Citrix ADC / NetScaler Client IP or Subnet Black and Whitelist

Because of all the commotion about the NetScaler vulnerability, I decided to share my client IP black and white list. This script creates a pattern set which you can fill with IPs or subnets.

This pattern set is used in a policy expression which is used in a responder policy.

You can add direct IPs in the format or subnets in the format. The expression only filters from subnet /32 to /24. If you want more, just change the expression.

You can bind the responder policies against any vserver or global 😉 But don’t shut yourself out 😛

Note 1: The defaults are just examples; you need to fill in the public IPs which you want to block/whitelist.
Note 2: Hackers use other IPs or use VPNs, so this is not a 100% safe solution but just an extra step.
Note 3: I’m not responsible for any damage 😉

# IP/Subnet Blacklist
add policy patset PATSET_IP_Blacklist
bind policy patset PATSET_IP_Blacklist "" -index 1
bind policy patset PATSET_IP_Blacklist "" -index 2
bind policy patset PATSET_IP_Blacklist "" -index 3
add policy expression POLEXP_IP_Blacklist "(CLIENT.IP.SRC + \"/32\").EQUALS_ANY(\"PATSET_IP_Blacklist\") || (CLIENT.IP.SRC.SUBNET(31) + \"/31\").EQUALS_ANY(\"PATSET_IP_Blacklist\") || (CLIENT.IP.SRC.SUBNET(30) + \"/30\").EQUALS_ANY(\"PATSET_IP_Blacklist\") || (CLIENT.IP.SRC.SUBNET(29) + \"/29\").EQUALS_ANY(\"PATSET_IP_Blacklist\") || (CLIENT.IP.SRC.SUBNET(28) + \"/28\").EQUALS_ANY(\"PATSET_IP_Blacklist\") || (CLIENT.IP.SRC.SUBNET(27) + \"/27\").EQUALS_ANY(\"PATSET_IP_Blacklist\") || (CLIENT.IP.SRC.SUBNET(26) + \"/26\").EQUALS_ANY(\"PATSET_IP_Blacklist\") || (CLIENT.IP.SRC.SUBNET(25) + \"/25\").EQUALS_ANY(\"PATSET_IP_Blacklist\") || (CLIENT.IP.SRC.SUBNET(24) + \"/24\").EQUALS_ANY(\"PATSET_IP_Blacklist\")"
add responder action RESPACT_Blocked respondwith "\"This IP address (\" + CLIENT.IP.SRC + \") is blocked to connect to this service.\""
add responder policy RESPOL_IP_Blacklist POLEXP_IP_Blacklist RESPACT_Blocked

# IP/Subnet Whitelist
add policy patset PATSET_IP_Whitelist
bind policy patset PATSET_IP_Whitelist "" -index 1
add policy expression POLEXP_IP_Whitelist "(CLIENT.IP.SRC + \"/32\").EQUALS_ANY(\"PATSET_IP_Whitelist\") || (CLIENT.IP.SRC.SUBNET(31) + \"/31\").EQUALS_ANY(\"PATSET_IP_Whitelist\") || (CLIENT.IP.SRC.SUBNET(30) + \"/30\").EQUALS_ANY(\"PATSET_IP_Whitelist\") || (CLIENT.IP.SRC.SUBNET(29) + \"/29\").EQUALS_ANY(\"PATSET_IP_Whitelist\") || (CLIENT.IP.SRC.SUBNET(28) + \"/28\").EQUALS_ANY(\"PATSET_IP_Whitelist\") || (CLIENT.IP.SRC.SUBNET(27) + \"/27\").EQUALS_ANY(\"PATSET_IP_Whitelist\") || (CLIENT.IP.SRC.SUBNET(26) + \"/26\").EQUALS_ANY(\"PATSET_IP_Whitelist\") || (CLIENT.IP.SRC.SUBNET(25) + \"/25\").EQUALS_ANY(\"PATSET_IP_Whitelist\") || (CLIENT.IP.SRC.SUBNET(24) + \"/24\").EQUALS_ANY(\"PATSET_IP_Whitelist\")"
# Skip the next line if RESPACT_Blocked was already created in the blacklist section
add responder action RESPACT_Blocked respondwith "\"This IP address (\" + CLIENT.IP.SRC + \") is blocked to connect to this service.\""
add responder policy RESPOL_IP_Whitelist POLEXP_IP_Whitelist.NOT RESPACT_Blocked
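
An added example, not part of the original post: the expression compares the masked source address plus "/n" as a string against the pattern set, so an entry only matches when it is written as the network address with a prefix between /24 and /32. This Python sketch normalizes a list of entries, emits the `bind policy patset` lines and checks that a management address still passes a whitelist; the sample addresses and `ADMIN_IP` are constructed.

```python
import ipaddress

# Assumption: SUBNET(n) zeroes the host bits and EQUALS_ANY is an exact string match.
MIN_PREFIX, MAX_PREFIX = 24, 32  # prefix range the page's expression tests

def normalize(entry):
    """Return (pattern, note); pattern is None when the expression can never match it."""
    text = entry.strip()
    if "/" not in text:
        text += "/32"  # the expression builds "address/32" for single hosts
    try:
        iface = ipaddress.IPv4Interface(text)
    except ValueError:
        return None, f"{entry}: not a valid IPv4 address or subnet"
    net = iface.network
    if net.prefixlen < MIN_PREFIX:
        return None, f"{entry}: wider than /{MIN_PREFIX}, never tested by the expression"
    if iface.ip != net.network_address:
        return str(net), f"{entry}: host bits set, rewritten to {net}"
    return str(net), None

def expression_matches(client_ip, patterns):
    """Emulate the policy expression: mask the source IP to /32../24, exact string lookup."""
    ip = int(ipaddress.IPv4Address(client_ip))
    return any(
        str(ipaddress.IPv4Network((ip, n), strict=False)) in patterns
        for n in range(MAX_PREFIX, MIN_PREFIX - 1, -1)
    )

def build_patset(name, entries):
    """Return (patterns, bind commands, notes) for a list of raw entries."""
    patterns, notes = [], []
    for entry in entries:
        pattern, note = normalize(entry)
        if note:
            notes.append(note)
        if pattern and pattern not in patterns:
            patterns.append(pattern)
    cmds = [f'bind policy patset {name} "{p}" -index {i}'
            for i, p in enumerate(patterns, 1)]
    return patterns, cmds, notes

# Constructed sample input (documentation address ranges, not from the original post).
SAMPLE = ["198.51.100.7", "203.0.113.77/24", "192.0.2.0/25", "10.0.0.0/16", "not-an-ip"]
ADMIN_IP = "203.0.113.200"  # hypothetical address you manage the ADC from

if __name__ == "__main__":
    patterns, cmds, notes = build_patset("PATSET_IP_Whitelist", SAMPLE)
    print("\n".join(cmds + notes))
    if not expression_matches(ADMIN_IP, patterns):
        print(f"WARNING: {ADMIN_IP} is not whitelisted; binding this would lock you out")
```

Run it against your own list before binding a whitelist policy, and review the notes it prints: entries wider than /24 are dropped because the expression never tests them.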





  1. Jeroen – thank you for these great instructions for configuring a white/blacklist responder policy on the Netscaler. I recently moved my ADCs to AWS and had a hard time figuring out how to restrict access to an AG. Your instructions worked like a charm! Set up a whitelist and added all my allowed subnets. Voila! Thanks again for taking time to write this up and helping the community. Cheers!

  2. Jeroen,

    I get stuck with the .NOT expression in the add responder policy; it keeps telling me expression syntax error. How to get the “NOT” condition in the policy? I’ve also tried the .! or ( xxx.!) but it does not seem to work.

  3. Hello Jeroen,

    I’ve found out my problem: when you use the GUI, you have to use the expression:
    (via CLI it parses the string/format)


    (CLIENT.IP.SRC + "/32").EQUALS_ANY("PATSET_IP_Whitelist") || (CLIENT.IP.SRC.SUBNET(31) + "/31").EQUALS_ANY("PATSET_IP_Whitelist") || (CLIENT.IP.SRC.SUBNET(30) + "/30").EQUALS_ANY("PATSET_IP_Whitelist") || (CLIENT.IP.SRC.SUBNET(29) + "/29").EQUALS_ANY("PATSET_IP_Whitelist") || (CLIENT.IP.SRC.SUBNET(28) + "/28").EQUALS_ANY("PATSET_IP_Whitelist") || (CLIENT.IP.SRC.SUBNET(27) + "/27").EQUALS_ANY("PATSET_IP_Whitelist") || (CLIENT.IP.SRC.SUBNET(26) + "/26").EQUALS_ANY("PATSET_IP_Whitelist") || (CLIENT.IP.SRC.SUBNET(25) + "/25").EQUALS_ANY("PATSET_IP_Whitelist") || (CLIENT.IP.SRC.SUBNET(24) + "/24").EQUALS_ANY("PATSET_IP_Whitelist")

  4. Great Post. Wondering if something similar can be done for the Gateway in Citrix DaaS? Specifically, I need an expression to blacklist all external access to a delivery group and allow from internal subnets. I know it’s a little off topic but could use a hand. Thanks in advance!
