ADC

Preconfiguration check tool

Note:

You can download the latest version of NSPEPI and preconfiguration check tool from public GitHub. For information on how to download the tools, see GitHub NEPEPI and GitHub preconfiguration. We recommend you to use the latest version of the tool for the most complete and up-to-date version.

The preconfiguration check tool is available from NetScaler release 12.1. You can use this tool to check if any invalid, removed, or deprecated functionality is still used in any feature configuration. The tool validates if the configuration file contains parameters or commands that are removed or deprecated from NetScaler release 13.1. The tool validates only the configuration files that are from a saved configuration, for example ns.conf.

If the validation result shows usage of removed or invalid commands, then you must first modify the configuration to the NetScaler recommended alternative before upgrading your appliance.

The tool also checks for classic policy expressions in feature configurations that no longer support classic expressions. You can use the nspepi tool to convert the classic configuration to the advanced configuration. After the successful run, the tool generates two files, one for the invalid commands and one for the deprecated parameters or commands. The file with invalid commands has the same name as the input file but with the prefix “issues_”. The file with the deprecated commands, has the “deprecated_” prefix.

The tool validates the following:

  1. Classic policy expressions in Content Switching, Cache Redirection, AppFW, SSL, and CMP features.
  2. Filter feature (also known as Content Filtering) - actions, policies, and binding.
  3. SPDY in HTTP profile, sure connect (SC), priority queuing (PQ), HTTP Denial of Service (DoS), and HTML Injection features.
  4. Classic expressions in load balancing persistence rules.
  5. “Pattern” and “bypassSafetyCheck” parameters in Rewrite actions.
  6. “patclass” configuration entity.
  7. “HTTP.REQ.BODY” with no argument in Advanced expressions.
  8. Q and S prefixes in Advanced expressions.
  9. “PolicyType” parameter for the cmp parameter setting.
  10. Deprecated commands and parameters.

Run preconfiguration check tool in UNIX Shell

At the command prompt, type:

check_invalid_config <config_file> -buildVersion <build version>
<!--NeedCopy-->

In the command syntax,

  • <config file> refers to the NetScaler configuration file. The file must be from a saved configuration such as ns.conf.
  • <build version> refers to the build for which you want to know the deprecated and removed commands. If the build version is not specified, then by default, the tool detects the deprecated and removed commands for NetScaler release 13.1.

Example:

root@ns# check_invalid_config /nsconfig/ns.conf 13.1

Run the preconfiguration check tool by using the GUI

You can run the preconfiguration check tool as part of the upgrade process using the GUI. To run the tool, perform the following steps:

  1. In a web browser, type the IP address of the NetScaler and login using the user name and password.
  2. Navigate to System > Upgrade.
  3. On the System Upgrade page, select the Enable NSPEPI Tool checkbox.
  4. Click Upgrade.

Sample output with invalid commands

The following is a sample output of the configuration file having invalid commands:

root@ns# check_invalid_config sample_conf_1.conf

The following configuration lines will get errors in 13.1 and both they and dependent configuration will be removed from the configuration:
add cmp policy cmp_pol -rule ns_true -resAction GZIP
add cs policy cs_pol_2 -rule ns_true
add cs policy cs_pol_3 -domain www.abc.com
add cs policy cs_pol_4 -url "/abc"
add rewrite action act_1 replace_all "http.req.body(1000)" http.req.url -pattern abcd
add rewrite action act_123 replace_all http.req.url "\"aaaa\"" -pattern abcd
add responder action ract respondwith "Q.URL + Q.HEADER(\"abcd\")"
add appfw policy aff_pol_1 "http.req.body.length.gt(10)" APPFW_BYPASS
add appfw policy aff_pol ns_true APPFW_BYPASS

The nspepi upgrade tool can be useful in converting your configuration - see the documentation at https://docs.citrix.com/en-us/citrix-adc/current-release/appexpert/policies-and-expressions/introduction-to-policies-and-exp/converting-policy-expressions-nspepi-tool.html.

