Citrix ADC

Blocking Traffic on Internal Ports

By default, a Citrix ADC appliance does not block some types of internal traffic, even when ACL rules match that traffic.

The following table lists the internal traffic types that a Citrix ADC appliance does not block even using ACL rules:

Citrix ADC Setup     Protocol   Destination Port   Destination IP address
All                  TCP        3008–3011          NSIP or SNIP
All                  TCP        179                NSIP or SNIP
All                  UDP        520                NSIP or SNIP
High availability    UDP        3003               NSIP
High availability    TCP        4001               NSIP
High availability    TCP        22                 NSIP
Cluster              UDP        7000               NSIP

The appliance does not block the traffic types listed above because of the default setting of the global Layer-3 Implicit ACL Allow (implicitACLAllow) parameter.

To block the traffic types listed above with ACL rules, disable this parameter. An appliance in a high availability setup still makes an exception for its partner (primary or secondary) node: it does not block traffic from that node.

To disable or enable this parameter by using the CLI:

At the command prompt, type:

  • set l3param -implicitACLAllow [ENABLED | DISABLED]
  • sh l3param

Note: The parameter implicitACLAllow is enabled by default.

Example:

> set l3param -implicitACLAllow DISABLED
Done
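Because matching ACL rules are silently bypassed for this traffic while the parameter is enabled, it helps to check a planned ACL set against the table above before relying on it. The following Python check is an added example, not Citrix code; the AclRule fields, the "VIP" destination label, the deployment set and the sample rules are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Implicitly allowed traffic, taken from the table on this page:
# (setup, protocol, destination port range, destination address kinds)
IMPLICIT_ALLOW = [
    ("All", "TCP", (3008, 3011), {"NSIP", "SNIP"}),
    ("All", "TCP", (179, 179), {"NSIP", "SNIP"}),
    ("All", "UDP", (520, 520), {"NSIP", "SNIP"}),
    ("High availability", "UDP", (3003, 3003), {"NSIP"}),
    ("High availability", "TCP", (4001, 4001), {"NSIP"}),
    ("High availability", "TCP", (22, 22), {"NSIP"}),
    ("Cluster", "UDP", (7000, 7000), {"NSIP"}),
]


@dataclass
class AclRule:
    """Hypothetical, simplified view of a deny ACL rule (constructed for this example)."""
    name: str
    protocol: str              # "TCP" or "UDP"
    dest_port: int
    dest_kind: str             # "NSIP", "SNIP" or "VIP" (assumed label for the destination)
    src_is_ha_partner: bool = False   # source is the HA partner node


def implicit_allow_matches(rule, deployment):
    """Return the table rows that make `rule` ineffective while implicitACLAllow is ENABLED.
    `deployment` is the set of setups present, e.g. {"All", "High availability"}."""
    hits = []
    for setup, proto, (lo, hi), kinds in IMPLICIT_ALLOW:
        if setup not in deployment:
            continue
        if rule.protocol == proto and lo <= rule.dest_port <= hi and rule.dest_kind in kinds:
            hits.append((setup, proto, lo, hi))
    return hits


def ineffective_rules(rules, deployment, implicit_acl_allow=True):
    """Names of rules that will not block anything under the given parameter setting."""
    out = []
    for r in rules:
        # Traffic from the HA partner node is never blocked, even with the parameter DISABLED.
        if r.src_is_ha_partner and "High availability" in deployment:
            out.append(r.name)
        elif implicit_acl_allow and implicit_allow_matches(r, deployment):
            out.append(r.name)
    return out


if __name__ == "__main__":
    sample = [AclRule("deny_ssh_nsip", "TCP", 22, "NSIP"), AclRule("deny_3009_snip", "TCP", 3009, "SNIP")]
    print(ineffective_rules(sample, {"All", "High availability"}))
```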