Citrix Analytics for Security

Self-service search for Gateway

June 29, 2021

Contributed by:

M C

Use the self-service search feature to get insights into the user events received from the Citrix Gateway data source. When users access their network resources such as file servers, applications, websites through Citrix Gateway, events are generated for each user connection. Some examples of user events are such as authentication stage, authorization type, and VPN session code. Citrix Analytics for Security receives these events and displays them on the self-service search page. You can view the users and their access details.

For more information on the search functionalities, see Self-service search.

Select the Gateway data source

To view the Gateway events, select Gateway from the list. By default, the self-service page displays the events for the last one day. You can also select the time period for which you want to view the events.

Note

Alternatively, you can access the Self-service search for Gateway page from the Security > Users > Access Summary dashboard. In successful login scenarios, you can access the data by the status code. For more information, see the Access Summary dashboard.

The facets are categorized based on the events received from your data source. Use the following facets to filter your events:

Authentication Stage- Search events based on different stages of client authentication such as primary, secondary, and tertiary.
Authentication Type- Search events based on the client authentication types such as Local, RADIUS, LDAP, TACACS, client certificate authentication including smart card authentication.
Device Agent- Search events based on the client devices such as iPhone, iPad, Windows Mobile.

Record Type- Search events based on the types of VPN records. Following VPN record types are available:

Record type	Description
VPN_AI	Filters user events related to authentication.
VPN_IF	Filters user events related to ICA file.
VPN_ST	Filters user events related to session logout.

Browser- Search events based on the browsers such as Internet Explorer, Chrome, Firefox, Safari.
OS- Search events based on the client operating systems such as Windows, Mac, Linux, Android, iOS.
Status Code- Search events based on the VPN status codes such as SSL redirect response failure, authorization failure, single sign-on failed.
Session State- Search events based on the VPN session states such as client state, authorization state, SSO state, application bandwidth update.
Session Mode- Search events based on the VPN session modes such as Full tunnel, ICA Proxy, Clientless.
SSO Authentication Method- Search events based on different methods of single sign-on authentication such as basic, digest, NTLM, Kerberos, AG basic, form-based SSO.
Logout Mode- Search events based on the VPN logout modes such as internal error logout, session time-out logout, user-initiated logout, administrator terminated session.

Specify search query to filter events

Place your cursor in the search box to view the list of dimensions for the Gateway events. Use the dimensions and the operators to specify your query and search for the required events.

For example, you want to view the events for a user “ns133” where the VPN status code is “successful login”.

Enter “user” in the search box to choose the related dimension.
Select User-Name and enter the value “ns133” using the equal operator.
Select the AND operator and then select the Status Code dimension. Enter the string “Successful login” for Status Code using the equal operator.

To identify the possible string values for Status Code, expand the Status Code filter list and use the filter name as the string in your search query.
Select the time period and click Search to view the events on the DATA table.

Supported values for your search query

Enter the following values for the dimensions to define your search query.

Access-Insight-Flags

Indicates the VPN session states. Enter one of the following flag values:

VPN session state	Flag value
Pre-authentication	2
Last or final state of nFactor (multi-factor) authentication	1
Post authentication	4

Note

This flag is applicable only for the preceding VPN session states for the authentication events. For all other events, the flag value is zero.

Applications-Byte-Consumption

For the Applications-Byte-Consumption dimension, enter the following value:

Value	Type	Description
Examples: `40`, `100`	Number	Data (in Bytes) consumed by the application that you are using.

Authentication-Servers-IP

For the Authentication-Servers-IP dimension, enter the following value:

Value	Type	Description
Example: `10.xxx.xx.xx`	String	IP address of the authentication server.

Authentication-Stage

For the Authentication-Stage dimension, enter the following value:

Value	Type	Description
`Primary`, `Secondary`, or `Tertiary`	String	Different stages of client authentication.

Authentication-Type

For the Authentication-Type dimension, enter the following value:

Value	Type	Description
`LDAP`,`SAML`, `Local`, `Radius`, `TACACS`, `SAMLIDP`, or `OTP`.	String	Authenticate your users through one of the available methods.

Backend-Server-Name

For the Backend-Server-Name dimension, enter the following value:

Value	Type	Description
Example: `10.xxx.xxx.xx`	String	IP address of the back end server.

Browser

For the Browser dimension, enter the following value:

Value	Type	Description
`PN Agent`, `Edge`, `Firefox`, `Chrome`, or `Safari`.	String	Browser used.

City

For the City dimension, enter the following value:

Value	Type	Description
Examples: `Boston`, `Beijing`	String	City from where the user has logged on.

Client-IP

For the Client-IP dimension, enter the following value:

Value	Type	Description
Example: `10.xxx.xxx.xx`	String	IP address of the user device.

Client-IP-Type

For the Client-IP-Type dimension, enter the following value:

Value	Type	Description
public, private	String	Indicates whether the user IP address is public or private.

Note

The values are case-sensitive. Enter the values in lower case.

Client-Port

For the Client-Port dimension, enter the following value:

Value	Type	Description
Example: `45334`	Number	Port number of the user device.

Country

For the Country dimension, enter the following value:

Value	Type	Description
Examples: `United States`, `India`	String	Country from where the user has logged on.