NOTE: the nspepi tool doesn't convert the following configurations:
        1. SureConnect commands
        2. PriorityQueuing commands
        3. HTTP Denial of Service Protection commands
        4. Classic SSL commands
        5. HTMLInjection commands.

NOTE: No deprecated commands detected in the configuration.

<!--NeedCopy-->

If you get the preceding errors, you can use the nspepi upgrade tool to convert the configuration or manually convert the configuration. For more information, see nspepi tool.

Note:

You can run the nspepi tool only on NetScaler version 12.1, 13.0 and later versions.

Sample output with invalid and deprecated commands

The following is a sample output of the configuration file having both invalid and deprecated commands:

root@ns# check_invalid_config sample_conf_2.conf

The following configuration lines will get errors in 13.1 and both they and dependent configuration will be removed from the configuration:
add cmp policy cmp_pol -rule ns_true -resAction GZIP
add cs policy cs_pol_2 -rule ns_true
add cs policy cs_pol_3 -domain www.abc.com
add cs policy cs_pol_4 -url "/abc"
add rewrite action act_1 replace_all "http.req.body(1000)" http.req.url -pattern abcd
add rewrite action act_123 replace_all http.req.url "\"aaaa\"" -pattern abcd
add responder action ract respondwith "Q.URL + Q.HEADER(\"abcd\")"
add appfw policy aff_pol_1 "http.req.body.length.gt(10)" APPFW_BYPASS
add appfw policy aff_pol ns_true APPFW_BYPASS

The nspepi upgrade tool can be useful in converting your configuration - see the documentation at https://docs.citrix.com/en-us/citrix-adc/current-release/appexpert/policies-and-expressions/introduction-to-policies-and-exp/converting-policy-expressions-nspepi-tool.html.

NOTE: the nspepi tool doesn't convert the following configurations:
        1. SureConnect commands
        2. PriorityQueuing commands
        3. HTTP Denial of Service Protection commands
        4. Classic SSL commands
        5. HTMLInjection commands.

NOTE: some deprecated commands have also been detected in the config file, please check ./deprecated_sample_conf_2.conf file for the deprecated commands.
<!--NeedCopy-->

Sample output with no invalid commands but with deprecated commands

The following is a sample output of the configuration having deprecated commands but no invalid commands:

root@ns# check_invalid_config sample_conf_3.conf

The following configuration lines have been deprecated in 13.1 and will be removed in future releases:
[add authentication localPolicy lpol ns_true] command has been deprecated, please use the advanced authentication policy command
[add authentication certPolicy auth_pol_1 ns_true auth_act] command has been deprecated, please use the advanced authentication policy command
[add authentication negotiatePolicy auth_pol_2 ns_true auth_act] command has been deprecated, please use the advanced authentication policy command
[add authentication tacacsPolicy auth_pol_3 ns_true auth_act] command has been deprecated, please use the advanced authentication policy command
[add authentication samlPolicy auth_pol_4 ns_true auth_act] command has been deprecated, please use the advanced authentication policy command
[add authentication radiusPolicy auth_pol_5 ns_true auth_act] command has been deprecated, please use the advanced authentication policy command
[add authentication ldapPolicy auth_pol_6 ns_true auth_act] command has been deprecated, please use the advanced authentication policy command
[add authentication webAuthPolicy auth_pol_1 -rule ns_true -action auth_act] command has been deprecated, please use the advanced authentication policy command
[add authentication dfaPolicy auth_pol_1 -rule ns_true -action auth_act] command has been deprecated, please use the advanced authentication policy command

For the complete deprecated commands, please see the output of ./deprecated_sample_conf_3.conf file.

No invalid config detected with the configuration.

<!--NeedCopy-->

Sample output without validation errors and warnings

The following is a sample output of the configuration file having no invalid, removed, or deprecated commands:

root@ns# check_invalid_config /var/tmp/new_ns.conf  
No invalid or deprecated config detected with the configuration.
<!--NeedCopy-->