ADC NITRO APIs

nsacl

Configuration for ACL entry resource.

Properties

(click to see Operations )

Name Data Type Permissions Description
aclname Read-write Name for the extended ACL rule. Must begin with an ASCII alphabetic or underscore (_) character, and must contain only ASCII alphanumeric, underscore, hash (#), period (.), space, colon (:), at (@), equals (=), and hyphen (-) characters.

Minimum length = 1
aclaction Read-write Action to perform on incoming IPv4 packets that match the extended ACL rule. Available settings function as follows
  • ALLOW - The Citrix ADC processes the packet.
  • BRIDGE - The Citrix ADC bridges the packet to the destination without processing it.
  • DENY - The Citrix ADC drops the packet. Possible values = BRIDGE, DENY, ALLOW
  • td Read-write Integer value that uniquely identifies the traffic domain in which you want to configure the entity. If you do not specify an ID, the entity becomes part of the default traffic domain, which has an ID of 0.

    Minimum value = 0

    Maximum value = 4094
    srcip Read-write IP address or range of IP addresses to match against the source IP address of an incoming IPv4 packet. In the command line interface, separate the range with a hyphen. For example: 10.102.29.30-10.102.29.189.
    srcipop Read-write Either the equals (=) or does not equal (!=) logical operator.

    Possible values = =, !=, EQ, NEQ
    srcipval Read-write IP address or range of IP addresses to match against the source IP address of an incoming IPv4 packet. In the command line interface, separate the range with a hyphen. For example:10.102.29.30-10.102.29.189.
    srcipdataset Read-write Policy dataset which can have multiple IP ranges bound to it.
    srcport Read-write Port number or range of port numbers to match against the source port number of an incoming IPv4 packet. In the command line interface, separate the range with a hyphen. For example: 40-90.
    srcportop Read-write Either the equals (=) or does not equal (!=) logical operator.

    Possible values = =, !=, EQ, NEQ
    srcportval Read-write Port number or range of port numbers to match against the source port number of an incoming IPv4 packet. In the command line interface, separate the range with a hyphen. For example: 40-90.

    Maximum length = 65535
    srcportdataset Read-write Policy dataset which can have multiple port ranges bound to it.
    destip Read-write IP address or range of IP addresses to match against the destination IP address of an incoming IPv4 packet. In the command line interface, separate the range with a hyphen. For example: 10.102.29.30-10.102.29.189.
    destipop Read-write Either the equals (=) or does not equal (!=) logical operator.

    Possible values = =, !=, EQ, NEQ
    destipval Read-write IP address or range of IP addresses to match against the destination IP address of an incoming IPv4 packet. In the command line interface, separate the range with a hyphen. For example: 10.102.29.30-10.102.29.189.
    destipdataset Read-write Policy dataset which can have multiple IP ranges bound to it.
    destport Read-write Port number or range of port numbers to match against the destination port number of an incoming IPv4 packet. In the command line interface, separate the range with a hyphen. For example: 40-90.



    Note: The destination port can be specified only for TCP and UDP protocols.
    destportop Read-write Either the equals (=) or does not equal (!=) logical operator.

    Possible values = =, !=, EQ, NEQ
    destportval Read-write Port number or range of port numbers to match against the destination port number of an incoming IPv4 packet. In the command line interface, separate the range with a hyphen. For example: 40-90.



    Note: The destination port can be specified only for TCP and UDP protocols.

    Maximum length = 65535
    destportdataset Read-write Policy dataset which can have multiple port ranges bound to it.
    ttl Read-write Number of seconds, in multiples of four, after which the extended ACL rule expires. If you do not want the extended ACL rule to expire, do not specify a TTL value.

    Minimum value = 1

    Maximum value = 2147483647
    srcmac Read-write MAC address to match against the source MAC address of an incoming IPv4 packet.
    srcmacmask Read-write Used to define range of Source MAC address. It takes string of 0 and 1, 0s are for exact match and 1s for wildcard. For matching first 3 bytes of MAC address, srcMacMask value “000000111111”. .

