Citrix Analytics for Security

Self-service search for Gateway

Use the self-service search feature to get insights into the user events received from the Citrix Gateway data source. When users access network resources such as file servers, applications, and websites through Citrix Gateway, events such as authentication stage, authorization type, and VPN session code are generated for each user connection. Citrix Analytics for Security receives these events and displays them on the self-service search page, where you can view the users and their access details.

For more information on the search functionalities, see Self-service search.

Select the Gateway data source

To view the Gateway events, select Gateway from the list in the search box. Select the time period for which you want to view the events and then click Search.

Select gateway data

By default, the self-service page displays the events for the last month. The page also provides several facets and a search box to filter and focus on the required events.

Gateway overview page


Alternatively, you can access the Self-service search for Gateway page from the Security > Users > Access Summary dashboard. In successful login scenarios, you can access the data by the status code. For more information, see the Access Summary dashboard.

Use the facets to filter events

The facets are categorized based on the events received from your data source. Use the following facets to filter your events:

Gateway facets

  • Authentication Stage - Search events based on different stages of client authentication such as primary, secondary, and tertiary.

  • Authentication Type - Search events based on the client authentication types such as Local, RADIUS, LDAP, TACACS, and client certificate authentication (including smart card authentication).

  • Device Agent - Search events based on the client devices such as iPhone, iPad, and Windows Mobile.

  • Event Type - Search events based on the types of VPN records. The following VPN record types are available:

    Record type    Record name
    VPN_AI         Authentication record
    VPN_SU         Session Update record
    VPN_ST         Session Logout record
    VPN_AF         Application Launch Failure record

  • Browser - Search events based on the browsers such as Internet Explorer, Chrome, Firefox, and Safari.

  • OS - Search events based on the client operating systems such as Windows, Mac, Linux, Android, and iOS.

  • Status Code - Search events based on the VPN status codes such as SSL redirect response failure, authorization failure, and single sign-on failed.

  • Session State - Search events based on the VPN session states such as client state, authorization state, SSO state, and application bandwidth update.

  • Session Mode - Search events based on the VPN session modes such as Full tunnel, ICA Proxy, and Clientless.

  • SSO Authentication Method - Search events based on different methods of single sign-on authentication such as basic, digest, NTLM, Kerberos, AG basic, and form-based SSO.

  • Logout Mode - Search events based on the VPN logout modes such as internal error logout, session time-out logout, user-initiated logout, and administrator terminated session.

The following figure shows the user events where the client authentication stage is primary and the record type is authentication.

Gateway facet selection

Specify search query to filter events

Place your cursor in the search box to view the list of dimensions for the Gateway events. Use the dimensions and the operators to specify your query and search for the required events.

Gateway dimension list

For example, suppose you want to view the events for a user “ns133” where the VPN status code is “successful login”.

  1. Enter “user” in the search box to choose the related dimension.

    Gateway search query 1

  2. Select User-Name and enter the value “ns133” using the equal operator.

    Gateway search query 2

    Gateway search query 3

  3. Select the AND operator and then select the Status Code dimension. Enter the string “Successful login” for Status Code using the equal operator.

    Gateway search query 4

    To identify the possible string values for Status Code, expand the Status Code filter list and use the filter name as the string in your search query.

    Status code values

  4. Select the time period and click Search to view the events on the DATA table.

Self-service search for Gateway