- Creating Simple and Compound Expressions
- Adding Custom Expressions
- Using Operators and Operands in Policy Expressions
Using Operators and Operands in Policy Expressions
May 15, 2013
An operator is a symbol that identifies the operation—mathematical, Boolean, or relational, for example—that manipulates one or more objects, or operands. The first section in this topic defines the operators you can use and provides a definition. The second section lists the operators you can use with specific qualifiers, such as method, URL and query.
Operators and Definitions
This section defines the operators that you can use when creating a policy expression and provides a description of the operator.
- ==, !=, EQ, NEQ
-
These operators test for exact matches. They are case-sensitive (‘‘cmd.exe’’ is NOT EQUAL to ‘‘cMd.exe’’). These operators are useful for creating permissions to allow particular strings that meet an exact syntax, but to exclude other strings.
- GT
-
This operator is used for numerical comparisons; it is used on the length of the URLs and query strings.
- CONTAINS, NOTCONTAINS
-
These operators perform checks against the specified qualifier to determine if the specified string is contained in the qualifier. These operators are not case-sensitive.
- EXISTS, NOTEXISTS
-
These operators check for the existence of particular qualifier. For example, these operators can be applied to HTTP headers to determine if a particular HTTP header exists or if the URL Query exists.
- CONTENTS
-
This operator checks if the qualifier exists and if it has contents (that is, whether or not a header exists and has a value associated with it, no matter what the value).
Qualifiers, Operators, Operands, Actions, and Examples
This section shows the parameters you can use for operators and operands. Each item starts with the qualifier and then lists the associated operator and operand, describes the action that the expression will carry out, and provides an example.
- Method
- Operator: EQ, NEQ
- Operands:
Required:
- Standard HTTP methods
- Supported methods
- GET, HEAD, POST, PUT, DELETE OPTIONS, TRACE, CONNECT
- Actions: Verifies the incoming request method to the configured method.
- Example: Method EQ GET
URL
- Operator: EQ, NEQ
- Operands: Required: URL (Format: /[prefix][*][.suffix])
- Actions: Verifies the incoming URL with the configured URL.
- Example:
URL EQ / foo*.asp
URL EQ /foo*
URL EQ /*.asp
URL EQ /foo.asp
- Operator: CONTAINS, NOTCONTAINS
- Operands: Required: Any string (in quotes)
- Actions: Verifies the incoming URL for the presence of the configured pattern. (Includes URL and URL query.)
- Example: URL CONTAINS 'ZZZ'
- URL LEN
- Operator: GT
- Operands: Required: Length (as an integer value)
- Actions: Compares the incoming URL length with the configured length. (Includes URL and URL query.)
- Example: URLLEN GT 60
- URL QUERY
- Operator: CONTAINS, NOTCONTAINS
- Operands:
Required: Any string (in quotes).
Optional: Length and offset
- Actions:
Verifies the incoming URL query for the presence of the configured pattern.
Used similarly to CONTENTS.
If no option is specified, the whole URL query after the pattern is used.
If options are present, only the length of the query after the pattern is used.
The offset is used to indicate from where to start the search for the pattern.
- Example: URLQUERY CONTAINS 'ZZZ'
- URL QUERY LEN
- Operator: GT
- Operands: Required: Length (as an integer value)
- Actions: Compares the incoming URL query length with the configured length.
- Example: URLQUERYLN GT 60
- URL TOKENS
- Operator: EQ, NEQ
- Operands: Required: URL tokens (Supported URL tokens =, +, %, !, &, ?).
- Actions: Compares the incoming URL for the presence of configured tokens. A backward slash (\) must be entered in front of the question mark.
- Example: URLTOKENS EQ '% , +, &, \?'
- VERSION
- Operator: EQ, NEQ
- Operands: Required: Standard HTTP versions. Valid HTTP version strings HTTP/1.0, HTTP/1.1
- Actions: Compares the incoming request's HTTP version with the configured HTTP version.
- Example: VERSION EQ HTTP/1.1
Header
- Operator: EXISTS, NOTEXISTS
- Operands: None
- Actions: Examines the incoming request for the presence of the HTTP header.
- Example: Header Cookie EXISTS
- Operator: CONTAINS, NOTCONTAINS
- Operands:
Required: Any string (in quotes).
Optional: Length and offset
- Actions: Verifies the incoming request for the presence of a configured pattern in the specific header. Used similarly to CONTENTS. If no option is specified, the whole HTTP header value after the pattern is used. If options are present, only the length of the header after the pattern is used. The offset is used to indicate from where to start the search for the pattern.
- Example: Header Cookie CONTAINS "&sid"
- Operator: CONTENTS
- Operands: Optional: Length and offset
- Actions: Uses the contents of the HTTP header. If no option is specified, the whole HTTP header value is used. If options are present, only the length of the header starting from the offset is used.
