An operator is a symbol that identifies the operation (mathematical, Boolean, or relational, for example) that manipulates one or more objects, or operands. The first section in this topic defines the operators you can use and describes each one. The second section lists the operators you can use with specific qualifiers, such as method, URL, and query.
Operators and Definitions

This section defines the operators that you can use when creating a policy expression and provides a description of each operator.

- ==, !=, EQ, NEQ: These operators test for exact matches. They are case-sensitive ('cmd.exe' is NOT EQUAL to 'cMd.exe'). These operators are useful for creating permissions that allow particular strings matching an exact syntax while excluding all other strings.
- GT: This operator is used for numerical comparisons; it is applied to the length of URLs and query strings.
- CONTAINS, NOTCONTAINS: These operators check the specified qualifier to determine whether the specified string is contained in it. These operators are not case-sensitive.
- EXISTS, NOTEXISTS: These operators check for the existence of a particular qualifier. For example, they can be applied to HTTP headers to determine whether a particular HTTP header exists, or whether the URL query exists.
- CONTENTS: This operator checks whether the qualifier exists and has contents (that is, whether a header exists and has a value associated with it, whatever that value is).
Qualifiers, Operators, Operands, Actions, and Examples

This section shows the parameters you can use for operators and operands. Each item starts with the qualifier and then lists the associated operator and operand, describes the action that the expression carries out, and provides an example.
- Method
  - Operator: EQ, NEQ
  - Operands: Required: standard HTTP methods. Supported methods: GET, HEAD, POST, PUT, DELETE, OPTIONS, TRACE, CONNECT
  - Actions: Compares the incoming request method with the configured method.
  - Example: Method EQ GET
- URL
  - Operator: EQ, NEQ
  - Operands: Required: URL (format: /[prefix][*][.suffix])
  - Actions: Compares the incoming URL with the configured URL.
  - Examples:
    URL EQ /foo*.asp
    URL EQ /foo*
    URL EQ /*.asp
    URL EQ /foo.asp
- URL
  - Operator: CONTAINS, NOTCONTAINS
  - Operands: Required: any string (in quotes)
  - Actions: Checks the incoming URL for the presence of the configured pattern (includes URL and URL query).
  - Example: URL CONTAINS 'ZZZ'
- URL LEN
  - Operator: GT
  - Operands: Required: length (as an integer value)
  - Actions: Compares the incoming URL length with the configured length (includes URL and URL query).
  - Example: URLLEN GT 60
- URL QUERY
  - Operator: CONTAINS, NOTCONTAINS
  - Operands: Required: any string (in quotes). Optional: length and offset
  - Actions: Checks the incoming URL query for the presence of the configured pattern. Used similarly to CONTENTS. If no option is specified, the whole URL query after the pattern is used. If options are present, only the specified length of the query after the pattern is used. The offset indicates where to start the search for the pattern.
  - Example: URLQUERY CONTAINS 'ZZZ'
- URL QUERY LEN
  - Operator: GT
  - Operands: Required: length (as an integer value)
  - Actions: Compares the incoming URL query length with the configured length.
  - Example: URLQUERYLEN GT 60
- URL TOKENS
  - Operator: EQ, NEQ
  - Operands: Required: URL tokens (supported URL tokens: =, +, %, !, &, ?)
  - Actions: Checks the incoming URL for the presence of the configured tokens. A backslash (\) must be entered in front of the question mark.
  - Example: URLTOKENS EQ '% , +, &, \?'
- VERSION
  - Operator: EQ, NEQ
  - Operands: Required: standard HTTP version. Valid HTTP version strings: HTTP/1.0, HTTP/1.1
  - Actions: Compares the incoming request's HTTP version with the configured HTTP version.
  - Example: VERSION EQ HTTP/1.1
- Header
  - Operator: EXISTS, NOTEXISTS
  - Operands: None
  - Actions: Examines the incoming request for the presence of the HTTP header.
  - Example: Header Cookie EXISTS
- Header
  - Operator: CONTAINS, NOTCONTAINS
  - Operands: Required: any string (in quotes). Optional: length and offset
  - Actions: Checks the incoming request for the presence of the configured pattern in the specified header. Used similarly to CONTENTS. If no option is specified, the whole HTTP header value after the pattern is used. If options are present, only the specified length of the header after the pattern is used. The offset indicates where to start the search for the pattern.
  - Example: Header Cookie CONTAINS "&sid"
- Header
  - Operator: CONTENTS
  - Operands: Optional: length and offset
  - Actions: Uses the contents of the HTTP header. If no option is specified, the whole HTTP header value is used. If options are present, only the specified length of the header starting from the offset is used.
  - Example: Header User-Agent CONTENTS
- SOURCEIP
  - Operator: EQ, NEQ
  - Operands: Required: IP address. Optional: subnet mask
  - Actions: Compares the source IP address of the incoming request with the configured IP address. If the optional subnet mask is specified, the incoming request is checked against the configured IP address and subnet mask.
  - Example: Sourceip EQ 192.168.100.0 -netmask 255.255.255.0
- DESTIP
  - Operator: EQ, NEQ
  - Operands: Required: IP address. Optional: subnet mask
  - Actions: Compares the destination IP address of the incoming request with the configured IP address. If the optional subnet mask is specified, the incoming request is checked against the configured IP address and subnet mask.
  - Example: Destip EQ 192.168.100.0 -netmask 255.255.255.0
- SOURCEPORT
  - Operator: EQ, NEQ
  - Operands: Required: port number. Optional: port range
  - Actions: Compares the source port number of the incoming request with the configured port number.
  - Example: SOURCEPORT EQ 10-20
- DESTPORT
  - Operator: EQ, NEQ
  - Operands: Required: port number. Optional: port range
  - Actions: Compares the destination port number of the incoming request with the configured port number.
  - Example: DESTPORT NEQ 80
- CLIENT.SSL.VERSION
  - Operator: EQ, NEQ
  - Operands: Required: SSL version
  - Actions: Checks the SSL or TLS version used in the secure connection.
  - Example: CLIENT.SSL.VERSION EQ SSLV3
- CLIENT.CIPHER.TYPE
  - Operator: EQ, NEQ
  - Operands: Required: client cipher type
  - Actions: Checks the type of the cipher being used (export or non-export).
  - Example: CLIENT.CIPHER.TYPE EQ EXPORT
- CLIENT.CIPHER.BITS
  - Operator: EQ, NEQ, GE, LE, GT, LT
  - Operands: Required: client cipher bits
  - Actions: Checks the key strength of the cipher being used.
  - Example: CLIENT.CIPHER.BITS GE 40
- CLIENT.CERT
  - Operator: EXISTS, NOTEXISTS
  - Operands: None
  - Actions: Checks whether the client sent a valid certificate during the SSL handshake.
  - Example: CLIENT.CERT EXISTS
- CLIENT.CERT.VERSION
  - Operator: EQ, NEQ, GE, LE, GT, LT
  - Operands: Client certificate version
  - Actions: Checks the version of the client certificate.
  - Example: CLIENT.CERT.VERSION EQ 2
- CLIENT.CERT.SERIALNUMBER
  - Operator: EQ, NEQ
  - Operands: Required: client certificate serial number
  - Actions: Checks the serial number of the client certificate. The serial number is treated as a string.
  - Example: CLIENT.CERT.SERIALNUMBER EQ 2343323
- CLIENT.CERT.SIGALGO
  - Operator: EQ, NEQ
  - Operands: Required: client certificate signature algorithm
  - Actions: Checks the signature algorithm used in the client certificate.
  - Example: CLIENT.CERT.SIGALGO EQ md5WithRSAEncryption
- CLIENT.CERT.SUBJECT
  - Operator: CONTAINS, NOTCONTAINS
  - Operands: Required: client certificate subject. Optional: length, offset
  - Actions: Checks the subject field of the client certificate.
  - Example: CLIENT.CERT.SUBJECT CONTAINS CN= Access_Gateway
- CLIENT.CERT.ISSUER
  - Operator: CONTAINS, NOTCONTAINS
  - Operands: Required: client certificate issuer. Optional: length, offset
  - Actions: Checks the issuer field of the client certificate.
  - Example: CLIENT.CERT.ISSUER CONTAINS O=VeriSign
- CLIENT.CERT.VALIDFROM
  - Operator: EQ, NEQ, GE, LE, GT, LT
  - Operands: Required: date
  - Actions: Checks the date from which the client certificate is valid. Valid date formats are:
    Tue, 05 Nov 1994 08:12:31 GMT
    Tuesday, 05-Nov-94 08:12:31 GMT
    Tue Nov 14 08:12:31 1994
  - Example: CLIENT.CERT.VALIDFROM GE 'Tue Nov 14 08:12:31 1994'
- CLIENT.CERT.VALIDTO
  - Operator: EQ, NEQ, GE, LE, GT, LT
  - Operands: Required: date
  - Actions: Checks the date until which the client certificate is valid. Valid date formats are:
    Tue, 05 Nov 1994 08:12:31 GMT
    Tuesday, 05-Nov-94 08:12:31 GMT
    Tue Nov 14 08:12:31 1994
  - Example: CLIENT.CERT.VALIDTO GE 'Tue Nov 14 08:12:31 1994'
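As an added example (not code from the original page or the product it documents), the following Python evaluator applies the operator semantics from the first section and the request qualifiers from the second to a constructed request: EQ/NEQ are exact and case-sensitive, CONTAINS/NOTCONTAINS are case-insensitive and include the query for URL, GT compares lengths, and EXISTS/CONTENTS test header presence and non-empty value. The request layout, the path-only comparison for URL EQ wildcards, and the `-netmask` handling for SOURCEIP are assumptions made here.

```python
import ipaddress

REQUEST = {  # constructed sample request, not from the page; the layout is an assumption
    "method": "GET", "version": "HTTP/1.1", "sourceip": "192.168.100.42",
    "url": "/foo/index.asp?sid=abc123&lang=en",
    "headers": {"Cookie": "x=1&sid=abc", "User-Agent": "curl/8.0"},
}

def url_match(pattern, url):
    """URL EQ operand in the page's /[prefix][*][.suffix] form; assumed to match the path only."""
    path = url.partition("?")[0]
    if "*" not in pattern:
        return path == pattern                 # no wildcard: exact, case-sensitive
    prefix, _, suffix = pattern.partition("*")
    return path.startswith(prefix) and path.endswith(suffix) and len(path) >= len(prefix) + len(suffix)

def subject(qual, req, header=None):
    """Value the qualifier refers to; None means the item is absent from the request."""
    url, query = req["url"], req["url"].partition("?")[2]
    hdr = next((v for k, v in req["headers"].items()
                if header and k.lower() == header.lower()), None)   # header names are case-insensitive
    return {"METHOD": req["method"], "VERSION": req["version"],
            "URL": url, "URLLEN": len(url), "URLQUERY": query,     # URL length includes the query
            "URLQUERYLEN": len(query), "SOURCEIP": req["sourceip"], "HEADER": hdr}[qual]

def evaluate(expr, req):
    """Evaluate one expression such as "Header Cookie CONTAINS '&sid'" against req."""
    toks = expr.replace("'", '"').split()
    qual = toks.pop(0).upper()
    header = toks.pop(0) if qual == "HEADER" else None
    op = toks.pop(0).upper()
    operand = toks[0].strip('"') if toks else None
    val = subject(qual, req, header)
    if op in ("EXISTS", "NOTEXISTS"):
        return (val is not None) == (op == "EXISTS")
    if op == "CONTENTS":                       # exists and carries a non-empty value
        return bool(val)
    if op in ("CONTAINS", "NOTCONTAINS"):      # not case-sensitive
        return (val is not None and operand.lower() in str(val).lower()) == (op == "CONTAINS")
    if op == "GT":                             # numeric comparison, used on lengths
        return int(val) > int(operand)
    if qual == "SOURCEIP" and "-netmask" in toks:
        net = ipaddress.ip_network(f"{operand}/{toks[toks.index('-netmask') + 1]}", strict=False)
        hit = ipaddress.ip_address(val) in net
    elif qual == "URL":
        hit = url_match(operand, val)
    else:
        hit = val == operand                   # EQ/NEQ are exact and case-sensitive
    return hit == (op == "EQ")
```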