Citrix Gateway

Using Operators and Operands in Policy Expressions

An operator is a symbol that identifies the operation—mathematical, Boolean, or relational, for example—that manipulates one or more objects, or operands. The first section in this topic defines the operators you can use and provides a definition. The second section lists the operators you can use with specific qualifiers, such as method, URL, and query.

Operators and Definitions

This section defines the operators that you can use when creating a policy expression and provides a description of the operator.

  • ==, !=, EQ, NEQ

    These operators test for exact matches. They are case-sensitive (‘‘cmd.exe’’ is NOT EQUAL to ‘‘cMd.exe’’). These operators are useful for creating permissions to allow particular strings that meet an exact syntax, but to exclude other strings.

  • GT

    This operator is used for numerical comparisons. It is used on the length of the URLs and query strings.

  • CONTAINS, NOTCONTAINS

    These operators perform checks against the specified qualifier to determine if the specified string is contained in the qualifier. These operators are not case-sensitive.

  • EXISTS, NOTEXISTS

    These operators check for the existence of a particular qualifier. For example, these operators can be applied to HTTP headers to determine if a particular HTTP header exists or if the URL Query exists.

  • CONTENTS

    This operator checks if the qualifier exists and if it has contents (that is, whether a header exists and has a value associated with it, no matter what the value).

Qualifiers, Operators, Operands, Actions, and Examples

This section shows the parameters you can use for operators and operands. Each item starts with the qualifier and then lists the associated operator and operand, describes the action that the expression carries out, and provides an example.

  • Method

    Operator: EQ, NEQ Operands: Required:

    • Standard HTTP methods
    • Supported methods
    • GET, HEAD, POST, PUT, DELETE OPTIONS, TRACE, CONNECT Actions: Verifies the incoming request method to the configured method. Example: Method EQ GET

URL

  • Operator: EQ, NEQ Operands: Required: URL (Format: /[prefix][*][.suffix]) Actions: Verifies the incoming URL with the configured URL. Example: URL EQ / foo*.asp URL EQ /foo* URL EQ /*.asp URL EQ /foo.asp

  • Operator: CONTAINS, NOTCONTAINS Operands: Required: Any string (in quotes) Actions: Verifies the incoming URL for the presence of the configured pattern. (Includes URL and URL query.) Example: URL CONTAINS ‘ZZZ’

  • URL LEN

    Operator: GT Operands: Required: Length (as an integer value) Actions: Compares the incoming URL length with the configured length. (Includes URL and URL query.) Example: URLLEN GT 60

  • URL QUERY

    Operator: CONTAINS, NOTCONTAINS Operands: Required: Any string (in quotes). Optional: Length and offset Actions: Verifies the incoming URL query for the presence of the configured pattern. Used similarly to CONTENTS. If no option is specified, the whole URL query after the pattern is used. If options are present, only the length of the query after the pattern is used. The offset is used to indicate from where to start the search for the pattern. Example: URLQUERY CONTAINS ‘ZZZ’

  • URL QUERY LEN

    Operator: GT Operands: Required: Length (as an integer value) Actions: Compares the incoming URL query length with the configured length. Example: URLQUERYLN GT 60

  • URL TOKENS

    Operator: EQ, NEQ Operands: Required: URL tokens (Supported URL tokens =, +, %, !, &, ?). Actions: Compares the incoming URL for the presence of configured tokens. A backward slash (\) must be entered in front of the question mark. Example: URLTOKENS EQ ‘% , +, &, \?’

  • VERSION

    Operator: EQ, NEQ Operands: Required: Standard HTTP versions. Valid HTTP version strings HTTP/1.0, HTTP/1.1 Actions: Compares the incoming request’s HTTP version with the configured HTTP version. Example: VERSION EQ HTTP/1.1

Header

  • Operator: EXISTS, NOTEXISTS Operands: None Actions: Examines the incoming request for the presence of the HTTP header. Example: Header Cookie EXISTS

  • Operator: CONTAINS, NOTCONTAINS Operands: Required: Any string (in quotes). Optional: Length and offset Actions: Verifies the incoming request for the presence of a configured pattern in the specific header. Used similarly to CONTENTS. If no option is specified, the whole HTTP header value after the pattern is used. If options are present, only the length of the header after the pattern is used. The offset is used to indicate from where to start the search for the pattern. Example: Header Cookie CONTAINS “\&sid”

  • Operator: CONTENTS Operands: Optional: Length and offset Actions: Uses the contents of the HTTP header. If no option is specified, the whole HTTP header value is used. If options are present, only the length of the header starting from the offset is used. Example: Header User-Agent CONTENTS

