ADC

Configuring the AppFlow feature

You can configure AppFlow in the same manner as most other policy-based features. First, you enable the AppFlow feature. Then you specify the collectors to which the flow records are sent. After that, you define actions, which are sets of configured collectors. Then you configure one or more policies and associate an action to each policy. The policy instructs the NetScaler appliance to select requests the flow records of which are sent to the associated action. Finally, you bind each policy either globally or to the specific virtual server to put it into effect.

You can further set AppFlow parameters to specify the template refresh interval and to enable the exporting of httpURL, httpCookie, and httpReferer information. On each collector, you must specify the NetScaler IP address as the address of the exporter.

Note

For information about configuring the NetScaler as an exporter on the collector, see the documentation for the specific collector.

The configuration utility provides tools that help users define the policies and actions. It determines exactly how the NetScaler appliance export records for a particular flow to a set of collectors(action.) The command line interface provides a corresponding set of CLI-based commands for experienced users who prefer a command line.

Enabling AppFlow

To be able to use the AppFlow feature, you must first enable it.

Note

AppFlow can be enabled only on nCore NetScaler appliances.

Enable the AppFlow feature by using the command line interface

At the command prompt, type one of the following commands:


enable ns feature AppFlow

<!--NeedCopy-->

Enable the AppFlow feature by using the configuration utility

Navigate to System > Settings, click Configure Advanced Features, and select the AppFlow option.

Specifying a Collector

A collector receives AppFlow records generated by the NetScaler appliance. To send the AppFlow records, you must specify at least one collector. By default, the collector listens to IPFIX messages on UDP port 4739. You can change the default port, when configuring the collector. Similarly, by default, NSIP is used as the source IP for AppFlow traffic. You can change this default source IP to a SNIP address when configuring a collector. You can also remove unused collectors.

Specify a collector by using the command line interface

Important

Starting from NetScaler release 12.1 build 55.13, you can specify the type of collector that you want to use. A new parameter “Transport” is introduced in the add appflow collector command. By default, the collector listens to IPFIX messages. You can change the type of collector to either logstream or ipfix by using “Transport” parameter. For more information on configuration, see the example.

At the command prompt, type the following commands to add a collector and verify the configuration:


-  add appflow collector <name> -IPAddress <ipaddress> -port <port_number> -netprofile <netprofile_name> -Transport <Transport>

-  show appflow collector <name>

<!--NeedCopy-->

Example


add appflow collector col1 -IPaddress 10.102.29.251 -port 8000 -netprofile n2 -Transport ipfix

<!--NeedCopy-->

Specify multiple collectors by using the command line interface

At the command prompt, type the following commands to add and send same data to multiple collectors:

add appflow collector <collector1> -IPAddress <IP>

add appflow collector <collector2> -IPAddress <IP>

add appflow action <action> -collectors <collector1> <collector2>

add appflow policy <policy> true <action>

bind lbvserver <lbvserver> -policy <policy> -priority <priority>
<!--NeedCopy-->

Specify one or more collectors by using the configuration utility

Navigate to System > AppFlow > Collectors, and create the AppFlow collector.

Configure an AppFlow Action

An AppFlow action is a set collector, to which the flow records are sent if the associated AppFlow policy matches.

Configure an AppFlow action by using the command line interface

At the command prompt, type the following commands to configure an AppFlow action and verify the configuration:


add appflow action <name> --collectors <string> ... [-clientSideMeasurements (Enabled|Disabled) ] [-comment <string>]

show appflow action

<!--NeedCopy-->

Example


add appflow action apfl-act-collector-1-and-3 -collectors collector-1 collecter-3

<!--NeedCopy-->

Configure an AppFlow action by using the configuration utility

Navigate to System > AppFlow > Actions, and create the AppFlow action.

Configure an AppFlow Policy

After you configure an AppFlow action, you must next configure an AppFlow policy. An AppFlow policy is based on a rule, which consists of one or more expressions.

Note

For creating and managing AppFlow policies, the configuration utility provides assistance that is not available at the command line interface.

Configure an AppFlow policy by using the command line interface

At the command prompt, type the following command to add an AppFlow policy and verify the configuration:


add appflow policy <name> <rule> <action>

show appflow policy <name>

<!--NeedCopy-->

Example


add appflow policy apfl-pol-tcp-dsprt client.TCP.DSTPORT.EQ(22) apfl-act-collector-1-and-3

<!--NeedCopy-->

Configure an AppFlow policy by using the configuration utility

Navigate to System > AppFlow > Policies, and create the AppFlow policy.

