Citrix Application Delivery Management service

All Violations

The All Violations page displays the application security violation details based on the Network, WAF, and Bot categories. To view the security violations in Citrix ADM, ensure:

  • You have a premium license for the Citrix ADC instance (for WAF and BOT violations).

  • You have applied license on the load balancing or content switching virtual servers (for WAF and BOT). For more information, see Manage licensing on virtual servers.

  • You enable more settings. For more information, see the procedure available at Setting up.

Violation categories

Citrix ADM enables you to view the following violations. Under Violation Details, you can click each violation tab to view the violation details.

Network WAF Bot
HTTP Slow Loris Unusually High Upload Transactions Excessive Client Connections
DNS Slow Loris Unusually High Download Transactions Account Takeover
HTTP Slow Post Excessive Unique IPs Unusually High Upload Volume
NXDomain Flood Attack Excessive Unique IPs Per Geo Unusually High Request Rate
HTTP desync attack Cookie Hijack Unusually High Download Volume
Bleichenbacher Attack Infer Content Type XML Website Scanners
Segment smack Attack Buffer Overflow Account Takeover for Citrix Gateway
SYN Flood Attack Content Type API Abuse
Small Window Attack Cookie Consistency Content Scapers
  CSRF Form Tagging Keystroke and mouse dynamics based bot detection
  Deny URL Scraper
  Form Field Consistency Screenshot Creator
  Field Formats Search Engine
  Maximum Uploads Service Agent
  Referrer Header Site Monitor
  Safe Commerce Speed Tester
  Safe Object Tool
  HTML SQL Inject Uncategorized
  Start URL Virus Scanner
  Cross-site scripting Vulnerability Scanner
  XML DoS DeviceFP Wait Exceeded
  XML Format Invalid DeviceFP
  XML WSI Invalid Captcha Response
  XML SSL Captcha Attempts Exceeded
  XML Attachment Valid Captcha Response
  XML SOAP Fault Captcha Client Muted
  XML Validation Captcha Wait Time Exceeded
  Others Request Size Limit Exceeded
  IP Reputation Rate Limit Exceeded
  HTTP DOS Block list (IP, subnet, policy expression)
  TCP Small Window Allow list (IP, subnet, policy expression)
  Signature Violation Zero Pixel Request
  File Upload Type Source IP
  JSON cross-site scripting Host
  JSON SQL Geo Location
  JSON DOS URL
  Command Injection Crawler
    Feed Fetcher
    Link Checker
    Marketing

Note

To view the Account Takeover, Website Scanners, and Content Scrapers violations, you must configure the settings in Citrix ADM. See the prerequisite mentioned in the violation details page.

Security violations dashboard

In the security violations dashboard, you can view:

  • Total violations occurred across all ADC instances and applications. The total violations are displayed based on the selected time duration.

    Total violations

  • Total violations under each category.

    Total violations

  • Total ADCs affected, total applications affected, and top violations based on the total occurrences and the affected applications.

    Affected violations

Violation details

For each violation, Citrix ADM monitors the behavior for a specific time duration and detects violations for unusual behaviors. Click each tab to view the violation details. You can view details such as:

  • The total occurrences, last occurred, and total applications affected

  • Under event details, you can view:

    • The affected application. You can also select the application from the list if two or more applications are affected with violations.

    • The graph indicating violations.

      Drag and select on the graph that lists the violations to narrow down the violation search.

      Drag and select on graph Search result
      Drag and select Search result

      Click Reset Zoom to reset the zoom result

    • Recommended Actions that suggest you troubleshoot the issue

    • Other violation details such as violence occurrence time and detection message

Behavior checks with no violations

Apart from violation details, you can visualize a 3-week traffic prediction based on the machine learning algorithm. As an administrator, this 3-week prediction enables you to:

  • Analyze the traffic pattern even if no violations are observed

  • Take troubleshooting actions for any unusual traffic patterns observed from the predictions

  • Observe that Citrix ADM is processing data, apart from the anomalies

In the Security Violations page, click the Behavior checks with no violation tab to view the 3-week traffic prediction.

No violation

The security violations are displayed. Consider that you want to view the traffic prediction for Excessive Unique IPs Per Geo.

Prediction example

From the example image, you can view:

  • Expected Unique IP Range – Citrix ADM has predicted the expected IP range based on the traffic pattern

  • Unique IP – Citrix ADM has predicted about 1970 unique IPs that will be transacting with the app from Malaysia

Using this data, you can proactively take precautionary steps to avoid these excessive unique IPs.

If Citrix ADM does not have any predictions for a security violation, you can view the following message:

Prediction message

See the Setting Up topic to ensure if all the required settings are enabled to view the app security violation details.

All Violations