WAF violation details


Note

  • You can also view the traffic pattern analytics, even if no violations are observed. For more information, see Behavior checks with no violations.

  • You can view the following WAF violations after you configure the advanced security analytics option. A virtual server is automatically enabled with a default profile if no profile is configured. For more information, see advanced security analytics.

Unusually High Upload Transactions

Using the Unusually High Upload Transactions indicator, you can analyze transactions that uploaded an unusually high amount of data to the Citrix ADC instance.

High upload

Under Event Details, you can view:

  • The affected application. You can also select the application from the list if two or more applications are affected with violations.

  • The graph indicating all violations

  • The violation occurrence time

  • The detection message for the violation, indicating the total uploads that exceeded the configured limit

  • The anomalous uploads. Click the number to view details

Unusually High Download Transactions

Using the Unusually High Download Transactions indicator, you can analyze transactions that downloaded an unusually high amount of data from the Citrix ADC instance.

High download

Under Event Details, you can view:

  • The affected application. You can also select the application from the list if two or more applications are affected with violations.

  • The graph indicating all violations

  • The violation occurrence time

  • The detection message for the violation, indicating the total downloads that exceeded the configured limit

  • The anomalous downloads. Click the number to view details

Excessive Unique IPs

Using the Excessive Unique IPs indicator, you can analyze whether the Citrix ADC instance is transacting with an abnormally high number of IP addresses.

Unique IPs

Under Event Details, you can view:

  • The affected application. You can also select the application from the list if two or more applications are affected with violations.

  • The graph indicating all violations

  • The violation occurrence time

  • The detection message for the violation, indicating that the total number of unique IP addresses transacting exceeded the expected range

  • The accepted range of unique IP addresses

Excessive Unique IPs per Geo

Bad bots can visit a web application far more often than the human users accessing it. This bot activity can slow down the web application or cause other performance issues. As an administrator, you must analyze and block the bad bots accessing the web application.

Using the Excessive Unique IPs Per Geo indicator, you can analyze an unusually high number of IP addresses accessing the application from a particular location.

Unique IPs per Geo

Under Event Details, you can view:

  • The affected application. You can also select the application from the list if two or more applications are affected with this violation.

  • The Geo map that displays the total anomalies based on the regions.

  • The location and total unique hits from where the application is accessed. You can also select the location from the list, if the application is accessed from two or more locations.

  • The graph indicating the violations.

  • The violation occurrence time.

  • The detection message for the violation, indicating that the total number of unique IP addresses transacting exceeded the expected range.

  • The accepted range of unique IP addresses.

Suspicious sign-up attempts

Attackers create fake accounts to access and abuse your application services. They might orchestrate phishing attacks, spread fake news, or manipulate application traffic. These attacks affect your business revenue and your customers' trust. Fake accounts can also skew your analytics and influence your business decisions. So, you must identify suspicious sign-ups and block such attacks on your application services.

With machine-learning capabilities, Citrix ADM detects and reports the suspicious sign-up attempts on your application. You can review them and take appropriate actions to prevent attacks on your application services.

Prerequisites

  • Create and deploy a configuration using the advanced WAF StyleBook (waf-adv, version = 1.3). When you create the configuration, under WAF settings > AppFw Profile Settings, go to WAF Advanced Protections > Analytics Use Case Settings > Suspicious signup attempts Settings and specify the following attributes:

    • Sign up or account creation URL - The URL that processes the signup forms.

      Example 1: If http://10.10.10.10/register.php is the processing URL, the same URL becomes the signup or account creation URL.

      Example 2: If you have multiple signup URLs, you can use a form expression. When you have signup URLs such as http://www.example.com/US/register.php and http://www.example.com/IN/register.php, use URL = HTTP.REQ.URL.CONTAINS("register.php").

    • First Name - The First Name field in a signup form.

    • Last Name - The Last Name field in a signup form.

    • Email Address - The Email Address field in a signup form.

      StyleBooks to configure the suspicious signup attempt violation

  • Enable WAF Security Violations when you configure analytics on an ADC instance. To configure analytics:

    1. Go to Infrastructure > Instances > Citrix ADC.
    2. Select the ADC instance on which you want to enable WAF security violation.
    3. In Select Action, select Configure Analytics.
    4. Select the virtual server and click Enable Analytics. If analytics is already enabled, click Edit Analytics.

      Enable WAF Security violations

  • In Security > Security Violations, either use an existing profile or create a new profile, select Suspicious Signup Attempts, and set the sensitivity level. For more information, see advanced security analytics.

View suspicious sign-up attempts

After you configure the settings, Citrix ADM detects and reports suspicious sign-up attempts on your application, and the GUI indicates Suspicious Signup Attempts. This violation appears under Security > Security Violations > All Violations > WAF. You can view insights on application sign-ups for the selected period, as shown in the following image:

Graphs that show suspicious sign-up violation

From this example image, you can view:

  • The total number of sign-ups occurring daily and how many of them are suspicious sign-ups.

  • The number of clients creating accounts. They are categorized as clients who created one account, two accounts, and three or more accounts.

To view the details of each suspicious sign-up attempt, click the link under the Suspicious Sign-up Attempts column. On this page, you can find out why these events are marked as suspicious sign-ups.

Details of suspicious sign-up violation

You can export this report and take corrective actions outside Citrix ADM. The actions can be any of the following:

  • Temporarily disable the user account.
  • Request a user to reverify the account.
  • Block or rate limit the suspicious client IP addresses.
  • Block the user account permanently.
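The report described above groups sign-ups per day and buckets clients by how many accounts they created (one, two, three or more), and the exported list is what an administrator acts on with the corrective actions listed. The following Python script is an added illustration, not Citrix ADM code and not its machine-learning detection: it applies the same grouping to a constructed sign-up log, treats any URL containing "register.php" as a sign-up URL (mirroring the form expression from the prerequisites), and produces the per-day totals, the client buckets, and the list of multi-account client IPs an analyst would export for review. The log format, the IP addresses and the three-account threshold are assumptions made for the example.

```python
from collections import Counter, defaultdict

# Constructed sample log (not real Citrix ADM data). One event per line:
# "timestamp,client_ip,request_url,email", as an application might log a
# submitted sign-up form. The last line is a login, not a sign-up.
SAMPLE_EVENTS = """\
2024-03-01T08:12:03,203.0.113.10,/US/register.php,alice@example.com
2024-03-01T08:15:44,203.0.113.10,/US/register.php,alice2@example.com
2024-03-01T08:16:02,203.0.113.10,/US/register.php,alice3@example.com
2024-03-01T09:30:00,198.51.100.7,/IN/register.php,bob@example.com
2024-03-01T10:02:19,198.51.100.7,/IN/register.php,bob.work@example.com
2024-03-02T07:45:10,192.0.2.44,/US/register.php,carol@example.com
2024-03-02T07:50:31,203.0.113.10,/US/register.php,alice4@example.com
2024-03-02T11:00:00,192.0.2.45,/US/login.php,dave@example.com
"""

# Assumed threshold: the report's "three or more accounts" bucket.
REVIEW_THRESHOLD = 3


def is_signup_url(url: str) -> bool:
    """Same match as the form expression HTTP.REQ.URL.CONTAINS("register.php")."""
    return "register.php" in url


def parse_events(text: str) -> list:
    """Parse the log and keep only requests to a sign-up URL."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        timestamp, ip, url, email = line.split(",")
        if not is_signup_url(url):
            continue
        events.append({"day": timestamp[:10], "ip": ip, "email": email})
    return events


def daily_signups(events: list) -> dict:
    """Total sign-ups per day (the first series in the report's graph)."""
    return dict(Counter(e["day"] for e in events))


def accounts_per_client(events: list) -> dict:
    """Number of distinct accounts (emails) each client IP created."""
    per_ip = defaultdict(set)
    for e in events:
        per_ip[e["ip"]].add(e["email"])
    return {ip: len(emails) for ip, emails in per_ip.items()}


def bucket_clients(counts: dict) -> dict:
    """Bucket clients as the report does: one, two, three or more accounts."""
    buckets = {"1": 0, "2": 0, "3+": 0}
    for n in counts.values():
        if n >= 3:
            buckets["3+"] += 1
        elif n == 2:
            buckets["2"] += 1
        else:
            buckets["1"] += 1
    return buckets


def review_candidates(counts: dict, threshold: int = REVIEW_THRESHOLD) -> list:
    """Client IPs in the 'three or more' bucket, i.e. the list to export."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)


def daily_suspicious(events: list, candidates: list) -> dict:
    """Sign-ups per day that came from a review candidate (the second series)."""
    flagged = set(candidates)
    return dict(Counter(e["day"] for e in events if e["ip"] in flagged))


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    counts = accounts_per_client(events)
    candidates = review_candidates(counts)
    print("sign-ups per day:", daily_signups(events))
    print("suspicious per day:", daily_suspicious(events, candidates))
    print("client buckets:", bucket_clients(counts))
    print("export for review:", candidates)
```

On the constructed log this yields five sign-ups on the first day and two on the second, one client in each bucket, and a single IP (the one that created four accounts) in the export list; on that list the administrator would then apply one of the corrective actions above, such as asking the users to reverify or rate limiting the client IP.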