Add an expression by using the Add Expression dialog box

  1. In the Add Expression dialog box, in the first list box choose the first term for your expression.

    - HTTP The HTTP protocol. Choose the option if you want to examine some aspect of the request that pertains to the HTTP protocol. - SSL

    The protected websites. Choose the option if you want to examine some aspect of the request that pertains to the recipient of the request. -
    CLIENT
    
    The computer that sent the request. Choose the option if you want to examine some aspect of the sender of the request. When you make your choice, the rightmost list box lists appropriate terms for the next part of your expression.
    
  2. In the second list box, choose the second term for your expression. The choices depend upon which choice you made in the previous step, and are appropriate to the context. After you make your second choice, the Help window below the Construct Expression window (which was blank) displays help describing the purpose and use of the term you just chose.
  3. Continue choosing terms from the list boxes that appear to the right of the previous list box, or typing strings or numbers in the text boxes that appear to prompt you to enter a value, until your expression is finished.

Bind an AppFlow Policy

To put a policy into effect, you must bind it either globally, so that it applies to all traffic that flows through the NetScaler, or to a specific virtual server, so that the policy applies only to the traffic related to that virtual server.

When you bind a policy, you assign it a priority. The priority determines the order in which the policies you define are evaluated. You can set the priority to any positive integer.

In the NetScaler operating system, policy priorities work in reverse order—the higher the number, the lower the priority. For example, if you have three policies with priorities of 10, 100, and 1000, the policy assigned a priority of 10 is performed first. Later, the policy assigned with a priority of 100, and finally the policy assigned an order of 1000.

You can leave yourself plenty of a room to add other policies in any order, and still set them to evaluate in the order you want. You can achieve by setting priorities with intervals of 50 or 100 between each policy when you globally bind it. You can then add more policies at any time without having to change the priority of an existing policy.

Globally bind an AppFlow policy by using the command line interface

At the command prompt, type the following command to globally bind an AppFlow policy and verify the configuration:


bind appflow global <policyName> <priority> [<gotoPriorityExpression [-type <type>] [-invoke (<labelType> <labelName>)]

show appflow global

<!--NeedCopy-->

Example


bind appflow global af_policy_lb1_10.102.71.190 1 NEXT -type REQ_OVERRIDE -invoke vserver google

<!--NeedCopy-->

Bind an AppFlow policy to a specific virtual server by using the command line interface

At the command prompt, type the following command to bind an AppFlow policy to a specific virtual server and verify the configuration:


bind lb vserver <name> -policyname <policy_name> -priority <priority>

<!--NeedCopy-->

Example


bind lb vserver google -policyname af_policy_google_10.102.19.179 -priority 251

<!--NeedCopy-->

Globally bind an AppFlow policy by using the configuration utility

Navigate to System > AppFlow, click AppFlow policy Manager, and select the relevant Bind Point (Default Global) and Connection Type, and then bind the AppFlow policy.

Bind an AppFlow policy to a specific virtual server by using the configuration utility

Navigate to Traffic Management > Load Balancing > Virtual Servers, select the virtual server, and click Policies, and bind the AppFlow policy.

Enable AppFlow for Virtual Servers

If you want to monitor only the traffic through certain virtual servers, enable AppFlow specifically for those virtual servers. You can enable AppFlow for load balancing, content switching, cache redirection, SSL VPN, GSLB, and authentication virtual servers.

Enable AppFlow for a virtual server by using the command line interface

At the command prompt, type:


set cs vserver <name> <protocol> <IPAddress> <port> -appflowLog ENABLED

<!--NeedCopy-->

Example


set cs vserver Vserver-CS-1 HTTP 10.102.29.161 80 -appflowLog ENABLED

<!--NeedCopy-->

Enable AppFlow for a virtual server by using the configuration utility

Navigate to Traffic Management > Content Switching > Virtual Servers, select the virtual server, and enable AppFlow Logging option.

Enable AppFlow for a Service

You can enable AppFlow for services that are to be bound to the load balancing virtual servers.

Enable AppFlow for a service by using the command line interface

At the command prompt, type:


set service <name> -appflowLog ENABLED

<!--NeedCopy-->

Example


set service ser -appflowLog ENABLED

<!--NeedCopy-->

Enable AppFlow for a service by using the configuration utility

Navigate to Traffic Management > Load Balancing > Services, select the service, and enable AppFlow Logging option.

Set the AppFlow Parameters

You can set AppFlow parameters to customize the exporting of data to the collectors.

Set the AppFlow Parameters by using the command line interface

Important

  • Starting from NetScaler release 12.1 build 55.13, you can use the NSIP to send Logstream records instead of the SNIP. A new parameter “logstreamOverNSIP” is introduced in the set appflow param command. By default, the “logstreamOverNSIP” parameter is DISABLED, you must “ENABLE” it. For more information on configuration, see the example.

