NetScaler ingrains many features which are policy driven. Policies use a logical expression, called a rule. They define how a feature evaluates the request or response data.  It also applies one or more actions determined by the outcome of the policy evaluation. Many features use these expressions in the actions or profiles thus expressions have broader visibility in the system.

From beginning in NetScaler appliance, “Classic” policies were introduced which served most of the use cases well. But with gradual advancements in deployment use cases and more complex nature of parsing, NetScaler introduced “Advanced” policies.

Classic policies evaluate basic characteristics of traffic and other data. With time as the content processing advanced, a need for better policies came in, which supports a logical processing structure, a greater number of functions, and data types.

Advance policies use a powerful expression language, which is built on a class-object model. They are built over an entirely different architecture as compared to classic policies.

The model takes complex operations and breaks them down into several layers of logical building-blocks. These logical building-blocks are nothing but expression language objects covering all the protocol layers which are in sync with the protocol flow and behavior.

For instance, consider an advanced expression as mentioned below.

HTTP.REQ.URL.SUFFIX.CONTAINS(“jpg”)

This expression when evaluated for an incoming request. It looks into the HTTP request data.  Rather than parsing the whole request packet or URL, it looks into the suffix of the URL and matches against “.jpg” string. Thus it saves multiple cycles on processing and parsing and is much more effective in definition.

Advanced infrastructure offer several options that enhance your ability to configure the behaviour of various NetScaler features. It enables you to analyse data granularly and allows more operations in the policy rule.

Why do we need to convert classic into advanced policies?

Consider a scenario in which you have migrated to a newer release of the NetScaler software. You have configured classic policies for features that now use advanced policies as well. Given the benefits of advanced infrastructure you would certainly want to utilize advanced policies. Then go on… but there is a challenge of converting your classic policies and expressions to advanced mode. You may have 100s of policies and expressions to work on, not an easy job!!

This is where NetScaler provides the built-in utility with 9.3 release which lets you convert your classic policies and expressions into advanced mode. What a relief J!

The classic policies can be very smoothly converted to advanced policies using “nspepi” tool shipped with 9.3 release.

The conversion will be supported for the features which support both classic as well advanced expressions. The following NetScaler features support both classic and advanced expressions:

  • AppFirewall policies
  • Authorization policies
  • Named expressions
  • Compression polices
  • CSW policies
  • Cache policies
  • LB Vserver rule based tokens

How do we do the conversion?

  • You can use the “nspepi” tool to convert a single classic expression to the advanced expression syntax

Example:

root@ns# nspepi -e “REQ.HTTP.URL == /*.htm”

“HTTP.REQ.URL.REGEX_MATCH(re#/(.*)\.htm#)”

  • You can use this tool to convert all the classic expressions in a NetScaler configuration file

Example:

root@ns# nspepi -f ns.conf

OUTPUT: New configuration file created:

new_ns.conf

OUTPUT: New warning file created: warn_ns.conf

WARNINGS: Total number of warnings due to bind

commands: 18

WARNINGS: Line numbers which has bind command

issues: 305, 306, 706, 707, 708, 709, 710, 711,

712, 713,714, 715, 767, 768, 774, 775, 776, 777

Conversion Warning you should keep in mind before using this tool:

  • The commands that exceed 1499 character limit must be manually updated.
  • Multiple classic policies can be bound to a given bind point with priority 0 or with equal priority. But, the advanced policies don’t support a priority value 0 or policies with same priority at a given bind point. These commands need to be updated manually with the correct priority values.
  • The line numbers which threw warnings at the time of conversions are listed at the end of output in a warning line. Along with this there is a warning file created where the configuration files are stored

With the specified nspepi commands and warnings, you are good to go, to convert your way to advanced policy infrastructure!