Access Control Lists
An access control list (ACL) is a set of conditions that you can apply to a network appliance to filter IP traffic and secure your appliance from unauthorized access.
You can configure an ACL on your Citrix NetScaler SDX Management Service GUI to limit and control access to the appliance.
ACLs on SDX appliances are supported from release 12.0 57.19 onwards.
This topic includes the following sections:
- Usage Guidelines
- How to Configure an ACL
- Additional Actions for ACL Rules
Keep the following points in mind while creating ACLs on your appliance:
- When you upgrade the SDX appliance to release 12.0 57.19, the ACL feature is disabled by default.
- SDX administrators can control only inbound packets through ACL on the SDX appliance.
- If you use Citrix Application Delivery Management to manage your SDX appliance, you must create appropriate ACL rules to allow communication between MAS and SDX Management Service.
- Other configurations on the SDX appliance, such as provisioning or deleting VPXs, adding or deleting external servers, SNMP management, and so on, do not require any changes to the existing ACL configuration. Communication with these entities is taken care of by the Management Service.
How to Configure an ACL
Configuring an ACL involves the following steps:
- Enable the ACL feature
- Create an ACL rule
- Enable the ACL rule
You can create ACL rules without enabling the ACL feature. However, if the feature is not enabled, you cannot enable an ACL rule after you’ve created it.
To enable the ACL feature
1. Log on to the SDX Management Service GUI and navigate to Configuration > System > ACL.
2. By using the toggle button, turn on the ACL feature.
To create an ACL rule
1. On the ACL page, click Create Rule.
2. The Create Rule window opens. Add the details listed in the following table.
|Field|Description|
|---|---|
|Name|Add a name.|
|Protocol|Select a protocol from the menu. By default, TCP is selected. You can select ANY to allow all protocols.|
|Source IP Address/Subnet|Specify the source IP address or source subnet to which the rule applies. Select ANY if the rule needs to be applied to all incoming traffic.|
|Destination IP|The SDX Management Service IP address is autopopulated as the destination IP. This field cannot be edited.|
|Destination port|Specify the destination port to which the rule applies. Select ANY if the rule applies to all destination ports.|
|Action|Select the action for the rule, which is Allow or Deny.|
|Priority|Assign a priority to specify the order in which the rule is to be evaluated. Priority numbers determine the order in which ACL rules are matched against an incoming packet. A lower priority number has a higher priority. For example, priority number 1 has a higher priority than priority number 2. If none of the rules match the incoming packet, the packet is blocked.|
3. Click OK to create the rule.
Figure: An example of an ACL rule
After the rule is created, it is in the disabled state. To make the rule effective, you must enable the rule.
To enable a rule, the ACL feature must be enabled. If the feature is disabled and you attempt to enable an ACL rule, the message “ACL is not running” appears.
To enable an ACL rule
1. Hover your mouse over the rule that you want to enable and click the circle with three dots.
2. From the menu, select Enable.
3. Alternatively, select the radio button for that rule and click the Enable tab.
4. At the prompt, click Yes to confirm.
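Because unmatched packets are blocked and rules are matched in priority order, a planned rule set can be checked offline for lockout before any rule is enabled. The following Python is an added example, not Citrix code or a Management Service API: it models the fields of the Create Rule table and reports which required management flows would be blocked. It assumes that the first matching rule in priority order decides the action; the rule names, addresses, and ports 443 and 22 are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
ANY = "ANY"  # wildcard value offered in the Create Rule fields

@dataclass
class Rule:
    name: str
    protocol: str      # "TCP", "UDP", ... or ANY
    source: str        # source IP address, subnet in CIDR form, or ANY
    dest_port: object  # port number or ANY
    action: str        # "Allow" or "Deny"
    priority: int      # lower number is evaluated first
    enabled: bool = True  # a disabled rule does not apply to traffic

def matches(rule, protocol, src_ip, dest_port):
    if rule.protocol not in (ANY, protocol) or rule.dest_port not in (ANY, dest_port):
        return False
    if rule.source == ANY:
        return True
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.source, strict=False)

def evaluate(rules, protocol, src_ip, dest_port):
    """Return (action, rule name) for one inbound packet."""
    # Assumption: the first matching enabled rule in priority order decides.
    for rule in sorted((r for r in rules if r.enabled), key=lambda r: r.priority):
        if matches(rule, protocol, src_ip, dest_port):
            return rule.action, rule.name
    return "Deny", "(no rule matched)"  # unmatched packets are blocked

def lockout_check(rules, required):
    """Return the required flows that this rule set would block."""
    return [flow for flow in required if evaluate(rules, *flow)[0] != "Allow"]

# Constructed sample rule set and flows (documentation address ranges).
RULES = [
    Rule("deny-guest-net", ANY, "192.0.2.0/24", ANY, "Deny", 10),
    Rule("allow-admin-https", "TCP", "192.0.2.10", 443, "Allow", 20),
    Rule("allow-adm", "TCP", "198.51.100.5", 443, "Allow", 30),
    Rule("allow-ssh", "TCP", "203.0.113.0/24", 22, "Allow", 40, enabled=False),
]
REQUIRED = [
    ("TCP", "192.0.2.10", 443),    # admin workstation to the GUI (assumed port)
    ("TCP", "198.51.100.5", 443),  # management server to the Management Service
    ("TCP", "203.0.113.7", 22),    # jump host to SSH (assumed port)
]

if __name__ == "__main__":
    for flow in lockout_check(RULES, REQUIRED):
        print("would be blocked:", flow, "by", evaluate(RULES, *flow)[1])
```

In this sample the admin workstation is blocked because the broader Deny rule has the lower priority number, and the jump host is blocked because its Allow rule is still disabled.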
Additional Actions for ACL Rules
You can apply the following actions to ACL rules:
1. Disable an ACL rule
2. Edit an ACL rule
3. Delete an ACL rule
4. Renumber the priority of ACL rules
To disable an ACL rule
1. Hover the mouse over the rule that you want to disable and select the circle with three dots.
2. Click Disable from the list.
3. Alternatively, select the radio button for that rule and click the Disable tab.
4. Click Yes to confirm.
When you disable a rule, the rule no longer applies to incoming traffic; however, the rule configuration remains under ACL settings.
To edit an ACL rule
1. Hover the mouse over the rule that you want to edit and select the circle with three dots.
2. Click Edit Rule from the list. The Modify Rule window opens.
3. Alternatively, select the radio button for that rule and click the Edit Rule tab. The Modify Rule window opens.
4. Make the edits and click OK.
You can edit a rule in both enabled and disabled state. If you edit a rule that is already enabled, the edits get applied immediately. For a rule in disabled state, the edits get applied when you enable the rule.
To delete an ACL rule
1. Ensure that the rule is in disabled state.
2. Hover the mouse over the rule that you want to delete and select the circle with three dots. Click Delete Rule from the list.
3. Alternatively, select the radio button for that rule and click the Delete Rule tab.
4. Click Yes to confirm.
You cannot delete a rule in enabled state.
To renumber priorities of ACL rules
1. Hover the mouse over the rule that you want to renumber the priorities for and select the circle with three dots. Click Renumber Priority(s) from the list.
2. Alternatively, select the radio button for that rule and click the Select Action tab.
3. Select Renumber Priority(s).
4. The SDX Management Service automatically assigns new priority numbers, which are multiples of 10, to all the existing rules.
5. Edit the rules to assign priority numbers according to your requirement. See the “To edit an ACL rule” section for more information about how to edit a rule.
Figure. An example of existing priority numbers
Figure. An example of priority numbers in multiples of 10, after priorities are renumbered
If ACL rules are improperly set up, all user accounts can be denied access. If you inadvertently lose all network access to the SDX Management Service because of improper ACL setup, follow these steps to gain access.
1. Log on to the Citrix Hypervisor management IP address by using SSH and your “root” account.
2. Log on to the console of the Management Service VM by using nsroot privileges.
3. Run the command “pfctl -d”.
4. Log on to the Management Service through GUI and reconfigure the ACL accordingly.