  • Starting from NetScaler release 13.0 build 58.x release, you can enable the Web SaaS application option in AppFlow feature. It can be enabled to receive the data usage of Web or SaaS applications from the Citrix Gateway service. For more information on configuration, see the example.

At the command prompt, type the following commands to set the AppFlow parameters and verify the settings:


-  set appflow param [-templateRefresh <secs>] [-appnameRefresh <secs>] [-flowRecordInterval <secs>] [-udpPmtu <positive_integer>] [-httpUrl ( **ENABLED** | **DISABLED** )] [-httpCookie ( **ENABLED** | **DISABLED** )] [-httpReferer ( **ENABLED** | **DISABLED** )] [-httpMethod ( **ENABLED** | **DISABLED** )] [-httpHost ( **ENABLED** | **DISABLED** )] [-httpUserAgent ( **ENABLED** | **DISABLED** )] [-httpXForwardedFor ( **ENABLED** | **DISABLED** )][-clientTrafficOnly ( **YES** | **NO**)] [-webSaaSAppUsageReporting ( **ENABLED** | **DISABLED** )] [-logstreamOverNSIP ( **ENABLED** | **DISABLED** )]

-  show appflow Param

<!--NeedCopy-->

Example


set appflow Param -templateRefresh 240 -udpPmtu 128 -httpUrl enabled -webSaaSAppUsageReporting ENABLED -logstreamOverNSIP ENABLED

<!--NeedCopy-->

Set the AppFlow parameters by using the configuration utility

Navigate to System > AppFlow, click Change AppFlow Settings, and specify relevant AppFlow parameters.

Support for subscriber ID obfuscation

Starting from NetScaler release 13.0 build 35.xx, the AppFlow configuration is enhanced to support “subscriberIdObfuscation” algorithm for obfuscating MSISDN in layer 4 or layer 7, AppFlow records. However, before configuring the algorithm as MD5 or SHA256, you must first enable it as an AppFlow parameter. The parameter is disabled by default.

Configure the subscriber ID obfuscation algorithm by using the CLI

At the command prompt, type:


set appflow param [-subscriberIdObfuscation ( ENABLED | DISABLED )  [-subscriberIdObfuscationAlgo ( MD5 | SHA256 )]]

<!--NeedCopy-->

Example


set appflow param –subscriberIdObfuscation ENABLED – subscriberIdObfuscationAlgo SHA256

<!--NeedCopy-->

Configure the subscriber ID obfuscation algorithm by using the GUI

  1. Navigate to System > AppFlow.
  2. In the AppFlow detailed pane, click Change AppFlow Setting under Settings.
  3. In Configure AppFlow Settings page, set the following parameters:

    • Subscriber ID Obfuscation. Enable the option for obfuscation MSISDN in L4/L7 AppFlow records.
    • Subscriber ID Obfuscation Algo. Select algorithm type as MD5 or SHA256.
  4. Click OK and Close.

    Subscriber ID obfuscation

Example: Configure AppFlow for DataStream

The following example illustrates the procedure for configuring AppFlow for DataStream using the command line interface.


enable feature appflow

add db user sa password freebsd

add lbvserver lb0 MSSQL 10.102.147.97 1433 -appflowLog ENABLED

add service sv0 10.103.24.132 MSSQL 1433 -appflowLog ENABLED

bind lbvserver lb0 sv0

add appflow collector col0 -IPAddress 10.102.147.90

add appflow action act0 -collectors col0

add appflow policy pol0 "mssql.req.query.text.contains("select")" act0

bind lbvserver lb0 -policyName pol0 -priority 10

<!--NeedCopy-->

When the NetScaler appliance receives a database request, the appliance evaluates the request against a configured policy. If a match is found, the details are sent to the AppFlow collector configured in the policy.

Configure the metrics collector

Metrics collector is a service that you can enable on NetScaler to collect and export metrics from NetScaler to various endpoints. You can export metrics in two formats: Avro and Prometheus. The exported metrics can be processed and visualized to get meaningful insights. By default, the metrics collector supports the export of time-series analytics data every 30 seconds. However, you can configure it as a value from 30 to 300 seconds so that you can decide the interval for exporting the time-series analytics profile data.

Do the following to configure a metrics collector using the CLI.

  1. Configure a collector service with IP address, protocol, and port using the following command.

    add service <metrics_service_name> <ip-address> <protocol> <port>
    

    Example:

    add service metrics_service1 192.168.1.1 HTTP 5563   
    
  2. Configure the analytics time series profile to send metrics data to the collector service. Specify the collector service, frequency for exporting metrics, and output mode.

    set analytics profile ns_analytics_time_series_profile -collectors <metrics_service_name> -type timeseries -metrics ENABLED metricsExportFrequency <30-300> -outputMode <avro/prometheus>
    

    Example:

    set analytics profile ns_analytics_time_series_profile -collectors metrics_service1 -type timeseries -metrics Enabled metricsExportFrequency 90 -outputMode prometheus --serveMode PUSH 
    

    Note:

    This example uses the default time series profile ns_analytics_time_series_profile. If you want to create a time series profile, you can use the add analytics profile command.

