The All Violations page displays the application security violation details based on the Network, WAF, and Bot categories. To view the security violations in Citrix ADM, ensure:
You have a premium license for the Citrix ADC instance (for WAF and BOT violations).
You have applied license on the load balancing or content switching virtual servers (for WAF and BOT). For more information, see Manage licensing on virtual servers.
You enable more settings. For more information, see the procedure available at Setting up.
Citrix ADM enables you to view the following violations. Under Violation Details, you can click each violation tab to view the violation details.
|HTTP Slow Loris||Unusually High Upload Transactions||Excessive Client Connections|
|DNS Slow Loris||Unusually High Download Transactions||Account Takeover|
|HTTP Slow Post||Excessive Unique IPs||Unusually High Upload Volume|
|NXDomain Flood Attack||Excessive Unique IPs Per Geo||Unusually High Request Rate|
|HTTP desync attack||Cookie Hijack||Unusually High Download Volume|
|Bleichenbacher Attack||Infer Content Type XML||Website Scanners|
|Segment smack Attack||Buffer Overflow||Account Takeover for Citrix Gateway|
|SYN Flood Attack||Content Type||API Abuse|
|Small Window Attack||Cookie Consistency||Content Scapers|
|CSRF Form Tagging||Keystroke and mouse dynamics based bot detection|
|Form Field Consistency||Screenshot Creator|
|Field Formats||Search Engine|
|Maximum Uploads||Service Agent|
|Referrer Header||Site Monitor|
|Safe Commerce||Speed Tester|
|HTML SQL Inject||Uncategorized|
|Start URL||Virus Scanner|
|Cross-site scripting||Vulnerability Scanner|
|XML DoS||DeviceFP Wait Exceeded|
|XML Format||Invalid DeviceFP|
|XML WSI||Invalid Captcha Response|
|XML SSL||Captcha Attempts Exceeded|
|XML Attachment||Valid Captcha Response|
|XML SOAP Fault||Captcha Client Muted|
|XML Validation||Captcha Wait Time Exceeded|
|Others||Request Size Limit Exceeded|
|IP Reputation||Rate Limit Exceeded|
|HTTP DOS||Block list (IP, subnet, policy expression)|
|TCP Small Window||Allow list (IP, subnet, policy expression)|
|Signature Violation||Zero Pixel Request|
|File Upload Type||Source IP|
|JSON cross-site scripting||Host|
|JSON SQL||Geo Location|
To view the Account Takeover, Website Scanners, and Content Scrapers violations, you must configure the settings in Citrix ADM. See the prerequisite mentioned in the violation details page.
Security violations dashboard
In the security violations dashboard, you can view:
Total violations occurred across all ADC instances and applications. The total violations are displayed based on the selected time duration.
Total violations under each category.
Total ADCs affected, total applications affected, and top violations based on the total occurrences and the affected applications.
For each violation, Citrix ADM monitors the behavior for a specific time duration and detects violations for unusual behaviors. Click each tab to view the violation details. You can view details such as:
The total occurrences, last occurred, and total applications affected
Under event details, you can view:
The affected application. You can also select the application from the list if two or more applications are affected with violations.
The graph indicating violations.
Drag and select on the graph that lists the violations to narrow down the violation search.
Drag and select on graph Search result
Click Reset Zoom to reset the zoom result
Recommended Actions that suggest you troubleshoot the issue
Other violation details such as violence occurrence time and detection message
Behavior checks with no violations
Apart from violation details, you can visualize a 3-week traffic prediction based on the machine learning algorithm. As an administrator, this 3-week prediction enables you to:
Analyze the traffic pattern even if no violations are observed
Take troubleshooting actions for any unusual traffic patterns observed from the predictions
Observe that Citrix ADM is processing data, apart from the anomalies
In the Security Violations page, click the Behavior checks with no violation tab to view the 3-week traffic prediction.
The security violations are displayed. Consider that you want to view the traffic prediction for Excessive Unique IPs Per Geo.
From the example image, you can view:
Expected Unique IP Range – Citrix ADM has predicted the expected IP range based on the traffic pattern
Unique IP – Citrix ADM has predicted about 1970 unique IPs that will be transacting with the app from Malaysia
Using this data, you can proactively take precautionary steps to avoid these excessive unique IPs.
If Citrix ADM does not have any predictions for a security violation, you can view the following message:
See the Setting Up topic to ensure if all the required settings are enabled to view the app security violation details.