    Default value: “000000000000”
    protocol Read-write Protocol to match against the protocol of an incoming IPv4 packet.

    Possible values = ICMP, IGMP, TCP, EGP, IGP, ARGUS, UDP, RDP, RSVP, EIGRP, L2TP, ISIS, GGP, IPoverIP, ST, CBT, BBN-RCC-M, NVP-II, PUP, EMCON, XNET, CHAOS, MUX, DCN-MEAS, HMP, PRM, XNS-IDP, TRUNK-1, TRUNK-2, LEAF-1, LEAF-2, IRTP, ISO-TP4, NETBLT, MFE-NSP, MERIT-INP, SEP, 3PC, IDPR, XTP, DDP, IDPR-CMTP, TP++, IL, IPv6, SDRP, IPv6-Route, IPv6-Frag, IDRP, GRE, MHRP, BNA, ESP, AH, I-NLSP, SWIPE, NARP, MOBILE, TLSP, SKIP, ICMPV6, IPv6-NoNx, IPv6-Opts, Any-Host-Internal-Protocol, CFTP, Any-Local-Network, SAT-EXPAK, KRYPTOLAN, RVD, IPPC, Any-Distributed-File-System, TFTP, VISA, IPCV, CPNX, CPHB, WSN, PVP, BR-SAT-MO, SUN-ND, WB-MON, WB-EXPAK, ISO-IP, VMTP, SECURE-VM, VINES, TTP, NSFNET-IG, DGP, TCF, OSPFIGP, Sprite-RP, LARP, MTP, AX.25, IPIP, MICP, SCC-SP, ETHERIP, Any-Private-Encryption-Scheme, GMTP, IFMP, PNNI, PIM, ARIS, SCPS, QNX, A/N, IPComp, SNP, Compaq-Pe, IPX-in-IP, VRRP, PGM, Any-0-Hop-Protocol, ENCAP, DDX, IATP, STP, SRP, UTI, SMP, SM, PTP, FIRE, CRTP, CRUDP, SSCOPMCE, IPLT, SPS, PIPE, SCTP, FC, RSVP-E2E-IGNORE, Mobility-Header, UDPLite
    protocolnumber Read-write Protocol to match against the protocol of an incoming IPv4 packet.

    Minimum value = 1

    Maximum value = 255
    vlan Read-write ID of the VLAN. The Citrix ADC applies the ACL rule only to the incoming packets of the specified VLAN. If you do not specify a VLAN ID, the appliance applies the ACL rule to the incoming packets on all VLANs.

    Minimum value = 1

    Maximum value = 4094
    vxlan Read-write ID of the VXLAN. The Citrix ADC applies the ACL rule only to the incoming packets of the specified VXLAN. If you do not specify a VXLAN ID, the appliance applies the ACL rule to the incoming packets on all VXLANs.

    Minimum value = 1

    Maximum value = 16777215
    Interface Read-write ID of an interface. The Citrix ADC applies the ACL rule only to the incoming packets from the specified interface. If you do not specify any value, the appliance applies the ACL rule to the incoming packets of all interfaces.
    established Read-write Allow only incoming TCP packets that have the ACK or RST bit set, if the action set for the ACL rule is ALLOW and these packets match the other conditions in the ACL rule.
    icmptype Read-write ICMP Message type to match against the message type of an incoming ICMP packet. For example, to block DESTINATION UNREACHABLE messages, you must specify 3 as the ICMP type.



    Note: This parameter can be specified only for the ICMP protocol.

    Minimum value = 0

    Maximum value = 65536
    icmpcode Read-write Code of a particular ICMP message type to match against the ICMP code of an incoming ICMP packet. For example, to block DESTINATION HOST UNREACHABLE messages, specify 3 as the ICMP type and 1 as the ICMP code.