  • SOURCEIP

    Operator: EQ, NEQ Operands: Required: IP address Optional: Subnet mask Actions: Verifies the source IP address in the incoming request against the configured IP address. If the optional subnet mask is specified, the incoming request is verified against the configured IP address and subnet mask. Example: Sourceip EQ 192.168.100.0 -netmask 255.255.255.0

  • DESTIP

    Operator: EQ, NEQ Operands: Required: IP address Optional: Subnet mask Actions: Verifies the destination IP address in the incoming request against the configured IP address. If the optional subnet mask is specified, the incoming request is verified against the configured IP address and subnet mask. Example: Sourceip EQ 192.168.100.0 -netmask 255.255.255.0

  • SOURCEPORT

    Operator: EQ, NEQ Operands: Required: Port number Optional: Port range Actions: Verifies the source port number in the incoming request against the configured port number. Example: SOURCEPORT EQ 10–20

  • DESTPORT

    Operator: EQ, NEQ Operands: Required: Port number Optional: Port range Actions: Verifies the destination port number in the incoming request against the configured port number. Example: DESTPORT NEQ 80

  • CLIENT.SSL.VERSION

    Operator: EQ, NEQ Operands: Required: SSL version Actions: Checks the version of the SSL or TLS version used in the secure connection. Example: CLIENT.SSL.VERSION EQ SSLV3

  • CLIENT.CIPHER.TYPE

    Operator: EQ, NEQ Operands: Required: Client cipher type Actions: Checks for the type of the cipher being used (export or non-export). Example: CLIENT.CIPHER.TYPE EQ EXPORT

  • CLIENT.CIPHER.BITS

    Operator: EQ, NEQ, GE, LE, GT, LT Operands: Required: Client cipher bits Actions: Checks for the key strength of the cipher being used. Example: CLIENT.CIPHER.BITS GE 40

  • CLIENT.CERT

    Operator: EXISTS, NOTEXISTS Operands: none Actions: Checks whether the client sent a valid certificate during the SSL handshake. Example: CLIENT.CERT EXISTS

  • CLIENT.CERT.VERSION

    Operator: EQ, NEQ, GE, LE, GT, LT Operands: Client certificate version Actions: Checks the version of the client certificate. Example: CLIENT.CERT.VERSION EQ 2

  • CLIENT.CERT.SERIALNUMBER

    Operator: EQ, NEQ Operands: Required: Client certificate serial number Actions: Checks the serial number of the client certificate. The serial number is treated as a string. Example: CLIENT.CERT.SER IALNUMBER EQ 2343323

  • CLIENT.CERT.SIGALGO

    Operator: EQ, NEQ Operands: Required: Client certificate signature algorithm. Actions: Checks the signature algorithm used in the client certificate. Example: CLIENT.CERT.SIGALGO EQ md5WithRSAEncryption

  • CLIENT.CERT.SUBJECT

    Operator: CONTAINS, NOTCONTAINS Operands: Required: Client certificate subject Optional: Length, offset Actions: Checks the subject field of the client certificate. Example: CLIENT.CERT.SUBJECT CONTAINS CN= Access_Gateway

  • CLIENT.CERT.ISSUER

    Operator: CONTAINS, NOTCONTAINS Operands: Required: Client certificate issuer Optional: Length, offset Actions: Checks the issuer field of the client certificate. Example: CLIENT.CERT.ISSUER CONTAINS O=Verisign

  • CLIENT.CERT.VALIDFROM

    Operator: EQ, NEQ, GE, LE, GT, LT Operands: Required: Date Actions: Checks the date from which the client certificate is valid. Valid date formats are: Tue, 05 Nov 1994 08:12:31 GMT Tuesday, 05-Nov-94 08:12:31 GMT Tue Nov 14 08:12:31 1994 Example: CLIENT.CERT.VALIDFROM GE ‘Tue Nov 14 08:12:31 1994’

  • CLIENT.CERT.VALIDTO

    Operator: EQ, NEQ, GE, LE, GT, LT Operands: Required: Date Actions: Checks the date until which the client certificate is valid. Valid date formats are: Tue, 05 Nov 1994 08:12:31 GMT Tuesday, 05-Nov-94 08:12:31 GMT Tue Nov 14 08:12:31 1994 Example: CLIENT.CERT.VALIDTO GE ‘Tue Nov 14 08:12:31 1994’

Using Operators and Operands in Policy Expressions