Product Documentation

Access Control Lists

Feb 27, 2018

An access control list (ACL) is a set of conditions that you can apply to a network appliance to filter IP traffic and secure your appliance from unauthorized access.

You can configure an ACL on your SDX Management Service GUI to limit and control access to the appliance.

Note

ACLs on NetScaler SDX appliances are supported from release 12.0 57.19 onwards.

This topic includes the following sections:

  • Usage Guidelines
  • How to Configure ACLs
  • Additional Actions for ACL Rules
  • Troubleshooting

Usage Guidelines

Keep the following points in mind while creating ACLs on your appliance:

  • When you upgrade the NetScaler SDX appliance to release 12.0 57.19, the ACL feature is disabled by default.
  • SDX administrators can control only inbound packets through ACL on the SDX appliance.
  • If you use NetScaler Management and Analytics System (MAS) to manage your SDX appliance, you must create appropriate ACL rules to allow communication between MAS and SDX Management Service.
  • For any other configurations on the SDX appliance such as provisioning or deleting VPXs, adding/deleting external servers, SNMP management, and so on, do not require any changes in the existing ACL configuration. Communication with these entities are taken care of by the Management Service.

How to Configure an ACL

Configuring an ACL involves the following steps:

  • Enable the ACL feature
  • Create an ACL rule
  • Enable the ACL rule

Note

You can create ACL rules without enabling the ACL feature. However, if the feature is not enabled, you cannot enable an ACL rule after you’ve created it.

To enable the ACL feature

1. To enable the ACL feature, log on to the SDX Management Service GUI and navigate to Configuration > System > ACL

2. By using the toggle button, turn on the ACL feature.

localized image

To create an ACL rule

1. On the ACL page, click Create Rule.

2. The Create Rule window opens. Add the details listed in the following table.

Property Description

Name

Add a name.

Protocol

Select a protocol from the menu. By default, TCP is selected. You can select ANY to allow all protocols. 

Source IP Address/Subnet

Specify the source IP address or source subnet to which the rule applies. Select ANY if the rule needs to be applied to all incoming traffic. 

Destination IP

The SDX Management Service IP address is autopopulated as the destination IP. This field cannot be edited.

Destination port

Specify the destination port to which the rule applies. Select ANY if the rule applies to all destination ports.

Action

Select the action for rule, which is Allow or Deny.

Priority

Assign priority to specify the order in which the rule is to be evaluated. 

Priority numbers determine the order in which ACL rules are matched against an incoming packet. A lower priority number has a higher priority. For example, priority number 1 has a higher priority than priority number 2. If none of the rules match with the incoming packet, then the packet is blocked.

 

3. Click OK to create the rule.

Figure: An example of an ACL rule

localized image

After the rule is created, it is in disabled state. To make the rule effective, you must enable the rule. 

Note

To enable a rule, the ACL feature should be enabled. If the feature is disabled, and you attempt to enable an ACL rule, a message "ACL is not running" appears. 

To enable an ACL rule

1. Hover your mouse over the rule that you want to enable and click the circle with three dots. 

2. From the menu, select Enable.

3. Alternatively, select the radio button for that rule and click the Enable tab.

4. At the prompt, click Yes to confirm.

Additional Actions for ACL Rules

You can apply the following actions to ACL rules:

1. Disable an ACL rule

2. Edit an ACL rule

3. Delete an ACL rule

4. Renumber the priority of ACL rules

To disable an ACL rule

1. Hover the mouse over the rule that you want to disable and select the circle with three dots.

2. Click Disable from the list.

3. Alternatively, select the radio button for that rule and click the Disable tab.

4. Click Yes to confirm.

Note

When you disable a rule, the rule no longer applies to incoming traffic; however, the rule configuration remains under ACL settings.

To edit an ACL rule

1. Hover the mouse over the rule that you want to edit and select the circle with three dots.

2. Click Edit Rule from the list. The Modify Rule window opens.

3. Alternatively, select the radio button for that rule and click the Edit Rule tab. The Modify Rule window opens

4. Make the edits and click OK.

Note

You can edit a rule in both enabled and disabled state. If you edit a rule that is already enabled, the edits get applied immediately. For a rule in disabled state, the edits get applied when you enable the rule.

To delete an ACL rule

1. Ensure that the rule is in disabled state. 

2. Hover the mouse over the rule that you want to delete and select the circle with three dots. Click Delete Rule from the list.

3. Alternatively, select the radio button for that rule and click the Delete Rule tab. 

4. Click Yes to confirm.

Note

You cannot delete a rule in enabled state.

To renumber priorities of ACL rules

1. Hover the mouse over the rule that you want to renumber the priorities for and select the circle with three dots. Click Renumber Priority(s) from the list.

2. Alternatively, select the radio button for that rule and click the Select Action tab. 

3. Select Renumber Priority(s).

4. The SDX Management Service automatically assigns new priority numbers, which are multiples of 10, to all the existing rules.

5. Edit the rules to assign priority numbers according to your requirement. See the "To edit an ACL rule" section for more information about how to edit a rule.

Figure. An example of existing priority numbers

localized image

Figure. An example of priority numbers in multiples of 10, after priorities are renumbered

localized image

Troubleshooting

If ACL rules are improperly set up, all user accounts can be denied access. If you inadvertently lose all network access to the SDX Management Service because of improper ACL setup, follow these steps to gain access.

1. Log on to the XenServer management IP address by using SSH and your “root” account.

2. Log on to the console of the Management Service VM by using nsroot privileges.

3. Run the command "pfctl –d".

4. Log on to the Management Service through GUI and reconfigure the ACL accordingly.