Citrix ADC / NetScaler Client IP or Subnet Black and Whitelist

Because all the commotion about the NetScaler vulrenability I decided to share my Client IP black and white list. This script will create a pattern set which you can fill with ip’s or subnets.

This pattern set is used in a policy expression which is used in a responder policy.

You can add direct ip’s in the format 192.168.2.57/32 or subnets in the format 192.168.2.57/28. The expression is only filtering form subnet /32 to /24. If you want more, just change the expression.

You can bind the responder policies against any vserver or global 😉 But don’t shut yourself out 😛

Note 1: The defaults are just for example and you need to fill in the public ip’s which you want to block/whitelist.
Note 2: Hackers use other ip’s or use VPN’s. So this is no 100% safe solution but just an extra step.
Note 3: I’m not responsible for any damage 😉

# IP/Subnet Blacklist
add policy patset PATSET_IP_Blacklist
bind policy patset PATSET_IP_Blacklist "192.168.2.0/24" -index 1
bind policy patset PATSET_IP_Blacklist "192.168.2.0/25" -index 2
bind policy patset PATSET_IP_Blacklist "192.168.2.57/32" -index 3
add policy expression POLEXP_IP_Blacklist "(CLIENT.IP.SRC + \"/32\").EQUALS_ANY(\"PATSET_IP_Blacklist\") || (CLIENT.IP.SRC.SUBNET(31) + \"/31\").EQUALS_ANY(\"PATSET_IP_Blacklist\") || (CLIENT.IP.SRC.SUBNET(30) + \"/30\").EQUALS_ANY(\"PATSET_IP_Blacklist\") || (CLIENT.IP.SRC.SUBNET(29) + \"/29\").EQUALS_ANY(\"PATSET_IP_Blacklist\") || (CLIENT.IP.SRC.SUBNET(28) + \"/28\").EQUALS_ANY(\"PATSET_IP_Blacklist\") || (CLIENT.IP.SRC.SUBNET(27) + \"/27\").EQUALS_ANY(\"PATSET_IP_Blacklist\") || (CLIENT.IP.SRC.SUBNET(26) + \"/26\").EQUALS_ANY(\"PATSET_IP_Blacklist\") || (CLIENT.IP.SRC.SUBNET(25) + \"/25\").EQUALS_ANY(\"PATSET_IP_Blacklist\") || (CLIENT.IP.SRC.SUBNET(24) + \"/24\").EQUALS_ANY(\"PATSET_IP_Blacklist\")"
add responder action RESPACT_Blocked respondwith "This IP address ("+ CLIENT.IP.SRC +") is blocked to connect to this service.\""
add responder policy RESPOL_IP_Blacklist POLEXP_IP_Blacklist RESPACT_Blocked

# IP/Subnet Whitelist
add policy patset PATSET_IP_Whitelist
bind policy patset PATSET_IP_Whitelist "192.168.2.0/24" -index 1
add policy expression POLEXP_IP_Whitelist "(CLIENT.IP.SRC + \"/32\").EQUALS_ANY(\"PATSET_IP_Whitelist\") || (CLIENT.IP.SRC.SUBNET(31) + \"/31\").EQUALS_ANY(\"PATSET_IP_Whitelist\") || (CLIENT.IP.SRC.SUBNET(30) + \"/30\").EQUALS_ANY(\"PATSET_IP_Whitelist\") || (CLIENT.IP.SRC.SUBNET(29) + \"/29\").EQUALS_ANY(\"PATSET_IP_Whitelist\") || (CLIENT.IP.SRC.SUBNET(28) + \"/28\").EQUALS_ANY(\"PATSET_IP_Whitelist\") || (CLIENT.IP.SRC.SUBNET(27) + \"/27\").EQUALS_ANY(\"PATSET_IP_Whitelist\") || (CLIENT.IP.SRC.SUBNET(26) + \"/26\").EQUALS_ANY(\"PATSET_IP_Whitelist\") || (CLIENT.IP.SRC.SUBNET(25) + \"/25\").EQUALS_ANY(\"PATSET_IP_Whitelist\") || (CLIENT.IP.SRC.SUBNET(24) + \"/24\").EQUALS_ANY(\"PATSET_IP_Whitelist\")"
add responder action RESPACT_Blocked respondwith "This IP address ("+ CLIENT.IP.SRC +") is blocked to connect to this service.\""
add responder policy RESPOL_IP_Whitelist POLEXP_IP_Whitelist.NOT RESPACT_Blocked

# IP/Subnet Blacklist

add policy patset PATSET_IP_Blacklist

bind policy patset PATSET_IP_Blacklist "192.168.2.0/24" -index 1

bind policy patset PATSET_IP_Blacklist "192.168.2.0/25" -index 2

bind policy patset PATSET_IP_Blacklist "192.168.2.57/32" -index 3

add policy expression POLEXP_IP_Blacklist "(CLIENT.IP.SRC + \"/32\").EQUALS_ANY(\"PATSET_IP_Blacklist\") || (CLIENT.IP.SRC.SUBNET(31) + \"/31\").EQUALS_ANY(\"PATSET_IP_Blacklist\") || (CLIENT.IP.SRC.SUBNET(30) + \"/30\").EQUALS_ANY(\"PATSET_IP_Blacklist\") || (CLIENT.IP.SRC.SUBNET(29) + \"/29\").EQUALS_ANY(\"PATSET_IP_Blacklist\") || (CLIENT.IP.SRC.SUBNET(28) + \"/28\").EQUALS_ANY(\"PATSET_IP_Blacklist\") || (CLIENT.IP.SRC.SUBNET(27) + \"/27\").EQUALS_ANY(\"PATSET_IP_Blacklist\") || (CLIENT.IP.SRC.SUBNET(26) + \"/26\").EQUALS_ANY(\"PATSET_IP_Blacklist\") || (CLIENT.IP.SRC.SUBNET(25) + \"/25\").EQUALS_ANY(\"PATSET_IP_Blacklist\") || (CLIENT.IP.SRC.SUBNET(24) + \"/24\").EQUALS_ANY(\"PATSET_IP_Blacklist\")"

