ADC

Converting policy expressions using the NSPEPI tool

Note:

You can download the NSPEPI and preconfig check tool from the public GitHub. For more information, see Github NEPEPI page and GitHub preconfig page for detailed instructions to download the tools. We recommend customers to use tools available in GitHub for the most complete and up-to-date version.

Classic policy-based features and functionalities are deprecated from NetScaler 12.0 build 56.20 onwards. As an alternative, Citrix recommends you to use the Advanced policy infrastructure. As part of this effort, when you upgrade to Citrix ADC 12.1 build 56.20 or later, you must replace the Classic policy-based features and functionalities to its corresponding non-deprecated features and functionalities. Also, you must convert Classic policies and expressions to Advanced policies and expressions. Also, all new Citrix ADC features support only Advanced policy infrastructure.

The nspepi tool can perform the following:

  1. Convert Classic policy expressions to Advanced policy expressions.
  2. Convert certain Classic policies and their entity bindings to Advanced policies and bindings.
  3. Convert a few more deprecated features to their corresponding non-deprecated features.
  4. Convert classic filter commands to advanced filter commands.

Note:

After the nspepi tool successfully converts the ns.conf config file, the tool displays the converted file as a new file with a prefix, “new_”. If the converted config file has errors or warnings, you must manually fix them as part of the conversion process. Once converted, you must test the file in the test environment and then use it to replace the actual ns.conf config file. After testing, you must reboot the appliance for the newly converted or fixed ns.conf config file.

Features that only support Classic policies or expressions are deprecated and they can be replaced by the corresponding non-deprecated features.

Note:

Information pertaining to the older version of the nspepi tool is available in a PDF format. For more information, see Classic policy conversion using nspepi tool prior to 12.1-51.16 PDF.

Conversion warnings and error files

Before you use the tool for your conversion, there are few warnings to keep in mind:

  1. All warnings and errors are output to the console. There is a warning file created where the configuration files are stored.
  2. The warnings and error file has the same name as the input file but with a prefix “warn_” added to the file name. During expression conversion (when using -e), the warnings show up in the current directory with a name “warn_expr”.

Note:

This file is in a standard log file format, with date/time stamp and log level. Previous instances of the file are kept with suffixes like “.1”, “.2”, and so forth as the tool is run multiple times. At most 10 instances will be kept.

Converted file format

When converting a configuration file (using “-f”), the converted file is put into the same directory as where the input configuration file exists with the same name but a prefix “new_”.

Commands or features handled by the nspepi conversion tool

Following are the commands handled during the auto conversion process.

  • The following Classic policies and their expressions are converted to Advanced policies and expressions. The conversion includes entity bindings and global bindings.
  1. add appfw policy
  2. add cmp policy
  3. add cr policy
  4. add cs policy
  5. add tm sessionPolicy
  6. add filter action
  7. add filter policy
  8. filter policy binding to load balancing, content switching, cache redirection, and global.

Note:

However, for “add tm sessionPolicy”, you cannot bind to global override in Advanced policies.

  • The rule parameter configured in “add lb virtual server” is converted from Classic expression to Advanced expression.
  • The SPDY parameter configured in the “add ns httpProfile” or the “set ns httpProfile” command is changed to “-http2 ENABLED”.
  • Named expressions (“add policy expression” commands). Each Classic named policy expression is converted to its corresponding Advanced named expression with “nspepi_adv_” set as the prefix. In addition, usage of named expressions for the converted Classic expressions is changed to the corresponding Advanced named expressions. In addition, every named expression has two named expressions, where one is Classic and the other one is Advanced (as shown below).
  • Tunnel TrafficPolicy conversion is supported.
  • Handling builtin-in classic policy bindings in CMP, CR, and Tunnel.
  • Patclass feature is converted to Pat set feature.
  • “-pattern” parameter in the “add rewrite action” command is converted to use “-search” parameter.
  • SYS.EVAL_CLASSIC_EXPR is converted to the equivalent non-deprecated advanced expression. These expressions can be seen in any command where advanced expressions are allowed.
  • Q and S prefixes of advanced expressions are converted to equivalent non-deprecated advanced expressions. These expressions can be seen in any command where advanced expressions are allowed.

