Self-service search for Gateway
Use the self-service search feature to get insights into the user events received from the Citrix Gateway data source. When users access their network resources such as file servers, applications, websites through Citrix Gateway, events such as authentication stage, authorization type, and VPN session code are generated for each user connection. Citrix Analytics for Security receives these events and displays them on the self-service search page. You can view the users and their access details.
For more information on the search functionalities, see Self-service search.
Select the Gateway data source
To view the Gateway events, in the search box, select Gateway from the list. Select the time period for which you want to view the events and then click Search.
By default, the self-service page displays the events for the last one month. The page also provides you with several facets and a search box to filter and focus on the required events.
Alternatively, you can access the Self-service search for Gateway page from the Security > Users > Access Summary dashboard. In successful login scenarios, you can access the data by the status code. For more information, see the Access Summary dashboard.
Use the facets to filter events
The facets are categorized based on the events received from your data source. Use the following facets to filter your events:
Authentication Stage- Search events based on different stages of client authentication such as primary, secondary, and tertiary.
Authentication Type- Search events based on the client authentication types such as Local, RADIUS, LDAP, TACACS, client certificate authentication including smart card authentication.
Device Agent- Search events based on the client devices such as iPhone, iPad, Windows Mobile.
Event Type- Search events based on the types of VPN records. Following VPN record types are available:
Record type Record name VPN_AI Authentication record VPN_SU Session Update record VPN_ST Session Logout record VPN_AF Application Launch Failure record
Browser- Search events based on the browsers such as Internet Explorer, Chrome, Firefox, Safari.
OS- Search events based on the client operating systems such as Windows, Mac, Linux, Android, iOS.
Status Code- Search events based on the VPN status codes such as SSL redirect response failure, authorization failure, single sign-on failed.
Session State- Search events based on the VPN session states such as client state, authorization state, SSO state, application bandwidth update.
Session Mode- Search events based on the VPN session modes such as Full tunnel, ICA Proxy, Clientless.
SSO Authentication Method- Search events based on different methods of single sign-on authentication such as basic, digest, NTLM, Kerberos, AG basic, form-based SSO.
Logout Mode- Search events based on the VPN logout modes such as internal error logout, session time-out logout, user-initiated logout, administrator terminated session.
For example, you want to view the events where LDAP is used as the primary authentication type. Select Primary in the Authentication Stage facet and select LDAP in the Authentication Type facet. Select the time period and click Search to view the events.
Specify search query to filter events
Place your cursor in the search box to view the list of dimensions for the Gateway events. Use the dimensions to specify your query and search for the required events.
You can also use the operators in your search query to expand your search criteria and get the required result.
For example, you want to view the events for a user “ns133” where the VPN status code is “successful login”.
Enter “user” in the search box to choose the related dimension.
Select User-Name and enter the value “ns133” using the equal operator.
Select the AND operator and then select the Status Code dimension. Enter the string “Successful login” for Status Code using the equal operator.
To identify the possible string values for Status Code, expand the Status Code filter list and use the filter name as the string in your search query.
Select the time period and click Search to view the events on the DATA table.