Product Documentation

Using Operators and Operands in Policy Expressions

May 15, 2013

An operator is a symbol that identifies the operation—mathematical, Boolean, or relational, for example—that manipulates one or more objects, or operands. The first section in this topic defines the operators you can use. The second section lists the operators you can use with specific qualifiers, such as Method, URL and Query, together with the operands each one takes.

Operators and Definitions

This section defines the operators that you can use when creating a policy expression and provides a description of the operator.

==, !=, EQ, NEQ

These operators test for exact matches. They are case-sensitive ("cmd.exe" is NOT EQUAL to "cMd.exe"). These operators are useful for creating permissions that allow only strings matching an exact syntax and exclude all other strings.

GT

This operator is used for numerical comparisons; it is applied to the length of URLs and query strings.

CONTAINS, NOTCONTAINS

These operators perform checks against the specified qualifier to determine if the specified string is contained in the qualifier. These operators are not case-sensitive.

EXISTS, NOTEXISTS

These operators check for the existence of a particular qualifier. For example, they can be applied to HTTP headers to determine whether a particular HTTP header exists, or whether the URL query exists.

CONTENTS

This operator checks if the qualifier exists and if it has contents (that is, whether or not a header exists and has a value associated with it, no matter what the value).

Qualifiers, Operators, Operands, Actions, and Examples

This section shows the parameters you can use for operators and operands. Each item starts with the qualifier and then lists the associated operator and operand, describes the action that the expression will carry out, and provides an example.

Method
Operator: EQ, NEQ
Operands: Required: Standard HTTP method. Supported methods: GET, HEAD, POST, PUT, DELETE, OPTIONS, TRACE, CONNECT
Actions: Compares the incoming request method against the configured method.
Example: Method EQ GET

URL

Operator: EQ, NEQ
Operands: Required: URL (Format: /[prefix][*][.suffix])
Actions: Verifies the incoming URL with the configured URL.
Examples:
  • URL EQ /foo*.asp
  • URL EQ /foo*
  • URL EQ /*.asp
  • URL EQ /foo.asp

Operator: CONTAINS, NOTCONTAINS
Operands: Required: Any string (in quotes)
Actions: Verifies the incoming URL for the presence of the configured pattern. (Includes URL and URL query.)
Example: URL CONTAINS 'ZZZ'

URL LEN
Operator: GT
Operands: Required: Length (as an integer value)
Actions: Compares the incoming URL length with the configured length. (Includes URL and URL query.)
Example: URLLEN GT 60

URL QUERY
Operator: CONTAINS, NOTCONTAINS
Operands: Required: Any string (in quotes).

Optional: Length and offset

Actions: Verifies the incoming URL query for the presence of the configured pattern. Used similarly to CONTENTS. If no option is specified, the whole URL query after the pattern is used. If options are present, only the length of the query after the pattern is used. The offset is used to indicate from where to start the search for the pattern.
Example: URLQUERY CONTAINS 'ZZZ'

URL QUERY LEN
Operator: GT
Operands: Required: Length (as an integer value)
Actions: Compares the incoming URL query length with the configured length.
Example: URLQUERYLEN GT 60

URL TOKENS
Operator: EQ, NEQ
Operands: Required: URL tokens (supported URL tokens: =, +, %, !, &, ?).
Actions: Checks the incoming URL for the presence of the configured tokens. A backslash (\) must be entered in front of the question mark.
Example: URLTOKENS EQ '%, +, &, \?'

VERSION
Operator: EQ, NEQ
Operands: Required: Standard HTTP version. Valid HTTP version strings: HTTP/1.0, HTTP/1.1
Actions: Compares the incoming request's HTTP version with the configured HTTP version.
Example: VERSION EQ HTTP/1.1

Header

Operator: EXISTS, NOTEXISTS
Operands: None
Actions: Examines the incoming request for the presence of the HTTP header.
Example: Header Cookie EXISTS
Operator: CONTAINS, NOTCONTAINS
Operands: Required: Any string (in quotes).

Optional: Length and offset

Actions: Verifies the incoming request for the presence of a configured pattern in the specific header. Used similarly to CONTENTS. If no option is specified, the whole HTTP header value after the pattern is used. If options are present, only the length of the header after the pattern is used. The offset is used to indicate from where to start the search for the pattern.
Example: Header Cookie CONTAINS "&sid"
Operator: CONTENTS
Operands: Optional: Length and offset
Actions: Uses the contents of the HTTP header. If no option is specified, the whole HTTP header value is used. If options are present, only the length of the header starting from the offset is used.
Example: Header User-Agent CONTENTS

SOURCEIP
Operator: EQ, NEQ
Operands: Required: IP address

Optional: Subnet mask

Actions: Verifies the source IP address in the incoming request against the configured IP address. If the optional subnet mask is specified, the incoming request is verified against the configured IP address and subnet mask.
Example: Sourceip EQ 192.168.100.0 -netmask 255.255.255.0

DESTIP
Operator: EQ, NEQ
Operands: Required: IP address

Optional: Subnet mask

Actions: Verifies the destination IP address in the incoming request against the configured IP address. If the optional subnet mask is specified, the incoming request is verified against the configured IP address and subnet mask.
Example: Destip EQ 192.168.100.0 -netmask 255.255.255.0

SOURCEPORT
Operator: EQ, NEQ
Operands: Required: Port number

Optional: Port range

Actions: Verifies the source port number in the incoming request against the configured port number.
Example: SOURCEPORT EQ 10-20

DESTPORT
Operator: EQ, NEQ
Operands: Required: Port number

Optional: Port range

Actions: Verifies the destination port number in the incoming request against the configured port number.
Example: DESTPORT NEQ 80

CLIENT.SSL.VERSION
Operator: EQ, NEQ
Operands: Required: SSL version
Actions: Checks the SSL or TLS protocol version used in the secure connection.
Example: CLIENT.SSL.VERSION EQ SSLV3

CLIENT.CIPHER.TYPE
Operator: EQ, NEQ
Operands: Required: Client cipher type
Actions: Checks for the type of the cipher being used (export or non-export).
Example: CLIENT.CIPHER.TYPE EQ EXPORT

CLIENT.CIPHER.BITS
Operator: EQ, NEQ, GE, LE, GT, LT
Operands: Required: Client cipher bits
Actions: Checks for the key strength of the cipher being used.
Example: CLIENT.CIPHER.BITS GE 40

CLIENT.CERT
Operator: EXISTS, NOTEXISTS
Operands: none
Actions: Checks whether or not the client sent a valid certificate during the SSL handshake.
Example: CLIENT.CERT EXISTS

CLIENT.CERT.VERSION
Operator: EQ, NEQ, GE, LE, GT, LT
Operands: Required: Client certificate version
Actions: Checks the version of the client certificate.
Example: CLIENT.CERT.VERSION EQ 2

CLIENT.CERT.SERIALNUMBER
Operator: EQ, NEQ
Operands: Required: Client certificate serial number
Actions: Checks the serial number of the client certificate. The serial number is treated as a string.
Example: CLIENT.CERT.SERIALNUMBER EQ 2343323

CLIENT.CERT.SIGALGO
Operator: EQ, NEQ
Operands: Required: Client certificate signature algorithm.
Actions: Checks the signature algorithm used in the client certificate.
Example: CLIENT.CERT.SIGALGO EQ md5WithRSAEncryption

CLIENT.CERT.SUBJECT
Operator: CONTAINS, NOTCONTAINS
Operands: Required: Client certificate subject

Optional: Length, offset

Actions: Checks the subject field of the client certificate.
Example: CLIENT.CERT.SUBJECT CONTAINS CN=Access_Gateway

CLIENT.CERT.ISSUER
Operator: CONTAINS, NOTCONTAINS
Operands: Required: Client certificate issuer

Optional: Length, offset

Actions: Checks the issuer field of the client certificate.
Example: CLIENT.CERT.ISSUER CONTAINS O=VeriSign

CLIENT.CERT.VALIDFROM
Operator: EQ, NEQ, GE, LE, GT, LT
Operands: Required: Date
Actions: Checks the date from which the client certificate is valid.

Valid date formats are:
  • Tue, 05 Nov 1994 08:12:31 GMT
  • Tuesday, 05-Nov-94 08:12:31 GMT
  • Tue Nov 14 08:12:31 1994

Example: CLIENT.CERT.VALIDFROM GE 'Tue Nov 14 08:12:31 1994'

CLIENT.CERT.VALIDTO
Operator: EQ, NEQ, GE, LE, GT, LT
Operands: Required: Date
Actions: Checks the date until which the client certificate is valid.

Valid date formats are:
  • Tue, 05 Nov 1994 08:12:31 GMT
  • Tuesday, 05-Nov-94 08:12:31 GMT
  • Tue Nov 14 08:12:31 1994

Example: CLIENT.CERT.VALIDTO GE 'Tue Nov 14 08:12:31 1994'
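The following Python evaluator is an added illustration, not code from this documentation or from the product: it applies the operator semantics defined above (EQ/NEQ exact and case-sensitive, CONTAINS/NOTCONTAINS case-insensitive, URL and URLLEN including the query, EXISTS versus CONTENTS on headers) to a constructed request. The request shape, the tokenised expression grammar and the handling of the -netmask option are assumptions modelled on the examples on this page.

```python
import ipaddress

# Constructed request, modelled on the qualifiers this page lists (not captured traffic).
REQUEST = {
    "method": "GET",
    "url": "/foo/login.asp?user=bob&sid=ZZZ12",   # URL and URLLEN include the query
    "headers": {"Cookie": "lang=en&sid=abc", "User-Agent": "curl/7.1"},
    "sourceip": "192.168.100.77",
}

def url_eq(path: str, pattern: str) -> bool:
    """URL EQ in the page's /[prefix][*][.suffix] form: one '*' wildcard, case-sensitive."""
    if "*" not in pattern:
        return path == pattern
    prefix, suffix = pattern.split("*", 1)
    return (path.startswith(prefix) and path.endswith(suffix)
            and len(path) >= len(prefix) + len(suffix))

def evaluate(expr: str, req: dict) -> bool:
    """Evaluate one expression, e.g. `Header Cookie CONTAINS "&sid"` or `URLLEN GT 60`.
    Assumed grammar: whitespace-separated tokens, quotes around the operand optional."""
    toks = expr.split()
    qual = toks[0].upper()
    if qual == "HEADER":                          # Header <name> <operator> [operand]
        name, op, rest = toks[1], toks[2].upper(), toks[3:]
        value = req["headers"].get(name)          # None when the header is absent
        if op in ("EXISTS", "NOTEXISTS"):
            return (value is not None) == (op == "EXISTS")
        if op == "CONTENTS":                      # header present *and* carrying a value
            return bool(value)
        subject = value or ""
    else:                                         # <qualifier> <operator> <operand>
        op, rest = toks[1].upper(), toks[2:]
        subject = {"METHOD": req["method"], "URL": req["url"],
                   "URLLEN": str(len(req["url"])), "SOURCEIP": req["sourceip"]}[qual]
    operand = " ".join(rest).strip("'\"")
    if op in ("CONTAINS", "NOTCONTAINS"):         # substring test, case-insensitive
        return (operand.lower() in subject.lower()) == (op == "CONTAINS")
    if op == "GT":                                # numeric, used with the length qualifiers
        return int(subject) > int(operand)
    if qual == "SOURCEIP":                        # SOURCEIP EQ <ip> [-netmask <mask>]
        ip, *mask = operand.split()
        net = ipaddress.ip_network(f"{ip}/{mask[1]}" if mask else ip, strict=False)
        hit = ipaddress.ip_address(subject) in net
    elif qual == "URL":
        hit = url_eq(subject.split("?", 1)[0], operand)   # wildcard applies to the path
    else:
        hit = subject == operand                  # EQ/NEQ are exact and case-sensitive
    return hit == (op in ("EQ", "=="))            # NEQ / != invert the result
```

Note that `URL CONTAINS 'zzz'` matches this request through the query string while `Method EQ get` does not match, which is the case-sensitivity difference the operator definitions call out.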