For example:

add policy expression classic_expr ns_true
Converts to:
add policy expression classic_expr ns_true
add policy expression nspepi_adv_classic_expr TRUE
<!--NeedCopy-->
  • The policyType parameter configured in the “set cmp parameter” command is removed. By default, the policy type is “Advanced”.

Convert classic filter commands to advanced filter commands

The nspepi tool can convert commands based on classic filter actions such as add, bind and so forth to advanced filter commands.

However, the nepepi tool does not support the following filter commands.

  1. add filter action <action Name> FORWARD <service name>
  2. add filter action <action name> ADD prebody
  3. add filter action <action name> ADD postbody

Note:

  1. If there are existing rewrite or responder features in ns.conf and their policies are bound globally with the GOTO expression as END or USER_INVOCATION_RESULT and the bind type is REQ_X or RES_X then the tool converts bind filter commands partially and comments out. Warning is displayed to put manual effort.
  2. If there are existing rewrite or responder features and their policies are bound to virtual servers(for example, load balancing, content switching or cache redirect) of type HTTPS with GOTO - END or USER_INVOCATION_RESULT, the tool converts bind filter commands partially and then comments out. Warning is displayed to put manual effort.

Example

Following is a sample input:

add lb vserver v1 http 1.1.1.1 80 -persistenceType NONE -cltTimeout 9000
add cs vserver csv1 HTTP 1.1.1.2 80 -cltTimeout 180 -persistenceType NONE
add cr vserver crv1 HTTP 1.1.1.3 80 -cacheType FORWARD
add service svc1 1.1.1.4 http 80
add filter action fact_add add 'header:value'
add filter action fact_variable add 'H1:%%HTTP.TRANSID%%'
add filter action fact_prebody add prebody
add filter action fact_error_act1 ERRORCODE 200 "<HTML>Good URL</HTML>"
add filter action fact_forward_act1 FORWARD svc1
add filter policy fpol_add_res -rule ns_true -resAction fact_add
add filter policy fpol_error_res -rule ns_true -resAction fact_error_act1
add filter policy fpol_error_req -rule ns_true -reqAction fact_error_act1
add filter policy fpol_add_req -rule ns_true -reqAction fact_add
add filter policy fpol_variable_req -rule ns_true -reqAction fact_variable
add filter policy fpol_variable_res -rule ns_true -resAction fact_variable
add filter policy fpol_prebody_req -rule ns_true -reqAction fact_prebody
add filter policy fpol_prebody_res -rule ns_true -resAction fact_prebody
add filter policy fpol_forward_req -rule ns_true -reqAction fact_forward_act1
bind lb vserver v1 -policyName fpol_add_res
bind lb vserver v1 -policyName fpol_add_req
bind lb vserver v1 -policyName fpol_error_res
bind lb vserver v1 -policyName fpol_error_req
bind lb vserver v1 -policyName fpol_variable_res
bind lb vserver v1 -policyName fpol_variable_req
bind lb vserver v1 -policyName fpol_forward_req
bind cs vserver csv1 -policyName fpol_add_req
bind cs vserver csv1 -policyName fpol_add_res
bind cs vserver csv1 -policyName fpol_error_res
bind cs vserver csv1 -policyName fpol_error_req
bind cr vserver crv1 -policyName fpol_add_req
bind cr vserver crv1 -policyName fpol_add_res
bind cr vserver crv1 -policyName fpol_error_res
bind cr vserver crv1 -policyName fpol_error_req
bind cr vserver crv1 -policyName fpol_forward_req
bind filter global fpol_add_req
bind filter global fpol_add_res
bind filter global fpol_error_req
bind filter global fpol_error_res
bind filter global fpol_variable_req
bind filter global fpol_variable_res
bind filter global fpol_variable_res -state DISABLED
bind filter global fpol_prebody_req
bind filter global fpol_forward_req
After conversion, warning/error messages will be displayed for manual effort.
Warning files:
cat warn_<input file name>:
2019-11-07 17:13:34,724: ERROR - Conversion of [add filter action fact_prebody add prebody] not supported in this tool.
2019-11-07 17:13:34,739: ERROR - Conversion of [add filter action fact_forward_act1 FORWARD svc1] not supported in this tool.
2019-11-07 17:13:38,042: ERROR - Conversion of [add filter policy fpol_prebody_req -rule ns_true -reqAction fact_prebody] not supported in this tool.
2019-11-07 17:13:38,497: ERROR - Conversion of [add filter policy fpol_prebody_res -rule ns_true -resAction fact_prebody] not supported in this tool.
2019-11-07 17:13:39,035: ERROR - Conversion of [add filter policy fpol_forward_req -rule ns_true -reqAction fact_forward_act1] not supported in this tool.
2019-11-07 17:13:39,060: WARNING - Following bind command is commented out because state is disabled. Advanced expressions only have a fixed ordering of the types of bindings without interleaving, except that global bindings are allowed before all other bindings and after all bindings. If you have global bindings in the middle of non-global bindings or any other interleaving then you will need to reorder all your bindings for that feature and direction. Refer to nspepi documentation. If command is required please take a backup because comments will not be saved in ns.conf after triggering 'save ns config': bind filter global fpol_variable_res -state DISABLED


