Citrix ADC

Blocking Traffic on Internal Ports

The Citrix ADC appliance does not block traffic that matches an ACL rule if the traffic is destined to the appliance’s NSIP address, or one of its SNIP addresses, and a port in the 3008-3011 range.

This behavior is now specified by the default setting of the new Implicit ACL Allow (implicitACLAllow) parameter (of the L3 param command). You can disable this parameter if you want to block traffic to ports in the 3008-3011 range. An appliance in a high availability configuration makes an exception for its partner (primary or secondary) node. It does not block traffic from that node.

To disable or enable this parameter by using the CLI:

At the command prompt, type:

  • set l3param -implicitACLAllow [ENABLED DISABLED]
  • sh l3param

Note: The parameter implicitACLAllow is enabled by default.


> set l3param -implicitACLAllow DISABLED
Blocking Traffic on Internal Ports