HTTP and TCP attack detection and logging
NetScaler provides comprehensive logging capabilities for HTTP and TCP attack events and non-RFC compliant traffic. This feature enhances security monitoring by providing detailed visibility into dropped packets and security violations that were previously only tracked through counters.
The new logging functionality enables administrators to identify malicious traffic sources with complete connection details. Administrators can monitor RFC compliance violations for troubleshooting and security purposes. Also, administrators can track attack patterns with contextual information for forensic analysis and configure flexible logging levels to filter events based on severity requirements.
Note:
The HTTP and TCP attack event logging feature is available starting from NetScaler version 14.1 build 51.x.
Key benefits
This enhanced logging capability delivers significant value across the following critical business areas:
- Immediate threat response with real-time detection and forensic analysis.
- Operational efficiency through faster incident resolution and automated compliance reporting.
- Cost optimization using targeted remediation and proactive security monitoring that reduces overall incident volume.
Supported attack types and log levels
NetScaler’s attack event logging covers a comprehensive range of security threats and protocol violations across both HTTP and TCP layers. The system automatically categorizes events by severity level (ALERT, WARNING, ERROR) to enable appropriate prioritization and response workflows in your security operations.
HTTP attack detection
NetScaler monitors and logs various HTTP-based security threats and protocol violations. These threats are classified into multiple categories based on their potential impact and security risk.
The following HTTP-based attacks and violations are logged:
ALERT level - Active security attacks requiring immediate attention:
These attacks require immediate attention and pose significant security risks to your infrastructure.
- Desync Attack
- Slow Loris Attack
- Slow Post Attack
- HTTP/2 Ping Flood
- HTTP/2 Reset Flood
- HTTP/2 Settings Flood
- HTTP/2 Empty Frame Flood
WARNING level - Protocol violations and non-compliant traffic:
These violations indicate non-standard HTTP behavior that suggests malicious intent or application issues requiring investigation.
- Invalid Body
- Invalid Character in header field name
- Invalid symbol character in header field name
- Duplicate headers
- Duplicate host headers
- Header overflow
- Invalid host header
ERROR level - Connection tracking failures and invalid requests:
These events capture connection abnormalities that indicate attack attempts or system issues affecting request processing.
- Various connection tracking aborted scenarios when requests are marked as invalid.
TCP attack detection
NetScaler detects and logs network-layer TCP attacks that target connection establishment and data transmission protocols, providing visibility into sophisticated network-based threats.
ALERT level - Critical network attacks targeting TCP infrastructure:
These events represent sophisticated network-level attacks that attempt to exhaust system resources or exploit TCP protocol weaknesses.
- SYN flood attack
- SegmentSmack attacks
- Small window attacks
Log information template
Every security event is logged with a standardized set of data fields that provide complete context for threat analysis and incident response.
Each logged event includes the following comprehensive information:
| Field | Description |
|---|---|
| Event Category | Type of attack or violation detected |
| Source IP | Client IP address |
| Source Port | Client port number |
| Destination IP | Target server IP address |
| Destination Port | Target server port |
| Protocol | HTTP or TCP |
| Payload Sample | First 128 bytes of packet payload |
| Context Description | Human-readable explanation of the violation |
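As an added example (not part of the NetScaler documentation), the following Python triages events that carry the fields above: it maps each Event Category to the ALERT/WARNING/ERROR level listed on this page, counts ALERT events per Source IP, and flags sources that cross a threshold. The key=value line layout and the sample lines are constructed for illustration; NetScaler's actual syslog message format is not shown on this page, so adapt parse_event to the real format.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Severity of each event category, taken from the lists on this page.
# Anything not listed (e.g. connection-tracking aborts) is treated as ERROR.
SEVERITY = {
    "Desync Attack": "ALERT", "Slow Loris Attack": "ALERT",
    "Slow Post Attack": "ALERT", "HTTP/2 Ping Flood": "ALERT",
    "HTTP/2 Reset Flood": "ALERT", "HTTP/2 Settings Flood": "ALERT",
    "HTTP/2 Empty Frame Flood": "ALERT", "SYN flood attack": "ALERT",
    "SegmentSmack attacks": "ALERT", "Small window attacks": "ALERT",
    "Invalid Body": "WARNING", "Duplicate headers": "WARNING",
    "Duplicate host headers": "WARNING", "Header overflow": "WARNING",
    "Invalid host header": "WARNING",
}

# Constructed sample lines in an assumed key=value layout carrying the
# page's eight fields. This is NOT the real NetScaler wire format.
SAMPLE_LOG = """\
cat="Slow Loris Attack" src=203.0.113.7 sport=51234 dst=10.0.0.5 dport=443 proto=HTTP payload="GET / HTTP/1.1\\r\\nHost: x" ctx="Incomplete headers held open"
cat="Slow Loris Attack" src=203.0.113.7 sport=51235 dst=10.0.0.5 dport=443 proto=HTTP payload="GET / HTTP/1.1\\r\\nHost: x" ctx="Incomplete headers held open"
cat="Duplicate host headers" src=198.51.100.9 sport=40000 dst=10.0.0.5 dport=80 proto=HTTP payload="GET /a HTTP/1.1\\r\\nHost: a\\r\\nHost: b" ctx="Two Host headers in request"
cat="SYN flood attack" src=203.0.113.7 sport=1025 dst=10.0.0.5 dport=443 proto=TCP payload="" ctx="SYN rate above threshold"
"""

# key=value pairs; values are either a quoted string (with \" escapes) or a bare token.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_event(line: str) -> dict:
    """Split one constructed log line into the page's fields plus a severity."""
    ev = {}
    for key, val in FIELD_RE.findall(line):
        ev[key] = val[1:-1] if val.startswith('"') else val
    ev["severity"] = SEVERITY.get(ev.get("cat", ""), "ERROR")
    # Reject malformed addresses so a bad line cannot poison the aggregation.
    ipaddress.ip_address(ev["src"])
    ipaddress.ip_address(ev["dst"])
    return ev


def triage(log_text: str, alert_threshold: int = 2):
    """Return (ALERT count per source IP, sources at/over threshold -> categories)."""
    by_src = Counter()
    cats = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev["severity"] == "ALERT":
            by_src[ev["src"]] += 1
            cats[ev["src"]].add(ev["cat"])
    offenders = {s: sorted(cats[s]) for s, n in by_src.items() if n >= alert_threshold}
    return dict(by_src), offenders
```

Feed real exported syslog lines to triage once parse_event matches your format; the offenders dict is what you would raise an alert on.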
Configure audit log (Syslog and Nslog) with HTTP and TCP attack logging by using the CLI
To implement the HTTP and TCP attack detection and logging feature, a new `-protocolViolations` parameter is added to the audit log related commands. This parameter enables logging of protocol violations and attack events for the specified protocols. The `-protocolViolations` parameter currently supports the following values:
- ALL: Enables logging for all supported protocol violations and attacks.
- NONE: Disables protocol violation logging (default value).
The `-protocolViolations` parameter is available in the following audit log configuration commands:
```
set syslogparams [-protocolViolations <protocol> ...]
add audit syslogAction <name> <syslog server IP> -logLevel <loglevel> [-protocolViolations <protocol> ...]
set nslogparams [-protocolViolations <protocol> ...]
add audit nslogAction <name> <nslog server IP> -logLevel <loglevel> [-protocolViolations <protocol> ...]
```
Configure audit log (Syslog and Nslog) with HTTP and TCP attack logging by using the GUI
- Navigate to Configuration > System > Auditing > Syslog or Nslog.
- Select the Servers tab.
- Click Add.
- In the Create Auditing Server page, populate the relevant fields.
- Select the Protocol Violations checkbox.
- Click Create.
Implementation and configuration
The following configuration examples demonstrate different deployment scenarios for enabling attack event logging based on your environment’s specific requirements and security monitoring strategy:
Use case 1: Global external syslog server
This configuration is ideal for organizations that require centralized security monitoring across their entire NetScaler infrastructure. NetScaler sends all violation and attack logs to an external syslog server for centralized monitoring.
To configure this setup, perform the following procedure:
- Create a syslog action for an external server. At the command prompt, type:
```
add audit syslogAction external_act <syslog server IP> -logLevel ALL -protocolViolations ALL
```
Example:
```
add audit syslogAction external_act 10.146.121.48 -logLevel ALL -protocolViolations ALL
```
- Create and bind the syslog policy. At the command prompt, type:
```
add audit syslogPolicy external_pol TRUE external_act
bind audit syslogGlobal -policyName external_pol -priority 100
```
Use case 2: Local syslog server
For smaller deployments or environments with specific data locality requirements, local syslog configuration provides a simpler alternative. Configure a local syslog server to capture all protocol violations.
To enable protocol violation logging on the local syslog, run the following command:
```
set syslogparams -protocolViolations ALL
```
Use case 3: Multiple external servers per virtual server
If you need more flexibility for complex environments, you can configure different virtual servers to send their logs to different destinations. This means that you can have some virtual servers sending logs to one server while others send to a different server, all with their own specific configurations.
To configure this setup, run the following commands in sequence:
- Configure the first external server (all events).
```
add audit nslogAction external_act_1 <nslog server IP> -logLevel ALL -protocolViolations ALL
```
Example:
```
add audit nslogAction external_act_1 10.146.121.48 -logLevel ALL -protocolViolations ALL
add audit nslogPolicy external_pol_1 TRUE external_act_1
```
- Configure a second external server (critical events only).
```
add audit nslogAction external_act_2 <nslog server IP> -logLevel ALERT WARNING -protocolViolations ALL
```
Example:
```
add audit nslogAction external_act_2 10.146.127.50 -logLevel ALERT WARNING -protocolViolations ALL
add audit nslogPolicy external_pol_2 TRUE external_act_2
```
- Bind the policies to a specific virtual server.
```
bind lb vserver vserver1 -policyName external_pol_1 -priority 100
bind lb vserver vserver1 -policyName external_pol_2 -priority 110
```
Use case 4: Filter logging by severity
When dealing with high-traffic environments, filtering logs by severity helps manage log volume while maintaining focus on critical security events. You can configure logging to capture only critical attacks (ALERT level) to reduce log volume.
- Create a syslog action for critical events only.
```
add audit syslogAction external_act 10.146.121.48 -logLevel ALERT -protocolViolations ALL
```
- Create and bind the syslog policy.
```
add audit syslogPolicy external_pol TRUE external_act
bind audit syslogGlobal -policyName external_pol -priority 100
```
Best practices
Follow these recommended practices to maximize the effectiveness of attack logging while maintaining optimal system performance:
- Start with WARNING level to understand your traffic patterns before enabling all log levels.
- Use external syslog servers for production environments to ensure log persistence.
- Configure log rotation to manage disk space on syslog servers.
- Set up alerting on ALERT level events for immediate threat response.
- Regularly review logged events to identify trends and adjust security policies.
Troubleshooting
When implementing attack event logging, you might encounter configuration challenges or performance considerations. The following guidance helps resolve common issues:
- Ensure syslog server connectivity before enabling logging.
- Verify log level compatibility with your SIEM or log analysis tools.
- Check that network policies allow syslog traffic to external servers.
To ensure optimal system performance while maintaining comprehensive security monitoring, consider the following recommendations:
- Monitor NetScaler performance when enabling comprehensive logging.
- Consider using filtered logging (ALERT only) for high-traffic environments.
- Implement log aggregation for multiple NetScaler instances.