<!--NeedCopy-->

Following is a sample output. All converted commands are commented.

cat new_<input file name>
add rewrite action fact_add insert_http_header header "\"value\""
add filter action fact_prebody add prebody
add filter action fact_forward_act1 FORWARD svc1
add filter policy fpol_prebody_req -rule ns_true -reqAction fact_prebody
add filter policy fpol_prebody_res -rule ns_true -resAction fact_prebody
add filter policy fpol_forward_req -rule ns_true -reqAction fact_forward_act1
bind lb vserver v1 -policyName fpol_forward_req
bind cr vserver crv1 -policyName fpol_forward_req
#bind filter global fpol_variable_res -state DISABLED
bind filter global fpol_prebody_req
bind filter global fpol_forward_req
add rewrite action nspepi_adv_fact_variable insert_http_header H1 HTTP.RES.TXID
add rewrite action fact_variable insert_http_header H1 HTTP.REQ.TXID
add responder action fact_error_act1 respondwith "HTTP.REQ.VERSION.APPEND(\" 200 OK\\r
nConnection: close\\r
nContent-Length: 21\\r\\n\\r
n<HTML>Good URL</HTML>\")"
add rewrite action nspepi_adv_fact_error_act1 replace_http_res "HTTP.REQ.VERSION.APPEND(\" 200 OK\\r
nConnection: close\\r
nContent-Length: 21\\r\\n\\r
n<HTML>Good URL</HTML>\")"
add rewrite policy fpol_add_res TRUE fact_add
add rewrite policy fpol_error_res TRUE nspepi_adv_fact_error_act1
add responder policy fpol_error_req TRUE fact_error_act1
add rewrite policy fpol_add_req TRUE fact_add
add rewrite policy fpol_variable_req TRUE fact_variable
add rewrite policy fpol_variable_res TRUE nspepi_adv_fact_variable
set cmp parameter -policyType ADVANCED
bind rewrite global fpol_add_req 100 NEXT -type REQ_DEFAULT
bind rewrite global fpol_variable_req 200 NEXT -type REQ_DEFAULT
bind rewrite global fpol_add_res 100 NEXT -type RES_DEFAULT
bind rewrite global fpol_error_res 200 NEXT -type RES_DEFAULT
bind rewrite global fpol_variable_res 300 NEXT -type RES_DEFAULT
bind responder global fpol_error_req 100 END -type REQ_DEFAULT
bind lb vserver v1 -policyName fpol_add_res -type RESPONSE -priority 100 -gotoPriorityExpression NEXT
bind lb vserver v1 -policyName fpol_error_res -type RESPONSE -priority 200 -gotoPriorityExpression NEXT
bind lb vserver v1 -policyName fpol_variable_res -type RESPONSE -priority 300 -gotoPriorityExpression NEXT
bind lb vserver v1 -policyName fpol_add_req -type REQUEST -priority 100 -gotoPriorityExpression NEXT
bind lb vserver v1 -policyName fpol_variable_req -type REQUEST -priority 200 -gotoPriorityExpression NEXT
bind lb vserver v1 -policyName fpol_error_req -type REQUEST -priority 100 -gotoPriorityExpression END
bind cs vserver csv1 -policyName fpol_add_req -type REQUEST -priority 100 -gotoPriorityExpression NEXT
bind cs vserver csv1 -policyName fpol_add_res -type RESPONSE -priority 100 -gotoPriorityExpression NEXT
bind cs vserver csv1 -policyName fpol_error_res -type RESPONSE -priority 200 -gotoPriorityExpression NEXT
bind cs vserver csv1 -policyName fpol_error_req -type REQUEST -priority 100 -gotoPriorityExpression END
bind cr vserver crv1 -policyName fpol_add_req -type REQUEST -priority 100 -gotoPriorityExpression NEXT
bind cr vserver crv1 -policyName fpol_add_res -type RESPONSE -priority 100 -gotoPriorityExpression NEXT
bind cr vserver crv1 -policyName fpol_error_res -type RESPONSE -priority 200 -gotoPriorityExpression NEXT
bind cr vserver crv1 -policyName fpol_error_req -type REQUEST -priority 100 -gotoPriorityExpression END

