Citrix Application Delivery Management service

View application security violation details

Web applications that are exposed to the internet have become drastically more vulnerable to attacks. Citrix ADM enables you to visualize actionable violation details to protect applications from attacks. Navigate to Security > Security Violations for a single-pane solution to:

  • Access the application security violations by category, such as Network, Bot, and WAF

  • Take corrective actions to secure the applications

To view the security violations in Citrix ADM, ensure:

  • You have a premium license for the Citrix ADC instance (for WAF and BOT violations).

  • You have applied a license on the load balancing or content switching virtual servers (for WAF and BOT). For more information, see Manage licensing on virtual servers.

  • You have enabled the additional settings described in the Setting up section of this document.

Violation categories

Citrix ADM enables you to view the following violations:

| Network               | BOT                            | WAF                                  |
|-----------------------|--------------------------------|--------------------------------------|
| HTTP Slow Loris       | Excessive Client Connections   | Unusually High Upload Transactions   |
| DNS Slow Loris        | Account Takeover**             | Unusually High Download Transactions |
| HTTP Slow Post        | Unusually High Upload Volume   | Excessive Unique IPs                 |
| NXDomain Flood Attack | Unusually High Request Rate    | Excessive Unique IPs Per Geo         |
| HTTP desync attack    | Unusually High Download Volume |                                      |
| Bleichenbacher Attack | Website Scanners               |                                      |
| Segment smack Attack  |                                |                                      |
| Syn Flood Attack      |                                |                                      |
| Small Window Attack   |                                |                                      |

** - You must configure the account takeover setting in Citrix ADM. See the prerequisite mentioned in Account Takeover.

Apart from these violations, you can also view the following Security Insight and Bot Insight violations under WAF and Bot categories respectively:

| WAF                    | Bot                                        |
|------------------------|--------------------------------------------|
| Buffer Overflow        | Crawler                                    |
| Content Type           | Feed Fetcher                               |
| Cookie Consistency     | Link Checker                               |
| CSRF Form Tagging      | Marketing                                  |
| Deny URL               | Scraper                                    |
| Form Field Consistency | Screenshot Creator                         |
| Field Formats          | Search Engine                              |
| Maximum Uploads        | Service Agent                              |
| Referrer Header        | Site Monitor                               |
| Safe Commerce          | Speed Tester                               |
| Safe Object            | Tool                                       |
| HTML SQL Inject        | Uncategorized                              |
| Start URL              | Virus Scanner                              |
| XSS                    | Vulnerability Scanner                      |
| XML DoS                | DeviceFP Wait Exceeded                     |
| XML Format             | Invalid DeviceFP                           |
| XML WSI                | Invalid Captcha Response                   |
| XML SSL                | Captcha Attempts Exceeded                  |
| XML Attachment         | Valid Captcha Response                     |
| XML SOAP Fault         | Captcha Client Muted                       |
| XML Validation         | Captcha Wait Time Exceeded                 |
| Others                 | Request Size Limit Exceeded                |
| IP Reputation          | Rate Limit Exceeded                        |
| HTTP DOS               | BlackList (IP, subnet, policy expression)  |
| TCP Small Window       | WhiteList (IP, subnet, policy expression)  |
| Signature Violation    | Zero Pixel Request                         |
| File Upload Type       | Source IP                                  |
| JSON XSS               | Host                                       |
| JSON SQL               | Geo Location                               |
| JSON DOS               | URL                                        |
| Command Injection      |                                            |
| Infer Content Type XML |                                            |
| Cookie Hijack          |                                            |

Setting up

You must enable Advanced Security Analytics and set Web Transaction Settings to All to view the following violations in Citrix ADM:

  • Unusually High Upload Transactions (WAF)

  • Unusually High Download Transactions (WAF)

  • Excessive Unique IPs (WAF)

  • Account takeover (BOT)

For other violations, ensure that Metrics Collector is enabled. By default, Metrics Collector is enabled on the Citrix ADC instance. For more information, see Configure Intelligent App Analytics.

Enable Advanced Security Analytics

  1. Navigate to Networks > Instances > Citrix ADC, and select the instance type. For example, MPX.

  2. Select the Citrix ADC instance and from the Select Action list, select Configure Analytics.

  3. Select the virtual server and click Enable Analytics.

  4. On the Enable Analytics window:

    1. Select Web Insight. After you select Web Insight, the read-only Advanced Security Analytics option is enabled automatically.

      Note

      The Advanced Security Analytics option is displayed only for premium licensed ADC instances.

    2. Select Logstream as the Transport Mode.

    3. Leave the Expression as true, which is the default.

    4. Click OK.

Enable Web Transaction settings

  1. Navigate to Analytics > Settings.

    The Settings page is displayed.

  2. Click Enable Features for Analytics.

  3. Under Web Transaction Settings, select All.

  4. Click OK.

Security violations dashboard

In the security violations dashboard, you can view:

  • Total violations that occurred across all ADC instances and applications. The total violations are displayed based on the selected time duration.

  • Total violations under each category.

  • Total ADCs affected, total applications affected, and top violations based on the total occurrences and the affected applications.

Violation details

For each violation, Citrix ADM monitors the behavior for a specific time duration and detects violations for unusual behaviors. Click each tab to view the violation details. You can view details such as:

  • The total occurrences, last occurred, and total applications affected

  • Under event details, you can view:

    • The affected application. You can also select the application from the list if two or more applications are affected by violations.

    • The graph indicating violations.

      Drag and select on the graph that lists the violations to narrow down the violation search.

      Click Reset Zoom to reset the zoom result.

    • Recommended Actions that suggest how to troubleshoot the issue

    • Other violation details such as violation occurrence time and detection message