    If you set this parameter, you must set the ICMP Type parameter.

    Minimum value = 0

    Maximum value = 65536
    priority Read-write Priority for the extended ACL rule that determines the order in which it is evaluated relative to the other extended ACL rules. If you do not specify priorities while creating extended ACL rules, the ACL rules are evaluated in the order in which they are created.

    Minimum value = 1

    Maximum value = 100000
    state Read-write Enable or disable the extended ACL rule. After you apply the extended ACL rules, the Citrix ADC compares incoming packets against the enabled extended ACL rules.

    Default value: ENABLED

    Possible values = ENABLED, DISABLED
    logstate Read-write Enable or disable logging of events related to the extended ACL rule. The log messages are stored in the configured syslog or auditlog server.

    Default value: DISABLED

    Possible values = ENABLED, DISABLED
    ratelimit Read-write Maximum number of log messages to be generated per second. If you set this parameter, you must enable the Log State parameter.

    Default value: 100

    Minimum value = 1

    Maximum value = 10000
    type Read-write Type of the acl ,default will be CLASSIC. Available options as follows
  • CLASSIC - specifies the regular extended acls.
  • DFD - cluster specific acls,specifies hashmethod for steering of the packet in cluster . Default value: CLASSIC Possible values = CLASSIC, DFD
  • dfdhash Read-write Specifies the type hashmethod to be applied, to steer the packet to the FP of the packet.

    Possible values = SIP-SPORT-DIP-DPORT, SIP, DIP, SIP-DIP, SIP-SPORT, DIP-DPORT
    stateful Read-write If stateful option is enabled, transparent sessions are created for the traffic hitting this ACL and not hitting any other features like LB, INAT etc. .

    Default value: NO

    Possible values = YES, NO
    newname Read-write New name for the extended ACL rule. Must begin with an ASCII alphabetic or underscore (_) character, and must contain only ASCII alphanumeric, underscore, hash (#), period (.), space, colon (:), at (@), equals (=), and hyphen (-) characters.

    Minimum length = 1
    hits Read-only The hits of this ACL.
    kernelstate Read-only The commit status of the ACL.

    Default value: NOTAPPLIED

    Possible values = APPLIED, NOTAPPLIED, RE-APPLY, SFAPPLIED, SFNOTAPPLIED, SFAPPLIED61, SFNOTAPPLIED61
    aclassociate <String[]> Read-only ACL linked.

    Possible values = NAT, FORWARDINGSESSION, NAT64, LSN
    aclchildcount Read-only Number of childs for this ACL.
    __count Read-only count parameter

    Operations

    (click to see Properties )

    • ADD
    • DELETE
    • UPDATE
    • UNSET
    • ENABLE
    • DISABLE
    • RENAME
    • GET (ALL)
    • GET
    • COUNT

    Some options that you can use for each operations:

    • Getting warnings in response: NITRO allows you to get warnings in an operation by specifying the 'warning' query parameter as 'yes'. For example, to get warnings while connecting to the NetScaler appliance, the URL is as follows:

      http:// <netscaler-ip-address> /nitro/v1/config/login?warning=yes

      If any, the warnings are displayed in the response payload with the HTTP code '209 X-NITRO-WARNING'.

    • Authenticated access for individual NITRO operations: NITRO allows you to logon to the NetScaler appliance to perform individual operations. You can use this option instead of creating a NITRO session (using the login object) and then using that session to perform all operations,

      To do this, you must specify the username and password in the request header of the NITRO request as follows:

      X-NITRO-USER: <username>

      X-NITRO-PASS: <password>

      Note: In such cases, make sure that the request header DOES not include the following:

      Cookie:NITRO_AUTH_TOKEN= <tokenvalue>

    *Note: * Mandatory parameters are marked in red and placeholder content is marked in green

    add

    URL: http:// <netscaler-ip-address> /nitro/v1/config/nsacl HTTP Method: POST

    Request Headers:

    Cookie:NITRO_AUTH_TOKEN= <tokenvalue>

    Content-Type:application/json

    Request Payload:

    {"nsacl":{ <b>"aclname":<String_value>, </b><b>"aclaction":<String_value>, </b>"td":<Double_value>, "srcip":<Boolean_value>, "srcipop":<String_value>, "srcipval":<String_value>, "srcipdataset":<String_value>, "srcport":<Boolean_value>, "srcportop":<String_value>, "srcportval":<String_value>, "srcportdataset":<String_value>, "destip":<Boolean_value>, "destipop":<String_value>, "destipval":<String_value>, "destipdataset":<String_value>, "destport":<Boolean_value>, "destportop":<String_value>, "destportval":<String_value>, "destportdataset":<String_value>, "ttl":<Double_value>, "srcmac":<String_value>, "srcmacmask":<String_value>, "protocol":<String_value>, "protocolnumber":<Double_value>, "vlan":<Double_value>, "vxlan":<Double_value>, "Interface":<String_value>, "established":<Boolean_value>, "icmptype":<Double_value>, "icmpcode":<Double_value>, "priority":<Double_value>, "state":<String_value>, "logstate":<String_value>, "ratelimit":<Double_value>, "type":<String_value>, "dfdhash":<String_value>, "stateful":<String_value> }}

    Response: HTTP Status Code on Success: 201 Created

    HTTP Status Code on Failure: 4xx <string> (for general HTTP errors) or 5xx <string> (for NetScaler-specific errors). The response payload provides details of the error

    delete

    URL: http:// <netscaler-ip-address> /nitro/v1/config/nsacl/ aclname_value<String> HTTP Method: DELETE

    Request Headers:

    Cookie:NITRO_AUTH_TOKEN= <tokenvalue>

    Response: HTTP Status Code on Success: 200 OK

    HTTP Status Code on Failure: 4xx <string> (for general HTTP errors) or 5xx <string> (for NetScaler-specific errors). The response payload provides details of the error

    update

    URL: http:// <netscaler-ip-address> /nitro/v1/config/nsacl HTTP Method: PUT

    Request Headers:

    Cookie:NITRO_AUTH_TOKEN= <tokenvalue>

    Content-Type:application/json

    Request Payload:

    {"nsacl":{ <b>"aclname":<String_value>, </b>"aclaction":<String_value>, "srcip":<Boolean_value>, "srcipop":<String_value>, "srcipval":<String_value>, "srcport":<Boolean_value>, "srcportop":<String_value>, "srcportval":<String_value>, "destip":<Boolean_value>, "destipop":<String_value>, "destipval":<String_value>, "destport":<Boolean_value>, "destportop":<String_value>, "destportval":<String_value>, "srcmac":<String_value>, "srcmacmask":<String_value>, "protocol":<String_value>, "protocolnumber":<Double_value>, "icmptype":<Double_value>, "icmpcode":<Double_value>, "vlan":<Double_value>, "vxlan":<Double_value>, "Interface":<String_value>, "priority":<Double_value>, "logstate":<String_value>, "ratelimit":<Double_value>, "established":<Boolean_value>, "dfdhash":<String_value>, "stateful":<String_value> }}

    Response: HTTP Status Code on Success: 200 OK

    HTTP Status Code on Failure: 4xx <string> (for general HTTP errors) or 5xx <string> (for NetScaler-specific errors). The response payload provides details of the error

    unset

    URL: http:// <netscaler-ip-address> /nitro/v1/config/nsacl? action=unset HTTP Method: POST

    Request Headers:

    Cookie:NITRO_AUTH_TOKEN= <tokenvalue>

    Content-Type:application/json

    Request Payload:

    {"nsacl":{ <b>"aclname":<String_value>, </b>"srcip":true, "srcport":true, "destip":true, "destport":true, "srcmac":true, "srcmacmask":true, "protocol":true, "icmptype":true, "icmpcode":true, "vlan":true, "vxlan":true, "Interface":true, "logstate":true, "ratelimit":true, "established":true, "stateful":true, "dfdhash":true }}

    Response: HTTP Status Code on Success: 200 OK

    HTTP Status Code on Failure: 4xx <string> (for general HTTP errors) or 5xx <string> (for NetScaler-specific errors). The response payload provides details of the error

    enable

    URL: http:// <netscaler-ip-address> /nitro/v1/config/nsacl? action=enable HTTP Method: POST

    Request Headers:

    Cookie:NITRO_AUTH_TOKEN= <tokenvalue>

    Content-Type:application/json

    Request Payload:

    {"nsacl":{ <b>"aclname":<String_value> </b>}}

    Response: HTTP Status Code on Success: 200 OK

    HTTP Status Code on Failure: 4xx <string> (for general HTTP errors) or 5xx <string> (for NetScaler-specific errors). The response payload provides details of the error

    disable

    URL: http:// <netscaler-ip-address> /nitro/v1/config/nsacl? action=disable HTTP Method: POST

    Request Headers:

    Cookie:NITRO_AUTH_TOKEN= <tokenvalue>

    Content-Type:application/json

    Request Payload:

    {"nsacl":{ <b>"aclname":<String_value> </b>}}

    Response: HTTP Status Code on Success: 200 OK

    HTTP Status Code on Failure: 4xx <string> (for general HTTP errors) or 5xx <string> (for NetScaler-specific errors). The response payload provides details of the error

    rename

    URL: http:// <netscaler-ip-address> /nitro/v1/config/nsacl? action=rename HTTP Method: POST

    Request Headers:

    Cookie:NITRO_AUTH_TOKEN= <tokenvalue>

    Content-Type:application/json

    Request Payload:

    {"nsacl":{ <b>"aclname":<String_value>, </b><b>"newname":<String_value> </b>}}

    Response: HTTP Status Code on Success: 200 OK

    HTTP Status Code on Failure: 4xx <string> (for general HTTP errors) or 5xx <string> (for NetScaler-specific errors). The response payload provides details of the error

    get (all)

    URL: http:// <netscaler-ip-address> /nitro/v1/config/nsacl Query-parameters: args http:// <netscaler-ip-address> /nitro/v1/config/nsacl? args=aclname: <String_value> ,type: <String_value>

    Use this query-parameter to get nsacl resources based on additional properties.

    attrs http:// <netscaler-ip-address> /nitro/v1/config/nsacl? attrs=property-name1,property-name2

    Use this query parameter to specify the resource details that you want to retrieve.

    filter http:// <netscaler-ip-address> /nitro/v1/config/nsacl? filter=property-name1:property-val1,property-name2:property-val2

    Use this query-parameter to get the filtered set of nsacl resources configured on NetScaler.Filtering can be done on any of the properties of the resource.

    view http:// <netscaler-ip-address> /nitro/v1/config/nsacl? view=summary

    Use this query-parameter to get the summary output of nsacl resources configured on NetScaler.

    Note: By default, the retrieved results are displayed in detail view (?view=detail).

    pagination http:// <netscaler-ip-address> /nitro/v1/config/nsacl? pagesize=#no;pageno=#no

    Use this query-parameter to get the nsacl resources in chunks.

