Citrix Analytics for Security

Self-service search for Gateway

Use the self-service search feature to get insights into the user events received from the Citrix Gateway data source. When users access network resources such as file servers, applications, and websites through Citrix Gateway, events are generated for each user connection. Examples of user event attributes are authentication stage, authorization type, and VPN session code. Citrix Analytics for Security receives these events and displays them on the self-service search page. You can view the users and their access details.

For more information on the search functionalities, see Self-service search.

Select the Gateway data source

To view the Gateway events, select Gateway from the list. By default, the self-service page displays the events for the last day. You can also select the time period for which you want to view the events.

Note

Alternatively, you can access the Self-service search for Gateway page from the Security > Users > Access Summary dashboard. In successful login scenarios, you can access the data by the status code. For more information, see the Access Summary dashboard.

Use the facets to filter events

The facets are categorized based on the events received from your data source. Use the following facets to filter your events:

  • Authentication Stage - Search events based on the different stages of client authentication, such as primary, secondary, and tertiary.

  • Authentication Type - Search events based on the client authentication types, such as Local, RADIUS, LDAP, TACACS, and client certificate authentication, including smart card authentication.

  • Device Agent - Search events based on the client devices, such as iPhone, iPad, and Windows Mobile.

  • Record Type - Search events based on the types of VPN records. The following VPN record types are available:

    Record type | Description
    VPN_AI | Filters user events related to authentication.
    VPN_IF | Filters user events related to ICA file.
    VPN_ST | Filters user events related to session logout.

  • Browser - Search events based on the browsers, such as Internet Explorer, Chrome, Firefox, and Safari.

  • OS - Search events based on the client operating systems, such as Windows, Mac, Linux, Android, and iOS.

  • Status Code - Search events based on the VPN status codes, such as SSL redirect response failure, authorization failure, and single sign-on failed.

  • Session State - Search events based on the VPN session states, such as client state, authorization state, SSO state, and application bandwidth update.

  • Session Mode - Search events based on the VPN session modes, such as Full tunnel, ICA Proxy, and Clientless.

  • SSO Authentication Method - Search events based on the different methods of single sign-on authentication, such as basic, digest, NTLM, Kerberos, AG basic, and form-based SSO.

  • Logout Mode - Search events based on the VPN logout modes, such as internal error logout, session time-out logout, user-initiated logout, and administrator terminated session.

Specify search query to filter events

Place your cursor in the search box to view the list of dimensions for the Gateway events. Use the dimensions and the operators to specify your query and search for the required events.

For example, suppose you want to view the events for a user “ns133” where the VPN status code is “successful login”.

  1. Enter “user” in the search box to choose the related dimension.

  2. Select User-Name and enter the value “ns133” using the equal operator.

  3. Select the AND operator and then select the Status Code dimension. Enter the string “Successful login” for Status Code using the equal operator.

    To identify the possible string values for Status Code, expand the Status Code filter list and use the filter name as the string in your search query.

  4. Select the time period and click Search to view the events on the DATA table.
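The walkthrough above, together with the value rules in the Notes further down this page (quote values that contain spaces, lowercase Client-IP-Type, numeric port dimensions), can be captured in a small query builder. This is an added example, not Citrix code: the function names `term` and `build_query` are hypothetical, and refusing embedded double quotes is this example's own assumption because the page documents no escape syntax.

```python
# Added example: compose self-service search queries for the Gateway data
# source using only what this page documents ("=" terms joined by AND).

# Dimensions the page types as Number.
NUMERIC = {"Applications-Byte-Consumption", "Client-Port", "Server-Port"}

# Closed value lists copied from this page. The page states case sensitivity
# only for Client-IP-Type; exact matching for the others is an assumption.
ALLOWED = {
    "Client-IP-Type": {"public", "private"},
    "Authentication-Stage": {"Primary", "Secondary", "Tertiary"},
    "Logout-Mode": {"Internal error", "Inactive time out",
                    "User initiated logout", "Administrator killed session"},
}


def term(dimension, value):
    """Render one `Dimension = value` term, applying the page's value rules."""
    text = str(value)
    if not text.strip() or '"' in text:
        # Assumption: no escape syntax is documented, so refuse these values.
        raise ValueError(f"unsupported value for {dimension}: {text!r}")
    if dimension in NUMERIC and not (text.isascii() and text.isdigit()):
        raise ValueError(f"{dimension} expects a number, got {text!r}")
    if dimension in ALLOWED and text not in ALLOWED[dimension]:
        raise ValueError(f"{text!r} is not a listed value for {dimension}")
    # Page rule: enclose the value in quotes when it contains spaces.
    return f'{dimension} = "{text}"' if " " in text else f"{dimension} = {text}"


def build_query(*terms):
    """Join (dimension, value) pairs with the AND operator."""
    if not terms:
        raise ValueError("at least one term is required")
    return " AND ".join(term(d, v) for d, v in terms)


if __name__ == "__main__":
    # The walkthrough's query: user ns133 with a successful login.
    print(build_query(("User-Name", "ns133"),
                      ("Status-Code", "Successful login")))
    # A triage query: rejected credentials arriving from public addresses.
    print(build_query(("Status-Code", "Invalid credentials passed"),
                      ("Client-IP-Type", "public")))
```

Validating before pasting catches the silent-miss cases, such as `Client-IP-Type = Public`, where a wrongly cased value would return no events rather than an error.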

Supported values for your search query

Enter the following values for the dimensions to define your search query.

Access-Insight-Flags

Indicates the VPN session states. Enter one of the following flag values:

VPN session state | Flag value
Pre-authentication | 2
Last or final state of nFactor (multi-factor) authentication | 1
Post authentication | 4

Note

This flag is applicable only for the preceding VPN session states for the authentication events. For all other events, the flag value is zero.

Applications-Byte-Consumption

For the Applications-Byte-Consumption dimension, enter the following value:

Value | Type | Description
Examples: 40, 100 | Number | Data (in Bytes) consumed by the application that you are using.

Authentication-Servers-IP

For the Authentication-Servers-IP dimension, enter the following value:

Value | Type | Description
Example: 10.xxx.xx.xx | String | IP address of the authentication server.

Authentication-Stage

For the Authentication-Stage dimension, enter the following value:

Value | Type | Description
Primary, Secondary, or Tertiary | String | Different stages of client authentication.

Authentication-Type

For the Authentication-Type dimension, enter the following value:

Value | Type | Description
LDAP, SAML, Local, Radius, TACACS, SAMLIDP, or OTP. | String | Authenticate your users through one of the available methods.

Backend-Server-Name

For the Backend-Server-Name dimension, enter the following value:

Value | Type | Description
Example: 10.xxx.xxx.xx | String | IP address of the back end server.

Browser

For the Browser dimension, enter the following value:

Value | Type | Description
PN Agent, Edge, Firefox, Chrome, or Safari. | String | Browser used.

City

For the City dimension, enter the following value:

Value | Type | Description
Examples: Boston, Beijing | String | City from where the user has logged on.

Client-IP

For the Client-IP dimension, enter the following value:

Value | Type | Description
Example: 10.xxx.xxx.xx | String | IP address of the user device.

Client-IP-Type

For the Client-IP-Type dimension, enter the following value:

Value | Type | Description
public, private | String | Indicates whether the user IP address is public or private.

Note

The values are case-sensitive. Enter the values in lower case.

Client-Port

For the Client-Port dimension, enter the following value:

Value | Type | Description
Example: 45334 | Number | Port number of the user device.

Country

For the Country dimension, enter the following value:

Value | Type | Description
Examples: United States, India | String | Country from where the user has logged on.

Note

Enclose the value within “” if the value contains spaces. Example: Country = “United States”.

Event-Type

For the Event-Type dimension, enter the following value:

Value | Type | Description
Authentication, ICA file, Session logout | String | Type of user events.

Gateway-FQDN

For the Gateway-FQDN dimension, enter the following value:

Value | Type | Description
Example: Gateway-test | String | Domain name of your Citrix Gateway.

Gateway-IP

For the Gateway-IP dimension, enter the following value:

Value | Type | Description
Example: 10.xxx.xxx.xx | String | IP address of your Citrix Gateway.

Gateway-Port

For the Gateway-Port dimension, enter the following value:

Value | Type | Description
Example: 443 | String | Port number of your Citrix Gateway.

Logout-Mode

For the Logout-Mode dimension, enter the following value:

Value | Type | Description
"Internal error", "Inactive time out", "User initiated logout", or "Administrator killed session". | String | Reason for timeout or termination of VPN session.

Note

Enclose the value within “” if the value contains spaces. Example: Logout-Mode = "Internal error".

NetScaler-IP

For the NetScaler-IP dimension, enter the following value:

Value | Type | Description
Example: 10.xxx.xx.xx | String | IP address of your Citrix ADC appliance.

OS

For the OS dimension, enter the following value:

Value | Type | Description
Examples: MAC_OS, WINDOWS | String | Operating system of the user device.

Record Type

For the Record Type dimension, enter the following value:

Value | Type | Description
VPN_AI | String | Indicates user events related to authentication.
VPN_IF | String | Indicates user events related to ICA file.
VPN_ST | String | Indicates user events related to session logout.

SSO-Authentication-Method

For the SSO-Authentication-Method dimension, enter the following value:

Value | Type | Description
NSAUTH_BEARER, NSAUTH_FORM, NSAUTH_CITRIXAGBASIC, NSAUTH_NEGOTIATE, NSAUTH_NTLM, or NSAUTH_BASIC. | String | Different methods of single sign-on authentication.

Server-IP

For the Server-IP dimension, enter the following value:

Value | Type | Description
Example: 10.xx.xxx.xx | String | IP address of the back end server.

Server-Port

For the Server-Port dimension, enter the following value:

Value | Type | Description
Example: 47054 | Number | Port number of the back end server.

Session-State

For the Session-State dimension, enter the following value:

Value | Type | Description
"Set Client State", "Authorization State", "SSO State", and "Application Bandwidth Update" | String | The VPN session state.

Note

Enclose the value within “” if the value contains spaces. Example: Session-State = "Set Client State".

Status-Code

For the Status-Code dimension, enter the following value:

Value | Type | Description
"Successful login", "Invalid credentials passed", "Post auth failed and connection quarantined", "Login not permitted", "Maximum login failures reached" | String | The VPN status code.

Note

Enclose the value within “” if the value contains spaces. Example: Status-Code = "Successful login".

User-Agent

For the User-Agent dimension, enter the following value:

Value | Type | Description
IPHONE, IPAD, or WINPHONE | String | The agent or the device used to access the VPN.

VPN-Session-ID

For the VPN-Session-ID dimension, enter the following value:

Value | Type | Description
c2c290c61dfe4e07247bde1e22142a12 | String | Session ID assigned by the server for a user’s VPN session.

VPN-Session-Mode

For the VPN-Session-Mode dimension, enter the following value:

Value | Type | Description
"Full Tunnel", "ICA Proxy", or Clientless | String | Different modes of a user’s VPN session.

Note

Enclose the value within “” if the value contains spaces. Example: VPN-Session-Mode = "Full Tunnel".