    In this example, metrics export frequency is set as 90 seconds and export mode is specified as Prometheus.

    Verify the metrics collector configuration using the show analytics profile <analytics-profile-name> command:

    show analytics profile ns_analytics_time_series_profile
    
        Name: ns_analytics_time_series_profile
        Collector: metrics_service1
        Profile-type: timeseries
            Output Mode: Prometheus
            Metrics: ENABLED
              Schema File: schema.json
              Metrics Export Frequency: 90
            Events: DISABLED
            Auditlog: DISABLED
            Serve mode: Pull
        Reference Count: 0
    

Debugging metrics collector

The required debugging logs are stored at /var/nslog/metricscollector.log location.

Metrics File generation

The metrics_<format>_log.* files are generated under the /var/nslog/ folder location.

Dynamic schema support in metrics collector

With the support of dynamic schema counters, a schema file containing a list of counters can be updated at run time based on the requirement. By default, /var/metrics_conf/schema.json file is configured with a list of counters.

Note:

The metrics collector default schema file /var/metrics_conf/schema.json can be installed on a NetScaler appliance by installns procedure.

Configure the metrics collector to subscribe counters using the CLI

Start the metrics export by configuring a collector service.

At the command prompt, type:


set analytics profile ns_analytics_time_series_profile -metrics ENABLED -collectors <collector_name> -schemaFile  schema.json -outputMode <avro | prometheus>

<!--NeedCopy-->

Note:

schema.json is the default schemaFile configuration.

A new schema file with a required set of counters can be configured using the CLI command for the metrics collector to export. The schema file must be present at the /var/metrics_conf/ location.

The schema file containing all the list of counters (reference_schema.json) supported by stats infra is present in the /var/metrics_conf/ location. This file can be used as a reference to build a custom list of counters.

Configure a schema file using the CLI

set analytics profile ns_analytics_time_series_profile -metrics ENABLED -collectors <collector name> -schemaFile <schema file_name> -outputMode <avro | prometheus>

<!--NeedCopy-->

A new schema file with the required counters can be added and configured using the preceding CLI command for metrics collector to export.

The reference schema file with all the list of counters (reference_schema.json) supported by stats infra are present in /var/metrics_conf/ location. This file can be used as a reference to build a custom list of counters.

Check the CLI configuration output at the command prompt:


show analytics profile ns_analytics_time_series_profile

    Name: ns_analytics_time_series_profile
    Collector: <collector_name>
    Profile-type: timeseries
    Output Mode: avro
    Metrics: ENABLED
    Schema File: schema.json
    Events: ENABLED
    Auditlog: DISABLED
    Serve mode: Push
    Reference Count: 0

<!--NeedCopy-->

Steps to update the list of counters exported

The following procedure describes the steps to update the list of exported counters:

  1. Update the custom/new schema file.
  2. Disable or enable metrics using the -metrics option shown in the CLI configuration for the updated schema file to be used.

Multiple time-series profile support

The metrics collector supports up to three time-series profile configurations on the NetScaler appliance. You can configure each time series to have the following.

  • Collector.

  • Schema file containing the required set of counters to be exported.

  • The data format in which the metrics are to be exported.

  • The option to enable or disable metrics audit logs and events.

With the multiple time-series profile support, the metrics collector can simultaneously export a different set (based on the schema file configured) of metrics to different collectors in different formats (AVRO, Prometheus, Influx).

Add time-series profile using the CLI

At the command prompt, type:

add analytics profile <profile_name> -type timeseries
<!--NeedCopy-->

Configure time-series profile using the CLI

At the command prompt, type:

set analytics profile <profile_name> -metrics <DISABLED|ENABLED> -auditlogs <DISABLED|ENABLED> -events <DISABLED|ENABLED> -collectors <collector_name> -schemaFile schema.json -outputMode <avro | influx | prometheus>

<!--NeedCopy-->

Log file-naming conventions with multiple time-series profile support

  • Avro log files are generated as metrics_avro_<profile_name>_log.*.
  • Prometheus log files are generated as metrics_prom_<profile_name>.log.

Notes:

  • Even though metrics can be enabled on all the configured time-series profiles, events and audit logs can be enabled only on one profile.
  • The dynamic schema feature is supported from version 13.1 build 23.16 onwards.
  • The multiple time-series profile is supported from version 13.1 build 33.6 onwards.