add responder action RESPACT_Blocked respondwith "This IP address ("+ CLIENT.IP.SRC +") is blocked to connect to this service.\""

add responder policy RESPOL_IP_Blacklist POLEXP_IP_Blacklist RESPACT_Blocked

# IP/Subnet Whitelist

add policy patset PATSET_IP_Whitelist

bind policy patset PATSET_IP_Whitelist "192.168.2.0/24" -index 1

add policy expression POLEXP_IP_Whitelist "(CLIENT.IP.SRC + \"/32\").EQUALS_ANY(\"PATSET_IP_Whitelist\") || (CLIENT.IP.SRC.SUBNET(31) + \"/31\").EQUALS_ANY(\"PATSET_IP_Whitelist\") || (CLIENT.IP.SRC.SUBNET(30) + \"/30\").EQUALS_ANY(\"PATSET_IP_Whitelist\") || (CLIENT.IP.SRC.SUBNET(29) + \"/29\").EQUALS_ANY(\"PATSET_IP_Whitelist\") || (CLIENT.IP.SRC.SUBNET(28) + \"/28\").EQUALS_ANY(\"PATSET_IP_Whitelist\") || (CLIENT.IP.SRC.SUBNET(27) + \"/27\").EQUALS_ANY(\"PATSET_IP_Whitelist\") || (CLIENT.IP.SRC.SUBNET(26) + \"/26\").EQUALS_ANY(\"PATSET_IP_Whitelist\") || (CLIENT.IP.SRC.SUBNET(25) + \"/25\").EQUALS_ANY(\"PATSET_IP_Whitelist\") || (CLIENT.IP.SRC.SUBNET(24) + \"/24\").EQUALS_ANY(\"PATSET_IP_Whitelist\")"

add responder action RESPACT_Blocked respondwith "This IP address ("+ CLIENT.IP.SRC +") is blocked to connect to this service.\""

add responder policy RESPOL_IP_Whitelist POLEXP_IP_Whitelist.NOT RESPACT_Blocked

7 Comments

PSun · October 27, 2020 at 00:01

Jeroen – thank you for these great instructions for configuring a white/blacklist responder policy on the Netscaler. I recently moved my ADCs to AWS and had a hard time figuring out how to restrict access to an AG. Your instructions worked like a charm! Set up a whitelist and added all my allowed subnets. Voila! Thanks again for taking time to write this up and helping the community. Cheers!

Jeroen Tielen · November 12, 2020 at 16:16

Your welcome Penny Sun.

Rogier · January 26, 2021 at 14:51

Jeroen,

i get stuck with the .NOT expression in the add responder policy, it keeps telling me expression systax error, how to get the “NOT” condition in the policy, i’ve tryed also the .! or ( xxx.!) but it does not seem te work
NS12.1.60.17
thanks

Rogier Winter · January 26, 2021 at 17:09

Hello Jeroen,

I’ve found out my problem : that when you use the gui, you’ve have to use the expression:
(via CLI it parses the string/format)

Thanks

(CLIENT.IP.SRC + “/32”).EQUALS_ANY(“PATSET_IP_Whitelist”) || (CLIENT.IP.SRC.SUBNET(31) + “/31”).EQUALS_ANY(“PATSET_IP_Whitelist”) || (CLIENT.IP.SRC.SUBNET(30) + “/30”).EQUALS_ANY(“PATSET_IP_Whitelist”) || (CLIENT.IP.SRC.SUBNET(29) + “/29”).EQUALS_ANY(“PATSET_IP_Whitelist”) || (CLIENT.IP.SRC.SUBNET(28) + “/28”).EQUALS_ANY(“PATSET_IP_Whitelist”) || (CLIENT.IP.SRC.SUBNET(27) + “/27”).EQUALS_ANY(“PATSET_IP_Whitelist”) || (CLIENT.IP.SRC.SUBNET(26) + “/26”).EQUALS_ANY(“PATSET_IP_Whitelist”) || (CLIENT.IP.SRC.SUBNET(25) + “/25”).EQUALS_ANY(“PATSET_IP_Whitelist”) || (CLIENT.IP.SRC.SUBNET(24) + “/24”).EQUALS_ANY(“PATSET_IP_Whitelist”)

Jeroen Tielen · January 31, 2021 at 19:43

Ho Rogier sorry for the late reply. But yes use the CLI 😉

Steve · February 16, 2023 at 22:23

Great Post. Wondering if something similar can be done for the Gateway in Citrix DaaS? Specifically, I need an expression to blacklist all external access to a delivery group and allow from internal subnets. I know it’s a little off topic but could use a hand. Thanks in advance!

Sibgat · March 22, 2023 at 07:21

Yeah, you can bind same responder policy to Citrix gateway virtual server.

Like this: