View application security violation details

Web applications that are exposed to the internet have become drastically more vulnerable to attacks. Citrix ADM enables you to visualize actionable violation details to protect applications from attacks. Navigate to Security > Security Violations for a single-pane solution to:

  • Access the application security violations based on their categories, such as Network, Bot, and WAF

  • Take corrective actions to secure the applications

To view the security violations in Citrix ADM, ensure:

  • You have a premium license for the Citrix ADC instance (for WAF and BOT violations).

  • You have applied a license on the load balancing or content switching virtual servers (for WAF and BOT). For more information, see Manage licensing on virtual servers.

  • You have enabled the additional settings. For more information, see the procedure in the Setting up section of this document.

Violation categories

Citrix ADM enables you to view the following violations:

| Network               | BOT                            | WAF                                  |
|-----------------------|--------------------------------|--------------------------------------|
| HTTP Slow Loris       | Excessive Client Connections   | Unusually High Upload Transactions   |
| DNS Slow Loris        | Account Takeover**             | Unusually High Download Transactions |
| HTTP Slow Post        | Unusually High Upload Volume   | Excessive Unique IPs                 |
| NXDomain Flood Attack | Unusually High Request Rate    | Excessive Unique IPs Per Geo         |
|                       | Unusually High Download Volume |                                      |

** - You must configure the account takeover setting in Citrix ADM. See the prerequisite mentioned in Account Takeover.

Setting up

You must enable Advanced Security Analytics and set Web Transaction Settings to All to view the following violations in Citrix ADM:

  • Unusually High Upload Transactions (WAF)

  • Unusually High Download Transactions (WAF)

  • Excessive Unique IPs (WAF)

  • Account takeover (BOT)

For other violations, ensure that Metrics Collector is enabled. By default, Metrics Collector is enabled on the Citrix ADC instance. For more information, see Configure Intelligent App Analytics.

Enable Advanced Security Analytics

  1. Navigate to Networks > Instances > Citrix ADC, and select the instance type. For example, MPX.

  2. Select the Citrix ADC instance and from the Select Action list, select Configure Analytics.

  3. Select the virtual server and click Enable Analytics.

  4. On the Enable Analytics window:

    1. Select Web Insight. After you select Web Insight, the read-only Advanced Security Analytics option is enabled automatically.


      The Advanced Security Analytics option is displayed only for premium licensed ADC instances.

    2. Select Logstream as Transport Mode

    3. The Expression is true by default

    4. Click OK

Enable Web Transaction settings

  1. Navigate to Analytics > Settings.

    The Settings page is displayed.

  2. Click Enable Features for Analytics.

  3. Under Web Transaction Settings, select All.


  4. Click Ok.

Security violations dashboard

In the security violations dashboard, you can view:

  • Total violations that occurred across all ADC instances and applications. The total violations are displayed based on the selected time duration.

  • Total violations under each category.

  • Total ADCs affected, total applications affected, and top violations based on the total occurrences and the affected applications.

Violation details

For each violation, Citrix ADM monitors the behavior for a specific time duration and detects violations for unusual behaviors. Click each tab to view the violation details. You can view details such as:

  • The total occurrences, last occurred, and total applications affected

  • Under event details, you can view:

    • The affected application. You can also select the application from the list if two or more applications are affected by violations.

    • The graph indicating violations.

      Drag and select on the graph that lists the violations to narrow down the violation search.

      Click Reset Zoom to reset the zoom result.

    • Recommended Actions that suggest how to troubleshoot the issue

    • Other violation details such as violation occurrence time and detection message