<!--NeedCopy-->

Convert classic filter commands to advanced feature commands if existing rewrite or responder policy bindings have goto expression END or USE_INNVOCATION

In this conversion, if a rewrite policy bound to one or more virtual servers and if the server has END or USE_INVOCATION_RESULT, the tool comments out the commands.

Example

Following is a sample input command:

COPY
add filter policy fpol1 -rule ns_true -resAction reset
add filter policy fpol2 -rule ns_true -reqAction reset
add rewrite policy pol1 true NOREWRITE
add rewrite policylabel pl http_res
bind rewrite policylabel pl pol1 1
bind rewrite global NOPOLICY 1 USE_INVOCATION_RESULT -type RES_DEFAULT -invoke policylabel pl
add responder policy pol2 true NOOP
add responder policylabel pl -policylabeltype HTTP
bind responder policylabel pl pol2 1
bind responder global NOPOLICY 1 USE_INVOCATION_RESULT -type REQ_DEFAULT -invoke policylabel pl
bind lb vserver v1_tcp -policyName pol1 -priority 100 -gotoPriorityExpression USE_INVOCATION_RESULT -type RESPONSE
bind cs vserver csv1_tcp -policyName pol1 -priority 100 -gotoPriorityExpression USE_INVOCATION_RESULT -type RESPONSE
bind lb vserver v1_tcp -policyName pol2 -priority 100 -gotoPriorityExpression USE_INVOCATION_RESULT -type REQUEST
bind cs vserver csv1_tcp -policyName pol2 -priority 100 -gotoPriorityExpression USE_INVOCATION_RESULT -type REQUEST
bind cr vserver crv1_tcp -policyName pol2 -priority 100 -gotoPriorityExpression USE_INVOCATION_RESULT -type REQUEST
bind lb vserver v1_http -policyName fpol1
bind cs vserver csv1_http -policyName fpol1
bind lb vserver v2_http -policyName fpol2
bind cs vserver csv2_http -policyName fpol2
bind cr vserver crv2_http -policyName fpol2
bind filter global fpol1 -priority 100
bind filter global fpol2 -priority 100
<!--NeedCopy-->

Following is a sample output command:

COPY
add rewrite policy pol1 true NOREWRITE
add rewrite policylabel pl http_res
bind rewrite policylabel pl pol1 1
add responder policy pol2 true NOOP
add responder policylabel pl -policylabeltype HTTP
bind responder policylabel pl pol2 1
add rewrite policy fpol1 TRUE RESET
add responder policy fpol2 TRUE RESET
#bind lb vserver v1_http -policyName fpol1 -type RESPONSE
#bind cs vserver csv1_http -policyName fpol1 -type RESPONSE
#bind rewrite global fpol1 100 -type RES_DEFAULT
#bind lb vserver v2_http -policyName fpol2 -type REQUEST
#bind cs vserver csv2_http -policyName fpol2 -type REQUEST
#bind cr vserver crv2_http -policyName fpol2 -type REQUEST
#bind responder global fpol2 100 -type REQ_DEFAULT
bind rewrite global NOPOLICY 1 USE_INVOCATION_RESULT -type RES_DEFAULT -invoke policylabel pl
bind responder global NOPOLICY 1 USE_INVOCATION_RESULT -type REQ_DEFAULT -invoke policylabel pl
bind lb vserver v1_tcp -policyName pol1 -priority 100 -gotoPriorityExpression USE_INVOCATION_RESULT -type RESPONSE
bind lb vserver v1_tcp -policyName pol2 -priority 100 -gotoPriorityExpression USE_INVOCATION_RESULT -type REQUEST
bind cs vserver csv1_tcp -policyName pol1 -priority 100 -gotoPriorityExpression USE_INVOCATION_RESULT -type RESPONSE
bind cs vserver csv1_tcp -policyName pol2 -priority 100 -gotoPriorityExpression USE_INVOCATION_RESULT -type REQUEST
bind cr vserver crv1_tcp -policyName pol2 -priority 100 -gotoPriorityExpression USE_INVOCATION_RESULT -type REQUEST-

<!--NeedCopy-->

Commands or features not handled by the nspepi conversion tool

Following are some commands that are not handled as part of the auto conversion process.

  • Some bindings cannot be converted if there are certain interleaving of priorities between global and non-global bind points, between users and groups, and also among bindings to different entities. These have the affected configuration commented out and an error produced. Such configurations must be converted manually.
  • Both Classic and Advanced policies can be bound to cmp global. There are many cases where the functionality changes once Classic policies are converted to Advanced policies. We have converted commands that can be solved by commenting out some policies. Still there are some commands that cannot be converted. In such cases an error will be produced and conversion has to be done manually.
  • Not all uses of Classic built-in named expressions are converted to equivalent Advanced named expressions.
  • Client security expressions are not handled.
  • The “-precedence” option for content switching and cache redirection virtual servers is not handled.
  • Sure Connect (SC)
  • Priority Queuing (PQ)
  • HTTP Denial of Service (HDOS)
  • HTML Injection
  • Authentication
  • Authorization
  • VPN
  • Syslog
  • Nslog
  • File based Classic expressions are not handled.

Note:

For some features like Patclass/filter, the command syntax is changed. If there are cmd policies, then cmd policies might need to be changed depending on customer requirement.

Known Issues

The following errors can be produced by the nspepi tool:

  • If there is an issue when converting an expression.
  • If a named policy expression uses the -clientSecurityMessage parameter because this parameter is not supported in the Advanced policy expression.

Note:

All classic policy bindings with -state option disabled are commented out. The -state option is not available for Advanced policy bindings.

Running the nspepi tool

The following is a command line example for running the nspepi tool. This tool is run from the command line of the shell (you need to type the “shell” command to the NetScaler”CLI” to get to that). Either “-f” or”-e” must be specified to perform a conversion. Use of “-d” is intended for Citrix personnel to analyze for support purposes.

usage: nspepi [-h] (-e <classic policy expression> | -f <path to ns config file>)[-d] [-v] [-V

Convert classic policy expressions to advanced policy expressions and deprecated commands to non-deprecated
commands.

optional arguments:
-h, --help show this help message and exit
-e <classic policy expression>, --expression <classic policy expression>
convert classic policy expression to advanced policy
expression (maximum length of 8191 allowed)
-f <path to ns config file>, --infile <path to ns config file>
convert netscaler config file
-d, --debug log debug output
-v, --verbose show verbose output
-V, --version show program's version number and exit
<!--NeedCopy-->

Usage Examples:

  1. nspepi -e "req.tcp.destport == 80"
  2. nspepi -f ns.conf

Following are few examples of running the nspepi tool by using the CLI

Example output for –e parameter:

root@ns# nspepi -e "req.http.header foo == \"bar\""
"HTTP.REQ.HEADER(\"foo\").EQ(\"bar\")"
<!--NeedCopy-->