    HTTP Method: GET

    Request Headers:

    Cookie:NITRO_AUTH_TOKEN= <tokenvalue>

    Accept:application/json

    Response: HTTP Status Code on Success: 200 OK

    HTTP Status Code on Failure: 4xx <string> (for general HTTP errors) or 5xx <string> (for NetScaler-specific errors). The response payload provides details of the error

    Response Header:

    Content-Type:application/json

    Response Payload:

    { "nsacl": [ { aclname:<String_value>,type:<String_value>"td":<Double_value>, "aclaction":<String_value>, "srcmac":<String_value>, "srcmacmask":<String_value>, "protocol":<String_value>, "protocolnumber":<Double_value>, "srcportval":<String_value>, "srcportdataset":<String_value>, "srcportop":<String_value>, "destportval":<String_value>, "destportdataset":<String_value>, "destportop":<String_value>, "srcipval":<String_value>, "srcipdataset":<String_value>, "srcipop":<String_value>, "destipval":<String_value>, "destipop":<String_value>, "destipdataset":<String_value>, "vlan":<Double_value>, "vxlan":<Double_value>, "state":<String_value>, "ttl":<Double_value>, "icmptype":<Double_value>, "icmpcode":<Double_value>, "Interface":<String_value>, "hits":<Double_value>, "established":<Boolean_value>, "priority":<Double_value>, "kernelstate":<String_value>, "logstate":<String_value>, "ratelimit":<Double_value>, "aclassociate":<String[]_value>, "dfdhash":<String_value>, "stateful":<String_value>, "aclchildcount":<Double_value> }]}

    get

    URL: http:// <netscaler-ip-address> /nitro/v1/config/nsacl/ aclname_value<String> Query-parameters: attrs http:// <netscaler-ip-address> /nitro/v1/config/nsacl/ aclname_value<String> ? attrs=property-name1,property-name2

    Use this query parameter to specify the resource details that you want to retrieve.

    view http:// <netscaler-ip-address> /nitro/v1/config/nsacl/ aclname_value<String> ? view=summary

    Use this query-parameter to get the summary output of nsacl resources configured on NetScaler.

    Note: By default, the retrieved results are displayed in detail view (?view=detail).

    HTTP Method: GET

    Request Headers:

    Cookie:NITRO_AUTH_TOKEN= <tokenvalue>

    Accept:application/json

    Response: HTTP Status Code on Success: 200 OK

    HTTP Status Code on Failure: 4xx <string> (for general HTTP errors) or 5xx <string> (for NetScaler-specific errors). The response payload provides details of the error

    Response Header:

    Content-Type:application/json

    Response Payload:

    { "nsacl": [ { aclname:<String_value>,type:<String_value>"td":<Double_value>, "aclaction":<String_value>, "srcmac":<String_value>, "srcmacmask":<String_value>, "protocol":<String_value>, "protocolnumber":<Double_value>, "srcportval":<String_value>, "srcportdataset":<String_value>, "srcportop":<String_value>, "destportval":<String_value>, "destportdataset":<String_value>, "destportop":<String_value>, "srcipval":<String_value>, "srcipdataset":<String_value>, "srcipop":<String_value>, "destipval":<String_value>, "destipop":<String_value>, "destipdataset":<String_value>, "vlan":<Double_value>, "vxlan":<Double_value>, "state":<String_value>, "ttl":<Double_value>, "icmptype":<Double_value>, "icmpcode":<Double_value>, "Interface":<String_value>, "hits":<Double_value>, "established":<Boolean_value>, "priority":<Double_value>, "kernelstate":<String_value>, "logstate":<String_value>, "ratelimit":<Double_value>, "aclassociate":<String[]_value>, "dfdhash":<String_value>, "stateful":<String_value>, "aclchildcount":<Double_value> }]}

    count

    URL: http:// <netscaler-ip-address> /nitro/v1/config/nsacl? count=yes HTTP Method: GET

    Request Headers:

    Cookie:NITRO_AUTH_TOKEN= <tokenvalue>

    Accept:application/json

    Response: HTTP Status Code on Success: 200 OK

    HTTP Status Code on Failure: 4xx <string> (for general HTTP errors) or 5xx <string> (for NetScaler-specific errors). The response payload provides details of the error

    Response Header:

    Content-Type:application/json

    Response Payload:

    { "nsacl": [ { "__count": "#no"} ] }
    nsacl