- Example: Header User-Agent CONTENTS
- SOURCEIP
- Operator: EQ, NEQ
- Operands:
Required: IP address
Optional: Subnet mask
- Actions: Verifies the source IP address in the incoming request against the configured IP address. If the optional subnet mask is specified, the incoming request is verified against the configured IP address and subnet mask.
- Example: Sourceip EQ 192.168.100.0 -netmask 255.255.255.0
- DESTIP
- Operator: EQ, NEQ
- Operands:
Required: IP address
Optional: Subnet mask
- Actions: Verifies the destination IP address in the incoming request against the configured IP address. If the optional subnet mask is specified, the incoming request is verified against the configured IP address and subnet mask.
- Example: Sourceip EQ 192.168.100.0 -netmask 255.255.255.0
- SOURCEPORT
- Operator: EQ, NEQ
- Operands:
Required: Port number
Optional: Port range
- Actions: Verifies the source port number in the incoming request against the configured port number.
- Example: SOURCEPORT EQ 10-20
- DESTPORT
- Operator: EQ, NEQ
- Operands:
Required: Port number
Optional: Port range
- Actions: Verifies the destination port number in the incoming request against the configured port number.
- Example: DESTPORT NEQ 80
- CLIENT.SSL.VERSION
- Operator: EQ, NEQ
- Operands: Required: SSL version
- Actions: Checks the version of the SSL or TLS version used in the secure connection.
- Example: CLIENT.SSL.VERSION EQ SSLV3
- CLIENT.CIPHER.TYPE
- Operator: EQ, NEQ
- Operands: Required: Client cipher type
- Actions: Checks for the type of the cipher being used (export or non-export).
- Example: CLIENT.CIPHER.TYPE EQ EXPORT
- CLIENT.CIPHER.BITS
- Operator: EQ, NEQ, GE, LE, GT, LT
- Operands: Required: Client cipher bits
- Actions: Checks for the key strength of the cipher being used.
- Example: CLIENT.CIPHER.BITS GE 40
- CLIENT.CERT
- Operator: EXISTS, NOTEXISTS
- Operands: none
- Actions: Checks whether or not the client sent a valid certificate during the SSL handshake.
- Example: CLIENT.CERT EXISTS
- CLIENT.CERT.VERSION
- Operator: EQ, NEQ, GE, LE, GT, LT
- Operands: Client certificate version
- Actions: Checks the version of the client certificate.
- Example: CLIENT.CERT.VERSION EQ 2
- CLIENT.CERT.SERIALNUMBER
- Operator: EQ, NEQ
- Operands: Required: Client certificate serial number
- Actions: Checks the serial number of the client certificate. The serial number is treated as a string.
- Example: CLIENT.CERT.SER IALNUMBER EQ 2343323
- CLIENT.CERT.SIGALGO
- Operator: EQ, NEQ
- Operands: Required: Client certificate signature algorithm.
- Actions: Checks the signature algorithm used in the client certificate.
- Example: CLIENT.CERT.SIGALGO EQ md5WithRSAEncryption
- CLIENT.CERT.SUBJECT
- Operator: CONTAINS, NOTCONTAINS
- Operands:
Required: Client certificate subject
Optional: Length, offset
- Actions: Checks the subject field of the client certificate.
- Example: CLIENT.CERT.SUBJECT CONTAINS CN= Access_Gateway
- CLIENT.CERT.ISSUER
- Operator: CONTAINS, NOTCONTAINS
- Operands:
Required: Client certificate issuer
Optional: Length, offset
- Actions: Checks the issuer field of the client certificate.
- Example: CLIENT.CERT.ISSUER CONTAINS O=VeriSign
- CLIENT.CERT.VALIDFROM
- Operator: EQ, NEQ, GE, LE, GT, LT
- Operands: Required: Date
- Actions:
Checks the date from which the client certificate is valid.
Valid date formats are:
Tue, 05 Nov 1994 08:12:31 GMT
Tuesday, 05-Nov-94 08:12:31 GMT
Tue Nov 14 08:12:31 1994
- Example: CLIENT.CERT.VALIDFROM GE 'Tue Nov 14 08:12:31 1994'
- CLIENT.CERT.VALIDTO
- Operator: EQ, NEQ, GE, LE, GT, LT
- Operands: Required: Date
- Actions:
Checks the date until which the client certificate is valid.
Valid date formats are:
Tue, 05 Nov 1994 08:12:31 GMT
Tuesday, 05-Nov-94 08:12:31 GMT
Tue Nov 14 08:12:31 1994
- Example: CLIENT.CERT.VALIDTO GE 'Tue Nov 14 08:12:31 1994'