Example output for -f parameter:

root@ns# cat sample.conf
add cr vserver cr_vs HTTP -cacheType TRANSPARENT -cltTimeout 180 -originUSIP OFF
add cr policy cr_pol1 -rule ns_true
bind cr vserver cr_vs -policyName cr_pol1
<!--NeedCopy-->

Running nspepi with -f parameter:

nspepi -f sample.conf
<!--NeedCopy-->

Converted config is available in a new file new_sample.conf. Check the warn_sample.conf file for any warnings or errors that might have been generated.

Example output of -f parameter along with -v parameter

nspepi -f sample.conf -v
INFO - add cr vserver cr_vs HTTP -cacheType TRANSPARENT -cltTimeout 180 -originUSIP OFF
INFO - add cr policy cr_pol1 -rule TRUE -action ORIGIN
INFO - bind cr vserver cr_vs -policyName cr_pol1 -priority 100 -gotoPriorityExpression END -type REQUEST
<!--NeedCopy-->

Converted config is available in a new file new_sample.conf. Check the warn_sample.conf file for any warnings or errors that might have been generated.

Converted Config file:

root@ns# cat new_sample.conf
add cr vserver cr_vs HTTP -cacheType TRANSPARENT -cltTimeout 180 -originUSIP OFF
add cr policy cr_pol1 -rule TRUE -action ORIGIN
set cmp parameter -policyType ADVANCED
bind cr vserver cr_vs -policyName cr_pol1 -priority 100 -gotoPriorityExpression END -type REQUEST

<!--NeedCopy-->

Example output of a sample configuration with no errors or warnings:

nspepi -f sample_2.conf
<!--NeedCopy-->

Converted config is available in a new file new_sample_2.conf. Check the warn_sample_2.conf file for any warnings or errors that might have been generated.

Example output of a sample configuration with warnings:

root@ns# cat sample_2.conf
add policy expression security_expr "req.tcp.destport == 80" -clientSecurityMessage "Not allowed"
set cmp parameter -policyType CLASSIC
add cmp policy cmp_pol1 -rule ns_true -resAction COMPRESS
add cmp policy cmp_pol2 -rule ns_true -resAction COMPRESS
add cmp policy cmp_pol3 -rule TRUE -resAction COMPRESS
bind cmp global cmp_pol1
bind cmp global cmp_pol2 -state DISABLED
bind cmp global cmp_pol3 -priority 1 -gotoPriorityExpression END -type RES_DEFAULT
bind lb vserver lb_vs -policyName cmp_pol2
root@ns#
<!--NeedCopy-->

Example of running nspepi with -f parameter:

root@ns# nspepi -f sample_2.conf
ERROR - Error in converting expression security_expr : conversion of clientSecurityMessage based expression is not supported.
WARNING - Following bind command is commented out because state is disabled. Advanced expressions only have a fixed ordering of the types of bindings without interleaving, except that global bindings are allowed before all other bindings and after all bindings. If you have global bindings in the middle of non-global bindings or any other interleaving then you will need to reorder all your bindings for that feature and direction. Refer to nspepi documentation. If command is required please take a backup because comments will not be saved in ns.conf after triggering 'save ns config': bind cmp global cmp_pol2 -state DISABLED
Warning - Bindings of advanced CMP policies to cmp global are commented out, because initial global cmp parameter is classic but advanced policies are bound. Now global cmp parameter policy type is set to advanced. If commands are required please take a backup because comments will not be saved in ns.conf after triggering 'save ns config'. Advanced expressions only have a fixed ordering of the types of bindings without interleaving, except that global bindings are allowed before all other bindings and after all bindings. If you have global bindings in the middle of non-global bindings or any other interleaving then you will need to reorder all your bindings for that feature and direction. Refer to nspepi documentation.
root@ns#
<!--NeedCopy-->

