Self-service search for Gateway
Use the self-service search feature to get insights into the user events received from the Citrix Gateway data source. When users access their network resources such as file servers, applications, and websites through Citrix Gateway, events are generated for each user connection. Examples of user events are authentication stage, authorization type, and VPN session code. Citrix Analytics for Security receives these events and displays them on the self-service search page. You can view the users and their access details.
For more information on the search functionalities, see Self-service search.
Select the Gateway data source
To view the Gateway events, select Gateway from the list. By default, the self-service page displays the events for the last one day. You can also select the time period for which you want to view the events.
Note
Alternatively, you can access the Self-service search for Gateway page from the Security > Users > Access Summary dashboard. In successful login scenarios, you can access the data by the status code. For more information, see the Access Summary dashboard.
Use the facets to filter events
The facets are categorized based on the events received from your data source. Use the following facets to filter your events:
- Authentication Stage: Search events based on different stages of client authentication such as primary, secondary, and tertiary.
- Authentication Type: Search events based on the client authentication types such as Local, RADIUS, LDAP, TACACS, client certificate authentication including smart card authentication.
- Device Agent: Search events based on the client devices such as iPhone, iPad, Windows Mobile.
- Record Type: Search events based on the types of VPN records. The following VPN record types are available:

  Record type | Description |
  ---|---|
  VPN_AI | Filters user events related to authentication. |
  VPN_IF | Filters user events related to ICA file. |
  VPN_ST | Filters user events related to session logout. |

- Browser: Search events based on the browsers such as Internet Explorer, Chrome, Firefox, Safari.
- OS: Search events based on the client operating systems such as Windows, Mac, Linux, Android, iOS.
- Status Code: Search events based on the VPN status codes such as SSL redirect response failure, authorization failure, single sign-on failed.
- Session State: Search events based on the VPN session states such as client state, authorization state, SSO state, application bandwidth update.
- Session Mode: Search events based on the VPN session modes such as Full tunnel, ICA Proxy, Clientless.
- SSO Authentication Method: Search events based on different methods of single sign-on authentication such as basic, digest, NTLM, Kerberos, AG basic, form-based SSO.
- Logout Mode: Search events based on the VPN logout modes such as internal error logout, session time-out logout, user-initiated logout, administrator terminated session.
Specify search query to filter events
Place your cursor in the search box to view the list of dimensions for the Gateway events. Use the dimensions and the operators to specify your query and search for the required events.
For example, to view the events for a user “ns133” where the VPN status code is “successful login”:
- Enter “user” in the search box to choose the related dimension.
- Select User-Name and enter the value “ns133” using the equal operator.
- Select the AND operator and then select the Status Code dimension. Enter the string “Successful login” for Status Code using the equal operator.
  To identify the possible string values for Status Code, expand the Status Code filter list and use the filter name as the string in your search query.
- Select the time period and click Search to view the events on the DATA table.
Supported values for your search query
Enter the following values for the dimensions to define your search query.
Access-Insight-Flags
Indicates the VPN session states. Enter one of the following flag values:
VPN session state | Flag value |
---|---|
Pre-authentication | 2 |
Last or final state of nFactor (multi-factor) authentication | 1 |
Post authentication | 4 |
Note
This flag is applicable only for the preceding VPN session states for the authentication events. For all other events, the flag value is zero.
Applications-Byte-Consumption
For the Applications-Byte-Consumption dimension, enter the following value:
Value | Type | Description |
---|---|---|
Examples: 40, 100 | Number | Data (in Bytes) consumed by the application that you are using. |
Authentication-Servers-IP
For the Authentication-Servers-IP dimension, enter the following value:
Value | Type | Description |
---|---|---|
Example: 10.xxx.xx.xx | String | IP address of the authentication server. |
Authentication-Stage
For the Authentication-Stage dimension, enter the following value:
Value | Type | Description |
---|---|---|
Primary, Secondary, or Tertiary | String | Different stages of client authentication. |
Authentication-Type
For the Authentication-Type dimension, enter the following value:
Value | Type | Description |
---|---|---|
LDAP, SAML, Local, Radius, TACACS, SAMLIDP, or OTP | String | Authenticate your users through one of the available methods. |
Backend-Server-Name
For the Backend-Server-Name dimension, enter the following value:
Value | Type | Description |
---|---|---|
Example: 10.xxx.xxx.xx | String | IP address of the back end server. |
Browser
For the Browser dimension, enter the following value:
Value | Type | Description |
---|---|---|
PN Agent, Edge, Firefox, Chrome, or Safari | String | Browser used. |
City
For the City dimension, enter the following value:
Value | Type | Description |
---|---|---|
Examples: Boston, Beijing | String | City from where the user has logged on. |
Client-IP
For the Client-IP dimension, enter the following value:
Value | Type | Description |
---|---|---|
Example: 10.xxx.xxx.xx | String | IP address of the user device. |
Client-IP-Type
For the Client-IP-Type dimension, enter the following value:
Value | Type | Description |
---|---|---|
public, private | String | Indicates whether the user IP address is public or private. |
Note
The values are case-sensitive. Enter the values in lower case.
Client-Port
For the Client-Port dimension, enter the following value:
Value | Type | Description |
---|---|---|
Example: 45334 | Number | Port number of the user device. |
Country
For the Country dimension, enter the following value:
Value | Type | Description |
---|---|---|
Examples: United States, India | String | Country from where the user has logged on. |
Note
Enclose the value within “” if the value contains spaces. Example: Country = “United States”.
Event-Type
For the Event-Type dimension, enter the following value:
Value | Type | Description |
---|---|---|
Authentication, ICA file, Session logout | String | Type of user events. |
Gateway-FQDN
For the Gateway-FQDN dimension, enter the following value:
Value | Type | Description |
---|---|---|
Example: Gateway-test | String | Domain name of your Citrix Gateway. |
Gateway-IP
For the Gateway-IP dimension, enter the following value:
Value | Type | Description |
---|---|---|
Example: 10.xxx.xxx.xx | String | IP address of your Citrix Gateway. |
Gateway-Port
For the Gateway-Port dimension, enter the following value:
Value | Type | Description |
---|---|---|
Example: 443 | String | Port number of your Citrix Gateway. |
Logout-Mode
For the Logout-Mode dimension, enter the following value:
Value | Type | Description |
---|---|---|
"Internal error", "Inactive time out", "User initiated logout", or "Administrator killed session" | String | Reason for timeout or termination of VPN session. |
Note
Enclose the value within “” if the value contains spaces. Example: Logout-Mode = "Internal error".
NetScaler-IP
For the NetScaler-IP dimension, enter the following value:
Value | Type | Description |
---|---|---|
Example: 10.xxx.xx.xx | String | IP address of your Citrix ADC appliance. |
OS
For the OS dimension, enter the following value:
Value | Type | Description |
---|---|---|
Examples: MAC_OS, WINDOWS | String | Operating system of the user device. |
Record Type
For the Record Type dimension, enter the following value:
Value | Type | Description |
---|---|---|
VPN_AI | String | Indicates user events related to authentication. |
VPN_IF | String | Indicates user events related to ICA file. |
VPN_ST | String | Indicates user events related to session logout. |
SSO-Authentication-Method
For the SSO-Authentication-Method dimension, enter the following value:
Value | Type | Description |
---|---|---|
NSAUTH_BEARER, NSAUTH_FORM, NSAUTH_CITRIXAGBASIC, NSAUTH_NEGOTIATE, NSAUTH_NTLM, or NSAUTH_BASIC | String | Different methods of single sign-on authentication. |
Server-IP
For the Server-IP dimension, enter the following value:
Value | Type | Description |
---|---|---|
Example: 10.xx.xxx.xx | String | IP address of the back end server. |
Server-Port
For the Server-Port dimension, enter the following value:
Value | Type | Description |
---|---|---|
Example: 47054 | Number | Port number of the back end server. |
Session-State
For the Session-State dimension, enter the following value:
Value | Type | Description |
---|---|---|
"Set Client State", "Authorization State", "SSO State", and "Application Bandwidth Update" | String | The VPN session state. |
Note
Enclose the value within “” if the value contains spaces. Example: Session-State = "Set Client State".
Status-Code
For the Status-Code dimension, enter the following value:
Value | Type | Description |
---|---|---|
"Successful login", "Invalid credentials passed", "Post auth failed and connection quarantined", "Login not permitted", "Maximum login failures reached" | String | The VPN status code. |
Note
Enclose the value within “” if the value contains spaces. Example: Session-Code = "Successful login".
User-Agent
For the User-Agent dimension, enter the following value:
Value | Type | Description |
---|---|---|
IPHONE, IPAD, or WINPHONE | String | The agent or the device used to access the VPN. |
VPN-Session-ID
For the VPN-Session-ID dimension, enter the following value:
Value | Type | Description |
---|---|---|
c2c290c61dfe4e07247bde1e22142a12 | String | Session ID assigned by the server for a user’s VPN session. |
VPN-Session-Mode
For the VPN-Session-Mode dimension, enter the following value:
Value | Type | Description |
---|---|---|
"Full Tunnel", "ICA Proxy", or Clientless | String | Different modes of a user’s VPN session. |
Note
Enclose the value within “” if the value contains spaces. Example: Session-Code = "Full Tunnel".
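The query walkthrough and the value tables above can be combined into a small helper that composes a query string and rejects values the tables do not allow. This is an added example, not Citrix code: the function names are hypothetical, and the textual form `Dimension = value` joined by `AND` is assumed from the examples on this page.

```python
# Added example (not Citrix code): compose a Gateway search query string from
# the dimension tables on this page. Function names are hypothetical.

# Dimensions whose accepted values the page lists in full.
ALLOWED = {
    "Authentication-Stage": {"Primary", "Secondary", "Tertiary"},
    "Client-IP-Type": {"public", "private"},  # case-sensitive, lower case
    "Logout-Mode": {"Internal error", "Inactive time out",
                    "User initiated logout", "Administrator killed session"},
    "VPN-Session-Mode": {"Full Tunnel", "ICA Proxy", "Clientless"},
}
# Dimensions the page types as Number; every other dimension is a String.
NUMERIC = {"Applications-Byte-Consumption", "Client-Port", "Server-Port"}


def term(dimension, value):
    """Render one `Dimension = value` term using the rules from the tables."""
    if dimension in NUMERIC:
        if isinstance(value, bool) or not isinstance(value, int) or value < 0:
            raise ValueError(f"{dimension} expects a non-negative number")
        return f"{dimension} = {value}"
    value = str(value)
    if not value or '"' in value:
        raise ValueError(f"unsupported value for {dimension}: {value!r}")
    if dimension in ALLOWED and value not in ALLOWED[dimension]:
        raise ValueError(f"{value!r} is not a listed value for {dimension}")
    # Values that contain spaces must be enclosed in double quotes.
    return f'{dimension} = "{value}"' if " " in value else f"{dimension} = {value}"


def build_query(*conditions):
    """Join (dimension, value) pairs with the AND operator."""
    if not conditions:
        raise ValueError("at least one condition is required")
    return " AND ".join(term(d, v) for d, v in conditions)


if __name__ == "__main__":
    # The walkthrough query: user ns133 with a successful login.
    print(build_query(("User-Name", "ns133"), ("Status-Code", "Successful login")))
    # Failed logons from public addresses, using values listed on this page.
    print(build_query(("Status-Code", "Invalid credentials passed"),
                      ("Client-IP-Type", "public")))
```

Status-Code is left unvalidated because the page directs you to the Status Code filter list for the full set of strings.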