Note

Enclose the value within “” if the value contains spaces. Example: Country = “Unites States”.

Event-Type

For the Event-Type dimension, enter the following value:

Value	Type	Description
Authentication, ICA file, Session logout	String	Type of user events.

Gateway-FQDN

For the Gateway-FQDN dimension, enter the following value:

Value	Type	Description
Example: `Gateway-test`	String	Domain name of your Citrix Gateway.

Gateway-IP

For the Gateway-IP dimension, enter the following value:

Value	Type	Description
Example: `10.xxx.xxx.xx`	String	IP address of your Citrix Gateway.

Gateway-Port

For the Gateway-Port dimension, enter the following value:

Value	Type	Description
Example: `443`	String	Port number of your Citrix Gateway.

Logout-Mode

For the Logout-Mode dimension, enter the following value:

Value	Type	Description
`"Internal error"`, `"Inactive time out"`, `"User initiated logout"`, or `"Administrator killed session"`.	String	Reason for timeout or termination of VPN session.

Note

Enclose the value within “” if the value contains spaces. Example: Logout-Mode = "Internal error".

NetScaler-IP

For the NetScaler-IP dimension, enter the following value:

Value	Type	Description
Example: `10.xxx.xx.xx`	String	IP address of your Citrix ADC appliance.

OS

For the OS dimension, enter the following value:

Value	Type	Description
Examples: `MAC_OS`, `WINDOWS`	String	Operating system of the user device.

Record Type

For the Record Type dimension, enter the following value:

Value	Type	Description
`VPN_AI`	String	Indicates user events related to authentication.
`VPN_IF`	String	Indicates user events related to ICA file.
`VPN_ST`	String	Indicates user events related to session logout.

SSO-Authentication-Method

For the SSO-Authentication-Method dimension, enter the following value:

Value	Type	Description
`NSAUTH_BEARER`, `NSAUTH_FORM`, `NSAUTH_CITRIXAGBASIC`, `NSAUTH_NEGOTIATE`, `NSAUTH_NTLM`, or `NSAUTH_BASIC`.	String	Different methods of single sign-on authentication.

Server-IP

For the Server-IP dimension, enter the following value:

Value	Type	Description
Example: `10.xx.xxx.xx`	String	IP address of the back end server.

Server-Port

For the Server-Port dimension, enter the following value:

Value	Type	Description
Example: `47054`	Number	Port number of the back end server.

Session-State

For the Session-State dimension, enter the following value:

Value	Type	Description
`"Set Client State"`, `"Authorization State"`, `"SSO State"`, and `"Application Bandwidth Update"`	String	The VPN session state.

Note

Enclose the value within “” if the value contains spaces. Example: Session-State = "Set Client State".

Status-Code

For the Status-Code dimension, enter the following value:

Value	Type	Description
`"Successful login"`, `"Invalid credentials passed"`, `"Post auth failed and connection quarantined"`, `"Login not permitted"`, `"Maximum login failures reached"`	String	The VPN status code.

Note

Enclose the value within “” if the value contains spaces. Example: Session-Code = "Successful login".

User-Agent

For the User-Agent dimension, enter the following value:

Value	Type	Description
`IPHONE`, `IPAD`, or `WINPHONE`	String	The agent or the device used to access the VPN.

VPN-Session-ID

For the VPN-Session-ID dimension, enter the following value:

Value	Type	Description
`c2c290c61dfe4e07247bde1e22142a12`	String	Session ID assigned by the server for a user’s VPN session.

VPN-Session-Mode

For the VPN-Session-Mode dimension, enter the following value:

Value	Type	Description
`"Full Tunnel"`, `"ICA Proxy"`, or `Clientless`	String	Different modes of a user’s VPN session.

Note

Enclose the value within “” if the value contains spaces. Example: Session-Code = "Full Tunnel".

The official version of this content is in English. Some of the Cloud Software Group documentation content is machine translated for your convenience only. Cloud Software Group has no control over machine-translated content, which may contain errors, inaccuracies or unsuitable language. No warranty of any kind, either expressed or implied, is made as to the accuracy, reliability, suitability, or correctness of any translations made from the English original into any other language, or that your Cloud Software Group product or service conforms to any machine translated content, and any warranty provided under the applicable end user license agreement or terms of service, or any other agreement with Cloud Software Group, that the product or service conforms with any documentation shall not apply to the extent that such documentation has been machine translated. Cloud Software Group will not be held responsible for any damage or issues that may arise from using machine-translated content.

Was this helpful

Self-service search for Gateway

June 29, 2021

Contributed by:

M C

June 29, 2021

Contributed by:

M C

Self-service search for Gateway

Select the Gateway data source

Use the facets to filter events

Specify search query to filter events

Supported values for your search query

Access-Insight-Flags

Applications-Byte-Consumption

Authentication-Servers-IP

Authentication-Stage

Authentication-Type

Backend-Server-Name

Browser

City

Client-IP

Client-IP-Type

Client-Port

Country

Event-Type

Gateway-FQDN

Gateway-IP

Gateway-Port

Logout-Mode

NetScaler-IP

OS

Record Type

SSO-Authentication-Method

Server-IP

Server-Port

Session-State

Status-Code

User-Agent

VPN-Session-ID

VPN-Session-Mode

In this article