related Commands
show ns arp, rm ns arp, set ns route, unset ns route, clear ns route, rm ns route, show ns route

set ns route

Synopsis
set ns route <network> <netmask> <gateway> [<cost>] [-advertise ( DISABLED | ENABLED ) | -protocol <protocol> ...]

Description
Use this command to set the attributes of a route that was added via the add ns route command.

Arguments

network
The destination network for the route.

netmask
The netmask for this destination network.

gateway
The gateway for the destination network of the route.

cost
Cost of the Route.
Default value: 65535

advertise
Use this option to control (enable or disable) the advertisement of this route.
Possible values: DISABLED, ENABLED

protocol
Use this option to choose the routing protocols for advertisement of this route.

Example
set ns route 10.10.10.0 255.255.255.0 10.10.10.1 -advertise enable

Related Commands
add ns route, unset ns route, clear ns route, rm ns route, show ns route

unset ns route

Synopsis
unset ns route <network> <netmask> <gateway> [-advertise ( DISABLED | ENABLED ) | -protocol <protocol> ...]

Description
Use this command to unset the attributes of a route that were added via the add/set ns route command.

Arguments

network
The destination network for the route.

netmask
The netmask for this destination network.

gateway
The gateway for the destination network of the route.

advertise
Use this option to control (enable or disable) the advertisement of this route.
Possible values: DISABLED, ENABLED

protocol
Use this option to choose the routing protocols for advertisement of this route.

Example
unset ns route 10.10.10.0 255.255.255.0 10.10.10.1 -advertise enable

Related Commands
add ns route, set ns route, clear ns route, rm ns route, show ns route

clear ns route

Synopsis
clear ns route <type>

Description
Use this command to clear the Routes.

Arguments

type
The type of routes to be cleared.

Related Commands
add ns route, set ns route, unset ns route, rm ns route, show ns route

rm ns route

Synopsis
rm ns route <network> <netmask> <gateway>

Description
Use this command to remove a configured static route from the NetScaler system. Routes added via VLAN configuration cannot be deleted using this command. Use the rm vlan or clear vlan command instead.

Arguments

network
The network of the route to be removed.

netmask
The netmask of the route to be removed.

gateway
The gateway address of the route to be removed.

Related Commands
clear vlan, add ns route, set ns route, unset ns route, clear ns route, show ns route

show ns route

Synopsis
show ns route [<network> <netmask> [<gateway>]] [<type>] [-detail]

Description
Use this command to display the configured routing information.

Arguments

network
The destination network or host.

type
The type of routes to be shown.

detail
To get a detailed view.

Output

network
The destination network or host.

netmask
The netmask of the destination network.

gateway
The gateway for this route.

gatewayname
The name of the gateway for this route.

advertise
Whether advertisement is enabled or disabled.

rnat
Whether rnat is enabled or disabled.

private
Whether this route is marked as private.

dynamic
Whether this route is dynamically learnt or not.

cost
Cost of this route.

flags
If this route is dynamic, the routing protocol it was learnt from.

Example
An example of the output of the show route command is as follows:
3 configured routes:
     Network      Netmask        Gateway/OwnedIP  Type
     -------      -------        ---------------  ----
1)   0.0.0.0      0.0.0.0        10.11.0.254      STATIC
2)   127.0.0.0    255.0.0.0      127.0.0.1        PERMANENT
3)   10.251.0.0   255.255.0.0    10.251.0.254     NAT

Related Commands
add ns route, set ns route, unset ns route, clear ns route, rm ns route

set ns spparams

Synopsis
set ns spparams [-baseThreshold <integer>] [-throttle <throttle>]

Description
Use this command to set the base threshold and/or the throttle rate for surge protection.

Arguments

baseThreshold
The base threshold. This is the maximum number of server connections that can be opened before surge protection is activated. The maximum value is 32,767.

throttle
The throttle rate, which is the rate at which the NetScaler system opens connections to the server. The different names of throttle are the keywords: relaxed, normal, and aggressive.
Possible values: Aggressive, Normal, Relaxed

Example
set ns spparams -baseThreshold 1000 -throttle aggressive
set ns spparams -throttle relaxed

Related Commands
show ns spparams

show ns spparams

Synopsis
show ns spparams

Description
Use this command to display the surge protection configuration on the NetScaler system. This includes the base threshold value and throttle value. These values are set using the set ns spparams command.

Arguments

Output

baseThreshold
The base threshold. This is the maximum number of server connections that can be open before surge protection is activated. The maximum value that you can enter for this argument is 32,767.

throttle
The throttle rate, which is the rate at which the NetScaler system opens connections to the server. The different names of throttle are the keywords: relaxed, normal, and aggressive.

Example
> show ns spparams
Surge Protection parameters:
BaseThreshold: 200
Throttle: Normal
Done

Related Commands
set ns spparams

set ns tcpbufparam

Synopsis
set ns tcpbufparam [-size <KBytes>] [-memLimit <MBytes>]

Description
Use this command to display the current TCP buffer size. The command also displays the percentage of the system memory that is used for buffering.

Arguments

size
The size (in KBytes) of the TCP buffer per connection. The default size is 64k bytes, the minimum is 4k bytes, and the maximum is 20 MB.

memLimit
The maximum memory that can be used for buffering, in megabytes.

Related Commands
show ns tcpbufparam

show ns tcpbufparam

Synopsis
show ns tcpbufparam

Description
Use this command to display the current TCP buffer size. The command also displays the percentage of the system memory that is used for buffering.

Arguments

Output

size

memLimit

Example
An example of this command's output is as follows:
TCP buffer size: 64KBytes
TCP buffer percentage: 50%

Related Commands
set ns tcpbufparam

show ns version

Synopsis
show ns version

Description
Use this command to display the version and build number of the NetScaler system.

Arguments

Output

version

Related Commands

set ns weblogparam

Synopsis
set ns weblogparam -bufferSizeMB <positive_integer>

Description
Use this command to set the current web log buffer size.

Arguments

bufferSizeMB
The buffer size (in MB) allocated for log transaction data on the NetScaler system. The default setting is 16 MB.

Related Commands
show ns weblogparam

show ns weblogparam

Synopsis
show ns weblogparam

Description
Use this command to display the current size of the buffer, which is used to store log transactions.

Arguments

Output

bufferSizeMB

Related Commands
set ns weblogparam

set ns rateControl

Synopsis
set ns rateControl [-tcpThreshold <positive_integer>] [-udpThreshold <positive_integer>] [-icmpThreshold <positive_integer>]

Description
Use this command to configure UDP/TCP/ICMP packet rate controls for any application that is not configured on the NetScaler (i.e., direct access to the backend through the NetScaler). Specify the rate limit as the number of packets to allow per 10 ms.

Arguments

tcpThreshold
The number of SYNs permitted per 10 milliseconds.

udpThreshold
The number of UDP packets permitted per 10 milliseconds.

icmpThreshold
The number of ICMP packets permitted per 10 milliseconds.

Example
The following command will set the SYN rate to 100, icmp rate to 10 and the udp rate to unlimited.
    set ns ratecontrol -tcpThreshold 100 -udpThreshold 0 -icmpThreshold 10
The 'show ns ratecontrol' command can be used to view the current settings of the rate controls.
    > show ns ratecontrol
    UDP threshold: 0 per 10 ms
    TCP threshold: 0 per 10 ms
    ICMP threshold: 100 per 10 ms
    Done

Related Commands
show ns rateControl

show ns rateControl

Synopsis
show ns rateControl

Description
Use this command to check the current rate control values.

Arguments

Output

tcpThreshold

udpThreshold

icmpThreshold

Example
By default, there is no rate control for TCP/UDP, and for ICMP it is 100. The output of the "show ns ratecontrol" command with the default settings is:
    > show ns ratecontrol
    UDP threshold: 0 per 10 ms
    TCP threshold: 0 per 10 ms
    ICMP threshold: 100 per 10 ms
    Done

Related Commands
set ns rateControl

reboot

Synopsis
reboot

Description
Use this command to restart a NetScaler system.
Notes:
1. When a standalone NetScaler system is rebooted, all configuration changes made since the last save ns config command was issued are lost.
2. In High Availability mode, on running this command on the primary NetScaler system, the secondary NetScaler system takes over and will have the configuration changes made since the last time that the save ns config command was issued on the primary NetScaler system. In this case, log on to the new primary NetScaler system, then issue the save ns config CLI command to save these changes.

Arguments

Related Commands
config ns, shutdown

shutdown

Synopsis
shutdown

Description
Use this command to stop the operations of the NetScaler system on which you are issuing this command. After you enter this command, you can turn off power to the NetScaler system.
Notes:
1. When a standalone NetScaler system is rebooted, all configuration changes made since the last save ns config command was issued are lost.
2. In High Availability mode, on running this command on the primary NetScaler system, the secondary NetScaler system takes over and will have the configuration changes made since the last time that the save ns config command was issued on the primary NetScaler system. In this case, log on to the new primary NetScaler system, then issue the save ns config CLI command to save these changes.

Arguments

Related Commands
config ns, reboot

set ns rpcnode

Synopsis
set ns rpcnode <IPAddress> [-password <string>]

Description
Use this command to set the authentication attributes associated with peer NetScaler node. All NetScaler nodes use remote procedure calls to communicate.

Arguments

IPAddress
The IP address of the node to be set. This has to be in same subnet as NSIP.

password
The password to be used in authentication with the peer NetScaler node.

Example
Example-1: Failover configuration
In a failover configuration define peer NS as:
    add node 1 10.101.4.87
Set peer ha-unit's password as:
    set ns rpcnode 10.101.4.87 -password testpass
NetScaler will now use the configured password to authenticate with its failover unit.

Example-2: GSLB configuration
In a GSLB configuration define peer NS GSLB site as:
    add gslb site us_east_coast remote 206.123.3.4
Set peer GSLB-NS's password as:
    set ns rpcnode 206.123.3.4 -password testrun
NetScaler will now use the configured password to authenticate with east-coast GSLB site.

Related Commands
show ns rpcnode

show ns rpcnode

show ns rpcnode

Synopsis
show ns rpcnode

Description
Use this command to display a list of nodes currently communicating using RPC. All NetScaler nodes use remote procedure calls to communicate.

Arguments

Output

IPAddress
The IP address of the node to be set. This has to be in the same subnet as the NSIP.

password

retry
The reference count.

Example
The following example shows the list of nodes communicating using RPC:
> sh rpcnode
1) IPAddress: 10.101.4.84 Password: ..8a7b474124957776b56cf03b28
2) IPAddress: 10.101.4.87 Password: ..ca2a035465d22c
Done

Related Commands
set ns rpcnode

Policy Commands

This chapter covers the policy commands.

add policy expression

Synopsis
add policy expression <name> <value>

Description
This command creates an expression.

Arguments

name
The name of the expression that will be created. The name can be up to 32 characters long.

value
"[(] <expname | expression> [<relop> <expname | expression>] [)]..."
<expname> = the name of an existing expression
<relop> = ( && | || )
<expression> = the expression string in the format: ([<flow type>.<protocol>.]<qualifier> <headerName>) <operator> [<qualifier-value>] [-length <positive_integer>] [-offset <positive_integer>] [-netmask <netmask>]
<flow type> = ( REQUEST | RESPONSE )
<protocol> = ( HTTP | SSL | TCP | IP )
<qualifier> = ( METHOD | URL | URLSUFFIX | URLTOKENS | VERSION | URLQUERY | HEADER | URLLEN | URLQUERYLEN | SOURCEIP | DESTIP | SOURCEPORT | DESTPORT | LOCATION | CLIENT.SSL.VERSION | CLIENT.CIPHER.BITS | CLIENT.CIPHER.TYPE | CLIENT.CERT | CLIENT.CERT.VERSION | CLIENT.CERT.SERIALNUMBER | CLIENT.CERT.SIGALGORITHM | CLIENT.CERT.SUBJECT | CLIENT.CERT.ISSUER | CLIENT.CERT.VALIDFROM | CLIENT.CERT.VALIDTO )
<operator> = ( == | eq | != | neq | > | gt | < | lt | >= | ge | <= | le | EXISTS | NOTEXISTS | CONTAINS | NOTCONTAINS | CONTENTS )

Related Commands
set policy expression
rm policy expression
show policy expression

set policy expression

Synopsis
set policy expression <name> <value>

Description
This command modifies an existing expression.

Arguments

name
The name of the expression.

value
The expression string in the format:
"([<flow type>.<protocol>.]<qualifier> <headerName>) <operator> [<qualifier-value>] [-length <positive_integer>] [-offset <positive_integer>] [-netmask <netmask>]"
<flow type> = ( REQUEST | RESPONSE )
<protocol> = ( HTTP | TCP | IP )
<qualifier> = ( METHOD | URL | URLSUFFIX | URLTOKENS | VERSION | URLQUERY | HEADER | URLLEN | URLQUERYLEN | SOURCEIP | DESTIP | SOURCEPORT | DESTPORT | LOCATION )
<operator> = ( == | eq | != | neq | > | gt | < | lt | >= | ge | <= | le | EXISTS | NOTEXISTS | CONTAINS | NOTCONTAINS | CONTENTS )

Related Commands
add policy expression
rm policy expression
show policy expression

rm policy expression

Synopsis
rm policy expression <name> ...

Description
This command removes a previously defined expression. If the expression is part of a policy or filter, you must remove the policy or filter before removing the expression.

Arguments

name
The name of the expression to be removed. Separate multiple expressions with spaces.

Related Commands
add policy expression
set policy expression
show policy expression

show policy expression

Synopsis
show policy expression [<name>]

Description
This command displays the expressions defined in the NetScaler 9000 system. The information displayed includes the expression name, qualifier, operator, and expression usage statistics.

Arguments

name
Specifies the name of the expression to be displayed. If no name is given, all expressions are displayed.

Output

name

value

hits

Related Commands
add policy expression
set policy expression
rm policy expression

add policy map

Synopsis
add policy map <mapPolicyName> -sd <string> [-su <string>] [-td <string>] [-tu <string>]

Description
For a reverse proxy virtual server used in the cache redirection feature, this command creates a policy to map a publicly known domain name to a target domain name. Optionally, a source and target URL can also be specified. The map policy created can be associated with a reverse proxy cache redirection virtual server using the bind cr vserver CLI command. There can be only one default map policy for a domain.

Arguments

mapPolicyName
Specifies the name of the map policy to be created. The name can be at most 32 characters long.

sd
Specifies the source domain name, which is publicly known. The maximum string length is 64 characters. This is the domain name with which a client request arrives at a reverse proxy virtual server for cache redirection on the NetScaler 9000 system.

su
Specifies the source URL. The maximum string length is 207 characters. The format to specify the argument is: / [[prefix] [*]] [.suffix]

td
Specifies the domain name sent to the server. It replaces the source domain name specified by the -sd string argument. The maximum string length is 64 characters.

tu
Specifies the target URL. The maximum string length is 207 characters. The format to specify the argument is: / [[prefix] [*]] [.suffix]

Example
Example 1
The following example creates a default map policy (map1) for the source domain www.a.com. Any client request with this source domain in the host header is changed to www.real_a.com.
add policy map map1 -sd www.a.com -td www.real_a.com

Example 2
This example shows how to create a URL map policy (map2) if you want to translate /sports.html in the incoming request to /news.html in addition to mapping the source domain www.a.com to www.real_a.com in the outgoing request.
add policy map map2 -sd www.a.com -td www.real_a.com -su /sports.html -tu /news.html

These types of map policies, called "URL map policies," have the following restrictions:
• URL map policies belonging to www.a.com cannot be added without first adding a default map policy as described in Example 1.
• If a source suffix has been specified for a URL map policy, a destination suffix must also be specified.
• If an exact URL has been specified as the source, then the target URL should also be an exact URL.
• If there is a source prefix in the URL, there must also be a destination prefix in the URL.
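The restrictions above can be checked before a batch of map policies is pushed to a device. The following is an added example, not part of the original guide or of any Citrix tool: a small Python linter for add policy map commands. The sample commands are constructed (modelled on the two examples above), all function names are hypothetical, and it assumes that a URL without '*' is an exact URL, that the text before '*' is the prefix, and that a '.ext' after '*' is the suffix.

```python
import shlex
from dataclasses import dataclass

# Length limits taken from the argument descriptions of add policy map.
LIMITS = {"name": 32, "sd": 64, "td": 64, "su": 207, "tu": 207}

# Constructed sample input, modelled on the guide's Example 1 and Example 2.
SAMPLE_COMMANDS = [
    "add policy map map1 -sd www.a.com -td www.real_a.com",
    "add policy map map2 -sd www.a.com -td www.real_a.com -su /sports.html -tu /news.html",
    "add policy map map3 -sd www.b.com -td www.real_b.com -su /img/*.gif -tu /static/*",
    "add policy map map4 -sd www.a.com -td www.other.com",
    "add policy map map5 -sd www.a.com -td www.real_a.com -su /old.html -tu /new/*",
]


@dataclass
class UrlPattern:
    exact: bool
    prefix: str
    suffix: str


NO_URL = UrlPattern(False, "", "")  # stands in for an omitted -tu


def parse_url_pattern(url):
    """Split '/ [[prefix] [*]] [.suffix]' into parts (interpretation is an assumption)."""
    if not url.startswith("/"):
        raise ValueError("URL must start with '/'")
    if "*" not in url:
        return UrlPattern(True, "", "")
    head, _, tail = url[1:].partition("*")
    if "*" in tail or (tail and not tail.startswith(".")):
        raise ValueError("only one '*', optionally followed by '.suffix', is allowed")
    return UrlPattern(False, head, tail)


def parse_command(line):
    """Return the policy name and the -sd/-su/-td/-tu values of one command."""
    tokens = shlex.split(line)
    if tokens[:3] != ["add", "policy", "map"] or len(tokens) < 4:
        raise ValueError("not an 'add policy map' command")
    opts, rest = {"name": tokens[3]}, tokens[4:]
    if len(rest) % 2:
        raise ValueError("option without a value")
    for flag, value in zip(rest[::2], rest[1::2]):
        if flag not in ("-sd", "-su", "-td", "-tu"):
            raise ValueError(f"unknown option {flag}")
        opts[flag[1:]] = value
    return opts


def lint_map_policies(lines):
    """Return (line_number, message) findings, processing commands in order."""
    findings, defaults = [], set()  # defaults: domains that have a default map policy
    for n, line in enumerate(lines, 1):
        try:
            p = parse_command(line)
            src = parse_url_pattern(p["su"]) if "su" in p else None
            dst = parse_url_pattern(p["tu"]) if "tu" in p else NO_URL
        except ValueError as err:
            findings.append((n, str(err)))
            continue
        if "sd" not in p:
            findings.append((n, "-sd is mandatory"))
            continue
        for key, limit in LIMITS.items():
            if len(p.get(key, "")) > limit:
                findings.append((n, f"{key} longer than {limit} characters"))
        if src is None:  # domain-only policy, i.e. a default map policy
            if p["sd"] in defaults:
                findings.append((n, f"{p['sd']} already has a default map policy"))
            defaults.add(p["sd"])
            continue
        if p["sd"] not in defaults:
            findings.append((n, f"no default map policy yet for {p['sd']}"))
        if src.exact and not dst.exact:
            findings.append((n, "exact source URL needs an exact target URL"))
        if src.suffix and not dst.suffix:
            findings.append((n, "source suffix needs a destination suffix"))
        if src.prefix and not dst.prefix:
            findings.append((n, "source prefix needs a destination prefix"))
    return findings


if __name__ == "__main__":
    for number, message in lint_map_policies(SAMPLE_COMMANDS):
        print(f"command {number}: {message}")
```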

Related Commands
rm policy map
show policy map

rm policy map

Synopsis
rm policy map <mapPolicyName>

Description
This command removes map policies.
Note: Before using this command, you must first unbind the map policy from the reverse proxy virtual server by using the unbind cr vserver command.

Arguments

mapPolicyName
Names the map policy to be removed.

Related Commands
add policy map
show policy map

show policy map

Synopsis
show policy map

Description
This command displays the map policies that have been configured and the related map policy information. This includes the name of the map policy, the source domain, the source URL, the target domain, the target URL, and the target virtual server.

Arguments

Output

mapPolicyName

sd

su

td

tu

targetName

Related Commands
add policy map
rm policy map

Performance Queuing Commands

This chapter covers the performance queuing commands.

show pq binding

Synopsis
show pq binding <vServerName>

Description
Use this command to display binding information for the NetScaler 9000 system's priority queuing feature. This applies to the specified load balancing virtual server (previously bound during priority queuing configuration).

Arguments

vServerName
Specifies the load balancing virtual server.

Output

policyName

rule

priority

weight

qDepth

polqDepth

Related Commands

add pq policy

Synopsis
add pq policy <policyName> -rule <expression> -priority <positive_integer>

Description
Use this command to create a priority queuing policy.
Note: To activate priority queuing on a virtual server, this policy must be bound to the virtual server using the bind lb vserver command. The virtual server must also have priority queuing turned on using the set vserver CLI command.

Arguments

policyName
The name of the priority queuing policy.

rule
The condition for applying the policy. When requests are received by a NetScaler 9000 system, they are classified into different priority levels based on the expression_logic that they match. Expression logic consists of expression names separated by the logical operators || and &&, and possibly grouped using parentheses. If the expression contains blanks (for example, between an expression name and a logical operator), then the entire argument must be enclosed in double quotes. The following are valid expression logic:
ns_ext_cgi||ns_ext_asp
ns_non_get && (ns_header_cookie||ns_header_pragma)
When a request comes to the NetScaler 9000 system, it is prioritized based on the expression_list that it matches.

priority
The priority for queuing the request. When a request matches the configured rule and server resources are not available, this option specifies a priority for queuing the request until the server resources are available again. Enter the value of positive_integer as 1, 2 or 3. The highest priority level is 1 and the lowest priority level is 3.

weight
The weight for the priority level. Each priority level is assigned a weight according to which it is served when server resources are available. The weight for a higher priority request must be set higher than that of a lower priority request. The default weights for the priority queues 1, 2, and 3 are 3, 2, and 1 respectively. Specify the weights as 0 through 101. A weight of 0 indicates that the particular priority level should be served only when there are no requests in any of the priority queues. A weight of 101 specifies a weight of infinity. This means that this priority level is served irrespective of the number of clients waiting in other priority queues.

qDepth
The queue depth threshold value. When the number of waiting requests in the queue (or queue size) on the virtual server to which this policy is bound increases to the specified qdepth value, any subsequent requests are dropped to the lowest priority level.

polqDepth
The policy queue depth threshold value. When the number of waiting requests in all the queues belonging to this policy (or the policy queue size) increases to the specified polqdepth value, all subsequent requests are dropped to the lowest priority level.
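The rule, priority and weight constraints described above lend themselves to a pre-deployment check. The following is an added example, not part of the original guide or of any Citrix tool: a Python linter that parses the expression logic of an add pq policy command with a small recursive-descent parser, applies the quoting and priority rules, and checks a set of weights. Function names are hypothetical, the sample commands in the comments are constructed, and it assumes expression names consist of letters, digits and underscores.

```python
import re

# Assumption: expression names are made of letters, digits and underscores.
TOKEN = re.compile(r"\s*(\|\||&&|\(|\)|[A-Za-z_][A-Za-z0-9_]*)")
ADD_PQ = re.compile(r"^add pq policy (\S+) -rule\s+(.+?)\s+-priority\s+(\S+)\s*$")
DEFAULT_WEIGHTS = {1: 3, 2: 2, 3: 1}  # defaults stated for priority queues 1, 2, 3


def tokenize(rule):
    """Split expression logic into names, '&&', '||', '(' and ')'."""
    rule, pos, tokens = rule.rstrip(), 0, []
    while pos < len(rule):
        match = TOKEN.match(rule, pos)
        if not match:
            raise ValueError(f"unexpected text at offset {pos}")
        tokens.append(match.group(1))
        pos = match.end()
    return tokens


def referenced_names(rule):
    """Validate the structure of the rule and return the expression names it uses."""
    tokens, names, pos = tokenize(rule), [], 0

    def term():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("rule ends where an expression name was expected")
        tok = tokens[pos]
        pos += 1
        if tok == "(":
            logic()
            if pos >= len(tokens) or tokens[pos] != ")":
                raise ValueError("missing ')'")
            pos += 1
        elif tok in ("&&", "||", ")"):
            raise ValueError(f"expected an expression name, found {tok!r}")
        else:
            names.append(tok)

    def logic():
        nonlocal pos
        term()
        while pos < len(tokens) and tokens[pos] in ("&&", "||"):
            pos += 1
            term()

    logic()
    if pos != len(tokens):
        raise ValueError(f"unexpected {tokens[pos]!r}")
    return names


def check_add_pq_policy(line, defined):
    """Return the problems found in one command; 'defined' holds existing expression names.

    Constructed inputs: 'add pq policy pq1 -rule ns_ext_cgi||ns_ext_asp -priority 1'
    passes, 'add pq policy pq3 -rule ns_non_get && ns_ext_php -priority 4' does not.
    """
    match = ADD_PQ.match(line.strip())
    if not match:
        return ["not of the form: add pq policy <policyName> -rule <expression> "
                "-priority <positive_integer>"]
    _, rule, priority = match.groups()
    problems = []
    if len(rule) >= 2 and rule[0] == rule[-1] == '"':
        rule = rule[1:-1]
    elif re.search(r"\s", rule):
        problems.append("rule contains blanks, so it must be enclosed in double quotes")
    try:
        names = referenced_names(rule)
    except ValueError as err:
        problems.append(f"bad expression logic: {err}")
        names = []
    problems += [f"undefined expression {name}" for name in names if name not in defined]
    if priority not in ("1", "2", "3"):
        problems.append("priority must be 1, 2 or 3")
    return problems


def check_weights(configured):
    """configured maps a priority level (1-3) to the weight set for it."""
    weights = {**DEFAULT_WEIGHTS, **configured}
    problems = [f"priority {level}: weight {w} is outside 0-101"
                for level, w in sorted(weights.items()) if not 0 <= w <= 101]
    for high, low in ((1, 2), (2, 3)):
        if weights[high] <= weights[low]:
            problems.append(f"priority {high} weight {weights[high]} is not higher "
                            f"than priority {low} weight {weights[low]}")
    return problems
```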

Related Commands
bind lb vserver
set vserver
rm pq policy
set pq policy
show pq policy

rm pq policy

Synopsis
rm pq policy <policyName> ...

Description
Use this command to remove the priority queuing policy that was added using the add pq policy command.

Arguments

policyName
The name of the priority queuing policy to be removed.

Related Commands
add pq policy
set pq policy
show pq policy

set pq policy

Synopsis
set pq policy <policyName> [-weight <positive_integer>] [-qDepth <positive_integer> | -polqDepth <positive_integer>]

Description
Use this command to modify a priority queuing policy that was set using the add pq policy command.

Arguments

policyName
The name of the priority queuing policy that is to be modified.

weight
The weight for the priority level. Each priority level is assigned a weight according to which it is served when server resources are available. The weight for a higher priority request must be set higher than that of a lower priority request. The default weights for the priority queues 1, 2, and 3 are 3, 2, and 1 respectively. Specify the weights as 0 through 101. A weight of 0 indicates that the particular priority level should be served only when there are no requests in any of the priority queues. A weight of 101 specifies a weight of infinity. This means that this priority level is served irrespective of the number of clients waiting in other priority queues.

qDepth
The queue depth threshold value. When the number of waiting requests in the queue (or queue size) on the virtual server to which this policy is bound increases to the specified qdepth value, any subsequent requests are dropped to the lowest priority level.

polqDepth
The policy queue depth threshold value. When the number of waiting requests in all the queues belonging to this policy (or the policy queue size) increases to the specified polqdepth value, all subsequent requests are dropped to the lowest priority level.

Related Commands
add pq policy
rm pq policy
show pq policy

show pq policy

Synopsis
show pq policy [<policyName>]

Description
Use this command to display all priority queuing policies added using the add pq policy command.

Arguments

policyName

Output

policyName

rule

priority

weight

qDepth

polqDepth

Related Commands
add pq policy
rm pq policy
set pq policy

Protocols Commands

This chapter covers the protocols commands.

stat protocol tcp

Synopsis
stat protocol tcp [-detail] [-fullValues] [-ntimes <positive_integer>] [-logFile <input_filename>]

Description
Display TCP protocol statistics

Counters

All server connections (SvrCx)
Number of server connections in NetScaler

Closing server connections (SvrCxCl)
Number of server connections in NetScaler in closing states

Established server connections (SvrCxE)
Number of server connections in NetScaler in established state

Opening server connections (SvrCxO)
Number of server connections in NetScaler in opening states

Opened server connections (TotSvrO)
Total number of opened server connections

All client connections (CltCx)
Number of client connections in NetScaler

Closing client connections (CltCxCl)
Number of client connections in NetScaler in closing states

Established client connections (CltCxE)
Number of client connections in NetScaler in established state

Opening client connections (CltCxO)
Number of client connections in NetScaler in opening states

Opened client connections (TotCltO)
Total number of opened client connections

Surge queue (SQlen)
Number of connections in surge queue

Spare connections (SpConn)
Number of spare connections ready to be used

Server active connections (ActSvrCo)
Number of connections currently serving requests

Server out of order packets (SvrOOO)
Number of out of order TCP packets received from servers

Client out of order packets (CltOOO)
Number of out of order TCP packets received from clients

TCP packets received (TCPPktRx)
Number of TCP packets received

TCP bytes received (TCPbRx)
Number of TCP bytes received

TCP packets transmitted (TCPPktTx)
Number of TCP packets transmitted

TCP bytes transmitted (TCPbTx)
Number of TCP bytes transmitted

SYN packets received (TCPSYN)
Number of SYN packets received

Server probes (SYNProbe)
Number of times auto-discovered servers were probed

FIN packets from server (SvrFin)
Number of FIN packets received from a server

FIN packets from client (CltFin)
Number of FIN packets received from a client

Time wait to SYN (WaToSyn)
Number of times a SYN packet was received on a connection in TIME_WAIT state

Data in TIME_WAIT (WaDat)
Number of times data was received on a connection in TIME_WAIT state

Client idle flushed (ZomCltF)
Number of idle client connections flushed

Server idle connections flushed (ZSvrF)
Number of idle server connections flushed

Client half opened flushed (ZCltFHo)
Number of half opened client connections flushed

Server half opened flushed (ZSvrFHo)
Number of half opened server connections flushed

Client active half closed flushed (ZCltFAhc)
Number of active half closed client connections flushed

Server active half closed flushed (ZSvrFAhc)
Number of active half closed server connections flushed

Client passive half closed flushed (ZCltFPhc)
Number of passive half closed client connections flushed

Server passive half closed flushed (ZSrvFPhc)
Number of passive half closed server connections flushed

Bad TCP checksum (TCPBadCk)
Number of bad TCP checksums received

SYN in SYN_RCVD state (TCPSYNRv)
Number of SYN packets received on a connection in SYN_RCVD state

SYN in ESTABLISHED state (TCPSYNEs)
Number of SYN packets received on a connection in ESTABLISHED state

SYN packets timeout (TCPSYNG)
Number of times connection establishment timed out

SYN_SENT incorrect ACK packet (TCPBadAk)
Number of incorrect ACK packets received on a connection in SYN_SENT state

SYN packet retries (TCPSYNRe)
Number of times a SYN packet was retried

FIN packet retries (TCPFINRe)
Number of times a FIN packet was retried

FIN packets timeout (TCPFING)
Number of times connection closing timed out

RST packets received (TCPRST)
Number of RST packets received

RST on not ESTABLISHED (TCPRSTNE)
Number of RST packets received on a connection not in ESTABLISHED state

RST out of window (TCPRSTOW)
Number of RST packets received on a connection out of the current TCP window

RST in TIME_WAIT (TCPRSTTi)
Number of RST packets received on a connection in TIME_WAIT state

Server retransmissions (TCPSvrRe)
Number of retransmission packets from servers

Client retransmissions (TCPCltRe)
Number of retransmission packets from clients

Full packet retransmissions (TCPFulRe)
Number of full retransmission packets

Partial packet retransmissions (TCPParRe)
Number of full retransmission packets

Server out of order packets (SvrOOO)
Number of out of order TCP packets received from servers

Client out of order packets (CltOOO)
Number of out of order TCP packets received from clients

TCP hole on client connection (CltHole)
Number of TCP holes on client connections

TCP hole on server connection (SvrHole)
Number of TCP holes on server connections

Seq number SYN cookie reject (CSeqRej)
Number of TCP SYN cookie packets rejected due to incorrect sequence number

Signature SYN cookie reject (CSigRej)
Number of TCP SYN cookie packets rejected due to incorrect signature

Seq number SYN cookie drop (CSigDrp)
Number of TCP SYN cookie packets dropped due to out of window sequence number

MSS SYN cookie reject (CMssRej)
Number of TCP SYN cookie packets rejected due to incorrect MSS

TCP retransmission (Retr)
Number of TCP retransmissions sent

TCP retransmission giveup (RetrG)
Number of times TCP retransmission was given up

Zombie cleanup calls (ZmbCall)
Number of times Zombie cleanup is called

SYN packets held (SYNHeld)
Number of SYN packets held, waiting for server connection

SYN packets flushed (SYNFlush)
Number of held SYN packets flushed due to no server response

TIME_WAIT connections closed (FinWaitC)
Number of connections closed because there were too many connections in TIME_WAIT state

Any IP port allocation failure (PortFal)
Number of port allocation failures on any IP address

IP port allocation failure (PortFalI)
Number of port allocation failures on a specific IP address

Stray packets (StrayPkt)
Number of packets received on a nonexistent connection

RST packets sent (SentRst)
Number of RST packets sent

Bad state connections (BadConn)
Number of connections in none of the known TCP states

Fast retransmits (FastRetr)
Number of fast TCP retransmissions done

1st retransmission (1stRetr)
Number of first retransmissions done

2nd retransmission (2ndRetr)
Number of second retransmissions done

3rd retransmission (3rdRetr)
Number of third retransmissions done

4th retransmission (4thRetr)
Number of fourth retransmissions done

5th retransmission (5thRetr)
Number of fifth retransmissions done

6th retransmission (6thRetr)
Number of sixth retransmissions done

7th retransmission (7thRetr)
Number of seventh retransmissions done

Data after FIN (TCPDtFin)
Number of times data was received after a FIN packet

RST threshold dropped (RstThre)
Number of RST packets dropped due to the RST threshold

Packets out of window (OOWPkt)
Number of packets out of TCP advertised window

SYNs dropped (Congestion) (SynCng)
Number of SYN packets dropped because of network congestion

Related Commands

stat protocol http

Synopsis
stat protocol http [-detail] [-fullValues] [-ntimes <positive_integer>] [-logFile <input_filename>]

Description
Display HTTP protocol statistics

Counters

GETs (HTGETs)
Number of HTTP GET requests received

POSTs (HTPOSTs)
Number of HTTP POST requests received

Other methods (HTOthers)
Number of non-GET/POST HTTP methods received

Total requests (HTReqRx)
Total number of HTTP requests received from clients

Total responses (HTRspRx)
Number of HTTP responses received from servers

Request bytes received (HTReqbRx)
Data received in the request including headers (in bytes)

Response bytes received (HTRspbRx)
Data received in the response including headers (in bytes)

HTTP/1.0 requests (HT10ReqRx)
Number of HTTP/1.0 requests received from clients

HTTP/1.1 requests (HT11ReqRx)
Number of HTTP/1.1 requests received from clients

Content-length requests (HTCLnReq)
Number of content-length requests received

Chunked requests (HTChkReq)
Number of chunked requests received

HTTP/1.0 responses (HT10RspRx)
Number of HTTP/1.0 responses received from servers

HTTP/1.1 responses (HT11RspRx)
Number of HTTP/1.1 responses received from servers

Content-length responses (HTCLnRsp)
Number of HTTP requests/responses received with content-length headers

Chunked responses (HTChunk)
Number of HTTP requests/responses received with chunked encoding

FIN-terminated responses (HTNoCLnChunk)
Number of FIN-terminated responses

Multi-part responses (HTMPrtHd)
Number of HTTP multi-part header requests/responses received

Incomplete headers (HTIncHd)
Number of incomplete header reassembly failures

Incomplete request headers (HTIncReqHd)
Number of incomplete request headers received

Incomplete response headers (HTIncRspHd)
Number of incomplete response headers received

Large/Invalid messages (HTInvReq)
Number of large/invalid requests/responses received

Large/Invalid chunk requests (HTInvChkRx)
Number of large/invalid requests/responses received

Large/Invalid content-length (HTInvCLn)
Number of large/invalid content-length requests/responses received

Related Commands

stat protocol icmp

Synopsis
stat protocol icmp [-detail] [-fullValues] [-ntimes <positive_integer>] [-logFile <input_filename>]

Description
Display ICMP protocol statistics

Counters

ICMP port unreachable received (PortUnRx)
Number of ICMP port unreachable packets received.

ICMP packets received (ICPktRx)
Number of ICMP packets received by NetScaler.

ICMP bytes received (ICbRx)
Number of ICMP bytes received by NetScaler.

ICMP packets transmitted (ICPktTx)
Number of ICMP packets transmitted by NetScaler.

ICMP bytes transmitted (ICbTx)
Number of ICMP bytes transmitted by NetScaler.

ICMP echo replies received (ECORepRx)
Number of ICMP echo replies received by NetScaler.

ICMP echo replies transmitted (ECORepTx)
Number of ICMP echo replies transmitted by NetScaler.

ICMP echos received (ECORx)
Number of ICMP echos received by NetScaler.

ICMP rate threshold exceeded (ICRtEx)
Number of times the ICMP rate threshold was exceeded.

ICMP packets dropped (ICPktDr)
Number of ICMP packets dropped by NetScaler.

Bad ICMP checksum (BadCkSum)
Number of packets with bad ICMP checksum received.

Need fragmentation received (NeedFrag)
Number of "need fragmentation" ICMP error messages received.

PMTU non-first IP fragments (PMTUerr)
Number of non-first IP fragments resulting in path MTU error.

PMTU Invalid body len received (IvBdyLen)
Number of invalid body lengths received on a need fragmentation ICMP error message.

PMTU no tcp connection (NoTcpCon)
Number of packets with no TCP connection on src/dst, ip/port information received on a need fragmentation ICMP error message.

PMTU no udp conection (NoUdpCon)
Number of packets with no UDP connection on src/dst, ip/port information received on a need fragmentation ICMP error message.

PMTU invalid tcp seqno recvd (InvSeqNo)
Invalid TCP sequence number received on a need fragmentation ICMP error message.

Invalid next MTU value recvd (IvNxtMTU)
Invalid (576|>1500) next MTU value received on a need fragmentation ICMP error message.

Next MTU > Current MTU (BigNxMTU)
Next MTU information received on a need fragmentation ICMP error message greater than current MTU.

PMTU Invalid protocol recvd (IvPrtRx)
Invalid protocol type received on a need fragmentation ICMP error message.

PMTU IP check sum error (CkSumErr)
IP checksum error on the IP fragment in the need fragmentation ICMP error message body.

PMTU pcb with no link (NoLnkErr)
Need fragmentation ICMP error message received on a pcb with no link.

PMTU Discovery not enabled (PMTUdis)
PMTU Discovery mode is not enabled.

ICMP rate threshold (ICThs)
The value set for the 10 ms rate threshold for ICMP packets. Within any 10 ms range, NetScaler can allow (receive or pass through) the set number of ICMP packets.

ICMP port unreachable generated (PortUnTx)
Number of ICMP port unreachable packets generated by NetScaler.

Related Commands

stat protocol ip

Synopsis
stat protocol ip [-detail] [-fullValues] [-ntimes <positive_integer>] [-logFile <input_filename>]

Description
Display IP protocol statistics

Counters

IP packets received (IPPktRx)
Number of IP packets received by NetScaler.

IP bytes received (IPbRx)
Number of IP bytes received by NetScaler.

IP packets transmitted (IPPktTx)
Number of IP packets transmitted by NetScaler.

Bad IP checksums (badCksum)
Number of packets received with bad IP checksums.

IP packets received (IPPktRx)
Number of IP packets received by NetScaler.

IP bytes received (IPbRx)
Number of IP bytes received by NetScaler.

IP packets transmitted (IPPktTx)
Number of IP packets transmitted by NetScaler.

IP bytes transmitted (IPbTx)
Number of IP bytes transmitted by NetScaler.

Megabits received (IPMbRx)
Number of IP bits received by the NetScaler, in megabits.

Megabits transmitted (IPMbTx)
Number of IP bits transmitted by the NetScaler, in megabits.

IP fragments received (IPFragRx)
Number of IP fragments received.

Successful reassembly (reasSucc)
Number of IP packets for which successful reassembly was done.

Unsuccessful reassembly (reasFail)
Number of IP packets for which reassembly failed.

Reassembled data too big (reasBig)
Number of IP packets for which reassembled data was too big.

Reassembly attempted (reasAtmp)
Number of IP packets for which reassembly was attempted.

Zero fragment length received (zeroLen)
Number of IP packets received with fragment length zero.

Duplicate fragments received (dupFrag)
Number of duplicate IP fragments received.

Out of order fragment received (oooFrag)
Number of out of order fragments received.

Unknown destination received (UnkDst)
Number of unknown destinations received, cannot route packet to NSIP.

Bad Transport (badTran)
Number of packets for which the service handler is unknown.

VIP down (vipDown)
Number of packets received for which the VIP is down for natpcb sessions.

Fix header failure (hdrFail)
Number of IP packets in which there is an error in the IP header.

IP address lookups (IpLkUp)
Number of IP address lookups done.

IP address lookup failure (IpLkFail)
Number of IP address lookups which failed.

max non-TCP clients (maxClt)
Number of times one tries to open a new connection to a service having the maximum number of allowed open client connections.

Unknown services (UnkSvc)
Number of packets received for a NetScaler owned IP, but an unconfigured port/service.

land-attacks (LndAtk)
Number of land attack packets received by NetScaler.

UDP fragments forwarded (udpFgFwd)
Total number of UDP fragments forwarded.

TCP fragments forwarded (tcpFgFwd)
Total number of TCP fragments forwarded.

Fragmentation packets created (frgPktCr)
Total number of fragmentation packets created by NS applications.

Invalid IP header size (errHdrSz)
Number of packets with invalid IP header size.

Invalid IP packet size (errPktLen)
Number of packets with invalid IP packet size.

Truncated IP packet (trIP)
Total number of truncated IP packets.

Truncated non-IP packet (trNonIp)
Truncated non-IP packet.

ZERO next hop (zrNxtHop)
Total number of IP packets with ZERO next hop.

Packets with bad MAC sent (BadMacTx)
The total number of transmitted IP packets with bad MAC addresses.

Packets with len > 1514 rcvd (BadLenTx)
The total number of IP packets received with length > 1514.

TTL expired during transit (ttlExp)
Number of IP packets for which TTL expired during transit.

Related Commands

stat protocol udp

Synopsis
stat protocol udp [-detail] [-fullValues] [-ntimes <positive_integer>] [-logFile <input_filename>]

Description
Display UDP protocol statistics

Counters

Current rate threshold (UDPThs)
The value set for the 10 ms rate threshold for UDP packets. Within any 10 ms range, NetScaler can allow (receive or pass through) the set number of UDP packets.

Packets received (UDPPktRx)
Number of UDP packets received

Bytes received (UDPbRx)
Number of UDP bytes received

Packets transmitted (UDPPktTx)
Number of UDP packets transmitted

Bytes transmitted (UDPbTx)
Number of UDP bytes transmitted

Unknown service (UDPUnSvc)
Number of UDP packets to unconfigured services

Bad UDP checksum (UDPBadCkSum)
Number of packets with bad UDP checksum received.

Rate threshold exceeded (UDPRtEx)
Number of times the UDP rate threshold was exceeded.

Related Commands

Routing Commands

This chapter covers the routing commands.

vtysh

Synopsis
vtysh

Description

Related Commands

set router ospf

Synopsis
set router ospf [-routerID <ip_addr>] [-priority <integer>] [-passiveInterface <string>] [-staticRedistribute [-staticMetricType <integer>]] [-kernelRedistribute [-kernelMetricType <integer>]] [-conRedistribute [-conMetricType <integer>]] [-learnRoute] [-network <ip_addr> <netmask> -area <integer>] [-host <ip_addr> -cost <integer>]

Description
Use this command to configure different OSPF parameters.

Arguments

routerID
The router ID.

priority
The router priority. A value of 0 indicates that the router will not participate in the election of the Designated Router. Default value: 0

passiveInterface
Use this option to change the mode of the interface to listen only.

staticRedistribute
Use this option to enable the redistribution of static routes.

kernelRedistribute
Use this option to enable the redistribution of kernel routes.

conRedistribute
Use this option to enable the redistribution of connected routes.

learnRoute
Use this option to enable route learning from OSPF.

network
The broadcast network on which OSPF is to be run.

host
The stub link.

Example
set ospf -routerID 1.2.3.4

Related Commands
unset router ospf
show router ospf

unset router ospf

Synopsis
unset router ospf [-routerID] [-priority] [-learnRoute] [-conRedistribute] [-kernelRedistribute] [-staticRedistribute] [-network <ip_addr> <netmask> -area <integer>] [-host <ip_addr> -cost <integer>] [-passiveInterface <string>]

Description
Use this command to clear the OSPF parameters that were configured using the set ospf command.

Arguments

routerID
Use this option to specify that the OSPF router ID be unset.

priority
Use this option to specify that the OSPF priority be unset.

learnRoute
Use this option to stop route learning from OSPF.

conRedistribute
Use this option to unset the redistribution of connected routes.

kernelRedistribute
Use this option to unset the redistribution of kernel routes.

staticRedistribute
Use this option to unset the redistribution of static routes.

network
Use this option to stop the protocol from running on a specific broadcast network.

host
The stub host link in the OSPF domain.

passiveInterface
Use this option to unset the passive setting of the interface.

Example
unset ospf -router-id

Related Commands
set router ospf
show router ospf

show router ospf

Synopsis
show router ospf [<ospfoptions>]

Description
Use this option to display the state of the OSPF daemon.

Arguments

ospfoptions
Use this option to display one of border-routers, database, interface, neighbor, route, and virtual-links. Possible values: border-routers, database, interface, neighbor, route, virtual-links

Output

network
The network on which OSPF is running.

netmask
Netmask of the network on which OSPF is running.

Example
show ospf neighbor

Related Commands
set router ospf
unset router ospf

set router rip

Synopsis
set router rip [-defaultMetric <integer>] [-passiveInterface <string>] [-learnRoute] [-staticRedistribute] [-kernelRedistribute] [-network <ip_addr> <netmask>]

Description
Use this command to configure the RIP daemon.

Arguments

defaultMetric
Use this option to set the default metrics when advertising routes. Default value: 1

passiveInterface
Use this option to set the mode of the interface to listen only.

learnRoute
Use this option to enable route learning and installation in the kernel.

staticRedistribute
Use this option to redistribute static routes.

kernelRedistribute
Use this option to redistribute kernel routes.

network
Use this option to set the broadcast network on which RIP must run.

Example
set router rip -kernelRedistribute

Related Commands
unset router rip
show router rip

unset router rip

Synopsis
unset router rip [-defaultMetric] [-staticRedistribute] [-learnRoute] [-kernelRedistribute] [-passiveInterface <string>] [-network <ip_addr> <netmask>]

Description
Use this command to clear the RIP parameters.

Arguments

defaultMetric
Specifies that the RIP default-metric be unset.

staticRedistribute
Specifies that the RIP redistribute static be unset.

learnRoute
Use this option to disable route learning.

kernelRedistribute
Specifies that the RIP redistribute kernel be unset.

passiveInterface
Use this option to set the mode of the interface to listen only.

network
Use this option to unset the broadcast network on which RIP is running.

Example
unset rip -default-metric

Related Commands
set router rip
show router rip

show router rip

Synopsis
show router rip [<ripoptions>]

Description
Use this command to display the RIP configuration.

Arguments

ripoptions
RIP option in show command, one of database or interface. Possible values: database, interface

Output

network

netmask

Example
show rip interface

Related Commands
set router rip
unset router rip

set router bgp

Synopsis
set router bgp [<autonomousSystem>] [-routerID <ip_addr>] [-learnRoute] [-staticRedistribute [-staticRouteMap <string>]] [-kernelRedistribute [-kernelRouteMap <string>]] [-conRedistribute [-connectedRouteMap <string>]] [-neighbor <ip_addr> [<remoteAS>] [-neighborRouteMap <string>]] [-network <ip_addr> <netmask>]

Description
Use this option to configure BGP on the NetScaler system.

Arguments

autonomousSystem
The autonomous system for BGP.

routerID
The Router ID of this router.

learnRoute
Use this option to enable route learning and installation from BGP.

staticRedistribute
Use this option to enable the redistribution of static routes.

kernelRedistribute
Use this option to enable the redistribution of kernel routes.

conRedistribute
Use this option to enable the redistribution of connected routes into the BGP domain.

neighbor
The IP address of a BGP peer for the router.

network
The network to be advertised.

Example
set router bgp -kernelRedistribute

Related Commands
show router bgp
unset router bgp
add router bgp
clear router bgp

show router bgp

Synopsis
show router bgp (<bgpoptions> | -routeMap <string>)

Description
Use this command to view the BGP configuration.

Arguments

bgpoptions
The BGP option for the show command, either neighbors or summary. Possible values: neighbors, summary

routeMap
Use this option to view the BGP route map.

Example
show router bgp summary

Related Commands
set router bgp
unset router bgp
add router bgp
clear router bgp

unset router bgp

Synopsis
unset router bgp [<autonomousSystem>] [-routerID <ip_addr>] [-learnRoute] [-staticRedistribute [-staticRouteMap <string>]] [-kernelRedistribute [-kernelRouteMap <string>]] [-conRedistribute [-connectedRouteMap <string>]] [-neighbor <ip_addr> [-neighborRouteMap <string>]] [-network <ip_addr> <netmask>]

Description
Use this option to clear the BGP parameters.

Arguments

autonomousSystem
The autonomous system.

routerID
The router ID of the router.

learnRoute
Use this option to enable route learning from BGP.

staticRedistribute
Use this option to enable the redistribution of static routes.

kernelRedistribute
Use this option to enable the redistribution of kernel routes.

conRedistribute
Unset redistribute connected.

neighbor
The IP address of the BGP neighbor.

network
The network to be advertised.

Example
unset router bgp -kernelRedistribute

Related Commands
set router bgp
show router bgp
add router bgp
clear router bgp

add router bgp

Synopsis
add router bgp [<autonomousSystem>]

Description
Use this option to add BGP neighbors.

Arguments

autonomousSystem
The BGP autonomous system.

routerID
The router ID of the router.

learnRoute
Use this option to enable route learning from BGP.

staticRedistribute
Use this option to enable the redistribution of static routes.

kernelRedistribute
Use this option to enable the redistribution of kernel routes.

conRedistribute
Use this option to enable the redistribution of connected routes.

neighbor
Use this option to add a BGP neighbor.

network
The neighbor to be advertised.

Example
add router bgp 10 neighbor 10.102.10.10 10

Related Commands
set router bgp
show router bgp
unset router bgp
clear router bgp

clear router bgp

Synopsis
clear router bgp (-neighbor <ip_addr> | -all)

Description
Use this command to tear down the BGP connection to a specified neighbor.

Arguments

neighbor
Use this option to specify the neighbor associated with the connection that needs to be torn down.

all
Use this option to reset TCP connections to all neighbors.

Example
clear ip bgp neighbor 10.102.10.10

Related Commands
set router bgp
show router bgp
unset router bgp
add router bgp

add router map

Synopsis
add router map <action>

Description
Use this command to add a route map entry.

Arguments

action
The action associated with the routemap. Possible values: BRIDGE, DENY, ALLOW

mapElement
The index of the entry.

nextHop
The next hop for BGP updates.

matchIP
The filter on the IP address.

metricType
The metric type of the route map entry.

metric
The metric for external routes advertised via OSPF.

Example
add router map deny 1 permit -nexthop 10.102.101.1

Related Commands
set router map
unset router map
show router map

set router map

Synopsis
set router map <action> [-mapElement <integer>] [-nextHop <ip_addr>] [-matchIP <ip_addr>] [-metricType <integer>] [-metric <integer>]

Description
Use this command to set the route map attributes.

Arguments

action
The action associated with the ACL. Possible values: BRIDGE, DENY, ALLOW

mapElement
The index of this entry.

nextHop
The next hop to be advertised to BGP neighbors.

matchIP
The filter on the IP prefix.

metricType
The OSPF metric type for the route map.

metric
The OSPF metric for external routes.

Related Commands
add router map
unset router map
show router map

unset router map

Synopsis
unset router map <action> [-mapElement <integer>] [-nextHop <ip_addr>] [-matchIP <ip_addr>] [-metricType <integer>] [-metric <integer>]

Description
Use this command to clear the route map settings.

Arguments

action
The action associated with the route map. Possible values: BRIDGE, DENY, ALLOW

mapElement
The index of the entry.

nextHop
The next hop to be advertised to the BGP neighbors.

matchIP
The filter on the IP prefix.

metricType
The OSPF metric type for the route map.

metric
The OSPF metric for the external routes.

Example
unset router map mapelement 1 nextHop 10.102.10.10

Related Commands
add router map
set router map
show router map

show router map

Synopsis
show router map

Description
Use this command to view the route map.

Example
show router map

Related Commands
add router map
set router map
unset router map

SureConnect Commands

This chapter covers the SureConnect commands.

set sc parameter

Synopsis
set sc parameter [-sessionlife <secs>] [-vsr <string>]

Description
Use this command to set SureConnect parameters.

Arguments

sessionlife
The SureConnect alternate content window is displayed only once during a session. For the same browser accessing a configured URL, this argument specifies the time between the first time the window displays and the next time it displays. The value is in seconds. The default session life is 300 seconds (5 minutes).

vsr
The file containing the customized response that is to be displayed with ACTION as NS in the SureConnect policy.

Example
set sc parameter -sessionlife 200 -vsr /etc/vsr.htm

Related Commands
show sc parameter

show sc parameter

Synopsis
show sc parameter

Description
Use this command to display the SureConnect parameters set through the use of the set sc parameter CLI command.

Arguments

Output

aspq

sessionlife
The SureConnect alternate content window is displayed only once during a session. For the same browser accessing a configured URL, this argument specifies the time between the first time the window displays and the next time it displays. The value is in seconds. The default session life is 300 seconds (5 minutes).

vsr
Use this parameter to specify that the customized response will be displayed to the user if the alternate content server has been determined by the NetScaler 9000 system to have failed. If you have created a customized response that you want the NetScaler 9000 system to use, enter its filename (if you renamed the vsr.htm file supplied by NetScaler 9000 system). If you have not renamed the file, enter /etc/vsr.htm as the filename.

Example
> show sc parameter
Sure Connect Parameters:
Sessionlife: 300
Vsr: DEFAULT
Done

Related Commands
set sc parameter

add sc policy

Synopsis
add sc policy <name> [-url <URL> | -rule <expression>] [-action <action>] [<altContentSvcName> <altContentPath>]

Description
Use this command to specify the SureConnect policy.

Arguments

name
The name of the SureConnect policy to be added.

url
The URL name. The NetScaler 9000 system matches the incoming client request against the URL you enter here. If the incoming request does not match any of the configured URLs or the rules that have been configured, then SureConnect does not trigger.

rule
The rule that the NetScaler 9000 system matches with the incoming request. The NetScaler 9000 system matches the incoming request against the rules you enter here. Before matching against the configured rules, the NetScaler 9000 system matches the requests with any of the configured URLs. Thus, URLs have a higher precedence over rules. If the incoming request does not match any of the configured URLs or the rules that have been configured, then SureConnect does not trigger.
Expression logic is expression names, separated by the logical operators || and &&, and possibly grouped using parentheses. If the expression contains blanks (for example, between an expression name and a logical operator), then the entire argument must be enclosed in double quotes. The following are valid expression logic:
ns_ext_cgi||ns_ext_asp
ns_non_get && (ns_header_cookie||ns_header_pragma)

delay
The delay threshold in microseconds for the configured URL or the rule. If the delay statistics gathered for the configured URL or rule exceed the configured delay, then SureConnect is triggered on the incoming request which matched the corresponding delay.

maxConn
The maximum number of concurrent connections that can be open for the configured URL or rule. You can enter this argument as any integer value greater than zero.

action
The action to be taken when the thresholds are met. The valid options are ACS, NS and NOACTION.
ACS - Specifies that alternate content is to be served from altContSvcName with the path altContPath.
NS - Specifies that alternate content is to be served from the NetScaler 9000 system. See the set sc parameter command to customize the response served from the NetScaler 9000 system.
NOACTION - Specifies that no alternate content is to be served. However, delay statistics are still collected for the configured URLs. If the -maxconn argument is specified, the number of connections is limited to that specified value for that configured URL or rule (alternate content will not be served even if the -maxconn threshold is met).
Possible values: ACS, NS, NOACTION

altContentSvcName
The alternate content service name used in the ACS action.

altContentPath
The alternate content path for the ACS action.

Example
add sc policy scpol_ns -delay 1000000 -url /delay.asp -action NS
add policy expression exp_acs "url == /mc_acs.asp"
add service svc_acs 10.110.100.253 http 80
add scpolicy scpol_acs -maxconn 10 -rule exp_acs -action ACS svc_acs /altcont.htm

Related Commands
rm sc policy
set sc policy
show sc policy

rm sc policy

Synopsis
rm sc policy <policyName>

Description
Use this command to remove the SureConnect policy (that has been previously specified using the add sc policy CLI command) for a service or virtual server.

Arguments

policyName
The name of the SureConnect policy to be removed.

Example
rm sc policy scpol_ns
rm sc policy scpol_acs

Related Commands
add sc policy
set sc policy
show sc policy

set sc policy

Synopsis
set sc policy <name> [-delay <usecs>] [-maxConn <positive_integer>]

Description
Use this command to set the delay and maxConn parameters for the specified SureConnect policy.

Arguments

name
The name of the SureConnect policy that needs to be modified.

delay
The delay threshold in microseconds for the configured URL or the rule. If the delay statistics gathered for the configured URL or rule exceed the configured delay, then SureConnect is triggered on the incoming request which matched the corresponding delay.

maxConn
The maximum number of concurrent connections that can be open for the configured URL or rule. You can enter this argument as any integer value greater than zero.

Example
set sc policy scpol_ns -delay 2000000
set sc policy scpol_acs -maxconn 100

Related Commands
add sc policy
rm sc policy
show sc policy

show sc policy

Synopsis
show sc policy

Description
Use this command to display all of the SureConnect policies that have been configured (by use of the add sc policy CLI command).

Arguments

Output

name
The name of the SureConnect policy whose parameters need to be displayed.

url
The URL name. The NetScaler 9000 system matches the incoming client request against the URL you enter here.

rule
The rule that the NetScaler 9000 system matches with the incoming request. The NetScaler 9000 system matches the incoming request against the rules you enter here. Before matching against the configured rules, the NetScaler 9000 system matches the requests with any of the configured URLs. Thus, URLs have a higher precedence over rules. If the incoming request does not match any of the configured URLs or the rules that have been configured, then SureConnect does not trigger.
Expression logic is expression names, separated by the logical operators || and &&, and possibly grouped using parentheses. If the expression contains blanks (for example, between an expression name and a logical operator), then the entire argument must be enclosed in double quotes. The following are valid expression logic:
ns_ext_cgi||ns_ext_asp
ns_non_get && (ns_header_cookie||ns_header_pragma)

delay
The delay threshold in microseconds for the configured URL or the rule. If the delay statistics gathered for the configured URL or rule exceed the configured delay, then SureConnect is triggered on the incoming request which matched the corresponding delay.

maxConn
The maximum number of concurrent connections that can be open for the configured URL or rule. You can enter this argument as any integer value greater than zero.

action
The action to be taken when the thresholds are met. The valid options are ACS, NS and NOACTION.
ACS - Specifies that alternate content is to be served from altContSvcName with the path altContPath.
NS - Specifies that alternate content is to be served from the NetScaler 9000 system. See the set sc parameter command to customize the response served from the NetScaler 9000 system.
NOACTION - Specifies that no alternate content is to be served. However, delay statistics are still collected for the configured URLs. If the -maxconn argument is specified, the number of connections is limited to that specified value for that configured URL or rule (alternate content will not be served even if the -maxconn threshold is met).

altContentSvcName
The alternate content service name used in the ACS action.

altContentPath
The alternate content path for the ACS action.

Example
> show sc policy
2 monitored Sure Connect Policies:
1) Name: scpol_ns RULE: exp1 Delay: 1000000 microsecs Alternate Content from NS
2) Name: scpol_acs RULE: exp_acs Max Conn: 10 Alternate Content from ACS, svc_acs /delay/alcont.htm
Done

Related Commands
add sc policy
rm sc policy
set sc policy

SNMP Commands

This chapter covers the SNMP commands.

stat snmp

Synopsis
stat snmp [-detail] [-fullValues] [-ntimes <positive_integer>] [-logFile <input_filename>]

Description
This command displays the SNMP statistics.

Counters

SNMP packets received (PktsRx)
The total number of SNMP packets received.

SNMP packets sent (PktsTx)
The total number of SNMP packets transmitted.

Unsupported SNMP version (UnkVrsRx)
The total number of SNMP Messages received which were for an unsupported SNMP version.

Unknown community name (UnkCNRx)
The total number of SNMP Messages received which used an SNMP community name not known to NetScaler.

No permission on community (BadCURx)
The total number of SNMP Messages received that represented an SNMP operation which was not allowed by the SNMP community named in the Message.

ASN.1/BER errors in requests (PrsErrRx)
The total number of ASN.1 or BER errors encountered when decoding received SNMP Messages.

Get requests received (GetReqRx)
The total number of SNMP Get-Request PDUs which have been accepted and processed.

Get-next requests received (GtNextRx)
The total number of SNMP Get-Next PDUs which have been accepted and processed.

Get-bulk requests received (GtBulkRx)
The total number of SNMP Get-Bulk PDUs which have been accepted and processed.

Responses sent (RspTx)
The total number of SNMP Get-Response PDUs which have been generated by the SNMP protocol entity.

Requests dropped (ReqDrop)
The total number of SNMP requests dropped.

Traps messages sent (TrapsTx)
The total number of SNMP Trap PDUs which have been generated by the SNMP protocol entity.

Example
stat snmp

Related Commands

show snmp stats

Synopsis
show snmp stats - alias for 'stat snmp'

Description
show snmp stats is an alias for stat snmp

Related Commands
stat snmp

enable snmp alarm

Synopsis
enable snmp alarm <trapName> ...

Description
Use this command to enable the specified SNMP alarm.

Arguments

trapName
The alarm to be enabled. Possible values: CPU, MEMORY, SYNFLOOD, VSERVER-REQRATE, SERVICE-REQRATE, ENTITY-RXRATE, ENTITY-TXRATE, ENTITY-SYNFLOOD, SERVICE-MAXCLIENTS

Example
enable snmp alarm VSERVER-REQRATE
enable snmp alarm CPU SYNFLOOD

Related Commands
disable snmp alarm
set snmp alarm
unset snmp alarm
show snmp alarm

disable snmp alarm

Synopsis
disable snmp alarm <trapName> ...

Description
Use this command to disable the specified SNMP alarm.

Arguments

trapName
The alarm to be disabled. Possible values: CPU, MEMORY, SYNFLOOD, VSERVER-REQRATE, SERVICE-REQRATE, ENTITY-RXRATE, ENTITY-TXRATE, ENTITY-SYNFLOOD, SERVICE-MAXCLIENTS

Example
disable snmp alarm VSERVER-REQRATE
disable snmp alarm CPU SYNFLOOD

Related Commands
enable snmp alarm
set snmp alarm
unset snmp alarm
show snmp alarm

set snmp alarm

Synopsis
set snmp alarm <trapName> [<thresholdValue> [-normalValue <positive_integer>]] [-time <secs>] [-state ( ENABLED | DISABLED )]

Description
Use this command to configure the user-configurable SNMP alarms. For each configured alarm, an SNMP trap is sent when the value exceeds the specified high threshold. When the value falls below the normal threshold, another SNMP trap is sent indicating a return-to-normal state.

Note: For any alarm, after a high threshold trap has been sent, it is not sent again until the monitored value falls back to normal.

NetScaler supports eight user-configurable alarms:
CPU: High CPU usage
SYNFLOOD: Global unacknowledged SYN count
MEMORY: Memory usage
VSERVER-REQRATE: Vserver specific request rate
SERVICE-REQRATE: Service specific request rate
ENTITY-RXRATE: Entity specific Rx bytes per second
ENTITY-TXRATE: Entity specific Tx bytes per second
ENTITY-SYNFLOOD: Entity specific unacknowledged SYN count
For the purposes of this command, entity includes vservers and services.

Note:
1. These traps are sent to "specific" trap destinations added via the 'add snmp trap specific'.
2. Thresholds for SERVICE-MAXCLIENTS should be set through 'set service <name> -maxClients <n>'.

Arguments

trapName
The name of the alarm. Possible values: CPU, MEMORY, SYNFLOOD, VSERVER-REQRATE, SERVICE-REQRATE, ENTITY-RXRATE, ENTITY-TXRATE, ENTITY-SYNFLOOD, SERVICE-MAXCLIENTS

thresholdValue
The high threshold value that triggers the alarm.

normalValue
The normal threshold value that triggers the return-to-normal alarm. If this value is not specified, the return to normal alarm is triggered by the value falling below the high threshold value.

time
The time interval for SYNFLOOD alarm only. Default value: 1

state
The current state of the alarm. Possible values: ENABLED, DISABLED Default value: ENABLED

Example
set snmp alarm VSERVER-REQRATE 10000

Related Commands
add snmp trap
enable snmp alarm
disable snmp alarm
unset snmp alarm
show snmp alarm
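
The high-threshold and return-to-normal behaviour described for set snmp alarm, modelled as an added example (not code from the guide or from NetScaler). The class and function names, the sample values and the normal value of 8000 are assumptions; the threshold of 10000 is the one from the example above.

```python
class SnmpAlarm:
    """Model of one user-configurable alarm as the guide describes it."""

    def __init__(self, trap_name, threshold_value, normal_value=None):
        self.trap_name = trap_name
        self.threshold_value = threshold_value
        # Without -normalValue, the guide says the return-to-normal trap is
        # triggered by the value falling below the high threshold itself.
        self.normal_value = threshold_value if normal_value is None else normal_value
        self.raised = False  # True after a high-threshold trap, until back to normal

    def observe(self, value):
        """Return 'HIGH', 'NORMAL' or None for one monitored sample."""
        if not self.raised and value > self.threshold_value:
            self.raised = True
            return "HIGH"
        if self.raised and value < self.normal_value:
            self.raised = False
            return "NORMAL"
        # While raised, further samples above the threshold send nothing:
        # the high trap is not repeated until the value has returned to normal.
        return None


def replay(alarm, samples):
    """Feed samples in order and return [(sample_index, trap_kind), ...]."""
    events = []
    for index, value in enumerate(samples):
        trap = alarm.observe(value)
        if trap is not None:
            events.append((index, trap))
    return events


# Constructed request-rate samples for a vserver (not measured data).
SAMPLES = [7000, 10500, 12000, 9500, 11000, 7900, 10001]


def with_normal_value():
    # Modelled on: set snmp alarm VSERVER-REQRATE 10000 -normalValue 8000
    return replay(SnmpAlarm("VSERVER-REQRATE", 10000, normal_value=8000), SAMPLES)


def without_normal_value():
    # Modelled on: set snmp alarm VSERVER-REQRATE 10000
    return replay(SnmpAlarm("VSERVER-REQRATE", 10000), SAMPLES)


if __name__ == "__main__":
    print("with -normalValue 8000:", with_normal_value())
    print("without -normalValue:  ", without_normal_value())
```

With a separate normal value the dip to 9500 produces no trap, so a trap receiver sees one sustained event; without it the same samples produce alternating high and normal traps.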

unset snmp alarm

Synopsis
unset snmp alarm <trapName>

Description
Use this command to unset a user-configurable SNMP alarm.

Arguments

trapName
The name of the alarm. Possible values: CPU, MEMORY, SYNFLOOD, VSERVER-REQRATE, SERVICE-REQRATE, ENTITY-RXRATE, ENTITY-TXRATE, ENTITY-SYNFLOOD, SERVICE-MAXCLIENTS

Example
unset snmp alarm VSERVER-REQRATE

Related Commands
enable snmp alarm
disable snmp alarm
set snmp alarm
show snmp alarm

show snmp alarm

Synopsis
show snmp alarm

Description
This command displays the alarm thresholds for the user-configurable traps. These thresholds can be set by the set snmp alarm command.

Arguments

Output

trapName
The name of the alarm.

thresholdValue
The high threshold value.

normalValue
The normal threshold value.

time
The time interval for the SYNFLOOD alarm.

state
The current state of the alarm.

Related Commands
enable snmp alarm
disable snmp alarm
set snmp alarm
unset snmp alarm

add snmp community

Synopsis
add snmp community <communityName> <permissions>

Description
Use this command to set the SNMP community string to grant access to an SNMP network management application to manage the NetScaler system. It also defines the specific management tasks that this user can perform.

Tip: Use the add snmp manager command to set the management privileges for the network management application.

Arguments

communityName
The SNMP community string.

permissions
The access privileges. Possible values: GET, GET_NEXT, GET_BULK, ALL

Example
add snmp community public ALL
add snmp community a#12ab GET_BULK

Related Commands
rm snmp community
show snmp community

rm snmp community

Synopsis
rm snmp community <communityName>

Description
Use this command to remove the specified SNMP community string. Once the string is deleted, the user will not be able to use the community to manage the NetScaler system.

Arguments

communityName
SNMP community string

Example
rm snmp community public

Related Commands
add snmp community
show snmp community

show snmp community

Synopsis
show snmp community

Description
Use this command to display the access privileges set for all the SNMP community strings configured on the NetScaler system.

Arguments

Output

communityName
SNMP community string

permissions
The access privileges.

Example
show snmp community

Related Commands
add snmp community
rm snmp community

add snmp manager

Synopsis
add snmp manager <IPAddress> ... [-netmask <netmask>]

Description
Use this command to configure a management application that complies with SNMP version 1 or SNMP version 2 to access the NetScaler system. If no management station is added through this command, network management applications from any host computer can access the NetScaler system. The netmask parameter can be used to grant access from entire subnets. Up to a maximum of 10 network management hosts or networks can be added.

Arguments

IPAddress
The IP/Network address of the management station(s).

netmask
The subnet of management stations. Default value: 255.255.255.255

Example
add snmp manager 192.168.1.20 192.168.2.42
add snmp manager 192.168.2.16 -netmask 255.255.255.240

Related Commands
rm snmp manager
show snmp manager
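
A configuration check for the access behaviour described under add snmp community and add snmp manager, as an added example (not code from the guide or from NetScaler). The function names, the finding labels, the list of well-known community strings and the /24 width limit are assumptions; the command syntax and the sample lines follow the examples above, with one constructed wide-netmask line.

```python
import ipaddress

# Community strings commonly tried first by scanners (editor's list, not from the guide).
WELL_KNOWN_COMMUNITIES = {"public", "private"}
# Assumed local policy: flag manager networks wider than a /24.
MIN_PREFIX_LEN = 24


def parse_snmp_config(text):
    """Return (communities, managers) parsed from 'add snmp ...' lines."""
    communities = {}  # community string -> permissions
    managers = []     # one ipaddress.IPv4Network per listed address
    for raw in text.splitlines():
        tokens = raw.split()
        verb = [t.lower() for t in tokens[:3]]
        if verb == ["add", "snmp", "community"] and len(tokens) == 5:
            communities[tokens[3]] = tokens[4].upper()
        elif verb == ["add", "snmp", "manager"]:
            args = tokens[3:]
            netmask = "255.255.255.255"  # default netmask per the guide
            lowered = [a.lower() for a in args]
            if "-netmask" in lowered:
                i = lowered.index("-netmask")
                if i + 1 >= len(args):
                    raise ValueError(f"-netmask without a value: {raw!r}")
                netmask = args[i + 1]
                args = args[:i] + args[i + 2:]
            for addr in args:
                # strict=False accepts a host address combined with a wider mask
                managers.append(ipaddress.IPv4Network(f"{addr}/{netmask}", strict=False))
    return communities, managers


def audit_snmp(text):
    """Return a list of (finding, detail) tuples for weak SNMP access settings."""
    communities, managers = parse_snmp_config(text)
    findings = []
    # The guide: with no manager added, applications on any host can access the system.
    if communities and not managers:
        findings.append(("open-manager-list", "no 'add snmp manager' entry"))
    for name, perms in sorted(communities.items()):
        if name.lower() in WELL_KNOWN_COMMUNITIES:
            findings.append(("well-known-community", f"{name} ({perms})"))
    for net in managers:
        if net.prefixlen < MIN_PREFIX_LEN:
            findings.append(("wide-manager-network", str(net)))
    return findings


# Constructed configurations built from the guide's example lines.
WEAK_CONFIG = """\
add snmp community public ALL
add snmp community a#12ab GET_BULK
"""

RESTRICTED_CONFIG = """\
add snmp community a#12ab GET_BULK
add snmp manager 192.168.1.20 192.168.2.42
add snmp manager 192.168.2.16 -netmask 255.255.255.240
"""

# Constructed line: a manager entry that admits an entire /8.
WIDE_CONFIG = """\
add snmp community a#12ab GET
add snmp manager 10.0.0.0 -netmask 255.0.0.0
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("restricted", RESTRICTED_CONFIG), ("wide", WIDE_CONFIG)):
        print(label, audit_snmp(cfg))
```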

rm snmp manager

Synopsis
rm snmp manager <IPAddress> ... [-netmask <netmask>]

Description
Use this command to remove the access privileges from a management station, so that the management station no longer has access to the NetScaler system.

Arguments

IPAddress
The IP/Network address of the management station.

netmask
The subnet of the management station.

Example
rm snmp manager 192.168.1.20
rm snmp manager 192.168.2.16 -netmask 255.255.255.240

Related Commands
add snmp manager
show snmp manager

show snmp manager

Synopsis
show snmp manager

Description
Use this command to list the management stations that are allowed to manage the NetScaler system. The managers are listed by their IP addresses and netmasks.

Arguments

Output

IPAddress
The IP/Network address of the management station.

netmask
The netmask, if a network address was specified.

Related Commands
add snmp manager
rm snmp manager

set snmp mib

Synopsis
set snmp mib [-contact <string>] [-name <string>] [-location <string>]

Description
Use this command to set the system SNMP MIB information of the NetScaler system.

Arguments

contact
The contact person for the NetScaler system.

name
The name of the NetScaler system.

location
The physical location of the NetScaler system.

Related Commands
show snmp mib

show snmp mib

Synopsis
show snmp mib

Description
Use this command to display the information from the SNMP system MIB in the NetScaler system. The information that is displayed depends on what was specified when the set snmp mib CLI command was issued.

Arguments

Output

contact
The contact person for the NetScaler system.

name
The name of the NetScaler system.

location
The physical location of the NetScaler system.

sysDesc
The description of the NetScaler system.

sysUptime
The uptime of the NetScaler system, in hundredths of a second.

sysServices
The services offered by the NetScaler system.

sysOID
The OID of the NetScaler system's management system.

Example
show snmp mib


Related Commands
set snmp mib

add snmp trap

Synopsis
add snmp trap <trapClass> <trapDestination> ... [-version ( V1 | V2 )]

Description
The SNMP traps are asynchronous events generated by the agent to indicate the state of the system. The destination to which these traps should be sent by the NetScaler system is configured via this command.

Arguments

trapClass
The Trap type. The Generic type causes the standard SNMP traps supported by the NetScaler system to be sent to the destination, while the Specific trap type sets the destination for NetScaler specific traps.
Possible values: generic, specific

trapDestination
The IP address of the trap destination.

version
The SNMP version of the trap PDU to be sent.
Possible values: V1, V2
Default value: V2

Related Commands
rm snmp trap
show snmp trap

rm snmp trap

Synopsis
rm snmp trap <trapClass> <trapDestination> ...

Description
Use this command to delete a trap destination that has been set.

Arguments

trapClass
The Trap type.
Possible values: generic, specific

trapDestination
The IP address of the trap destination.

Related Commands
add snmp trap
show snmp trap

show snmp trap

Synopsis
show snmp trap

Description
Use this command to display the IP addresses of the SNMP managers to which the NetScaler system sends traps and the version of the PDU to be used for these destinations. The location where a trap notification is displayed can be set by using the add snmp trap command.

Arguments

Output

trapClass
The trap type.

trapDestination
The IP address of the trap destination.

version
The SNMP version of the trap to be sent.

Example
show snmp trap

Related Commands
add snmp trap
rm snmp trap

show snmp oid

Synopsis
show snmp oid <entityType> [<name>]

Description
Use this command to display the SNMP OID index for entities of the given type.

Arguments

entityType
The entity type.
Possible values: VSERVER

name
The name of the entity.

Output

Example
show snmp oid VSERVER vs1

Related Commands


SSL Commands

This chapter covers the SSL commands.

stat ssl

Synopsis
stat ssl [-detail] [-fullValues] [-ntimes <positive_integer>] [-logFile <input_filename>]

Description
This command displays the SSL statistics.

Counters

SSL crypto card status (SSLCard)
Status of the SSL card (1=UP, 0=DOWN)

SSL engine status
Status of the SSL Engine (1=UP, 0=DOWN)

SSL transactions (SSLTrn)
Number of SSL transactions

SSLv2 transactions (SSL2Trn)
Number of SSLv2 transactions

SSLv3 transactions (SSL3Trn)
Total number of SSLv3 Transactions.

TLSv1 transactions (TLS1Trn)
Number of TLSv1 transactions

SSL sessions (SSLSe)
Number of SSL sessions

SSLv3 sessions (SSL3Se)
Number of SSLv3 sessions

TLSv1 sessions (TLS1Se)
Number of TLSv1 sessions


new SSL sessions (NewSe)
Number of new SSL sessions

SSL session hits (SeHit)
Number of SSL session reuse hits

SSL session misses (SeMiss)
Number of SSL session reuse misses

Export sessions (40-bit) (ExpSe)
Total number of Expired SSL Sessions.

SSL session renegotiations (SSLRn)
Number of SSL session renegotiations

SSLv3 session renegotiations (SSL3Rn)
Number of session renegotiations done on SSLv3

TLSv1 session renegotiations (TLS1Rn)
Number of SSL session renegotiations done on TLSv1

SSLv2 sessions (SSL2Se)
Number of SSLv2 sessions

SSLv2 SSL handshakes (SSL2Hs)
Number of handshakes on SSLv2

SSLv3 SSL handshakes (SSL3Hs)
Number of handshakes on SSLv3

TLSv1 SSL handshakes (TLS1Hs)
Number of SSL handshakes on TLSv1

RSA 1024-bit key exchanges (RSAKx1)
Number of RSA 1024-bit key exchanges

RSA 512-bit key exchanges (RSAKx5)
Number of RSA 512-bit key exchanges

RSA 2048-bit key exchanges (RSAKx2)
Number of RSA 2048-bit key exchanges


DH 512-bit key exchanges (DHKx5)
Number of Diffie-Hellman 512-bit key exchanges

DH 1024-bit key exchanges (DHKx1)
Number of Diffie-Hellman 1024-bit key exchanges

DH 2048-bit key exchanges (DHKx2)
Number of Diffie-Hellman 2048-bit key exchanges

RSA authentications (RSAAt)
Number of RSA authentications

DH authentications (DHAt)
Number of Diffie-Hellman authentications

DSS (DSA) authentications (DSSAt)
Total number of times DSS authorization was used.

Null authentications (NullAt)
Number of Null authentications

RC4 40-bit encryptions (RC4En4)
Number of RC4 40-bit cipher encryptions

RC4 56-bit encryptions (RC4En5)
Number of RC4 56-bit cipher encryptions

RC4 64-bit encryptions (RC4En6)
Number of RC4 64-bit cipher encryptions

RC4 128-bit encryptions (RC4En1)
Number of RC4 128-bit cipher encryptions

DES 40-bit encryptions (DESEn4)
Number of DES 40-bit cipher encryptions

DES 56-bit encryptions (DESEn5)
Number of DES 56-bit cipher encryptions

DES 168-bit encryptions (3DESEn1)
Number of DES 168-bit cipher encryptions


RC2 40-bit encryptions (RC2En4)
Number of RC2 40-bit cipher encryptions

RC2 56-bit encryptions (RC2En5)
Number of RC2 56-bit cipher encryptions

RC2 128-bit encryptions (RC2En1)
Number of RC2 128-bit cipher encryptions

IDEA 128-bit encryptions (IDEAEn1)
Number of IDEA 128-bit cipher encryptions

AES 128-bit encryptions (AESEn1)
Number of AES 128-bit cipher encryptions

AES 256-bit encryptions (AESEn2)
Number of AES 256-bit cipher encryptions

Null cipher encryptions (NullEn)
Number of Null cipher encryptions

MD5 hashes (MD5Hsh)
Number of MD5 hashes

SHA hashes (SHAHsh)
Number of SHA hashes

SSLv2 client authentications (SSL2CAt)
Number of client authentications done on SSLv2

SSLv3 client authentications (SSL3CAt)
Number of client authentications done on SSLv3

TLSv1 client authentications (TLS1CAt)
Number of client authentications done on TLSv1

Backend SSL sessions (BSSLSe)
Number of Backend SSL sessions

Backend SSLv3 sessions (BSSL3Se)
Number of Backend SSLv3 sessions


Backend TLSv1 sessions (BTLS1Se)
Number of Backend TLSv1 sessions

Backend SSL sessions reused (BSeRe)
Number of Backend SSL sessions reused

Backend session multiplex attempts (BSeMx)
Number of Backend SSL session multiplex attempts

Backend session multiplex successes (BSeMxS)
Number of Backend SSL session multiplex successes

Backend SSL multiplex failures (BSeMxF)
Number of Backend SSL session multiplex failures

Backend SSL session renegotiations (BSSLRn)
Number of Backend SSL session renegotiations

Backend SSLv3 session renegotiations (BSSL3Rn)
Number of Backend SSLv3 session renegotiations

Backend TLSv1 session renegotiations (BTLS1Rn)
Number of Backend TLSv1 session renegotiations

Backend RSA 512-bit key exchanges (BRSAKx5)
Number of Backend RSA 512-bit key exchanges

Backend RSA 1024-bit key exchanges (BRSAKx1)
Number of Backend RSA 1024-bit key exchanges

Backend RSA 2048-bit key exchanges (BRSAKx2)
Number of Backend RSA 2048-bit key exchanges

Backend DH 512-bit key exchanges (BDHKx5)
Number of Backend DH 512-bit key exchanges

Backend DH 1024-bit key exchanges (BDHKx1)
Number of Backend DH 1024-bit key exchanges

Backend DH 2048-bit key exchanges (BDHKx2)
Number of Backend DH 2048-bit key exchanges


Backend RC4 40-bit encryptions (BRC4En4)
Number of Backend RC4 40-bit cipher encryptions

Backend RC4 56-bit encryptions (BRC4En5)
Number of Backend RC4 56-bit cipher encryptions

Backend RC4 64-bit encryptions (BRC4En6)
Number of Backend RC4 64-bit cipher encryptions

Backend RC4 128-bit encryptions (BRC4En1)
Number of Backend RC4 128-bit cipher encryptions

Backend DES 40-bit encryptions (BDESEn4)
Number of Backend DES 40-bit cipher encryptions

Backend DES 56-bit encryptions (BDESEn5)
Number of Backend DES 56-bit cipher encryptions

Backend 3DES 168-bit encryptions (B3DESE1n)
Number of Backend 3DES 168-bit cipher encryptions

Backend AES 128-bit encryptions (BAESEn1)
Backend AES 128-bit cipher encryptions

Backend AES 256-bit encryptions (BAESEn2)
Backend AES 256-bit cipher encryptions

Backend RC2 40-bit encryptions (BRC2En4)
Number of Backend RC2 40-bit cipher encryptions

Backend RC2 56-bit encryptions (BRC2En5)
Number of Backend RC2 56-bit cipher encryptions

Backend RC2 128-bit encryptions (BRC2En1)
Number of Backend RC2 128-bit cipher encryptions

Backend IDEA 128-bit encryptions (BIDEAEn1)
Number of Backend IDEA 128-bit cipher encryptions

Backend null encryptions (BNullEn)
Number of Backend null cipher encryptions


Backend MD5 hashes (BMD5Hsh)
Number of Backend MD5 hashes

Backend SHA hashes (BSHAHsh)
Number of Backend SHA hashes

SSLv2 SSL handshakes (SSL2Hs)
Number of handshakes on SSLv2

SSLv3 SSL handshakes (SSL3Hs)
Number of handshakes on SSLv3

TLSv1 SSL handshakes (TLS1Hs)
Number of SSL handshakes on TLSv1

Backend SSLv3 handshakes (BSSL3Hs)
Number of Backend SSLv3 handshakes

Backend TLSv1 handshakes (BTLS1Hs)
Number of Backend TLSv1 handshakes

Backend SSLv3 client authentications (BSSL3CAt)
Number of Backend SSLv3 client authentications

Backend TLSv1 client authentications (BTLS1CAt)
Number of Backend TLSv1 client authentications

Backend RSA authentications (BRSAAt)
Number of Backend RSA authentications

Backend DH authentications (BDHAt)
Number of Backend DH authentications

Backend DSS authentications (BDSSAt)
Number of Backend DSS authentications

Backend Null authentications (BNullAt)
Number of Backend null authentications

Related Commands

show ssl stats

Synopsis
show ssl stats - alias for 'stat ssl'

Description
show ssl stats is an alias for stat ssl

Related Commands
stat ssl

create ssl cert

Synopsis
create ssl cert <certFile> <reqFile> <certType> [-keyFile <input_filename>] [-keyform ( DER | PEM )] [-days <positive_integer>] [-certForm ( DER | PEM )] [-CAcert <input_filename>] [-CAcertForm ( DER | PEM )] [-CAkey <input_filename>] [-CAkeyForm ( DER | PEM )] [-CAserial <output_filename>]

Description
Use this command to generate a signed X509 Certificate.

Arguments

certFile
The name of the generated certificate file. The default path of the certificate file is /nsconfig/ssl/.

reqFile
The Certificate Signing Request (CSR) file that is used to generate the certificate. This file is created using the "create ssl certreq" command or an existing CSR. The default input path for the CSR file is /nsconfig/ssl/.

certType
The type of the certificate to be generated.
ROOT_CERT: The certificate generated will be a self-signed Root-CA certificate. For this, you need to specify the -keyFile parameter. The generated Root-CA certificate can be used for signing end-user certificates (Client/Server) or to create Intermediate-CA certificates.
INTM_CERT: The certificate generated will be an Intermediate-CA certificate. For this, you need to specify the following parameters: -CAcert, -CAkey, and -CAserial.
NOTE: The three parameters are also mandatory for the CLNT_CERT or SRVR_CERT certificate types.
CLNT_CERT: The certificate generated will be an end-user client certificate. This can be used in a Client-Authentication setup.
SRVR_CERT: The certificate generated will be an end-user Server certificate. This can be used as an SSL server certificate on the backend SSL servers for an SSL backend-encryption setup with the NetScaler system.
NOTE: Avoid using the Server certificate (generated above) for a front-end SSL virtual server (or SSL service) on a NetScaler system or on any front-end SSL server if the certificate is signed by NetScaler. The same is true of a NetScaler-generated Intermediate-CA or Root-CA certificate. The reason is that NetScaler-generated CA certificates are not present in browsers (such as IE, Netscape, and other browsers) by default, so the Server Certificate verification will fail during the SSL handshake. Browsers generally display a warning message and prompt the user to either continue with the SSL handshake or terminate it. If the NetScaler-generated CA certificates are installed in the browsers as trusted CA certificates, the SSL handshake will proceed without any errors or warnings.
Possible values: ROOT_CERT, INTM_CERT, CLNT_CERT, SRVR_CERT

keyFile
The input keyFile to sign the certificate being generated. This keyFile is created using the "create ssl rsakey" or "create ssl dsakey" commands, or an existing RSA/DSA key. This file is required only when creating a self-signed Root-CA certificate. The default input path for the keyFile is /nsconfig/ssl/.
Note: If the input key specified is an encrypted key, the user will be prompted to enter the PEM pass-phrase that was used for encrypting the key.

keyform
The format for the input key file:
PEM: Privacy Enhanced Mail
DER: Distinguished Encoding Rule
Possible values: DER, PEM
Default value: PEM

days
The number of days for which the certificate will be valid. The certificate is valid from the time and day (NetScaler 9000 system time) of the creation, to the number of days specified in the -days field.
Default value: 365

certForm
The output certificate format:
PEM: Privacy Enhanced Mail
DER: Distinguished Encoding Rule
Possible values: DER, PEM
Default value: PEM

CAcert
The CA certificate file that will issue and sign the Intermediate-CA certificate or the end-user certificates (Client/Server). The default input path for the CA certificate file is /nsconfig/ssl/.


CAcertForm
The format of the input CA certificate file:
PEM: Privacy Enhanced Mail
DER: Distinguished Encoding Rule
Possible values: DER, PEM
Default value: PEM

CAkey
The CA key file that will be used to sign the Intermediate-CA certificate or the end-user certificates (Client/Server). The default input path for the CA key file is /nsconfig/ssl/.
Note: If the CA key file is password protected, the user will be prompted to enter the pass-phrase used for encrypting the key.

CAkeyForm
The format of the input CA key file:
PEM: Privacy Enhanced Mail
DER: Distinguished Encoding Rule
Possible values: DER, PEM
Default value: PEM

CAserial
The Serial number file maintained for the CA certificate. This will contain the serial number of the next certificate to be issued/signed by the CA (-CAcert). If the specified file does not exist, a new file will be created. The default input path for the CAserial file name is /nsconfig/ssl/.
Note: Specify the proper path of the existing serial file; otherwise a new serial file will be created. This may change the certificate serial numbers assigned by the CA certificate to each of the certificates it signs.

Example
1) create ssl cert /nsconfig/ssl/root_cert.pem /nsconfig/ssl/root_csr.pem ROOT_CERT -keyFile /nsconfig/ssl/root_key.pem -days 1000
The above example creates a self signed Root-CA certificate.
2) create ssl cert /nsconfig/ssl/server_cert.pem /nsconfig/ssl/server_csr.pem SRVR_CERT -CAcert /nsconfig/ssl/root_cert.pem -CAkey /nsconfig/ssl/root_key.pem -CAserial /nsconfig/ssl/root.srl
The above example creates a Server certificate which is signed by the Root-CA certificate: root_cert.pem

Related Commands
create ssl certreq
create ssl rsakey
create ssl dsakey
add ssl certkey

add ssl certkey

Synopsis
add ssl certkey <certkeyName> -cert <string> [(-key <string> [-password]) | -fipsKey <string>] [-inform ( DER | PEM )]

Description
Use this command to add a certificate-key pair object.
Notes:
1) For server certificate-key pair, use both -cert and -key arguments.
2) The CLI command "bind ssl certkey", used for binding a certificate-key pair to an SSL virtual server, fails if the certificate-key pair does not include the private key.
3) In an HA configuration, the certificate should be located as specified in the -cert <string> parameter, on both the primary and secondary nodes. If the optional parameter -key is used, the key must be located as specified in the -key <string> parameter.

Arguments

certkeyName
The name of the certificate and private-key pair.

cert
The file name and path for the X509 certificate file. The certificate file should be present on the NetScaler system device (HDD). The default input path for the certificate file is /nsconfig/ssl/.

key
The file name and path for the private-key file. The private-key file should be present on the NetScaler system device (HDD). The default input path for the key file is /nsconfig/ssl/.
Notes:
1) This argument is optional when adding a Certificate-Authority (CA) certificate file. In this case the CA's private-key will not be available to the user.
2) The NetScaler FIPS system does not support external keys (non-FIPS keys). On a NetScaler FIPS system, you will not be able to load keys from a local storage device such as a hard disc or flash memory.

fipsKey
The name of the FIPS key. The FIPS key is created inside the FIPS HSM (Hardware Security Module). This is applicable only to the SSL FIPS system.


inform
The input format of the certificate and the private-key files. The two formats supported by the NetScaler system are:
PEM: Privacy Enhanced Mail
DER: Distinguished Encoding Rule
Possible values: DER, PEM
Default value: PEM

Example
1) add ssl certkey siteAcertkey -cert /nsconfig/ssl/cert.pem -key /nsconfig/ssl/pkey.pem
The above command loads a certificate and private key file.
2) add ssl certkey siteAcertkey -cert /nsconfig/ssl/cert.pem -key /nsconfig/ssl/pkey.pem -password
Password: ********
The above command loads a certificate and private key file. Here the private key file is an encrypted key.
3) add ssl certkey fipscert -cert /nsconfig/ssl/cert.pem -fipskey fips1024
The above command loads a certificate and associates it with the corresponding FIPS key that resides within the HSM.

Related Commands
bind ssl certkey
link ssl certkey
rm ssl certkey
show ssl certkey
unbind ssl certkey
unlink ssl certkey
update ssl certkey

bind ssl certkey

Synopsis
bind ssl certkey (<vServerName>@ | <serviceName>@) <certkeyName> [-CA] [-vServer | -service]

Description
Use this command to bind a certificate-key pair to an SSL virtual server or an SSL service.

Arguments

vServerName
The name of the SSL virtual server to which the certificate-key pair needs to be bound.

serviceName
The name of the SSL service to which the certificate-key pair needs to be bound. Use the "add service" command to create this service.

certkeyName
The object name for the certificate-key pair.

CA
If this option is specified, it indicates that the certificate-key pair being bound to the SSL virtual server is a CA certificate. If this option is not specified, the certificate-key pair is bound as a normal server certificate.
Note: In case of a normal server certificate, the certificate-key pair should consist of both the certificate and the private-key.

vServer
Specify this option to bind the certificate to an SSL virtual server.
Note: The default option is -vServer.

service
Specify this option to bind the certificate to an SSL Service.


Example
1) bind ssl certkey sslvip siteAcertkey
In the above example, the certificate-key pair siteAcertkey is bound to the SSL virtual server as server certificate.
2) bind ssl certkey sslvip CAcertkey -CA
In the above example, the certificate-key pair CAcertkey is bound to the SSL virtual server as CA certificate.
3) bind ssl certkey sslsvc siteAcertkey -service
In the above example, the certificate-key pair CAcertkey is bound to the SSL Service as server certificate.

Related Commands
show ssl vserver
add ssl certkey
link ssl certkey
rm ssl certkey
show ssl certkey
unbind ssl certkey
unlink ssl certkey
update ssl certkey

link ssl certkey

Synopsis
link ssl certkey <certkeyName> <linkcertkeyName>

Description
Use this command to link a certificate-key pair to its Certificate Authority (CA) certificate-key pair.
Note: The two certificate-key pairs are linked only if the certificate specified in the certKeyName parameter is issued by the Certificate-Authority specified in the linkCertKeyName parameter.

Arguments

certkeyName
The certificate-key name that is to be bound to its issuer certificate-key pair.

linkcertkeyName
Specifies the name of the Certificate-Authority.

Example
1) link ssl certkey siteAcertkey CAcertkey
In the above example, the certificate-key siteAcertkey is bound to its issuer certificate-key pair CAcertkey.

Related Commands
show ssl certlink
add ssl certkey
bind ssl certkey
rm ssl certkey
show ssl certkey
unbind ssl certkey
unlink ssl certkey
update ssl certkey

rm ssl certkey

Synopsis
rm ssl certkey <certkeyName> ...

Description
Use this command to remove the specified certificate-key pair from the NetScaler system.

Arguments

certkeyName
The name of the certificate-key pair.
Note: The certificate-key pair is removed only when it is not referenced by any other object. The reference count is updated when the certificate-key pair is bound to an SSL virtual server (using the "bind ssl certkey" CLI command) or linked to another certificate-key pair (using the "link ssl certkey" CLI command).

Example
1) rm ssl certkey siteAcertkey
The above command removes the certificate-key pair siteAcertkey from the NetScaler 9000 system.

Related Commands
add ssl certkey
bind ssl certkey
link ssl certkey
show ssl certkey
unbind ssl certkey
unlink ssl certkey
update ssl certkey

show ssl certkey

Synopsis
show ssl certkey [<certkeyName>]

Description
Use this command to display the information pertaining to the certificate-key pairs configured on the NetScaler system:
1) If no argument is specified, the command will display all the certificate-key pairs configured on the NetScaler system.
2) If the certKeyName argument is specified, the command will display the details of the certificate.

Arguments

certkeyName
The certificate-key pair object name for which the certificate details are to be displayed.

Output

cert

key

inform

signatureAlg

description

issuer


notbefore

notafter

subject

publickey

publickeysize

version

status

fipsKey

passcrypt

serial

serverName
vsrvsvcname_len

serviceName
vsrvsvcname_len

Example
1) An example of the output of the show ssl certkey command is shown below:
2 configured certkeys:
1) Name: siteAcertkey
Cert Path: /nsconfig/ssl/siteA-cert.pem
Key Path: /nsconfig/ssl/siteA-key.pem
Format: PEM
Status: Valid
2) Name: cert1
Cert Path: /nsconfig/ssl/server_cert.pem
Key Path: /nsconfig/ssl/server_key.pem
Format: PEM
Status: Valid
2) An example of the output of the show ssl certkey siteAcertkey command is shown below:
Name: siteAcertkey Status: Valid
Version: 3
Serial Number: 02
Signature Algorithm: md5WithRSAEncryption
Issuer: /C=US/ST=CA/L=Santa Clara/O=siteA/OU=Tech
Validity
Not Before: Nov 11 14:58:18 2001 GMT
Not After: Aug 7 14:58:18 2004 GMT
Subject: /C=US/ST-CA/L=San Jose/O=CA/OU=Security
Public Key Algorithm: rsaEncryption
Public Key size: 1024

Related Commands
add ssl certkey
bind ssl certkey
link ssl certkey
rm ssl certkey
unbind ssl certkey
unlink ssl certkey
update ssl certkey
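The detail view printed by show ssl certkey <certkeyName> carries what is needed to decide whether a certificate should be reissued. The following Python check is an added example, not part of the Command Reference Guide. It parses the field labels from the sample output above and flags an MD2, MD5 or SHA-1 signature, an RSA key under 2048 bits, and a validity window that does not cover a given date; the function names and thresholds are assumptions of this example.

```python
import re
from datetime import datetime

# Field labels as they appear in the guide's sample output.
LABELS = ["Name", "Status", "Version", "Serial Number", "Signature Algorithm",
          "Issuer", "Not Before", "Not After", "Subject",
          "Public Key Algorithm", "Public Key size"]
# "Validity" is a bare heading with no value; it only terminates the Issuer field.
SPLITTER = re.compile("(" + "|".join(re.escape(l) for l in LABELS) + r"):|Validity")

WEAK_DIGESTS = ("md2", "md5", "sha1")  # assumption: digests treated as weak
MIN_RSA_BITS = 2048                    # assumption: policy minimum for RSA keys

# Values copied from the guide's example; the line layout is reconstructed.
SAMPLE = """\
Name: siteAcertkey Status: Valid
Version: 3
Serial Number: 02
Signature Algorithm: md5WithRSAEncryption
Issuer: /C=US/ST=CA/L=Santa Clara/O=siteA/OU=Tech
Validity
Not Before: Nov 11 14:58:18 2001 GMT
Not After: Aug 7 14:58:18 2004 GMT
Subject: /C=US/ST-CA/L=San Jose/O=CA/OU=Security
Public Key Algorithm: rsaEncryption
Public Key size: 1024
"""


def parse_certkey(text):
    """Split the output on known labels, so fused or wrapped lines still parse."""
    fields = {}
    matches = list(SPLITTER.finditer(text))
    for i, m in enumerate(matches):
        if m.group(1) is None:          # the "Validity" heading
            continue
        end = matches[i + 1].start() if i + 1 < len(matches) else len(text)
        fields[m.group(1)] = " ".join(text[m.end():end].split())
    return fields


def parse_time(value):
    """Parse timestamps such as 'Aug 7 14:58:18 2004 GMT' (treated as naive GMT)."""
    return datetime.strptime(value, "%b %d %H:%M:%S %Y GMT")


def review(text, now):
    """Return findings for one certificate, evaluated at the naive GMT time 'now'."""
    f = parse_certkey(text)
    findings = []
    sig = f.get("Signature Algorithm", "")
    if sig.lower().startswith(WEAK_DIGESTS):
        findings.append("weak-signature:" + sig)
    size = f.get("Public Key size", "")
    if (f.get("Public Key Algorithm") == "rsaEncryption"
            and size.isdigit() and int(size) < MIN_RSA_BITS):
        findings.append("short-rsa-key:" + size)
    if "Not Before" in f and parse_time(f["Not Before"]) > now:
        findings.append("not-yet-valid:" + f["Not Before"])
    if "Not After" in f and parse_time(f["Not After"]) < now:
        findings.append("expired:" + f["Not After"])
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE, datetime.utcnow()):
        print(finding)
```
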

unbind ssl certkey

Synopsis
unbind ssl certkey (<vServerName>@ | <serviceName>@) <certkeyName> [-CA] [-vServer | -service]

Description
Use this command to unbind the certificate-key pair from the specified SSL vserver or SSL service. Use the "bind ssl certkey" command to bind the certificate-key pair to the specified SSL vserver or SSL service.

Arguments

vServerName
The name of the SSL virtual server.

serviceName
The name of the SSL service.

certkeyName
The certificate-key object name that needs to be unbound from the SSL virtual server or SSL service.

CA
Specifies that the certificate-key pair being unbound is a Certificate Authority (CA) certificate. If you choose this option, the certificate-key pair is unbound from the list of CA certificates that were bound to the specified SSL virtual server or SSL service.

vServer
Specify this option to unbind the certificate from an SSL virtual server.
Note: The default option is -vServer.

service
Specify this option to unbind the certificate from an SSL Service.


Example
1) unbind ssl certkey sslvip siteAcertkey
In the above example, the server certificate siteAcertkey is unbound from the SSL virtual server.
2) unbind ssl certkey sslvip CAcertkey -CA
In the above example, the CA certificate CAcertkey is unbound from the SSL virtual server.

Related Commands
show ssl vserver
add ssl certkey
bind ssl certkey
link ssl certkey
rm ssl certkey
show ssl certkey
unlink ssl certkey
update ssl certkey

unlink ssl certkey

Synopsis
unlink ssl certkey <certkeyName>

Description
Use this command to unlink the certificate-key name from its Certificate-Authority (CA) certificate-key pair.

Arguments

certkeyName
The certificate-key object name that has to be unlinked from the CA certificate. The CA certificate name is taken internally.

Example
1) unlink ssl certkey siteAcertkey
The above example unlinks the certificate 'siteAcertkey' from its Certificate-Authority (CA) certificate.

Related Commands
show ssl certlink
add ssl certkey
bind ssl certkey
link ssl certkey
rm ssl certkey
show ssl certkey
unbind ssl certkey
update ssl certkey

update ssl certkey

Synopsis
update ssl certkey <certkeyName> [-cert <string>] [(-key <string> [-password]) | -fipsKey <string>] [-inform ( DER | PEM )] [-noDomainCheck]

Description
Use this command to update a certificate-key pair object.
Notes:
1) In an HA configuration, the certificate should be located as specified in the -cert <string> parameter, on both the primary and secondary nodes. If the optional parameter -key is used, the key must be located as specified in the -key <string> parameter.

Arguments

certkeyName
The name of the certificate and private-key pair.

cert
The file name and path for the X509 certificate file. The certificate file should be present on the NetScaler system device (HDD). The default input path for the certificate file is /nsconfig/ssl/.

key
The file name and path for the private-key file. The private-key file should be present on the NetScaler system device (HDD). The default input path for the key file is /nsconfig/ssl/.

fipsKey
The name of the FIPS key. The FIPS key is created inside the FIPS HSM (Hardware Security Module). This is applicable only to the SSL FIPS system.

inform
The input format of the certificate and the private-key files. The two formats supported by the NetScaler system are:
PEM: Privacy Enhanced Mail
DER: Distinguished Encoding Rule
Possible values: DER, PEM
Default value: PEM


noDomainCheck
Specify this option to override the check for matching domain names during the certificate update operation.

Example
1) update ssl certkey siteAcertkey -cert /nsconfig/ssl/cert.pem -key /nsconfig/ssl/pkey.pem
The above command updates a certificate and private key file.
2) update ssl certkey siteAcertkey -cert /nsconfig/ssl/cert.pem -key /nsconfig/ssl/pkey.pem -password
Password: ********
The above command updates a certificate and private key file. Here the private key file is an encrypted key.
3) update ssl certkey mydomaincert
The above command updates the certificate using the same parameters (-cert path/-key path) that it was added with.

Related Commands
add ssl certkey
rm ssl certkey
bind ssl certkey
link ssl certkey
show ssl certkey
unbind ssl certkey
unlink ssl certkey

show ssl certlink

Synopsis
show ssl certlink

Description
Use this command to display all the linked certificate-key pairs in the NetScaler system.

Arguments

Output

certkeyName

linkcertkeyName

Example
The following shows an example of the output of the show ssl certlink command:
linked certificate:
1) Cert Name: siteAcertkey CA Cert Name: CAcertkey

Related Commands
link ssl certkey
unlink ssl certkey

create ssl certreq

Synopsis
create ssl certreq <reqFile> [-keyFile <input_filename>] [-fipsKeyName <string>] [-keyform ( DER | PEM )]

Description
Use this command to generate a new Certificate Signing Request (CSR). The generated CSR can be sent to a Certificate-Authority (CA) to obtain an X509 certificate for the user domain (web site).

Arguments

reqFile
The file name where the generated Certificate Signing Requests are stored. The default output path for the CSR file is /nsconfig/ssl/.

keyFile
The key file name to be used. The key can be an RSA or a DSA key. The default input path for the key file is /nsconfig/ssl/.

fipsKeyName
The FIPS key name to be used. FIPS keys are created inside the FIPS HSM (Hardware Security Module). This is applicable only to the SSL FIPS system.

keyformThe format for the input key file specified in the keyFileName: PEM: Privacy Enhanced Mail DER: Distinguished Encoding Rule The command prompts the user for information that is incorporated in the Certificate Signing Request. For example, this information forms the Distinguished Name (DN) for the domain or the site. Country Name - Two letter ISO code for your country. For example, US for United States. State or Province Name - Full name for the state or province where your organization is located. Do not abbreviate. Locality Name - Name of the city or town in which your organization's head office is located. Organization Name - Name of the organization. The organization name (corporation, limited partnership, university, or government agency) must be registered with some authority at the national, state, or city level. Use the legal name under which the organization is registered. Do not abbreviate the organization name and do not use the

24-28 Command Reference Guide

Page 735: Citrix NetScaler Application Switch

create ssl certreq

following characters in the name: < > ~ ! @ # 0 ^ * / ( )?. Organization Unit Name - Division or Section name in the organization that will use the certificate. Common Name - Fully qualified domain name for the company/Web site. The common name is the fully qualified domain name (FQDN) for the company/Web site. The common name must match the name used by DNS servers to do a DNS lookup of your server (for example, www.mywebsite.com <http://www.mywebsite.com>). Most browsers use this information for authenticating the server's certificate during the SSL handshake. If the server name does not match the common name as given in the server certificate, the browsers will terminate the SSL handshake or prompt the user with a warning message. CAUTION: Do not use wildcard characters such as * or ? and do not use an IP address as the common name. The common name should be without the protocol specifier <http://> or <https://>. Challenge Password - Challenge password for this certificate. Optional Company Name - Additional name of the company/web-site. Challenge Password - The contact person's E-mail address. Note: If the input key specified is an encrypted key, the user will be prompted to enter the PEM pass-phrase that was used to encrypt the key. Possible values: DER, PEM Default value: PEM

Examplecreate ssl certreq /nsconfig/ssl/csr.pem -keyFile /nsconfig/ssl/rsa1024.pem

Related Commandscreate ssl certcreate ssl rsakeycreate ssl dsakey


add ssl cipher

Synopsis
add ssl cipher <cipherGroupName> <cipherAliasName/cipherName/cipherGroupName> ...

Description
Use this command to either create a user-defined cipher group or to add ciphers to an existing group. The cipher group can be used to set the cipher-suite of an SSL virtual server.

Arguments

cipherGroupName
The name of the user-defined cipher group. If the cipher group does not exist on the NetScaler system, a new group is created with the specified name. The ciphers are added to this group. If a group identified by cipherGroupName already exists on the NetScaler system, the ciphers are added to it.

cipherAliasName/cipherName/cipherGroupName
The individual cipher name(s), a user-defined cipher group, or a NetScaler system predefined cipher alias that will be added to the group cipherGroupName. If a cipher alias or a cipher group is specified, all the individual ciphers in the cipher alias or group will be added to the user-defined cipher group.

Example
1) add ssl cipher mygroup SSL2-RC4-MD5 SSL2-EXP-RC4-MD5
The above command creates a new cipher group named mygroup, with the two ciphers SSL2-RC4-MD5 and SSL2-EXP-RC4-MD5 as part of the cipher group. If a cipher group named mygroup already exists in the NetScaler 9000 system, the two ciphers are added to the list of ciphers contained in the group.
2) add ssl cipher mygroup HIGH MEDIUM
The above command creates a new cipher group named mygroup, with the ciphers from the cipher aliases "HIGH" and "MEDIUM" as part of the cipher group. If a cipher group named mygroup already exists in the NetScaler 9000 system, the ciphers from the two aliases are added to the list of ciphers contained in the group.


Related Commands
bind ssl cipher
rm ssl cipher
show ssl cipher


bind ssl cipher

Synopsis
bind ssl cipher (<vServerName>@ | <serviceName>@) <cipherOperation> <cipherAliasName/cipherName/cipherGroupName> [-vServer | -service]

Description
Use this command to change the default cipher-suite defined for an SSL virtual server. By default, the predefined cipher alias DEFAULT on the NetScaler system is bound to all SSL virtual servers. The DEFAULT alias contains all ciphers supported by the NetScaler system, with the exception of NULL ciphers (ciphers with no encryption).
Note: To view the individual ciphers in the alias DEFAULT, use the show ssl cipher DEFAULT CLI command.

Arguments

vServerName
The name of the SSL virtual server to which the cipher-suite is to be bound.

serviceName
The name of the SSL service to which the cipher-suite is to be bound.

cipherOperation
The operation that is performed when adding the cipher-suite. Possible cipher operations are:
ADD - Appends the given cipher-suite to the existing one configured for the virtual server.
REM - Removes the given cipher-suite from the existing one configured for the virtual server.
ORD - Overrides the current configured cipher-suite for the virtual server with the given cipher-suite.
Possible values: ADD, REM, ORD

cipherAliasName/cipherName/cipherGroupName
A cipher-suite can consist of an individual cipher name, the NetScaler system predefined cipher-alias name, or a user-defined cipher-group name.

vServer
Select the -vServer flag when the cipher operation is performed on an SSL virtual server.
Note: By default, the bind ssl cipher command assumes the -vServer flag. Hence, when working with an SSL vserver, you need not specify this flag.


service
Select the -service flag when the cipher operation is performed on an SSL service.

Example
1) bind ssl cipher sslvip ADD SSL3-RC4-SHA
The above example appends the cipher SSL3-RC4-SHA to the cipher-suite already configured for the SSL virtual server sslvip.
2) bind ssl cipher sslvip REM NULL
The above example removes the ciphers identified by the NetScaler 9000 system's predefined cipher-alias NULL from the cipher-suite already configured for the SSL virtual server sslvip.
3) bind ssl cipher sslvip ORD HIGH
The above example overrides the existing cipher-suite configured for the SSL virtual server with ciphers having HIGH encryption strength (ciphers supporting 168-bit encryption).
Note: The individual ciphers contained in a NetScaler 9000 system predefined cipher-alias can be viewed by using the following command:
show ssl cipher <cipherAliasName>

Related Commands
show ssl vserver
add ssl cipher
rm ssl cipher
show ssl cipher


rm ssl cipher

Synopsis
rm ssl cipher <cipherGroupName> [<cipherName> ...]

Description
Use this command to remove cipher(s) from a user-defined cipher group. It can also remove an entire cipher group from the NetScaler system. If there is no cipherName included with the cipherGroupName, the cipher group specified by cipherGroupName is deleted. If there is a cipherName included, the specified cipher(s) are removed from the cipher group.

Arguments

cipherGroupName
The user-defined cipher group on the NetScaler 9000 system.

cipherName
The cipher(s) to be removed from the cipher group.

Example
1) rm ssl cipher mygroup SSL2-RC4-MD5
The above example removes the cipher SSL2-RC4-MD5 from the cipher group mygroup.
2) rm ssl cipher mygroup
The above example removes the cipher group 'mygroup' from the NetScaler 9000 system.

Related Commands
add ssl cipher
bind ssl cipher
show ssl cipher


show ssl cipher

Synopsis
show ssl cipher [<cipherAliasName/cipherName/cipherGroupName>]

Description
Use this command to display the details of a cipher, cipher-group, or cipher-alias defined on the NetScaler system. If no argument is specified, the command displays all the predefined cipher-aliases and user-defined cipher-groups on the NetScaler system. If a cipher name is specified, the details of the cipher are displayed. If a user-defined cipher-group name is specified, all the individual ciphers in the group are displayed along with the individual cipher description. If a NetScaler system predefined cipher-alias name is specified, all the individual ciphers in the alias are displayed along with the individual cipher description.

Arguments

cipherAliasName/cipherName/cipherGroupName
cipherName: The individual cipher name for which the cipher details are displayed.
cipherGroupName: The user-defined cipher-group name for which the cipher details are displayed.
cipherAliasName: The NetScaler system predefined cipher-alias name for which the cipher details are displayed.

Output

cipherGroupName

description

cipherName

Example
1) An example of the output of the show ssl cipher SSL3-RC4-MD5 command is as follows:
Cipher Name: SSL3-RC4-MD5
Description: SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
2) This example displays the details of individual ciphers in the NetScaler 9000 system predefined cipher-alias SSLv2 (the command show ssl cipher SSLv2 has been entered):
8 configured cipher(s) in alias
1) Cipher Name: SSL2-RC4-MD5
Description: SSLv2 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
2) Cipher Name: SSL2-EXP-RC4-MD5
Description: SSLv2 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
3) Cipher Name: SSL2-RC2-CBC-MD5
Description: SSLv2 Kx=RSA Au=RSA Enc=RC2(128) Mac=MD5
4) Cipher Name: SSL2-EXP-RC2-CBC-MD5
Description: SSLv2 Kx=RSA(512) Au=RSA Enc=RC2(40) Mac=MD5 export
5) Cipher Name: SSL2-IDEA-CBC-MD5
Description: SSLv2 Kx=RSA Au=RSA Enc=IDEA(128) Mac=MD5
6) Cipher Name: SSL2-DES-CBC-MD5
Description: SSLv2 Kx=RSA Au=RSA Enc=DES(56) Mac=MD5
7) Cipher Name: SSL2-DES-CBC3-MD5
Description: SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5
8) Cipher Name: SSL2-RC4-64-MD5
Description: SSLv2 Kx=RSA Au=RSA Enc=RC4(64) Mac=MD5

Related Commands
add ssl cipher
bind ssl cipher
rm ssl cipher
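The following is an added example, not part of the Citrix guide: a Python audit that parses saved show ssl cipher output in the layout shown above, flags weak entries, and emits the matching bind ssl cipher ... REM commands for a virtual server. The policy sets, the function names and the fifth sample entry are assumptions of this example.

```python
import re
from dataclasses import dataclass

# Audit policy: assumptions of this example, tune them to your own baseline.
WEAK_PROTOCOLS = {"SSLV2", "SSLV3"}
WEAK_ENC = {"RC4", "RC2", "DES", "NONE", "NULL"}
BLOCK64_ENC = {"3DES", "IDEA"}          # 64-bit block ciphers
WEAK_MAC = {"MD5"}
MIN_KEY_BITS = 128

# Entries 1-4 reuse cipher descriptions from the example output on this page.
# The line wrap in entry 4 and all of entry 5 are constructed for this example.
SAMPLE = """\
1) Cipher Name: SSL2-RC4-MD5
Description: SSLv2 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
2) Cipher Name: SSL2-EXP-RC4-MD5
Description: SSLv2 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
3) Cipher Name: SSL2-DES-CBC3-MD5
Description: SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5
4) Cipher Name: SSL3-RC4-MD5
Description: SSLv3 Kx=RSA Au=RSA
Enc=RC4(128) Mac=MD5
5) Cipher Name: TLS1-AES-256-CBC-SHA
Description: TLSv1 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
"""


@dataclass
class Cipher:
    name: str
    protocol: str
    enc: str
    bits: int
    mac: str
    export: bool
    parsed: bool


def parse_ciphers(text):
    """Parse show ssl cipher output into Cipher records.

    Splitting on the "Cipher Name:" label rather than on line breaks lets the
    parser cope with descriptions that wrap onto a second line.
    """
    ciphers = []
    for chunk in re.split(r"Cipher Name:", text)[1:]:
        tokens = chunk.split()
        if not tokens:
            continue
        proto = re.search(r"Description:\s*(\S+)", chunk)
        enc = re.search(r"Enc=([A-Za-z0-9]+)(?:\((\d+)\))?", chunk)
        mac = re.search(r"Mac=(\S+)", chunk)
        ciphers.append(Cipher(
            name=tokens[0],
            protocol=proto.group(1) if proto else "?",
            enc=enc.group(1) if enc else "?",
            bits=int(enc.group(2)) if enc and enc.group(2) else 0,
            mac=mac.group(1) if mac else "?",
            export=bool(re.search(r"\bexport\b", chunk)),
            parsed=bool(proto and enc and mac),
        ))
    return ciphers


def findings(c):
    """Return the list of policy violations for one cipher (empty if none)."""
    if not c.parsed:
        return ["description could not be parsed"]   # fail closed
    out = []
    if c.protocol.upper() in WEAK_PROTOCOLS:
        out.append(f"protocol {c.protocol}")
    if c.export:
        out.append("export-grade")
    if c.enc.upper() in WEAK_ENC:
        out.append(f"weak cipher {c.enc}")
    elif c.enc.upper() in BLOCK64_ENC:
        out.append(f"64-bit block cipher {c.enc}")
    if c.bits < MIN_KEY_BITS:
        out.append(f"{c.bits}-bit key")
    if c.mac.upper() in WEAK_MAC:
        out.append("MD5 MAC")
    return out


def audit(text):
    """Map each cipher name to its findings, in output order."""
    return {c.name: findings(c) for c in parse_ciphers(text)}


def remediation(vserver, text):
    """Build one REM command per flagged cipher, using the syntax on this page."""
    return [f"bind ssl cipher {vserver} REM {name}"
            for name, issues in audit(text).items() if issues]


if __name__ == "__main__":
    for name, issues in audit(SAMPLE).items():
        print(f"{name:24} {'; '.join(issues) or 'ok'}")
    print("\n".join(remediation("sslvip", SAMPLE)))
```

Review the generated commands against the ciphers your clients still require before applying them.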


create ssl crl

Synopsis
create ssl crl <CAcertFile> <CAkeyFile> <indexFile> (-revoke <input_filename> | -genCRL <output_filename>) [-password <string>]

Description
Use this command to either revoke a certificate or list of certificates or generate a CRL for the list of certificates that are revoked.

Arguments

CAcertFile
Path to the CA certificate file. The default input path for the CA certificate is /nsconfig/ssl/.

CAkeyFile
Path to the CA key file. The default input path for the CA key is /nsconfig/ssl/.

indexFile
This file contains the serial number of all the certificates that are revoked. This file is created the first time. New certificate revocation will be added to it subsequently. The default input path for the index file is /nsconfig/ssl/.

revoke
The certificate file to be revoked. The default input path for the certificate(s) is /nsconfig/ssl/.

genCRL
The CRL file to be created. The list of certificates that have been revoked is obtained from the index file. The default output path for the CRL file is /var/netscaler/ssl/.

password
The password for the CA key file.


Example
1) create crl /nsconfig/ssl/cacert.pem /nsconfig/ssl/cakey.pem /nsconfig/ssl/index.txt -gencrl /var/netscaler/ssl/crl.pem

Related Commands
add ssl crl
rm ssl crl
set ssl crl
show ssl crl


add ssl crl

Synopsis
add ssl crl <crlName> <crlPath> [-inform ( DER | PEM )]

Description
Use this command to add a Certificate Revocation List (CRL) object.
Note: In an HA configuration, the CRL on both the primary and secondary nodes must be present in the location specified by <crlPath>.

Arguments

crlName
The object name for the CRL.

crlPath
The file name and path for the CRL file. The default input path for the CRL is /var/netscaler/ssl/.

inform
The input format of the CRL file.
PEM: Privacy Enhanced Mail
DER: Distinguished Encoding Rule
Possible values: DER, PEM
Default value: PEM

refresh
Enables or disables the auto refresh feature for the CRL identified by the crlName.
Possible values: ENABLED, DISABLED

CAcert
The corresponding CA certificate that has issued the CRL. This is the NetScaler object identifying the CA certificate that is loaded in NetScaler.
Note: This is a mandatory field when the "-refresh" option is enabled. The CA certificate needs to be installed before loading the CRL.

method
The method for CRL refresh - HTTP or LDAP.
Possible values: HTTP, LDAP
Default value: LDAP


server
The IP address of the LDAP server from which the CRLs are to be fetched.

url
URI of the CRL Distribution Point.

port
The port for the LDAP server.

baseDN
The baseDN attribute used by LDAP search to query for the attribute certificateRevocationList.
Note: It is recommended to use the baseDN attribute over the Issuer Name from the CA certificate for the CRL, if the Issuer-Name field does not exactly match the LDAP directory structure's DN.

scope
Extent of the search operation on the LDAP server.
Base: Exactly the same level as basedn
One: One level below basedn
Possible values: Base, One
Default value: One

interval
The CRL refresh interval. The valid values are monthly, weekly, and daily. This, along with the -days and -time options, identifies the exact time/time-interval for CRL refresh. -interval NONE can be used to reset previously set interval settings.
Possible values: MONTHLY, WEEKLY, DAILY, NONE

day
The purpose of this option varies with the usage of the -interval option. If the -interval option has been set to MONTHLY, the -days option can be used to set a particular day of the month (1-30/31/28) on which the CRL needs to be refreshed. If the -interval option has been set to WEEKLY, the -days option can be used to set a particular day of the week, i.e. 1...7 (Sun=1, Sat=7) on which the CRL needs to be refreshed. The NetScaler system handles the valid number of days in a Month or Week, if the input value for the corresponding -day option is set incorrectly. If the -interval option has been set to DAILY, the -days parameter is not used. If the -days option is used without the -interval option, it specifies the number of days after which the refresh is to be done.

time
The exact time of the day when the CRL is to be refreshed. The time is specified in 24-hour time format, where HH stands for Hours and MM stands for minutes.


bindDN
The bindDN to be used to access the CRL object in the LDAP repository. This is required if the access to the LDAP repository is restricted, i.e. anonymous access is not allowed.

password
The password to be used to access the CRL object in the LDAP repository. This is required if the access to the LDAP repository is restricted, i.e. anonymous access is not allowed.

Example
1) add ssl certkey CAcert -cert /nsconfig/ssl/ca_cert.pem
add ssl crl crl_file /var/netscaler/ssl/crl.pem -cacert CAcert
The above command adds a CRL from local storage system (HDD) with no refresh set.
2) add ssl certkey CAcert -cert /nsconfig/ssl/ca_cert.pem
add ssl crl crl_file /var/netscaler/ssl/crl_new.pem -cacert Cacert -refresh ENABLED -server 10.102.1.100 -port 389 -interval DAILY -baseDN o=example.com,ou=security,c=US
The above command adds a CRL to the NetScaler 9000 system by fetching the CRL from the LDAP server and setting the refresh interval as daily.

Related Commands
create ssl crl
rm ssl crl
set ssl crl
show ssl crl


rm ssl crl

Synopsis
rm ssl crl <crlName> ...

Description
Use this command to remove the specified CRL object from the NetScaler system.

Arguments

crlName
The name of the CRL object to be removed from the NetScaler system.

Example
1) rm ssl crl ca_crl
The above command deletes the CRL object ca_crl from the NetScaler 9000 system.

Related Commands
create ssl crl
add ssl crl
set ssl crl
show ssl crl


set ssl crl

Synopsis
set ssl crl <crlName> [-refresh ( ENABLED | DISABLED )] [-CAcert <string>] [-method ( HTTP | LDAP )] [-server <ip_addr> | -url <URL>] [-port <port>] [-baseDN <string>] [-scope ( Base | One )] [-interval <interval>] [-day <integer>] [-time <HH:MM>] [-bindDN <string>] [-password <string>]

Description
Use this command to enable the automatic refresh option on a CRL and set different refresh parameters.

Arguments

crlName
The object name for the CRL.

refresh
The state of the auto refresh feature for the CRL. The valid states are ENABLED and DISABLED.
Possible values: ENABLED, DISABLED

CAcert
The corresponding CA certificate that has issued the CRL. This is the NetScaler object identifying the CA certificate that is loaded in NetScaler.

method
The method for CRL refresh - HTTP or LDAP.
Possible values: HTTP, LDAP
Default value: LDAP

server
The IP address of the LDAP server from which the CRLs are to be fetched.

url
URI of the CRL Distribution Point.


port
The port of the LDAP server.

baseDN
The bindDN to be used to access the CRL object in the LDAP repository. This is required if the access to the LDAP repository is restricted, i.e. anonymous access is not allowed.

scope
Extent of the search operation on the LDAP server.
Base: Exactly the same level as basedn
One: One level below basedn
Possible values: Base, One

interval
MONTHLY | WEEKLY | DAILY | NOW | NONE
The CRL refresh interval. This option, when used in conjunction with the -days and -time options, can identify the exact time/time-interval for the CRL refresh. -interval NONE can be used to reset previously set interval settings. -interval NOW can be used to force an instantaneous CRL refresh. This is a one-time operation.
Possible values: MONTHLY, WEEKLY, DAILY, NOW, NONE

day
The purpose of this option varies with the usage of the -interval option. If the -interval option has been set to MONTHLY, the -days option can be used to set a particular day of the month (1-30/31/28) on which the CRL needs to be refreshed. If the -interval option has been set to WEEKLY, the -days option can be used to set a particular day of the week, i.e. 1...7 (Sun=1, Sat=7) on which the CRL needs to be refreshed. NetScaler handles the valid number of days in a Month or Week, if the input value for the corresponding -day option is set incorrectly. For -interval daily, the -days parameter is not used. If -days is used without the -interval option, it specifies the number of days after which the refresh is to be performed.

time
The exact time of the day when the CRL is to be refreshed. The time is specified in 24-hour time format, where HH stands for Hours and MM stands for minutes.

bindDN
The bindDN to be used to access the CRL object in the LDAP repository. This is required if the access to the LDAP repository is restricted, i.e. anonymous access is not allowed.


password
The password to be used to access the CRL object in the LDAP repository. This is required if the access to the LDAP repository is restricted, i.e. anonymous access is not allowed.

Example
1) set ssl crl crl_file -refresh ENABLE -interval MONTHLY -days 10 -time 12:00
The above example sets the CRL refresh to every Month, on date=10, and time=12:00hrs.
2) set ssl crl crl_file -refresh ENABLE -interval WEEKLY -days 1 -time 00:10
The above example sets the CRL refresh every Week, on weekday=Sunday, and at time 10 past midnight.
3) set ssl crl crl_file -refresh ENABLE -interval DAILY -days 1 -time 12:00
The above example sets the CRL refresh every Day, at 12:00hrs.
4) set ssl crl crl_file -refresh ENABLE -days 10
The above example sets the CRL refresh after every 10 days.
Note: The CRL will be refreshed after every 10 days. The time for CRL refresh will be 00:00 hrs.
5) set ssl crl crl_file -refresh ENABLE -time 01:00
The above example sets the CRL refresh after every 1 hour.
6) set ssl crl crl_file -refresh ENABLE -interval NOW
The above example sets the CRL refresh instantaneously.

Related Commands
create ssl crl
add ssl crl
rm ssl crl
show ssl crl


show ssl crl

Synopsis
show ssl crl [<crlName>]

Description
Use this command to display the information pertaining to the Certificate Revocation Lists (CRL) configured on the NetScaler system. If the crlName argument is specified, the command displays the details of the CRL. If the crlName argument is not specified, the command displays all the CRLs.

Arguments

crlName
The CRL object name for which details are to be displayed.

Output

crlName

crlPath

inform

CAcert

refresh

scope

server


port

url

baseDN

interval

day

time

bindDN

password

flags

lastupdatetime

version

signaturealgo

issuer

lastupdate


nextupdate

date

number

Example
1) An example output of the show ssl crl command is as follows:
1 configured CRL(s)
1 Name: ca_crl CRL Path: /var/netscaler/ssl/cr1.der Format: DER Cacert: ca_cert Refresh: DISABLED
2) An example of the output of the show ssl crl ca_crl command is as follows:
Name: ca_crl
Version: 1
Signature Algorithm: md5WithRSAEncryption
Issuer: /C=US/ST=CA/L=santa clara /O=CA/OU=security
Last_update:Dec 21 09:47:16 2001 GMT
Next_update:Jan 20 09:47:16 2002 GMT
Revoked Certificates:
Serial Number: 01 Revocation Date:Dec 21 09:47:02 2001 GMT
Serial Number: 02 Revocation Date:Dec 21 09:47:02 2001 GMT

Related Commands
create ssl crl
add ssl crl
rm ssl crl
set ssl crl
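The following is an added example, not part of the Citrix guide: a Python check that reads saved show ssl crl output in the layout shown above and reports a CRL that is past its Next_update, is signed with a weak hash, or has auto refresh turned off (the case the set ssl crl -refresh options address). Function names and the list of weak hash prefixes are assumptions of this example; the sample text is the example output from this page.

```python
import re
from datetime import datetime, timezone

# Timestamp layout used in the show ssl crl output, e.g. "Dec 21 09:47:16 2001 GMT".
TS = r"\w{3}\s+\d{1,2} \d\d:\d\d:\d\d \d{4} GMT"

# Sample text taken from the example output on this page.
SAMPLE_LIST = ("1 Name: ca_crl CRL Path: /var/netscaler/ssl/cr1.der "
               "Format: DER Cacert: ca_cert Refresh: DISABLED")
SAMPLE_DETAIL = """\
Name: ca_crl
Version: 1
Signature Algorithm: md5WithRSAEncryption
Issuer: /C=US/ST=CA/L=santa clara /O=CA/OU=security
Last_update:Dec 21 09:47:16 2001 GMT
Next_update:Jan 20 09:47:16 2002 GMT
Revoked Certificates:
Serial Number: 01 Revocation Date:Dec 21 09:47:02 2001 GMT
Serial Number: 02 Revocation Date:Dec 21 09:47:02 2001 GMT
"""


def parse_ts(value):
    """Convert a timestamp from the CRL output into an aware UTC datetime."""
    normalized = " ".join(value.split())   # collapse padding before 1-digit days
    parsed = datetime.strptime(normalized, "%b %d %H:%M:%S %Y GMT")
    return parsed.replace(tzinfo=timezone.utc)


def parse_refresh(listing):
    """Map CRL object name -> Refresh state from the show ssl crl listing."""
    return dict(re.findall(r"Name:\s*(\S+).*?Refresh:\s*(\w+)", listing, re.S))


def parse_crl(detail):
    """Parse the show ssl crl <crlName> detail view into a dict."""
    def grab(pattern):
        match = re.search(pattern, detail, re.S)
        if not match:
            raise ValueError(f"field not found: {pattern}")
        return match.group(1).strip()

    revoked = re.findall(
        rf"Serial Number:\s*(\S+)\s+Revocation Date:\s*({TS})", detail)
    return {
        "name": grab(r"Name:\s*(\S+)"),
        "sigalg": grab(r"Signature Algorithm:\s*(\S+)"),
        "issuer": grab(r"Issuer:\s*(.+?)\s*Last_update:"),
        "last_update": parse_ts(grab(rf"Last_update:\s*({TS})")),
        "next_update": parse_ts(grab(rf"Next_update:\s*({TS})")),
        "revoked": [(serial, parse_ts(ts)) for serial, ts in revoked],
    }


def crl_findings(crl, refresh_state, now):
    """Return the problems found for one CRL at time `now` (aware datetime)."""
    out = []
    if now >= crl["next_update"]:
        overdue = (now - crl["next_update"]).days
        out.append(f"stale: Next_update passed {overdue} day(s) ago")
    if re.match(r"(md2|md5|sha1)With", crl["sigalg"], re.I):
        out.append(f"weak signature algorithm {crl['sigalg']}")
    if refresh_state != "ENABLED":
        out.append("auto refresh is not enabled")
    return out


def audit_crl(listing, detail, now):
    """Combine the listing and detail views into one findings list."""
    crl = parse_crl(detail)
    state = parse_refresh(listing).get(crl["name"], "UNKNOWN")
    return crl_findings(crl, state, now)


if __name__ == "__main__":
    for issue in audit_crl(SAMPLE_LIST, SAMPLE_DETAIL, datetime.now(timezone.utc)):
        print(issue)
```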


create ssl dhparam

Synopsis
create ssl dhparam [<dhFile>] [<bits>] [-gen ( 2 | 5 )]

Description
Use this command to generate the Diffie-Hellman (DH) parameters.

Arguments

dhFile
The name of the output file where the generated DH parameter is stored.

bits
The bit value for the DH parameters.

gen
The DH generator value (g) to be used.
Possible values: 2, 5
Default value: 2

Example
1) create ssl dhparam /nsconfig/ssl/dh1024.pem 1024 -gen 5

Related Commands
set ssl vserver
show ssl vserver


create ssl dsakey

Synopsis
create ssl dsakey <keyFile> <bits> [-keyform ( DER | PEM )] [-des] [-des3] [-password <string>]

Description
Use this command to generate a DSA key.

Arguments

keyFile
The name of the output file where the generated DSA key is stored. The default output path for the DH file is /nsconfig/ssl/.

bits
The bit value (key length) for the DSA key.

keyform
The format of the key file:
PEM: Privacy Enhanced Mail
DER: Distinguished Encoding Rule
Possible values: DER, PEM
Default value: PEM

des
Use this option to encrypt the generated DSA key using the DES algorithm. It prompts you to enter the pass-phrase (password) that is used to encrypt the key.

des3
Use this option to encrypt the generated DSA key using the Triple-DES algorithm. You will be prompted to enter the pass-phrase (password) that is used to encrypt the key.

password
The pass-phrase to use for encryption if the '-des' or '-des3' option is selected.

Example
create ssl dsakey /nsconfig/ssl/dsa1024.pem 1024


Related Commands
create ssl cert
create ssl certreq
add ssl certkey


set ssl fips

Synopsis
set ssl fips -initHSM Level-2 <soPassword> <oldSoPassword> <userPassword> [-hsmLabel <string>]

Description
Use this command to initialize the Hardware Security Module (HSM) or the FIPS card and set a new Security Officer password and User password.
CAUTION: This command will erase all data on the FIPS card. You will be prompted before proceeding with the command execution. Save the current configuration after executing this command.

Arguments

initHSM
The FIPS initialization level. The NetScaler system currently supports Level-2 (FIPS 140-2 Level-2).
Possible values: Level-2

soPassword
The Hardware Security Module's (HSM) Security Officer password.

oldSoPassword
The old Security Officer password. This is used for authentication.

userPassword
The Hardware Security Module's (HSM) User password.

hsmLabel
The label to identify the Hardware Security Module (HSM).

Example
1) set fips -initHSM Level-2 fipsso123 oldfipsso123 fipuser123 -hsmLabel FIPS-140-2
>This command will erase all data on the FIPS card. You must save the configuration (saveconfig) after executing this command.
Do you want to continue?(Y/N)y
The above command initializes the FIPS card to FIPS-140-2 Level-2 and sets the HSM's Security Officer and User passwords.


Related Commands
reset ssl fips
show ssl fips


reset ssl fips

Synopsis
reset ssl fips

Description
Use this command to reset the FIPS card to the default password for the SO and User accounts.
Note: This command can be used only if the FIPS card has been locked due to three or more unsuccessful login attempts.

Arguments

Example
reset fips

Related Commands
set ssl fips
show ssl fips


show ssl fips

Synopsis
show ssl fips

Description
Use this command to display the information on the FIPS card.

Output

initHSM

soPassword

userPassword

oldSoPassword

eraseData

hsmLabel

serial

majorVersion

minorVersion


flashMemoryTotal

flashMemoryFree

sramTotal

sramFree


status

Example
An example of the output for show ssl fips command is as follows:
FIPS HSM Info:
HSM Label : FIPS1
Initialization : FIPS-140-2 Level-2
HSM Serial Number : 238180016
Firmware Version : 4.3.0
Total Flash Memory : 1900428
Free Flash Memory : 1899720
Total SRAM Memory : 26210216
Free SRAM Memory : 17857232

Related Commands
set ssl fips
reset ssl fips


create ssl fipskey

Synopsis
create ssl fipskey <fipsKeyName> -modulus <positive_integer> [-exponent ( 3 | F4 )]

Description
Use this command to generate a FIPS key within the Hardware Security Module (HSM)-FIPS card.

Arguments

fipsKeyName
The object name for the FIPS key.

modulus
The modulus of the key to be created. Minimum value is 512 bits and maximum value is 2048 bits. The modulus value should be a multiple of 64.

exponent
The exponent value for the key to be created.
3: Hex value 0x3
F4: Hex value 0x10001
Possible values: 3, F4
Default value: 3

Example
create fipskey fips1 -modulus 1024 -exp f4

Related Commands
rm ssl fipskey
show ssl fipskey
import ssl fipskey
export ssl fipskey


rm ssl fipskey

Synopsis
rm ssl fipskey <fipsKeyName> ...

Description
Use this command to remove the specified FIPS key(s) from the NetScaler system.

Arguments

fipsKeyName
The name of the FIPS key(s) to be removed from the NetScaler 9000 system.

Example
rm fipskey fips1

Related Commands
create ssl fipskey
show ssl fipskey
import ssl fipskey
export ssl fipskey


show ssl fipskey

Synopsis
show ssl fipskey [<fipsKeyName>]

Description
Use this command to display the information on the FIPS keys configured on the NetScaler system. If no FIPS key name is specified, the command lists all the FIPS keys configured in the system. If a FIPS key name is specified, the command displays the details of the FIPS key.

Arguments

fipsKeyName
The name of the FIPS key for which details are to be displayed.

Output

modulus

exponent

size

Example
1) An example of output of show ssl fipskey command is as follows:
show fipskey
2 FIPS keys:
1) FIPS Key Name: fips1
2) FIPS Key Name: fips2
2) An example of output of show fipskey command with FIPS key name specified is as follows:
show fipskey fips1
FIPS Key Name: fips1
Modulus: 1024
Public Exponent: 3 (Hex: 0x3)

Related Commands
create ssl fipskey
rm ssl fipskey
import ssl fipskey
export ssl fipskey

import ssl fipskey

Synopsis
import ssl fipskey <fipsKeyName> -key <string> [-inform ( SIM | DER )] [-wrapKeyName <string>] [-iv <string>]

Description
Use this command to import a key into the Hardware Security Module (HSM)-FIPS card. You can also use this command to import a FIPS key from another NetScaler FIPS system (for example, the Primary system), or to import a non-FIPS key from an external Web server (Apache/IIS).

Arguments

fipsKeyName
The object name for the FIPS key being imported.

key
The path to the key file. The default input path for the key is /nsconfig/ssl/.

inform
The input format of the key file.
SIM: Secure Information Management. This is used when a FIPS key is transferred from one FIPS system to another.
DER: Distinguished Encoding Rule. This is used when a non-FIPS key is to be imported inside a FIPS system. The non-FIPS key has to be converted to PKCS#8 form using the CLI command "convert pkcs8".
Possible values: SIM, DER
Default value: SIM

wrapKeyName
The object name of the wrapkey to use for importing the key. The wrapkey is created using the CLI command "create ssl wrapkey". This is required if the key being imported is a non-FIPS key.

iv
The Initialization Vector (IV) to use for importing the key. This is required if the key being imported is a non-FIPS key.


Example1)import fipskey fips1 -key /nsconfig/ssl/fipskey.sim The above example imports a FIPS key stored in the file fipskey.sim in the NetScaler 9000 system. 2)import fipskey fips2 -key /nsconfig/ssl/key.der -inform DER -wrapKeyName wrapkey1 -iv wrap123 The above example imports a non-FIPS key stored in the file key.der in the NetScaler 9000 system.

Related Commandscreate ssl fipskeyrm ssl fipskeyshow ssl fipskeyexport ssl fipskey

24-62 Command Reference Guide

Page 769: Citrix NetScaler Application Switch

export ssl fipskey

export ssl fipskey

Synopsis
export ssl fipskey <fipsKeyName> -key <string>

Description
Use this command to export a FIPS key from one system to another or to back up the FIPS key in a secure manner. The exported key is secured using strong asymmetric key encryption methods.

Arguments

fipsKeyName
The name of the FIPS key to be exported.

key
The path and file name to store the exported key. The default output path for the key is /nsconfig/ssl/.

Example
export fipskey fips1 -key /nsconfig/ssl/fips1.key

Related Commands
create ssl fipskey
rm ssl fipskey
show ssl fipskey
import ssl fipskey

create ssl rsakey

Synopsis
create ssl rsakey <keyFile> <bits> [-exponent ( 3 | F4 )] [-keyform ( DER | PEM )] [-des] [-des3] [-password <string>]

Description
Use this command to generate an RSA key.

Arguments

keyFile
The file in which the generated RSA key is stored. The default output path for the key file is /nsconfig/ssl/.

bits
The bit value (key length) for the RSA key. Minimum value is 512 bits and maximum value is 2048 bits.

exponent
The public exponent value for the RSA key. The supported values are F4 (Hex: 0x10001) or 3 (Hex: 0x3).
Possible values: 3, F4
Default value: F4

keyform
The format for the key file:
PEM: Privacy Enhanced Mail
DER: Distinguished Encoding Rules
Possible values: DER, PEM
Default value: PEM

des
Use this option to encrypt the generated RSA key using the DES algorithm. You will be prompted to enter the pass-phrase (password) that will be used to encrypt the key.

des3
Use this option to encrypt the generated RSA key using the Triple-DES algorithm. You will be prompted to enter the pass-phrase (password) that will be used to encrypt the key.

password
The pass-phrase to use for encryption if the '-des' or '-des3' option is selected.

Example
create ssl rsakey /nsconfig/ssl/rsa1024.pem 1024 -exp F4

Related Commands
create ssl cert
create ssl certreq
add ssl certkey

convert ssl pkcs12

Synopsis
convert ssl pkcs12 <outfile> [-import [-pkcs12File <input_filename>] [-des | -des3] ] [-pkcs12File <input_filename>] [-des] [-des3] [-export [-certFile <input_filename>] [-keyFile <input_filename>]]

Description
Use this command to convert the end-user certificate (Client-certificate/Server-Certificate) from PEM encoding format to PKCS#12 format. These certificates can then be distributed and installed in browsers as Client certificates.

Arguments

outfile
The output file to be generated. If the -import option is used, this file will be used to store the certificate and the private-key in PEM format. If the -export option is used, the certificate and private-key will be stored in the PKCS12 format. The default output path for the file is /nsconfig/ssl/.

import
Use this option to convert the certificate and private-key from PKCS12 format to PEM format.

pkcs12File
The input file which contains the certificate and the private-key in PKCS12 format. The default input path is /nsconfig/ssl/.
Note: During the import operation, the user will be prompted to enter the 'Import password'.

des
Use this option to encrypt the private key with DES in CBC mode during the -import operation. You will be prompted to enter the pass-phrase if this option is specified.

des3
Use this option to encrypt the private key with DES in EDE CBC mode (168-bit key) during the -import operation. You will be prompted to enter the pass-phrase if this option is specified.

export
Use this option to convert the certificate and private-key from PEM format to PKCS12 format.
Note: During the export operation, you will be prompted to enter the 'Export password'.

certFile
The input certificate file in PEM format. The default input path for the file is /nsconfig/ssl/.

keyFile
The input private-key file in PEM format. The default input path for the file is /nsconfig/ssl/.
Note: If the key file is in encrypted form, then the user will be prompted to enter the pass-phrase used for encrypting the key.

Example
1) convert ssl pkcs12 /nsconfig/ssl/client_certkey.p12 -export -cert /nsconfig/ssl/client_certcert.pem -key /nsconfig/ssl/client_key.pem
The above example CLI command converts the PEM encoded certificate and key file to PKCS#12.
2) convert ssl pkcs12 /nsconfig/ssl/client_certkey.pem -import -pkcs12 /nsconfig/ssl/client_certcertkey.p12
The above example CLI command converts the PKCS12 file to PEM format.
3) convert ssl pkcs12 /nsconfig/ssl/client_certkey.pem -import -pkcs12 /nsconfig/ssl/client_certcertkey.p12 -des
The above example CLI command converts the PKCS12 file to PEM format, with encrypted key.
Note: The -des option will encrypt the output key using the DES algorithm. The user will be prompted to enter the pass-phrase to be used for encryption.

Related Commands
create ssl rsakey
create ssl dsakey
create ssl certreq
create ssl cert

convert ssl pkcs8

Synopsis
convert ssl pkcs8 <pkcs8File> <keyFile> [-keyform ( DER | PEM )] [-password <string>]

Description
Use this command to convert a PEM or DER encoded key file to PKCS#8 format before importing it into the NetScaler FIPS system.

Arguments

pkcs8File
The name of the output file where the PKCS8 format key file will be stored. The default output path for the PKCS8 file is /nsconfig/ssl/.

keyFile
The input key file. The default input path for the key file is /nsconfig/ssl/.

keyform
The format of the keyFile.
PEM: Privacy Enhanced Mail
DER: Distinguished Encoding Rules
Possible values: DER, PEM
Default value: PEM

password
The password if the key is encrypted. Valid for PEM encoded files only.

Example
convert ssl pkcs8 /nsconfig/ssl/key.pk8 /nsconfig/ssl/key.pem

Related Commands

set ssl service

Synopsis
set ssl service <serviceName>@ [-dh ( ENABLED | DISABLED ) -dhFile <string>] [-dhCount <positive_integer>] [-eRSA ( ENABLED | DISABLED ) [-eRSACount <positive_integer>]] [-sessReuse ( ENABLED | DISABLED ) [-sessTimeout <positive_integer>]] [-certHeader ( ENABLED | DISABLED ) -certH <string>] [-certSubject ( ENABLED | DISABLED ) -certS <string>] [-certIssuer ( ENABLED | DISABLED ) -certI <string>] [-sessHeader ( ENABLED | DISABLED ) -sessH <string>] [-cipherHeader ( ENABLED | DISABLED ) -cipherH <string>] [-cipherRedirect ( ENABLED | DISABLED ) [-cipherURL <URL>]] [-sslv2Redirect ( ENABLED | DISABLED ) [-sslv2URL <URL>]] [-clientAuth ( ENABLED | DISABLED ) [-clientCert ( Mandatory | Optional )]] [-owa_support ( ENABLED | DISABLED )] [-ssl_redirect ( ENABLED | DISABLED )] [-redirectPortRewrite ( ENABLED | DISABLED )] [-nonFipsCiphers ( ENABLED | DISABLED )] [-ssl2 ( ENABLED | DISABLED )] [-ssl3 ( ENABLED | DISABLED )] [-tls1 ( ENABLED | DISABLED )] [-serverAuth ( ENABLED | DISABLED )]

Description
Use this command to set the advanced SSL configuration for an SSL service.

Arguments

serviceName
The SSL service name for which the advanced configurations are to be set.

dh
Use this option to enable or disable Diffie-Hellman (DH) key exchange support for the SSL service.
Possible values: ENABLED, DISABLED
Default value: DISABLED

dhFile
The file name and path for the DH parameter. You need to enable the -dh option. File format is PEM. The default input path for the DH file is /nsconfig/ssl/.

dhCount
The refresh count for regeneration of DH public-key and private-key from the DH parameter. The value has to be a positive integer and can be 0, or any number greater than or equal to 500. Zero means infinite usage (no refresh). Option '-dh' has to be enabled.
Default value: 0

eRSA
Use this option to enable or disable Ephemeral RSA key exchange support for the SSL service.
Possible values: ENABLED, DISABLED
Default value: ENABLED

eRSACount
The refresh count for re-generation of RSA public-key and private-key pair. The value has to be a positive integer and can be 0, or any number greater than or equal to 500. Zero means infinite usage (no refresh). Option '-eRSA' has to be enabled.
Default value: 0

sessReuse
Use this option to enable or disable session reuse support for the SSL service.
Possible values: ENABLED, DISABLED
Default value: ENABLED

sessTimeout
The session timeout value in seconds. The value has to be a positive integer. Option '-sessReuse' has to be enabled.
Default value: 300

certHeader
Use this option to enable or disable the insertion of a client certificate in the HTTP header of the request being sent to the web-server. The client certificate is inserted only when the SSL service is configured to perform Client-Authentication. See the '-clientAuth' option below.
Possible values: ENABLED, DISABLED
Default value: DISABLED

certH
The tag name to be used while inserting the certificate in the HTTP header. Option '-certHeader' has to be enabled.

certSubject
Use this option to enable or disable the insertion of the client Certificate's Subject Name in the HTTP header of the request being sent to the web-server.
Possible values: ENABLED, DISABLED
Default value: DISABLED

certS
The tag name that is used when inserting the Certificate Subject Name in the HTTP header. The '-certSubject' argument must be enabled if this argument is specified.

certIssuer
Use this option to enable or disable the insertion of the client Certificate's Issuer Name in the HTTP header of the request being sent to the web-server.
Possible values: ENABLED, DISABLED
Default value: DISABLED

certI
The tag name that is used when inserting the Certificate Issuer Name in the HTTP header. The '-certIssuer' argument must be enabled if this argument is specified.

sessHeader
Use this option to enable or disable the insertion of the Session-ID in the HTTP header of the request being sent to the web-server.
Possible values: ENABLED, DISABLED
Default value: DISABLED

sessH
The tag name to be used while inserting the Session-ID in the HTTP header. Option '-sessHeader' has to be enabled.

cipherHeader
Use this option to enable or disable the insertion of the Cipher, negotiated with the client, in the HTTP header of the request being sent to the web-server.
Possible values: ENABLED, DISABLED
Default value: DISABLED

cipherH
The tag name that is used when inserting the Cipher negotiated in the HTTP header. The '-cipherHeader' argument must be enabled if this argument is specified.

cipherRedirect
Use this option to control the Cipher Redirect feature. The valid options are ENABLED and DISABLED.
Possible values: ENABLED, DISABLED
Default value: DISABLED

cipherURL
The redirect URL to be used with the Cipher Redirect feature.

sslv2Redirect
Use this option to enable or disable the SSLv2 Redirect feature.
Possible values: ENABLED, DISABLED
Default value: DISABLED

sslv2URL
The redirect URL to be used with the SSLv2 Redirect feature.

clientAuth
Use this option to enable or disable Client-Authentication support for the SSL service.
Possible values: ENABLED, DISABLED
Default value: DISABLED

clientCert
Use this option to set the rule for client authentication. If clientCert is set to Mandatory, NetScaler will terminate the SSL handshake if the SSL client does not provide a valid certificate. If the setting is Optional, then NetScaler will allow SSL clients with no certificate or invalid certificates to access the secure resource.
Note: Make sure proper access control policies are defined before changing the above setting to Optional.
Possible values: Mandatory, Optional

owa_support
Use this option to enable or disable the Outlook Web-Access support. The default setting is DISABLED. If you are using the NetScaler system SSL Accelerator in front of an Outlook Web-access (OWA) Front-end server, a special header field, 'FRONT-END-HTTPS: ON', needs to be inserted in the HTTP requests going to the OWA Back-end servers. This is required to inform the back-end servers to generate proper URL links as https:// instead of http://.
Possible values: ENABLED, DISABLED
Default value: DISABLED

ssl_redirect
Use this option to enable or disable HTTPS redirects for the SSL service. The default setting is DISABLED. This is required for the proper functioning of the redirect messages from the server. The redirect message from the server provides the new location for the moved object. This is contained in the HTTP header field Location (for example, Location: http://www.moved.org/here.html). For an SSL session, if the client browser receives this message, the browser will try to connect to the new location. This will break the secure SSL session, as the object has moved from a secure site (https://) to an unsecured one (http://). Browsers generally flash a warning message on the screen and prompt the user either to continue or to disconnect. When this feature is enabled, all such http:// redirect messages are automatically converted to https://. This does not break the client SSL session.
Note: The set ssl service command can be used for configuring a front-end SSL service for service based SSL Off-Loading, or a backend SSL service for a backend-encryption setup. Some of the command options are not applicable while configuring a backend service. The CLI will not report an error if these options are used for a backend SSL service. These are:
[-dh (ENABLED|DISABLED) (-dhFile < file_name >)]
[(-dhCount <pos_int>)]
[-eRSA (ENABLED|DISABLED)]
[(-eRSACount <pos_int>)]
[-certHeader (ENABLED|DISABLED) (-certH <string>)]
[-certSubject ( ENABLED | DISABLED ) -certS <string>]
[-certIssuer ( ENABLED | DISABLED ) -certI <string>]
[-sessHeader (ENABLED|DISABLED) (-sessH <string>)]
[-cipherHeader ( ENABLED | DISABLED ) -cipherH <string>]
[-cipherRedirect (ENABLED | DISABLED) [-cipherURL <URL>]]
[-sslv2Redirect ( ENABLED | DISABLED ) [-sslv2URL <URL>]]
[-clientAuth ( ENABLED | DISABLED ) [-clientCert ( Mandatory | Optional )]]
[-owa_support (ENABLED|DISABLED)]
[-ssl_redirect ( ENABLED | DISABLED )]
[-ssl2 (ENABLED|DISABLED)]
Possible values: ENABLED, DISABLED
Default value: DISABLED

redirectPortRewrite
Use this option to enable port rewrite while performing HTTPS redirect.
Possible values: ENABLED, DISABLED
Default value: DISABLED

nonFipsCiphers
Use this option to enable or disable the use of non FIPS approved ciphers. Valid only for an SSL service bound with a FIPS key and certificate.
Possible values: ENABLED, DISABLED
Default value: DISABLED

ssl2
Use this option to enable or disable SSLv2 protocol support for the SSL service.
Possible values: ENABLED, DISABLED
Default value: DISABLED

ssl3
Use this option to enable or disable SSLv3 protocol support for the SSL service.
Possible values: ENABLED, DISABLED
Default value: ENABLED

tls1
Use this option to enable or disable TLSv1 protocol support for the SSL service.
Possible values: ENABLED, DISABLED
Default value: ENABLED

serverAuth
Use this option to enable or disable Server-Authentication support for the SSL service.
Possible values: ENABLED, DISABLED
Default value: DISABLED

Example
1) set ssl service sslsvc -dh ENABLED -dhFile /nsconfig/ssl/dh1024.pem -dhCount 500
The above example sets the DH parameters for the SSL service 'sslsvc'.
2) set ssl service sslsvc -ssl2 DISABLED
The above example disables the support for SSLv2 protocol for the SSL service 'sslsvc'.

Related Commands
show ssl service

show ssl service

Synopsis
show ssl service <serviceName>

Description
Use this command to view the advanced SSL settings for an SSL service.

Arguments

serviceName
The name of the SSL service for which the advanced SSL settings are to be displayed.

Output

dh

dhFile

dhCount

eRSA

eRSACount

sessReuse

sessTimeout

certHeader

certH

certSubject

certS

certIssuer

certI

sessHeader

sessH

cipherHeader

cipherH

cipherRedirect

cipherURL

sslv2Redirect

sslv2URL

clientAuth

clientCert

owa_support

ssl_redirect

redirectPortRewrite

nonFipsCiphers

ssl2

ssl3

tls1

serverAuth

cipherAliasName/cipherName/cipherGroupName

description

certkeyName

clearTextPort

Example
An example of the output of the show ssl service command is shown below:
show ssl service sr3
Advanced SSL configuration for Back-end SSL Service sr3:
DH: DISABLED
Ephemeral RSA: ENABLED Refresh Count: 0
Session Reuse: ENABLED Timeout: 300 seconds
Session-ID Header: DISABLED
Cert Header: DISABLED
Cert DN Header: DISABLED
Cert Issuer Header: DISABLED
Cipher Header: DISABLED
Cipher Redirect: DISABLED
SSLv2 Redirect: DISABLED
Server Auth: DISABLED
SSL Redirect: DISABLED
Non FIPS Ciphers: DISABLED
OWA Support: DISABLED
SSLv2: DISABLED SSLv3: ENABLED TLSv1: ENABLED
11 configured ciphers:
1) Cipher Name: SSL3-DES-CBC-SHA
Description: SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
2) Cipher Name: TLS1-EXP1024-DES-CBC-SHA
Description: TLSv1 Kx=RSA(1024) Au=RSA Enc=DES(56) Mac=SHA1 Export
3) Cipher Name: SSL3-EXP-DES-CBC-SHA
Description: SSLv3 Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 Export
4) Cipher Name: SSL2-DES-CBC-MD5
Description: SSLv2 Kx=RSA Au=RSA Enc=DES(56) Mac=MD5
5) Cipher Name: SSL3-EDH-DSS-DES-CBC-SHA
Description: SSLv3 Kx=DH Au=DSS Enc=DES(56) Mac=SHA1
6) Cipher Name: TLS1-EXP1024-DHE-DSS-DES-CBC-SHA
Description: TLSv1 Kx=DH(1024) Au=DSS Enc=DES(56) Mac=SHA1 Export
7) Cipher Name: SSL3-EXP-EDH-DSS-DES-CBC-SHA
Description: SSLv3 Kx=DH(512) Au=DSS Enc=DES(40) Mac=SHA1 Export
8) Cipher Name: SSL3-EDH-RSA-DES-CBC-SHA
Description: SSLv3 Kx=DH Au=RSA Enc=DES(56) Mac=SHA1
9) Cipher Name: SSL3-EXP-EDH-RSA-DES-CBC-SHA
Description: SSLv3 Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 Export
10) Cipher Name: SSL3-ADH-DES-CBC-SHA
Description: SSLv3 Kx=DH Au=None Enc=DES(56) Mac=SHA1
11) Cipher Name: SSL3-EXP-ADH-DES-CBC-SHA
Description: SSLv3 Kx=DH(512) Au=None Enc=DES(40) Mac=SHA1 Export

Related Commands
set ssl service

set ssl vserver

Synopsis
set ssl vserver <vServerName>@ [-clearTextPort <port>] [-dh ( ENABLED | DISABLED ) -dhFile <string>] [-dhCount <positive_integer>] [-eRSA ( ENABLED | DISABLED ) [-eRSACount <positive_integer>]] [-sessReuse ( ENABLED | DISABLED ) [-sessTimeout <positive_integer>]] [-certHeader ( ENABLED | DISABLED ) -certH <string>] [-certSubject ( ENABLED | DISABLED ) -certS <string>] [-certIssuer ( ENABLED | DISABLED ) -certI <string>] [-sessHeader ( ENABLED | DISABLED ) -sessH <string>] [-cipherHeader ( ENABLED | DISABLED ) -cipherH <string>] [-cipherRedirect ( ENABLED | DISABLED ) [-cipherURL <URL>]] [-sslv2Redirect ( ENABLED | DISABLED ) [-sslv2URL <URL>]] [-clientAuth ( ENABLED | DISABLED ) [-clientCert ( Mandatory | Optional )]] [-owa_support ( ENABLED | DISABLED )] [-ssl_redirect ( ENABLED | DISABLED )] [-redirectPortRewrite ( ENABLED | DISABLED )] [-nonFipsCiphers ( ENABLED | DISABLED )] [-ssl2 ( ENABLED | DISABLED )] [-ssl3 ( ENABLED | DISABLED )] [-tls1 ( ENABLED | DISABLED )]

Description
Use this command to set the advanced SSL configuration for an SSL virtual server.

Arguments

vServerName
The name of the SSL virtual server.

clearTextPort
The port on the back-end web-servers where the clear-text data is sent by the NetScaler system. Use this setting for the wildcard IP based SSL Acceleration configuration (*:443).

dh
Use this option to enable or disable DH key exchange support for the specified SSL virtual server.
Possible values: ENABLED, DISABLED
Default value: DISABLED

dhFile
The file name and path for the DH parameter. The file format is PEM.
Note: The '-dh' argument must be enabled if this argument is specified.

dhCount
The refresh count for the re-generation of DH public-key and private-key from the DH parameter. The value must be a positive integer: zero (0), or any number greater than or equal to 500. Zero means infinite usage (no refresh).
Note: The '-dh' argument must be enabled if this argument is specified.
Default value: 0

eRSA
Use this option to enable or disable Ephemeral RSA key exchange support for the SSL virtual server.
Possible values: ENABLED, DISABLED
Default value: ENABLED

eRSACount
The refresh count for the re-generation of RSA public-key and private-key pair. The value has to be a positive integer (0 (zero), or any number greater than or equal to 500). Zero means infinite usage (no refresh).
Note: The '-eRSA' argument must be enabled if this argument is specified.
Default value: 0

sessReuse
Use this option to enable or disable session re-use support for the SSL virtual server.
Possible values: ENABLED, DISABLED
Default value: ENABLED

sessTimeout
The session timeout value in seconds. The value has to be a positive integer. The '-sessReuse' argument must be enabled if this argument is specified.
Default value: 120

certHeader
Use this option to enable or disable the insertion of the client certificate in the HTTP header when the request is sent to the web-server. The client certificate insertion is done only when the SSL virtual server is configured to perform Client-Authentication. Thus the '-clientAuth' argument must be enabled.
Possible values: ENABLED, DISABLED
Default value: DISABLED

certH
The tag name to be used while inserting the certificate in the HTTP header. The '-certHeader' argument must be enabled if this argument is specified.

certSubject
Use this option to enable or disable the insertion of the client Certificate's Subject Name in the HTTP header of the request being sent to the web-server.
Possible values: ENABLED, DISABLED
Default value: DISABLED

certS
The tag name that is used when inserting the Certificate Subject Name in the HTTP header. The '-certSubject' argument must be enabled if this argument is specified.

certIssuer
Use this option to enable or disable the insertion of the client Certificate's Issuer Name in the HTTP header of the request being sent to the web-server.
Possible values: ENABLED, DISABLED
Default value: DISABLED

certI
The tag name that is used when inserting the Certificate Issuer Name in the HTTP header. The '-certIssuer' argument must be enabled if this argument is specified.

sessHeader
Use this option to enable or disable the insertion of the Session-ID in the HTTP header of the request being sent to the web-server.
Possible values: ENABLED, DISABLED
Default value: DISABLED

sessH
The tag name that is used when inserting the Session-ID in the HTTP header. The '-sessHeader' argument must be enabled if this argument is specified.

cipherHeader
Use this option to enable or disable the insertion of the Cipher negotiated with the client in the HTTP header of the request being sent to the web-server.
Possible values: ENABLED, DISABLED
Default value: DISABLED

cipherH
The tag name that is used when inserting the Cipher negotiated in the HTTP header. The '-cipherHeader' argument must be enabled if this argument is specified.

cipherRedirect
Use this option to enable or disable the Cipher Redirect feature.
Possible values: ENABLED, DISABLED
Default value: DISABLED

cipherURL
The redirect URL to be used with the Cipher Redirect feature.

sslv2Redirect
Use this option to enable or disable the SSLv2 Redirect feature.
Possible values: ENABLED, DISABLED
Default value: DISABLED

sslv2URL
The redirect URL to be used with the SSLv2 Redirect feature.

clientAuth
Use this option to enable or disable Client-Authentication support for the SSL virtual server.
Possible values: ENABLED, DISABLED
Default value: DISABLED

clientCert
Use this option to set the rule for client authentication. If clientCert is set to Mandatory, the NetScaler system will terminate the SSL handshake if the SSL client does not provide a valid certificate. If the setting is Optional, then NetScaler will allow SSL clients with no certificate or invalid certificates to access the secure resource.
Note: Make sure proper access control policies are defined before changing the above setting to Optional.
Possible values: Mandatory, Optional

owa_support
Use this option to enable or disable Outlook Web-Access support. If the NetScaler system is in front of an Outlook Web Access (OWA) server, a special header field, 'FRONT-END-HTTPS: ON', needs to be inserted in the HTTP requests going to the OWA server.
Note: This parameter is required as the SSL requests (HTTPS) arrive at the back-end Exchange-2000 server on the configured HTTP port (80) instead of arriving at the front-end Exchange 2000 server.
Possible values: ENABLED, DISABLED
Default value: DISABLED

ssl_redirect
Use this option to enable or disable HTTPS redirects for the SSL virtual server. This is required for proper working of the redirect messages from the web server. The redirect message from the server gives the new location for the moved object. This is contained in the HTTP header field: Location (for example, Location: http://www.moved.org/here.html). For an SSL session, if the client browser receives this message, the browser will try to connect to the new location. This will break the secure SSL session, as the object has moved from a secure site (https://) to an unsecured one (http://). Browsers usually flash a warning message on the screen and prompt the user to either continue or disconnect. When the above feature is enabled, all such http:// redirect messages are automatically converted to https://. This does not break the client SSL session.
Possible values: ENABLED, DISABLED
Default value: DISABLED

redirectPortRewrite
Use this option to enable port rewrite while performing HTTPS redirect.
Possible values: ENABLED, DISABLED
Default value: DISABLED

nonFipsCiphers
Use this option to enable or disable the use of non FIPS approved ciphers. Valid only for an SSL vserver bound with a FIPS key and certificate.
Possible values: ENABLED, DISABLED
Default value: DISABLED

ssl2
Use this option to enable or disable SSLv2 protocol support for the SSL virtual server.
Possible values: ENABLED, DISABLED
Default value: DISABLED

ssl3
Use this option to enable or disable SSLv3 protocol support for the SSL virtual server.
Possible values: ENABLED, DISABLED
Default value: ENABLED

tls1
Use this option to enable or disable TLSv1 protocol support for the SSL virtual server.
Possible values: ENABLED, DISABLED
Default value: ENABLED

Example
1) set ssl vserver sslvip -dh ENABLED -dhFile /siteA/dh1024.pem -dhCount 500
The above example sets the DH parameters for the SSL virtual server 'sslvip'.
2) set ssl vserver sslvip -certHeader ENABLED -certH CLIENT_CERT
The above example enables the Client certificate insertion for the SSL virtual server 'sslvip'.
3) set ssl vserver sslvip -ssl2 DISABLED
The above example disables the support for SSLv2 protocol for the SSL virtual server 'sslvip'.

Related Commands
show ssl vserver
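
The argument dependencies and ranges described above for set ssl vserver and set ssl service can be checked before a change is pushed to the appliance. The following Python sketch is an added example, not part of the Citrix guide or of any NetScaler tooling; the function names, the 'current' parameter, the error/warning levels, and the requirement that arguments be spelled in full with the guide's capitalisation are assumptions of this example.

```python
import shlex

# Documented defaults for the toggles this check reads (taken from the guide's
# "Default value" lines for set ssl vserver / set ssl service).
DEFAULTS = {
    "dh": "DISABLED", "eRSA": "ENABLED", "sessReuse": "ENABLED",
    "certHeader": "DISABLED", "certSubject": "DISABLED", "certIssuer": "DISABLED",
    "sessHeader": "DISABLED", "cipherHeader": "DISABLED",
    "clientAuth": "DISABLED", "ssl2": "DISABLED",
}

# argument -> toggle the guide says must be enabled when the argument is given
NEEDS_TOGGLE = {
    "dhFile": "dh", "dhCount": "dh", "eRSACount": "eRSA",
    "sessTimeout": "sessReuse", "certH": "certHeader", "certS": "certSubject",
    "certI": "certIssuer", "sessH": "sessHeader", "cipherH": "cipherHeader",
}

REFRESH_COUNTS = ("dhCount", "eRSACount")  # each must be 0 or >= 500


def parse_set_ssl(command):
    """Split 'set ssl (vserver|service) <name> -arg value ...' into (name, args)."""
    tokens = shlex.split(command)
    if len(tokens) < 4 or tokens[:2] != ["set", "ssl"] or tokens[2] not in ("vserver", "service"):
        raise ValueError("expected: set ssl (vserver|service) <name> [-arg value]...")
    rest = tokens[4:]
    if len(rest) % 2 or any(not flag.startswith("-") for flag in rest[::2]):
        raise ValueError("arguments must be '-name value' pairs")
    return tokens[3], {flag[1:]: value for flag, value in zip(rest[::2], rest[1::2])}


def _as_int(value):
    try:
        return int(value)
    except ValueError:
        return None


def lint(command, current=None):
    """Return a list of (level, message) findings for one command.

    'current' holds settings already present on the entity (hypothetical input,
    for example collected from 'show ssl vserver'); anything not given is
    assumed to be at its documented default, as on a newly created entity.
    """
    _, args = parse_set_ssl(command)
    state = {**DEFAULTS, **(current or {}), **args}
    findings = []
    for arg, toggle in NEEDS_TOGGLE.items():
        if arg in args and state[toggle] != "ENABLED":
            findings.append(("error", f"-{arg} requires -{toggle} ENABLED"))
    for arg in REFRESH_COUNTS:
        if arg in args:
            count = _as_int(args[arg])
            if count is None or not (count == 0 or count >= 500):
                findings.append(("error", f"-{arg} must be 0 or >= 500"))
    if "sessTimeout" in args and (_as_int(args["sessTimeout"]) or 0) <= 0:
        findings.append(("error", "-sessTimeout must be a positive integer"))
    if state["certHeader"] == "ENABLED" and state["clientAuth"] != "ENABLED":
        findings.append(("warning", "certHeader inserts nothing unless -clientAuth is ENABLED"))
    if state["clientAuth"] == "ENABLED" and state.get("clientCert") == "Optional":
        findings.append(("warning", "clientCert Optional admits clients with no or invalid certificate"))
    if state["ssl2"] == "ENABLED":
        findings.append(("warning", "SSLv2 is enabled"))
    return findings


if __name__ == "__main__":
    for cmd in (
        "set ssl vserver sslvip -dh ENABLED -dhFile /siteA/dh1024.pem -dhCount 500",
        "set ssl vserver sslvip -certHeader ENABLED -certH CLIENT_CERT",
        "set ssl vserver sslvip -clientAuth ENABLED -clientCert Optional -ssl2 ENABLED",
    ):
        print(cmd)
        for level, message in lint(cmd) or [("ok", "no findings")]:
            print(f"  {level}: {message}")
```

Run against the guide's own second example on an entity still at its defaults, the check returns one warning: the certificate header is only inserted once client authentication is enabled.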

show ssl vserver

Synopsis
show ssl vserver <vServerName>

Description
Use this command to display all the SSL specific configurations for an SSL virtual server. This includes information about the advanced SSL configurations, certificate bindings, and cipher-suite configurations.

Arguments

vServerName
The name of the SSL virtual server for which the configuration details are displayed.

Output

clearTextPort

dh

dhFile

dhCount

eRSA

eRSACount

sessReuse

sessTimeout

certHeader

certH

certSubject

certS

certIssuer

certI

sessHeader

sessH

cipherHeader

cipherH

cipherRedirect

cipherURL

sslv2Redirect

sslv2URL

clientAuth

clientCert

owa_support

ssl_redirect

redirectPortRewrite

nonFipsCiphers

ssl2

ssl3

tls1

cipherAliasName/cipherName/cipherGroupName

description

service

certkeyName

serviceName

Example
An example of the output of the show vserver sslvip command is as follows:
sh ssl vserver va1
Advanced SSL configuration for VServer va1:
DH: DISABLED
Ephemeral RSA: ENABLED Refresh Count: 0
Session Reuse: DISABLED
Session-ID Header: DISABLED
Cert Header: DISABLED
Cert DN Header: DISABLED
Cert Issuer Header: DISABLED
Cipher Header: DISABLED
Cipher Redirect: DISABLED
SSLv2 Redirect: DISABLED
ClearText Port: 0
Client Auth: DISABLED
SSL Redirect: DISABLED
Non FIPS Ciphers: DISABLED
OWA Support: DISABLED
SSLv2: DISABLED SSLv3: ENABLED TLSv1: ENABLED
1 bound certificate:
1) CertKey Name: buy Server Certificate
1 bound CA certificate:
1) CertKey Name: rtca CA Certificate
11 configured ciphers:
1) Cipher Name: SSL3-DES-CBC-SHA
Description: SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
2) Cipher Name: TLS1-EXP1024-DES-CBC-SHA
Description: TLSv1 Kx=RSA(1024) Au=RSA Enc=DES(56) Mac=SHA1 Export
3) Cipher Name: SSL3-EXP-DES-CBC-SHA
Description: SSLv3 Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 Export
4) Cipher Name: SSL2-DES-CBC-MD5
Description: SSLv2 Kx=RSA Au=RSA Enc=DES(56) Mac=MD5
5) Cipher Name: SSL3-EDH-DSS-DES-CBC-SHA
Description: SSLv3 Kx=DH Au=DSS Enc=DES(56) Mac=SHA1
6) Cipher Name: TLS1-EXP1024-DHE-DSS-DES-CBC-SHA
Description: TLSv1 Kx=DH(1024) Au=DSS Enc=DES(56) Mac=SHA1 Export
7) Cipher Name: SSL3-EXP-EDH-DSS-DES-CBC-SHA
Description: SSLv3 Kx=DH(512) Au=DSS Enc=DES(40) Mac=SHA1 Export
8) Cipher Name: SSL3-EDH-RSA-DES-CBC-SHA
Description: SSLv3 Kx=DH Au=RSA Enc=DES(56) Mac=SHA1
9) Cipher Name: SSL3-EXP-EDH-RSA-DES-CBC-SHA
Description: SSLv3 Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 Export
10) Cipher Name: SSL3-ADH-DES-CBC-SHA
Description: SSLv3 Kx=DH Au=None Enc=DES(56) Mac=SHA1
11) Cipher Name: SSL3-EXP-ADH-DES-CBC-SHA
Description: SSLv3 Kx=DH(512) Au=None Enc=DES(40) Mac=SHA1 Export

Related Commands
bind ssl certkey
bind ssl cipher
set ssl vserver
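
The show ssl vserver and show ssl service listings above carry enough detail (protocol toggles plus the Kx/Au/Enc/Mac description of every bound cipher) to audit an entity offline. The following Python sketch is an added example, not part of the Citrix guide or of any NetScaler tooling: it parses that output and flags export-grade, anonymous, short-key and MD5 cipher suites and any enabled SSLv2/SSLv3. The sample text is reconstructed from the guide's example; its line layout, the 128-bit threshold, and the finding tags are assumptions of this example.

```python
import re

# Protocol toggles and cipher list taken from the guide's "sh ssl vserver va1"
# example (abridged). The line layout is an assumption; the regexes rely only on
# the "Label: value" tokens, not on how the appliance wraps its columns.
SAMPLE_OUTPUT = """\
Advanced SSL configuration for VServer va1:
DH: DISABLED
Ephemeral RSA: ENABLED Refresh Count: 0
SSLv2 Redirect: DISABLED
Client Auth: DISABLED
SSLv2: DISABLED SSLv3: ENABLED TLSv1: ENABLED
11 configured ciphers:
1) Cipher Name: SSL3-DES-CBC-SHA Description: SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
2) Cipher Name: TLS1-EXP1024-DES-CBC-SHA Description: TLSv1 Kx=RSA(1024) Au=RSA Enc=DES(56) Mac=SHA1 Export
3) Cipher Name: SSL3-EXP-DES-CBC-SHA Description: SSLv3 Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 Export
4) Cipher Name: SSL2-DES-CBC-MD5 Description: SSLv2 Kx=RSA Au=RSA Enc=DES(56) Mac=MD5
5) Cipher Name: SSL3-EDH-DSS-DES-CBC-SHA Description: SSLv3 Kx=DH Au=DSS Enc=DES(56) Mac=SHA1
6) Cipher Name: TLS1-EXP1024-DHE-DSS-DES-CBC-SHA Description: TLSv1 Kx=DH(1024) Au=DSS Enc=DES(56) Mac=SHA1 Export
7) Cipher Name: SSL3-EXP-EDH-DSS-DES-CBC-SHA Description: SSLv3 Kx=DH(512) Au=DSS Enc=DES(40) Mac=SHA1 Export
8) Cipher Name: SSL3-EDH-RSA-DES-CBC-SHA Description: SSLv3 Kx=DH Au=RSA Enc=DES(56) Mac=SHA1
9) Cipher Name: SSL3-EXP-EDH-RSA-DES-CBC-SHA Description: SSLv3 Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 Export
10) Cipher Name: SSL3-ADH-DES-CBC-SHA Description: SSLv3 Kx=DH Au=None Enc=DES(56) Mac=SHA1
11) Cipher Name: SSL3-EXP-ADH-DES-CBC-SHA Description: SSLv3 Kx=DH(512) Au=None Enc=DES(40) Mac=SHA1 Export
"""

# "SSLv2: DISABLED" matches; "SSLv2 Redirect: DISABLED" and "SSLv3 Kx=..." do not.
PROTOCOL_RE = re.compile(r"\b(SSLv2|SSLv3|TLSv1): (ENABLED|DISABLED)\b")
CIPHER_RE = re.compile(
    r"Cipher Name:\s*(?P<name>\S+)\s+Description:\s*(?P<proto>\S+)\s+"
    r"Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>[^\s(]+)\((?P<bits>\d+)\)\s+Mac=(?P<mac>\S+)"
    r"(?P<export>\s+Export\b)?"
)

MIN_ENC_BITS = 128                      # audit threshold: an assumption of this example
LEGACY_PROTOCOLS = ("SSLv2", "SSLv3")   # protocol versions reported when enabled


def parse_protocols(text):
    """Return {protocol: enabled?} from the 'SSLv2: ENABLED' style toggles."""
    return {name: state == "ENABLED" for name, state in PROTOCOL_RE.findall(text)}


def parse_ciphers(text):
    """Return one dict per 'Cipher Name ... Description ...' entry."""
    ciphers = []
    for m in CIPHER_RE.finditer(text):
        ciphers.append({
            "name": m["name"], "protocol": m["proto"], "kx": m["kx"],
            "auth": m["au"], "enc": m["enc"], "bits": int(m["bits"]),
            "mac": m["mac"], "export": m["export"] is not None,
        })
    return ciphers


def cipher_findings(cipher):
    """Tags describing why a bound cipher suite should not be offered."""
    findings = []
    if cipher["export"]:
        findings.append("export-grade")
    if cipher["auth"] == "None":
        findings.append("anonymous-key-exchange")
    if cipher["bits"] < MIN_ENC_BITS:
        findings.append("weak-encryption")
    if cipher["mac"] == "MD5":
        findings.append("md5-mac")
    if cipher["protocol"] == "SSLv2":
        findings.append("sslv2-only")
    return findings


def audit(text):
    """Summarise enabled legacy protocols and per-cipher findings."""
    protocols = parse_protocols(text)
    return {
        "legacy_protocols_enabled": [p for p in LEGACY_PROTOCOLS if protocols.get(p)],
        "ciphers": {c["name"]: cipher_findings(c) for c in parse_ciphers(text)},
    }


if __name__ == "__main__":
    report = audit(SAMPLE_OUTPUT)
    print("Legacy protocols enabled:", ", ".join(report["legacy_protocols_enabled"]) or "none")
    for name, findings in report["ciphers"].items():
        print(f"{name:36} {', '.join(findings) or 'ok'}")
```

Every cipher in the guide's sample is flagged, since all eleven use 40-bit or 56-bit DES; six are export-grade and two offer no server authentication.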

create ssl wrapkey

Synopsiscreate ssl wrapkey <wrapKeyName> -password <string> -salt <string>

DescriptionUse this command to generate a wrap key.

Arguments

wrapKeyNameThe object name for the wrap key.

passwordThe password string for the wrap key.

saltThe salt string for the wrap key.

Examplecreate wrapkey wrap1 -password wrapkey123 -salt wrapsalt123

Related Commandsrm ssl wrapkeyshow ssl wrapkey

rm ssl wrapkey

Synopsis
rm ssl wrapkey <wrapKeyName> ...

Description
Use this command to remove the specified wrapkey(s) from the NetScaler system.

Arguments

wrapKeyName
The name of the wrapkey(s) to be removed from the NetScaler system.

Example
rm wrapkey wrap1

Related Commands
create ssl wrapkey
show ssl wrapkey

show ssl wrapkey

Synopsis
show ssl wrapkey

Description
Use this command to display the wrap keys.

Output

wrapKeyName

Example
An example of output of 'show wrapkey' command is as shown below:
sh wrapkey
1 WRAP key:
1)WRAP Key Name: wrap1

Related Commands
create ssl wrapkey
rm ssl wrapkey

init ssl fipsSIMsource

Synopsis
init ssl fipsSIMsource <certFile>

Description
Use this command to initialize the source FIPS system for participating in secure exchange of keys with another FIPS system. The command is used for secure transfer of FIPS keys from the primary NetScaler system to the secondary NetScaler system.

Arguments

certFile
The file name and path where the source FIPS system's certificate is to be stored. The default output path for the certificate file is /nsconfig/ssl/.

Example
init fipsSIMsource /nsconfig/ssl/source.cert

Related Commands
enable ssl fipsSIMsource

init ssl fipsSIMtarget

Synopsis
init ssl fipsSIMtarget <certFile> <keyVector> <targetSecret>

Description
Use this command to initialize the target FIPS system for participating in secure exchange of keys with another FIPS system. The command is used for secure transfer of FIPS keys from the primary NetScaler system to the Secondary NetScaler system.

Arguments

certFile
The source FIPS system's certificate file name and path. The default input path for the certificate file is /nsconfig/ssl/.

keyVector
The file name and path for storing the target FIPS system's key-vector. The default output path for the key-vector is /nsconfig/ssl/.

targetSecret
The file name and path for storing the target FIPS system's secret data. The default output path for the secret data is /nsconfig/ssl/.

Example
init fipsSIMtarget /nsconfig/ssl/source.cert /nsconfig/ssl/target.key /nsconfig/ssl/target.secret

Related Commands
enable ssl fipsSIMtarget

enable ssl fipsSIMtarget

Synopsis
enable ssl fipsSIMtarget <keyVector> <sourceSecret>

Description
Use this command to enable the target FIPS system to participate in secure exchange of keys with another FIPS system. The command is used for secure transfer of FIPS keys from the Primary NetScaler system to the Secondary NetScaler system.

Arguments

keyVector
The file name and path for storing the target FIPS system's secret data. The default output path for the secret data is /nsconfig/ssl/.

sourceSecret
The file name and path for the source FIPS system's secret data. The default input path for the secret data is /nsconfig/ssl/.

Example
enable fipsSIMtarget /nsconfig/ssl/target.key /nsconfig/ssl/source.secret

Related Commands
init ssl fipsSIMtarget

enable ssl fipsSIMsource

Synopsis
enable ssl fipsSIMsource <targetSecret> <sourceSecret>

Description
Use this command to enable the source FIPS system for participating in secure exchange of keys with another FIPS system. The command is used for secure transfer of FIPS keys from the Primary NetScaler system to the Secondary NetScaler system.

Arguments

targetSecret
The file name and path for the target FIPS system's secret data. The default input path for the secret data is /nsconfig/ssl/.

sourceSecret
The file name and path for storing the source FIPS system's secret data. The default output path for the secret data is /nsconfig/ssl/.

Example
enable fipsSIMsource /nsconfig/ssl/target.secret /nsconfig/ssl/source.secret

Related Commands
init ssl fipsSIMsource

System Commands

This chapter covers the system commands.

batch

Synopsis
batch [-fileName <input_filename>] [-outfile <output_filename>] [-ntimes <positive_integer>]

Description
Use this command to read the contents of a file and execute each line as a separate CLI command. Each command in the file being read must be on a separate line. Lines starting with # are considered comments.

Arguments

fileName
The name of the batch file.

outfile
The name of the file that the output of the executed batch file will be written to.

ntimes
The number of times the batch file is to be executed. Default value: 1

Example
batch -f cmds.txt

Related Commands

ping

Synopsis
ping [-c <count>] [-i <interval>] [-I <interface>] [-n] [-p <pattern>] [-q] [-s <size>] [-S <src_addr>] [-t <timeout>] <hostname>

Description
Use this command to invoke the UNIX ping command. The <hostName> option is used if the name is in /etc/hosts file directory or is otherwise known in DNS.

Arguments

c
Number of packets to send (default is infinite)

i
Waiting time in seconds (default is 1 sec)

I
Network interface on which to ping, if you have multiple interfaces

n
Numeric output only - no name resolution

p
Pattern to fill in packets. Can be up to 16 bytes, useful for diagnosing data-dependent problems.

q
Quiet output - only summary is printed

s
Data size in bytes (default is 56)

S
The source IP address to be used in the outgoing query packets. If the IP address is not one of this machine's addresses, an error is returned and nothing is sent.

t
Timeout in seconds before ping exits

hostname
Address of host to ping

Example
ping -p ff -I rl0 -c 4 10.102.4.107

Related Commands
traceroute
grep
shell
scp

traceroute

Synopsis
traceroute [-S] [-n] [-r] [-v] [-M <min_ttl>] [-m <max_ttl>] [-P <protocol>] [-p <portno>] [-q <nqueries>] [-s <src_addr>] [-t <tos>] [-w <wait>] <host> [<packetlen>]

Description
Use this command to invoke the UNIX traceroute command. Traceroute attempts to track the route that the packets follow to reach the destination host.

Arguments

S
Print a summary of how many probes were not answered for each hop.

n
Print hop addresses numerically rather than symbolically and numerically.

r
Bypass the normal routing tables and send directly to a host on an attached network. If the host is not on a directly-attached network, an error is returned.

v
Verbose output. Received ICMP packets other than TIME_EXCEEDED and UNREACHABLEs are listed.

M
The minimum TTL value used in outgoing probe packets. Default value: 1

m
The maximum TTL value used in outgoing probe packets. Default value: 64

P
Send packets of specified IP protocol. The currently supported protocols are UDP and ICMP.

p
The base port number used in probes. Default value: 33434

q
The number of queries per hop. Default value: 3

s
The source IP address to be used in the outgoing query packets. If the IP address is not one of this machine's addresses, an error is returned and nothing is sent.

t
The type-of-service in query packets. Default value: 0

w
The time (in seconds) to wait for a response to a query. Default value: 5

host
The destination host IP address or name.

packetlen
The packet length (in bytes) of the query packets. Default value: 44

Example
traceroute 10.102.4.107

Related Commands
ping
grep
shell
scp

grep

Synopsis
grep [-c] [-E] [-i] [-v] [-w] [-x] <pattern>

Description
Use grep to search files or output for lines containing a match to the given <pattern>. By default, grep prints the matching lines.

Arguments

c
Suppress normal output; instead print a count of matching lines. With the -v option, count non-matching lines.

E
Interpret <pattern> as an extended regular expression.

i
Ignore case distinctions.

v
Invert the sense of matching, to select non-matching lines.

w
Select only those lines containing matches that form whole words.

x
Select only those matches that exactly match the whole line.

pattern
The pattern (regular expression or text string) being sought.

Example
show ns info | grep off -i

Related Commands
ping
traceroute
shell
scp

shell

Synopsis
shell

Description
Use this command to exit to the FreeBSD command prompt, where FreeBSD commands may be entered. Press the <Control> + <D> keys or type exit to return to the NetScaler system CLI prompt.

Arguments

Example
> shell
# ps | grep nscli
485 p0 S 0:01.12 -nscli (nscli)
590 p0 S+ 0:00.00 grep nscli
# ^D
Done
>

Related Commands
ping
traceroute
grep
scp

scp

Synopsis
scp [-r] [-C] [-q] <sourceString> <destString>

Description
Use this command to securely copy data from one computer to another via the ssh protocol.

Arguments

r
Recursively copy subdirectories

C
Enable compression

q
Quiet output - disable progress meter

sourceString
The source user, host and file path, specified as user@host:path/to/copy/from. User and host parts are optional.

destString
The destination user, host and file path, specified as user@host:path/to/copy/to. User and host parts are optional.

Example
scp /nsconfig/ns.conf [email protected]:/nsconfig/

Related Commands
ping
traceroute
grep
shell

add system cmdPolicy

Synopsis
add system cmdPolicy <policyName> <action> <cmdSpec>

Description
Use this command to add a system command policy to the system.

Arguments

policyName
The name for the new command policy.

action
The action the cmdPolicy is to apply when the cmdSpec pattern matches a system user entered command. The valid actions are to ALLOW and DENY execution of the entered command. Possible values: ALLOW, DENY

cmdSpec
The matching rule that the command policy will utilize. This rule is a regular expression which the policy uses to pattern match against the command a system user executes.

Related Commands
rm system cmdPolicy
set system cmdPolicy
show system cmdPolicy

rm system cmdPolicy

Synopsis
rm system cmdPolicy <policyName>

Description
Use this command to remove a system command policy.

Arguments

policyName
The name of the command policy to be removed.

Related Commands
add system cmdPolicy
set system cmdPolicy
show system cmdPolicy

set system cmdPolicy

Synopsis
set system cmdPolicy <policyName> <action> <cmdSpec>

Description
Use this command to modify an already configured command policy.

Arguments

policyName
The name of the command policy to be modified.

action
The new command policy action to be used by the policy. Possible values: ALLOW, DENY

cmdSpec
The new pattern matching regular expression that the policy is to use.

Related Commands
add system cmdPolicy
rm system cmdPolicy
show system cmdPolicy

show system cmdPolicy

Synopsis
show system cmdPolicy [<policyName>]

Description
Use this command to display configured command policies.

Arguments

policyName
The name of a specific command policy to display. When this option is omitted, a listing of the configured command policies is shown.

Output

action
Specifies the policy action.

cmdSpec
Specifies the policy.

Related Commands
add system cmdPolicy
rm system cmdPolicy
set system cmdPolicy

add system user

Synopsis
add system user <userName> {<password>}

Description
Use this command to add a new system user to the system.

Arguments

userName
The name for the new system user.

password
The new system user's password.

Related Commands
set system user
rm system user
show system user

set system user

Synopsis
set system user <userName> {<password>}

Description
Use this command to set a system user's password.

Arguments

userName
The name of the system user to be modified.

password
The new password for the system user.

Related Commands
add system user
rm system user
show system user

rm system user

Synopsis
rm system user <userName>

Description
Use this command to remove a system user.

Arguments

userName
The name of the system user to be removed.

Related Commands
add system user
set system user
show system user

show system user

Synopsis
show system user [<userName>]

Description
Use this command to display configured system users.

Arguments

userName
The name of a system user to display details for. If this argument is omitted, a listing of the configured system users is shown.

Output

groupName
Specifies the system group.

policyName
The command policy name.

priority
The priority of the command policy.

Related Commands
add system user
set system user
rm system user

bind system user

Synopsis
bind system user <userName> <policyName> <priority>

Description
Use this command to bind attributes to a system user.

Arguments

userName
The name of the system user being modified.

policyName
The name of the command policy being bound to the system user.

priority
The priority the command policy is to be bound with.

Related Commands
unbind system user

unbind system user

Synopsis
unbind system user <userName> <policyName>

Description
Use this command to unbind attributes of a system user.

Arguments

userName
The name of the system user being modified.

policyName
The name of the command policy to be unbound.

Related Commands
bind system user

add system group

Synopsis
add system group <groupName>

Description
Use this command to add a new system group.

Arguments

groupName
The new system group's name.

Related Commands
rm system group
show system group

rm system group

Synopsis
rm system group <groupName>

Description
Use this command to remove a system group.

Arguments

groupName
The name of the system group to be removed.

Related Commands
add system group
show system group

show system group

Synopsis
show system group [<groupName>]

Description
Displays the configured system groups.

Arguments

groupName
The name of the system group to display details of. If this argument is omitted, a list of all the configured system groups is displayed.

Output

userName
Specifies the system user.

policyName
Specifies the command policy name.

priority
Specifies the priority of the command policy.

Related Commands
add system group
rm system group

bind system group

Synopsis
bind system group <groupName> [-userName <string>] [-policyName <string> <priority>]

Description
Use this command to bind entities to a system group.

Arguments

groupName
The name of the system group to be modified.

userName
The name of a system user to be bound to the group.

policyName
The name of the command policy to be bound to the group.

Related Commands
unbind system group

unbind system group

Synopsis
unbind system group <groupName> [-userName <string>] [-policyName <string>]

Description
Use this command to unbind entities from a system group.

Arguments

groupName
The system group to be modified.

userName
The name of a system user to be unbound from the group.

policyName
The command policy to be unbound from the group.

Related Commands
bind system group

bind system global

Synopsis
bind system global [<policyName> [-priority <positive_integer>]]

Description
Use this command to bind entities to system global.

Arguments

policyName
The name of the policy to be bound to system global.

Related Commands
unbind system global
show system global

unbind system global

Synopsis
unbind system global [<policyName>]

Description
Use this command to unbind entities from system global.

Arguments

policyName
The name of the command policy to be unbound.

Related Commands
bind system global
show system global

show system global

Synopsis
show system global

Description
Use this command to display system global bindings.

Arguments

Output

policyName
Specifies the command policy name.

priority
Specifies the priority of the command policy.

Related Commands
bind system global
unbind system global

Tunnel Commands

This chapter covers the tunnel commands.

add tunnel trafficpolicy

Synopsis
add tunnel trafficpolicy <name> <rule> <action>

Description
Use this command to create a tunnel trafficpolicy.

Arguments

name
The name of the new tunnel trafficpolicy.

rule
The expression specifying the condition under which this policy is applied.

action
The name of the action to be performed. The string value may be one of the following built-in compression actions:
COMPRESS: Enables default compression (DEFLATE).
NOCOMPRESS: Disables compression.
GZIP: Enables GZIP compression.
DEFLATE: Enables DEFLATE compression.

Example
Example 1:
add tunnel trafficpolicy cmp_all_destport "REQ.TCP.DESTPORT == 0-65535" GZIP
After creating above tunnel policy, it can be activated by binding it globally:
bind tunnel global cmp_all_destport
The policy is evaluated for all traffic flowing through the ssl-vpn tunnel, and compresses traffic for all TCP application ports.
Example 2:
The following tunnel policy disables compression for all access from a specific subnet:
add tunnel trafficpolicy local_sub_nocmp "SOURCEIP == 10.1.1.0 -netmask 255.255.255.0" NOCOMPRESS
bind tunnel global local_sub_nocmp

Related Commands
rm tunnel trafficpolicy
show tunnel trafficpolicy
set tunnel trafficpolicy

rm tunnel trafficpolicy

Synopsis
rm tunnel trafficpolicy <name>

Description
Use this command to remove a tunnel traffic policy.

Arguments

name
The name of the tunnel traffic policy.

Example
rm tunnel trafficpolicy tunnel_policy_name
The "show tunnel trafficpolicy" command shows all tunnel policies that are currently defined.

Related Commands
add tunnel trafficpolicy
show tunnel trafficpolicy
set tunnel trafficpolicy

show tunnel trafficpolicy

Synopsis
show tunnel trafficpolicy [<name>]

Description
Use this command to show all tunnel policies that are currently defined.

Arguments

name
The name of the tunnel traffic policy.

Output

name

rule

action

hits

txbytes

rxbytes

Example
> show tunnel trafficpolicy
2 Tunnel policies:
1) Name: local_sub_nocmp
Rule: SOURCEIP == 10.1.1.0 -netmask 255.255.255.0
Action: NOCOMPRESS
Hits: 3
2) Name: cmp_all
Rule: REQ.TCP.DESTPORT == 0-65535
Action: GZIP
Hits: 57125
Bytes In:...796160 Bytes Out:... 197730
Bandwidth saving...75.16% Ratio 4.03:1
Done

Related Commands
add tunnel trafficpolicy
rm tunnel trafficpolicy
set tunnel trafficpolicy

set tunnel trafficpolicy

Synopsis
set tunnel trafficpolicy <name> [-rule <expression>] [-action <string>]

Description
Use this command to modify the rule and/or action of an existing tunnel traffic policy, created using the "add tunnel trafficpolicy" command.

Arguments

name
The name of the policy to be modified.

rule
The new rule to be used in the policy.

action
The new action to be applied by the policy.

Example
add tunnel trafficpolicy cmp_all_destport "REQ.TCP.DESTPORT == 0-65535" GZIP
set tunnel trafficpolicy cmp_all_destport -action NOCOMPRESS
Above 'set' command changes action for policy cmp_all_destport from GZIP to NOCOMPRESS

Related Commands
add tunnel trafficpolicy
rm tunnel trafficpolicy
show tunnel trafficpolicy

bind tunnel global

Synopsis
bind tunnel global (<policyName> [-priority <positive_integer>]) [-state ( ENABLED | DISABLED )]

Description
Use this command to activate the tunnel traffic policy globally. The tunnel policies are created using the "add tunnel trafficpolicy" command. The command "show tunnel trafficpolicy" shows all the existing tunnel policies and the command "show tunnel global" shows all the globally active tunnel policies. Note that the ssl-vpn license is required for tunnel compression feature to work.

Arguments

policyName
The name of the tunnel traffic policy to be bound.

state
The current state of the binding. Possible values: ENABLED, DISABLED Default value: ENABLED

Example
add tunnel trafficpolicy cmp_all_destport "REQ.TCP.DESTPORT == 0-65535" GZIP
After creating above tunnel policy, it can be activated by binding it globally:
bind tunnel global cmp_all_destport
After binding cmp_all_destport compression policy globally, the policy gets activated and the Netscaler will compress all TCP traffic accessed through ssl-vpn tunnel. Globally active tunnel policies can be seen using command:
> show tunnel global
1 Globally Active Tunnel Policies:
1) Policy Name: cmp_all_destport Priority: 0
Done

Related Commands
unbind tunnel global
show tunnel global

unbind tunnel global

Synopsis
unbind tunnel global <policyName>

Description
Use this command to deactivate an active tunnel traffic policy. Use command "show tunnel global" to see all the globally active tunnel policies.

Arguments

policyName
The name of the tunnel traffic policy.

Example
Globally active tunnel policies can be seen using command:
> show tunnel global
1 Globally Active Tunnel Policies:
1) Policy Name: cmp_all_destport Priority: 0
Done
The globally active tunnel traffic policy can be deactivated on the NetScaler system by issuing the command:
unbind tunnel global cmp_all_destport

Related Commands
bind tunnel global
show tunnel global

show tunnel global

Synopsis
show tunnel global

Description
Use this command to display globally active tunnel policies.

Arguments

Output

policyName

priority

state
The current state of the binding.

Example
> sh tunnel global
1) Policy Name: cmp_all_destport Priority: 0
2) Policy Name: local_sub_nocmp Priority: 500
Done

Related Commands
bind tunnel global
unbind tunnel global

SSLVPN Commands

This chapter covers the SSL VPN commands.

stat vpn

Synopsis
stat vpn [-detail] [-fullValues] [-ntimes <positive_integer>] [-logFile <input_filename>]

Description
This command displays VPN statistics.

Counters

Login-page requests received (iHtHit)
Total number of login-page requests received by the SSLVPN server.

Login-page delivery failures (iHtFail)
Number of times the login page has not been delivered by the SSLVPN server.

Client-configuration requests (cfgHit)
Total number of SSLVPN-client configuration requests received by the SSLVPN server. In response, the SSLVPN server returns information to configure the SSLVPN client.

DNS queries received (dnsHit)
Total number of DNS queries received by the SSLVPN server.

WINS queries received (winsHit)
Total number of WINS queries received by the SSLVPN server.

Number of SSLVPN tunnels (csHit)
Total number of SSLVPN tunnels created between the SSLVPN client and server.

Backend non-HTTP server probes (csNoHttp)
Number of probes from the NetScaler to backend non-HTTP servers. The backend servers are those servers that have been accessed by the VPN client. This is an application debug counter.

Backend HTTP server probes (csHttp)
Number of probes from the NetScaler to backend HTTP servers. The backend servers are those servers that have been accessed by the VPN client. This is an application debug counter.

Backend server probe successes (csConSuc)
Number of successful probes to backend servers (both HTTP and non-HTTP). This is an application debug counter.

File-system requests received (totFsHit)
Total number of file-system requests received by the SSLVPN server.

IIP disabled and MIP disabled (IIPdMIPd)
Both IIP and MIP are disabled.

IIP failed and MIP disabled (IIPfMIPd)
Number of times IIP assignment failed and MIP is disabled.

IIP disabled and MIP used (IIPdMIPu)
Number of times MIP is used as IIP is disabled.

IIP failed and MIP used (IIPfMIPu)
Number of times MIP is used as IIP assignment failed.

Related Commands

show vpn stats

Synopsis
show vpn stats - alias for 'stat vpn'

Description
show vpn stats is an alias for stat vpn

Related Commands
stat vpn

add vpn vserver

Synopsis
add vpn vserver <vServerName> <serviceType> (<IPAddress> [-range <positive_integer>]) <port> [-state ( ENABLED | DISABLED )]

Description
Use this command to add a VPN virtual server.

Arguments

vServerName
The name for the new vpn vserver.

serviceType
The vpn vserver's protocol type. The default protocol is SSL. Possible values: SSL Default value: SSL

IPAddress
The IP address for the vpn vserver.

port
The port on which the vserver listens.

state
The initial vserver server state. Possible values: ENABLED, DISABLED Default value: ENABLED

authentication
This option toggles on or off the application of authentication to incoming users to the VPN. Possible values: ON, OFF Default value: ON

Example
The following example creates a VPN vserver named myvpnvip which supports SSL protocol and with AAA functionality enabled:
vserver myvpnvip SSL 65.219.17.34 443 -aaa ON

Related Commands
show vpn vserver
set vpn vserver

show vpn vserver

Synopsis
show vpn vserver [<name>]

Description
Use this command to display all of the configured VPN virtual servers.

Arguments

name
The name of the VPN vserver to display.

Output

IPAddress

value

port

range

serviceType

type

state

status

cacheType

redirect

precedence

redirectURL

authentication

domain

rule

policyName

serviceName

weight

cacheVserver

backupVServerName

priority

cltTimeout

soMethod

soPersistence

soPersistenceTimeOut

soThreshold

intranetApplication
Specifies the intranet vpn application.

urlName
Specifies the intranet url.

intranetip

netmask

useMIP

map

Related Commands
add vpn vserver
set vpn vserver

set vpn vserver

Synopsis
set vpn vserver <vServerName> [-authentication ( ON | OFF )]

Description
Use this command to change the parameters of a VPN virtual server.

Arguments

vServerName
The name of the vserver to be modified.

authentication
This option toggles authentication off or on. Possible values: ON, OFF

Related Commands
add vpn vserver
show vpn vserver

rm vpn vserver

Synopsis
rm vpn vserver <name>@ ...

Description
Use this command to remove a virtual server.

Arguments

name
The name of the virtual server to be removed.

Example
rm vserver lb_vip

Related Commands
enable vpn vserver
disable vpn vserver

enable vpn vserver

Synopsis
enable vpn vserver <name>@

Description
Use this command to enable a virtual server.
Note: Virtual servers, when added, are enabled by default.

Arguments

name
The name of the virtual server to be enabled.

Example
enable vserver lb_vip

Related Commands
rm vpn vserver
disable vpn vserver

disable vpn vserver

Synopsis
disable vpn vserver <name>@

Description
Use this command to disable a virtual server (take it out of service).

Arguments

name
The name of the virtual server to be disabled.
Notes:
1. The NetScaler 9000 system still responds to ARP and/or ping requests for the IP address of this virtual server.
2. As the virtual server is still configured in the NetScaler 9000 system, you can enable the virtual server using the enable vserver CLI command.

Example
disable vserver lb_vip

Related Commands
rm vpn vserver
enable vpn vserver

bind vpn vserver

Synopsis
bind vpn vserver <vServerName> [-policy <string> [-priority <positive_integer>]] [-intranetApplication <string>] [-urlName <string>] [-intranetip <ip_addr> <netmask>]

Description
Use this command to bind attributes to a vserver.

Arguments

vServerName
The vserver that this command shall bind parameters to.

policy
The name of the policy to be bound to the vserver.

intranetApplication
The name of the intranet application to be bound to the vserver.

urlName
The name of the vpn url to be bound.

intranetip
The network id for the range of intranet IP addresses or individual intranet ip to be bound to the vserver.

Related Commands
unbind vpn vserver

unbind vpn vserver

Synopsis
unbind vpn vserver <vServerName> [-policy <string>] [-intranetApplication <string>] [-urlName <string>] [-intranetip <ip_addr> <netmask>]

Description
Use this command to unbind attributes from a vserver.

Arguments

vServerName
The name of the vserver from which an attribute is to be unbound.

policy
The name of the policy to be unbound.

intranetApplication
The intranet application to be unbound.

urlName
The vpn url to be unbound.

intranetip
The network id for the range of intranet IP addresses or the individually bound intranet IP address to be unbound.

Related Commands
bind vpn vserver

add vpn intranetapplication

Synopsis
add vpn intranetapplication <intranetApplication> <protocol> ((<destIP> [-netmask <netmask>]) | <IPRange> | <hostname>) [-destPort <port[-port]>] [-interception ( PROXY | TRANSPARENT )] [-srcip <ip_addr>] [-srcport <port>]

Description
Use this command to add an intranet application.

Arguments

intranetApplication
The name for the new vpn intranet application.

protocol
The protocol of the intranet application. The supported protocols are TCP and UDP.
Possible values: TCP, UDP, ANY

destIP
The destination IP address for the application. This address is the real application server IP address.

destPort
The destination port. (range)

interception
Specifies the interception type.
Possible values: PROXY, TRANSPARENT

srcip
The source IP address. This is the address on the client's computer at which the application will be accessed. If not specified, the default is 127.0.0.1.

srcport
The source port.

Related Commands
show vpn intranetapplication
rm vpn intranetapplication

show vpn intranetapplication

Synopsis
show vpn intranetapplication

Description
Use this command to display the configured vpn intranet applications.

Arguments

Output

intranetApplication
The name of the intranet vpn application to be shown.

protocol

destIP

netmask
Specifies the destination netmask.

IPAddress
The destination IP address for the application. This address is the real application server IP address.

hostname
Name based interception. Names should be valid DNS or WINS names and will be resolved during interception on the sslvpn.

destPort
Specifies the destination port.

interception
Specifies the interception type.

srcip
Specifies the source IP.

srcport
Specifies the source port.

Related Commands
add vpn intranetapplication
rm vpn intranetapplication

rm vpn intranetapplication

Synopsis
rm vpn intranetapplication <intranetApplication>

Description
Use this command to remove a configured intranet application.

Arguments

intranetApplication
The name of the vpn intranet application to remove.

Related Commands
add vpn intranetapplication
show vpn intranetapplication

bind vpn global

Synopsis
bind vpn global [-policyName <string> [-priority <positive_integer>]] [-intranetdomain <string>] [-intranetApplication <string>] [-urlName <string>] [-intranetip <ip_addr> <netmask>]

Description
Use this command to bind vpn entities to vpn global.

Arguments

policyName
The name of the policy to be bound to vpn global.

intranetdomain
A conflicting intranet domain name.

intranetApplication
The vpn intranet application to be bound.

urlName
The vpn url to be bound.

intranetip
The intranet ip or range to be bound to VPN global.

Related Commands
unbind vpn global
show vpn global

unbind vpn global

Synopsis
unbind vpn global [-policyName <string>] [-intranetdomain <string>] [-intranetApplication <string>] [-urlName <string>] [-intranetip <ip_addr> <netmask>]

Description
Use this command to unbind entities from vpn global.

Arguments

policyName
The name of the policy to be unbound.

intranetdomain
A conflicting intranet domain name to be unbound.

intranetApplication
The name of a vpn intranet application to be unbound.

urlName
The name of a vpn url to be unbound from vpn global.

intranetip
The intranet ip address or range to be unbound.

Related Commands
bind vpn global
show vpn global

show vpn global

Synopsis
show vpn global

Description
Use this command to display the vpn global bindings.

Arguments

Output

policyName
Specifies the name of the policy to be displayed.

priority
Specifies the priority of the policy.

intranetdomain
Specifies the conflicting intranet domain name.

intranetApplication
Specifies the intranet vpn application.

urlName
Specifies the intranet url.

intranetip
Specifies the intranet ip address or range.

netmask
Specifies the intranet ip address or range's netmask.

Related Commands
bind vpn global
unbind vpn global

add vpn trafficpolicy

Synopsis
add vpn trafficpolicy <name> <rule> <action>

Description
Use this command to add a traffic policy. A traffic policy conditionally sets VPN traffic characteristics at run time.

Arguments

name
The name for the new vpn traffic policy.

rule
The rule to be used by the vpn traffic policy.

action
The action to be applied by the policy if its rule is matched.

Related Commands
rm vpn trafficpolicy
show vpn trafficpolicy
set vpn trafficpolicy

rm vpn trafficpolicy

Synopsis
rm vpn trafficpolicy <name>

Description
Use this command to remove a vpn traffic policy.

Arguments

name
The name of the vpn traffic policy to be removed.

Related Commands
add vpn trafficpolicy
show vpn trafficpolicy
set vpn trafficpolicy

show vpn trafficpolicy

Synopsis
show vpn trafficpolicy

Description
Use this command to display vpn traffic policies.

Arguments

Output

name

rule

action

Related Commands
add vpn trafficpolicy
rm vpn trafficpolicy
set vpn trafficpolicy

set vpn trafficpolicy

Synopsis
set vpn trafficpolicy <name> [-rule <expression>] [-action <string>]

Description
Use this command to change the properties of an existing traffic policy.

Arguments

name
The name of the policy to be modified.

rule
The new rule to be used in the policy.

action
The new action to be applied by the policy.

Related Commands
add vpn trafficpolicy
rm vpn trafficpolicy
show vpn trafficpolicy

add vpn trafficaction

Synopsis
add vpn trafficaction <name> <qual> [-apptimeout <mins>] [-sso ( ON | OFF )]

Description
Use this command to create a vpn traffic action. A vpn traffic action defines the characteristics of run time VPN traffic.

Arguments

name
The name for the action.

qual
The protocol to be set with the action. HTTP and TCP are the allowed protocols.
Possible values: http, tcp

apptimeout
The inactivity timeout after which the system closes a connection.

sso
Switch to turn on the SSO engine.
Possible values: ON, OFF

Related Commands
rm vpn trafficaction
show vpn trafficaction

rm vpn trafficaction

Synopsis
rm vpn trafficaction <name>

Description
Use this command to remove a previously created traffic action.

Arguments

name
The name of the action to be removed.

Related Commands
add vpn trafficaction
show vpn trafficaction

show vpn trafficaction

Synopsis
show vpn trafficaction

Description
Use this command to display the configured vpn traffic action(s).

Arguments

Output

name

qual

apptimeout

sso

Related Commands
add vpn trafficaction
rm vpn trafficaction

add vpn url

Synopsis
add vpn url <urlName> <linkName> <actualURL>

Description
Use this command to add vpn urls. A vpn url provides a link to intranet resources on the vpn portal page.

Arguments

urlName
The name for the new vpn url.

linkName
The display name for the vpn url. This is the name that will display in the bookmark links in the vpn portal page.

actualURL
The actual URL that the vpn url points to.

Example
add vpn url ggl search www.google.com.

Related Commands
rm vpn url
show vpn url

rm vpn url

Synopsis
rm vpn url <urlName>

Description
Use this command to remove vpn urls.

Arguments

urlName
The name of the vpn url to be removed.

Example
rm vpn url ggl

Related Commands
add vpn url
show vpn url

show vpn url

Synopsis
show vpn url

Description
Use this command to display the configured vpn urls.

Arguments

Output

Related Commands
add vpn url
rm vpn url

add vpn sessionpolicy

Synopsis
add vpn sessionpolicy <name> <rule> <action>

Description
Use this command to add a vpn session policy, which conditionally sets characteristics of a vpn session upon session establishment.

Arguments

name
The name for the new vpn session policy.

rule
The rule to be evaluated in the policy.

action
The action to be performed when the rule is matched.

Related Commands
rm vpn sessionpolicy
show vpn sessionpolicy
set vpn sessionpolicy

rm vpn sessionpolicy

Synopsis
rm vpn sessionpolicy <name>

Description
Use this command to remove a previously created vpn session policy.

Arguments

name
The name of the policy to be removed.

Related Commands
add vpn sessionpolicy
show vpn sessionpolicy
set vpn sessionpolicy

show vpn sessionpolicy

Synopsis
show vpn sessionpolicy

Description
Use this command to display the configured vpn session policies.

Arguments

Output

name

rule

action

Related Commands
add vpn sessionpolicy
rm vpn sessionpolicy
set vpn sessionpolicy

set vpn sessionpolicy

Synopsis
set vpn sessionpolicy <name> [-rule <expression>] [-action <string>]

Description
Use this command to modify the rule or action of a vpn session policy.

Arguments

name
The name of the vpn session policy to be modified.

rule
The new rule to be associated with the policy.

action
The new vpn session action the policy is to use.

Related Commands
add vpn sessionpolicy
rm vpn sessionpolicy
show vpn sessionpolicy

add vpn sessionaction

Synopsis
add vpn sessionaction <name> [-httpPort <port> ...] [-winsIP <ip_addr>] [-dnsVserverName <string>] [-sessTimeout <mins>] [-clientSecurity <string> [-clientSecurityGroup <string>]] [-splitTunnel <splitTunnel>] [-spoofIIP ( ON | OFF )] [-killConnections ( ON | OFF )] [-transparentInterception ( ON | OFF )] [-windowsClientType ( AGENT | PLUGIN )] [-defaultAuthorizationAction ( ALLOW | DENY )] [-authorizationGroup <string>] [-clientIdleTimeout <mins>] [-proxy <proxy>] [-allProtocolProxy <string> | -httpProxy <string> | -ftpProxy <string> | -socksProxy <string> | -gopherProxy <string> | -sslProxy <string>] [-proxyException <string>] [-clientCleanupPrompt ( ON | OFF )] [-forceCleanup <forceCleanup> ...] [-clientOptions <clientOptions> ...] [-clientConfiguration <clientConfiguration> ...] [-sso ( ON | OFF )] [-useMIP ( NS | OFF )] [-useIIP <useIIP>] [-clientDebug <clientDebug>] [-loginScript <input_filename>] [-logoutScript <input_filename>] [-homePage <URL>] [-iipDnsSuffix <string>] [-forcedTimeout <mins>] [-forcedTimeoutWarning <mins>]

Description
Use this command to create a session action, which defines the properties of a vpn session.

Arguments

name
The name for the new vpn session action.

httpPort
The http port number.

winsIP
The WINS server ip address to be set.

dnsVserverName
The name of the DNS vserver to be configured by the session action.

sessTimeout
The session timeout to be set by the action.

clientSecurity
The client security check string to be applied.

splitTunnel
The split tunnel state.
Possible values: ON, OFF, REVERSE

spoofIIP
Controls the Spoofing of Intranet IP to the Windows Applications by Windows VPN client when the end-user is connected to SSL VPN in '-splittunnel OFF' mode.
Possible values: ON, OFF

killConnections
Determines whether Windows VPN client should kill all pre-existing connections (i.e. the connections existing before the end user logged in to SSL VPN) and prevent new incoming connections on the Windows Client system when the end-user is connected to SSL VPN in '-splittunnel OFF' mode.
Possible values: ON, OFF

transparentInterception
The transparent interception state.
Possible values: ON, OFF

windowsClientType
Choose between two types of Windows Client:
a) Application Agent - which always runs in the task bar as a standalone application and also has a supporting service which runs permanently when installed
b) ActiveX Control - ActiveX control run by Microsoft's Internet Explorer.
Possible values: AGENT, PLUGIN

defaultAuthorizationAction
This toggles the default authorization action to either ALLOW or DENY.
Possible values: ALLOW, DENY

authorizationGroup
The authorization group to be applied to the session.

clientIdleTimeout
Defines the client idle timeout value. Measured in minutes, the client idle timeout default is 20 minutes and meters a client session's keyboard and mouse inactivity.

proxy
Enables or disables use of a proxy configuration in the session.
Possible values: BROWSER, NS, OFF

allProtocolProxy
Sets the address to use for all proxies.

httpProxy
Sets the HTTP proxy IP address.

ftpProxy
Defines the FTP proxy IP address.

socksProxy
Specifies the SOCKS proxy IP address.

gopherProxy
Sets the Gopher proxy IP address.

sslProxy
Sets the HTTPS proxy IP address.

proxyException
Proxy Exception string that will be configured in the Browser for bypassing the previously configured proxies. Allowed only if proxy type is Browser.

clientCleanupPrompt
Toggles the prompt for client clean up on a client-initiated session close.
Possible values: ON, OFF

forceCleanup
The client side items for force cleanup on session close. Options are: none, all, cookie, addressbar, plugin, filesystemapplication, addressbar, application, clientcertificate, applicationdata, and autocomplete. You may specify all or none alone or any combination of the client side items.

clientOptions
Display only configured buttons (and/or menu options in the docked client) in the Windows VPN client. Options:
none: none of the Windows Client's buttons/menu options (except logout) are displayed.
all: all of the Windows Client's buttons/menu options are displayed.
One or more of the following:
services: only the "Services" button/menu option is displayed.
filetransfer: only the "File Transfer" button/menu option is displayed.
configuration: only the "Configuration" button/menu option is displayed.

clientConfiguration
Display only configured tabs in the Windows VPN client. Options:
none: none of the Windows Client's tabs (except About) are displayed.
all: all of the Windows Client's tabs (except "Resptime") are displayed.
One or more of the following:
general: only the "General" tab is displayed.
tunnel: only the "Tunnel" tab is displayed.
trace: only the "Trace" tab is displayed.
compression: only the "Compression" tab is displayed.
resptime: only the "Resptime" tab is displayed.

sso
Enables or disables the use of SSO for the session.
Possible values: ON, OFF

useMIP
Enables or disables the use of MIP for the session.
Possible values: NS, OFF

useIIP
Controls how the intranet IP module is configured for usage. Options:
SPILLOVER specifies that iip is ON and when we can't assign an intranet IP to an entity, which has other instances active, we spill over to using Mapped IP.
NOSPILLOVER specifies that iip is ON and when we can't assign intranet IP to an entity, which has other instances active, then we initiate transfer login.
OFF specifies that intranet IP module won't be activated for this entity.
Possible values: NOSPILLOVER, SPILLOVER, OFF

clientDebug
Sets the trace level on the Windows VPN Client. Options:
debug: Detailed debug messages are collected and written into the specified file.
stats: Application audit level error messages and debug statistic counters are written into the specified file.
events: Application audit level error messages are written into the specified file.
off: Only critical events are logged into the Windows Application Log.
Possible values: debug, stats, events, OFF

loginScript
Login script path.

logoutScript
Logout script path.

homePage
Sets the client home page. Setting this parameter overrides serving the default portal page to SSL VPN users with the URL specified here.

iipDnsSuffix
Configure the IntranetIP DNS suffix. When a user logs into SSL-VPN, an A record is added to the DNS cache, after appending the configured IntranetIP DNS suffix to the username.

forcedTimeout
Maximum number of minutes a session is allowed to persist.

forcedTimeoutWarning
Number of minutes to warn a user before their session is removed by a forced time out.

Related Commands
rm vpn sessionaction
show vpn sessionaction

rm vpn sessionaction

Synopsis
rm vpn sessionaction <name>

Description
Use this command to delete a previously created session action.

Arguments

name
The vpn session action to be removed.

Related Commands
add vpn sessionaction
show vpn sessionaction

show vpn sessionaction

Synopsis
show vpn sessionaction

Description
Use this command to display vpn session action details.

Arguments

Output

name

httpPort

winsIP

dnsVserverName

sessTimeout

clientSecurity

clientSecurityGroup

splitTunnel

spoofIIP


killConnections

transparentInterception

windowsClientType

defaultAuthorizationAction

authorizationGroup

clientIdleTimeout

clientidletimeoutwarning

proxy

allProtocolProxy

httpProxy

ftpProxy

socksProxy

gopherProxy

sslProxy


proxyException

clientCleanupPrompt

forceCleanup

clientOptions

clientConfiguration

sso

useMIP
Enables or disables the use of MIP for the session.

useIIP
Controls how the intranet IP module is configured for usage. Options:
SPILLOVER specifies that iip is ON and when we can't assign an intranet IP to an entity, which has other instances active, we spill over to using Mapped IP.
NOSPILLOVER specifies that iip is ON and when we can't assign intranet IP to an entity, which has other instances active, then we initiate transfer login.
OFF specifies that intranet IP module won't be activated for this entity.

clientDebug

loginScript
Login script path.

logoutScript
Logout script path.

homePage


iipDnsSuffix

forcedTimeout

forcedTimeoutWarning

Related Commands
add vpn sessionaction
rm vpn sessionaction

set vpn parameter

Synopsis
set vpn parameter [-httpPort <port> ...] [-winsIP <ip_addr>] [-dnsVserverName <string>] [-sessTimeout <mins>] [-clientSecurity <string> [-clientSecurityGroup <string>]] [-splitTunnel <splitTunnel>] [-spoofIIP ( ON | OFF )] [-killConnections ( ON | OFF )] [-transparentInterception ( ON | OFF )] [-windowsClientType ( AGENT | PLUGIN )] [-defaultAuthorizationAction ( ALLOW | DENY )] [-authorizationGroup <string>] [-clientIdleTimeout <mins>] [-proxy <proxy>] [-allProtocolProxy <string> | -httpProxy <string> | -ftpProxy <string> | -socksProxy <string> | -gopherProxy <string> | -sslProxy <string>] [-proxyException <string>] [-clientCleanupPrompt ( ON | OFF )] [-forceCleanup <forceCleanup> ...] [-clientOptions <clientOptions> ...] [-clientConfiguration <clientConfiguration> ...] [-sso ( ON | OFF )] [-useMIP ( NS | OFF )] [-useIIP <useIIP>] [-clientDebug <clientDebug>] [-loginScript <input_filename>] [-logoutScript <input_filename>] [-homePage <URL>] [-iipDnsSuffix <string>] [-forcedTimeout <mins>] [-forcedTimeoutWarning <mins>]

Description
Use this command to set global parameters for the SSL VPN feature.

Arguments

httpPort
The SSL VPN HTTP port.

winsIP
The WINS server IP address to be used for WINS host resolution by the VPN.

dnsVserverName
The configured DNS vserver to be used for DNS host resolution by the VPN.

sessTimeout
The session idle timeout value in minutes. This idle timeout meters the overall network inactivity for a session and has a default of 30.
Default value: 30

clientSecurity
The client security check string to be applied to client sessions.

splitTunnel
Sets the split tunnel state.
Possible values: ON, OFF, REVERSE
Default value: OFF

spoofIIP
Controls the Spoofing of Intranet IP to the Windows Applications by Windows VPN client when the end-user is connected to SSL VPN in '-splittunnel OFF' mode.
Possible values: ON, OFF
Default value: ON

killConnections
Determines whether Windows VPN client should kill all pre-existing connections (i.e. the connections existing before the end user logged in to SSL VPN) and prevent new incoming connections on the Windows Client system when the end-user is connected to SSL VPN in '-splittunnel OFF' mode.
Possible values: ON, OFF
Default value: ON

transparentInterception
Sets the transparent interception state.
Possible values: ON, OFF
Default value: ON

windowsClientType
Choose between two types of Windows Client:
a) Application Agent - which always runs in the task bar as a standalone application and also has a supporting service which runs permanently when installed
b) ActiveX Control - ActiveX control run by Microsoft's Internet Explorer.
Possible values: AGENT, PLUGIN
Default value: AGENT

defaultAuthorizationAction
Toggles the default authorization action to either ALLOW or DENY.
Possible values: ALLOW, DENY
Default value: ALLOW

authorizationGroup
The authorization group to be applied to client sessions.

clientIdleTimeout
The client idle time out interval which meters the client session's mouse and keyboard inactivity. The value is specified in minutes and has a default setting of 20 minutes.

proxy
Enables or disables use of a proxy configuration.
Possible values: BROWSER, NS, OFF

allProtocolProxy
The address to use for all proxies.

httpProxy
Sets the HTTP proxy IP address.

ftpProxy
Defines the FTP proxy IP address.

socksProxy
Specifies the SOCKS proxy IP address.

gopherProxy
Sets the Gopher proxy IP address.

sslProxy
Sets the HTTPS proxy IP address.

proxyException
Proxy Exception string that will be configured in the Browser for bypassing the previously configured proxies. Allowed only if proxy type is Browser.

clientCleanupPrompt
Sets the state for prompting for client clean up on session close.
Possible values: ON, OFF
Default value: ON

forceCleanup
The client side items for force cleanup on session close. Options are: none, all, cookie, addressbar, plugin, filesystemapplication, addressbar, application, clientcertificate, applicationdata, and autocomplete. You may specify all or none alone or any combination of the client side items.

clientOptions
Display only configured buttons (and/or menu options in the docked client) in the Windows VPN client. Possible options:
none: none of the Windows Client's buttons/menu options (except logout) are displayed.
all: all of the Windows Client's buttons/menu options are displayed.
One or more of the following:
services: only the "Services" button/menu option is displayed.
filetransfer: only the "File Transfer" button/menu option is displayed.
configuration: only the "Configuration" button/menu option is displayed.

clientConfiguration
Display only configured tabs in the Windows VPN client. Options:
none: none of the Windows Client's tabs (except About) are displayed.
all: all of the Windows Client's tabs (except "Resptime") are displayed.
One or more of the following:
general: only the "General" tab is displayed.
tunnel: only the "Tunnel" tab is displayed.
trace: only the "Trace" tab is displayed.
compression: only the "Compression" tab is displayed.
resptime: only the "Resptime" tab is displayed.

sso
Enables or disables the use of SSO.
Possible values: ON, OFF
Default value: OFF

useMIP
Enables or disables the use of MIP for the session.
Possible values: NS, OFF
Default value: NS

useIIP
Controls how the intranet IP module is configured for usage. Options:
SPILLOVER specifies that iip is ON and when we can't assign an intranet IP to an entity, which has other instances active, we spill over to using Mapped IP.
NOSPILLOVER specifies that iip is ON and when we can't assign intranet IP to an entity, which has other instances active, then we initiate transfer login.
OFF specifies that intranet IP module won't be activated for this entity.
Possible values: NOSPILLOVER, SPILLOVER, OFF
Default value: NOSPILLOVER

clientDebug
Sets the trace level on the Windows VPN Client. Options:
debug: Detailed debug messages are collected and written into the specified file.
stats: Application audit level error messages and debug statistic counters are written into the specified file.
events: Application audit level error messages are written into the specified file.
off: Only critical events are logged into the Windows Application Log.
Possible values: debug, stats, events, OFF
Default value: OFF

loginScript
Login script path.

logoutScript
Logout script path.

homePage
Sets the client home page. Setting this parameter overrides the serving of the default portal page with the URL specified here.

iipDnsSuffix
Configure the IntranetIP DNS suffix. When a user logs into SSL-VPN, an A record is added to the DNS cache, after appending the configured IntranetIP DNS suffix to the username.

forcedTimeout
Maximum number of minutes a session is allowed to persist.

forcedTimeoutWarning
Number of minutes to warn a user before their session is removed by a forced time out.

Example
set vpn parameter -httpport 80 90 -winsIP 192.168.0.220 -dnsVserverName mydns -sessTimeout 240

Related Commands
unset vpn parameter
show vpn parameter
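The following is an added example, not part of the Citrix guide: a small Python audit of `set vpn parameter` and `add vpn sessionaction` lines that applies the defaults documented above to options a global statement leaves out. The 30-minute review threshold, the finding names and the `contractors` session action are assumptions made for illustration.

```python
import shlex

# Defaults this reference documents for "set vpn parameter".
DOCUMENTED_DEFAULTS = {
    "sesstimeout": "30",
    "splittunnel": "OFF",
    "killconnections": "ON",
    "defaultauthorizationaction": "ALLOW",
    "clientdebug": "OFF",
}

# Assumption for this example: idle timeouts above this many minutes are flagged.
MAX_IDLE_MINUTES = 30

# Constructed sample input. The first line is the guide's own example;
# the session action name and its values are invented for illustration.
SAMPLE_CONFIG = """\
set vpn parameter -httpport 80 90 -winsIP 192.168.0.220 -dnsVserverName mydns -sessTimeout 240
add vpn sessionaction contractors -splitTunnel ON -defaultAuthorizationAction DENY -clientDebug debug -forcedTimeout 480
"""


def parse_statement(line):
    """Return (command, positional_args, {option: [values]}) for one CLI line."""
    tokens = shlex.split(line)
    command = " ".join(tok.lower() for tok in tokens[:3])
    positional, options, current = [], {}, None
    for tok in tokens[3:]:
        if tok.startswith("-") and len(tok) > 1:
            current = tok[1:].lower()  # the guide's own examples mix option case
            options[current] = []
        elif current is None:
            positional.append(tok)
        else:
            options[current].append(tok)  # e.g. -httpPort takes several values
    return command, positional, options


def audit_statement(line):
    """Return a list of (scope, finding, detail) tuples for one CLI line."""
    command, positional, options = parse_statement(line)
    if command == "set vpn parameter":
        scope, effective = "global", dict(DOCUMENTED_DEFAULTS)
    elif command == "add vpn sessionaction" and positional:
        scope, effective = positional[0], {}  # judge only what is set explicitly
    else:
        return []
    for name, values in options.items():
        effective[name] = " ".join(values).upper()

    findings = []
    if effective.get("defaultauthorizationaction") == "ALLOW":
        findings.append((scope, "default-allow",
                         "defaultAuthorizationAction is ALLOW (the documented default)"))
    split = effective.get("splittunnel")
    if split not in (None, "OFF"):
        findings.append((scope, "split-tunnel",
                         f"splitTunnel is {split}; killConnections and spoofIIP are "
                         "documented only for splitTunnel OFF"))
    elif split == "OFF" and effective.get("killconnections") == "OFF":
        findings.append((scope, "kill-connections-off",
                         "pre-existing client connections are kept after login"))
    if scope == "global" and "forcedtimeout" not in effective:
        findings.append((scope, "no-forced-timeout",
                         "no maximum session lifetime is configured"))
    idle = effective.get("sesstimeout", "")
    if idle.isdigit() and int(idle) > MAX_IDLE_MINUTES:
        findings.append((scope, "long-idle-timeout",
                         f"sessTimeout is {idle} minutes (threshold {MAX_IDLE_MINUTES})"))
    if effective.get("clientdebug", "OFF") != "OFF":
        findings.append((scope, "client-trace",
                         "clientDebug writes trace output to a file on the client"))
    return findings


def audit_config(text):
    """Audit every non-empty line of a configuration listing."""
    findings = []
    for line in text.splitlines():
        if line.strip():
            findings.extend(audit_statement(line))
    return findings


if __name__ == "__main__":
    for scope, finding, detail in audit_config(SAMPLE_CONFIG):
        print(f"[{scope}] {finding}: {detail}")
```

Run against the guide's own `set vpn parameter` example, it reports the default-allow authorization action, the missing forced timeout and the 240-minute idle timeout.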

unset vpn parameter

Synopsis
unset vpn parameter [-httpPort] [-winsIP] [-dnsVserverName] [-sessTimeout] [-clientSecurity] [-clientSecurityGroup] [-authorizationGroup] [-clientIdleTimeout] [-allProtocolProxy | -httpProxy | -ftpProxy | -socksProxy | -gopherProxy | -sslProxy] [-proxyException] [-forceCleanup] [-clientOptions] [-clientConfiguration] [-loginScript] [-logoutScript] [-homePage] [-iipDnsSuffix] [-forcedTimeout] [-forcedTimeoutWarning]

Description
Use this command to unset parameters for the SSL VPN feature.

Arguments

httpPort
Clears any HTTP port entries excluding port 80.

winsIP
Unsets the configured WINS server IP address.

dnsVserverName
Unsets the configured DNS vserver.

sessTimeout
Clears the VPN session timeout setting.

clientSecurity
Unsets the configured client security check.

clientSecurityGroup
Unsets the configured client security group.

authorizationGroup
Unsets the configured authorization group.

clientIdleTimeout
Clears the client idle time out.

allProtocolProxy
Removes the all proxy IP address.

httpProxy
Removes the HTTP proxy IP address.

ftpProxy
Removes the FTP proxy IP address.

socksProxy
Removes the SOCKS proxy IP address.

gopherProxy
Removes the Gopher proxy IP address.

sslProxy
Removes the HTTPS proxy IP address.

proxyException
Removes the Proxy Exception configuration.

forceCleanup
Removes all the configured force clean up options.

clientOptions
Removes Windows VPN client button and/or menu options configuration.

clientConfiguration
Removes Windows VPN client tab options configuration.

loginScript
Removes the login script parameter.

logoutScript
Removes the logout script parameter.

homePage
Removes the configured client home page parameter.

iipDnsSuffix
Removes the configured IntranetIP DNS suffix.

forcedTimeout
Removes the configured Forced Timeout.

forcedTimeoutWarning
Removes the configured Forced Timeout Warning.

Related Commands
set vpn parameter
show vpn parameter

show vpn parameter

Synopsis
show vpn parameter

Description
Use this command to display the configured vpn parameters.

Arguments

Output

name

httpPort

winsIP

dnsVserverName

sessTimeout

clientSecurity

clientSecurityGroup

splitTunnel

spoofIIP


killConnections

transparentInterception

windowsClientType

defaultAuthorizationAction

authorizationGroup

clientIdleTimeout

clientidletimeoutwarning

proxy

allProtocolProxy

httpProxy

ftpProxy

socksProxy

gopherProxy

sslProxy


proxyException

clientCleanupPrompt

forceCleanup

clientOptions

clientConfiguration

sso
Switch to turn on the SSO engine.

useMIP
Enables or disables the use of MIP for the session.

useIIP
Controls how the intranet IP module is configured for usage. Options:
SPILLOVER specifies that iip is ON and when we can't assign an intranet IP to an entity, which has other instances active, we spill over to using Mapped IP.
NOSPILLOVER specifies that iip is ON and when we can't assign intranet IP to an entity, which has other instances active, then we initiate transfer login.
OFF specifies that intranet IP module won't be activated for this entity.

clientDebug

loginScript
Login script path.

logoutScript
Logout script path.

homePage


iipDnsSuffix

forcedTimeout

forcedTimeoutWarning

Related Commands
set vpn parameter
unset vpn parameter