Converted file:

root@ns# cat new_sample_2.conf  
add policy expression security_expr "req.tcp.destport == 80" -clientSecurityMessage "Not allowed"
set cmp parameter -policyType ADVANCED
add cmp policy cmp_pol1 -rule TRUE -resAction COMPRESS
add cmp policy cmp_pol2 -rule TRUE -resAction COMPRESS
add cmp policy cmp_pol3 -rule TRUE -resAction COMPRESS
#bind cmp global cmp_pol2 -state DISABLED
#bind cmp global cmp_pol3 -priority 1 -gotoPriorityExpression END -type RES_DEFAULT
bind cmp global cmp_pol1 -priority 100 -gotoPriorityExpression END -type RES_DEFAULT
bind lb vserver lb_vs -policyName cmp_pol2 -priority 100 -gotoPriorityExpression END -type RESPONSE
root@ns#
<!--NeedCopy-->

Warning file:

root@ns# cat warn_sample_2.conf
2019-02-28 06:20:10,590: ERROR - Error in converting expression security_expr : conversion of clientSecurityMessage based expression is not supported.
2019-02-28 06:20:12,187: WARNING - Following bind command is commented out because state is disabled. Advanced expressions only have a fixed ordering of the types of bindings without interleaving, except that global bindings are allowed before all other bindings and after all bindings. If you have global bindings in the middle of non-global bindings or any other interleaving then you will need to reorder all your bindings for that feature and direction. Refer to nspepi documentation. If command is required please take a backup because comments will not be saved in ns.conf after triggering 'save ns config': bind cmp global cmp_pol2 -state DISABLED
2019-02-28 06:20:12,191: WARNING - Bindings of advanced CMP policies to cmp global are commented out, because initial global cmp parameter is classic but advanced policies are bound. Now global cmp parameter policy type is set to advanced. If commands are required please take a backup because comments will not be saved in ns.conf after triggering 'save ns config'. Advanced expressions only have a fixed ordering of the types of bindings without interleaving, except that global bindings are allowed before all other bindings and after all bindings. If you have global bindings in the middle of non-global bindings or any other interleaving then you will need to reorder all your bindings for that feature and direction. Refer to nspepi documentation.
root@ns#
<!--NeedCopy-->

Binding Priorities

Advanced policies do not allow arbitrary interleaving by priority between global and non-global and between different binding types. If you rely on such interleaving of Classic policy priorities, you need to adjust the priorities to conform to the Advanced policy rules and to get the behavior you desire. Priorities in Advanced policies are local to a bind point. A bind point is a unique combination of protocol, feature, direction, and entity (entities are specific virtual servers, users, groups, services, and either global override or global default). Policy priorities are not followed across bind points.

For a given protocol, feature, and direction the order of evaluation of Advanced policies is given below:

  • Global override.
  • (Current) authentication, authorization, and auditing user.
  • Authentication, authorization, and auditing groups (that the user is a member of) in order of weight - ordering is undefined if two or more groups have the same weight.
  • LB virtual server that either the request was received on or that Content Switching selected.
  • Content switching virtual server, cache redirection virtual server that the request was received on.
  • Service selected by load balancing.
  • Global default.

For authorization policy evaluation, the order is:

  • Systems override.
  • Load balancing virtual server that either the request was received on or that CS selected.
  • Content switching virtual server that the request was received on.
  • System default.

Within each bind point, the policies are evaluated in order of priority from lowest numbered to highest numbered. Policies are only evaluated for the protocol used and the direction that the message was received from.

Classic policy bindings that require manual reprioritization

Here are some types of Classic policy bindings that require manual reprioritization to accomplish your needs. All these are for a given feature and the direction.

  • Classic priorities that increase in priority number opposite to the direction of the above entity type lists. For example a content switching virtual server binding lower than a load balancing virtual server binding.
  • Classic priorities that interleave authentication, authorization, and auditing groups. One part of one group is before some other group and yet another part is after part of that other group.
  • Classic priorities that increase in number other than the order of weights of authentication, authorization, and auditing groups.
  • Classic global priorities that are less than some non-global priority and the same global priorities are greater than some other non-global priority (in other words, any segment of priorities that are a non-global, followed by one or more globals, followed by a non-global).