NetScaler Console service

Previous releases

This topic is the list of previous releases for NetScaler Application Delivery Management (NetScaler Console).

November 29, 2021

Management and Monitoring

Manage ADC instances in a GSLB cluster

Sometimes, in a GSLB cluster, the configuration objects of the ADC instances try to overwrite each other. And, it leads to a race condition. To address such issues, you need to control the master node selection in the GSLB cluster. The configuration in the master node will be applied to the remaining ADC instances. In NetScaler Console, you can now create a GSLB cluster group and add ADC instances. You can also select a master node among the ADC instances and set the priority order for master node selection.

Under Network Functions > GSLB, a user can now view only the entities from master ADC node.

[NSADM-61374]

Analytics

Improvements to service graph

You can now view the following improvements in service graph:

  • In service graph for applications, when you click a discrete application, the Application View or Network Function View displays all services that are associated with the service group.

    Service group

  • When you hover the mouse pointer on the ADC instance, the metrics display the total SSL errors received by the ADC instance. Click the issue count to drill down and view the SSL error details.

    SSL errors

  • When you hover the mouse pointer on the client, the metrics no longer display the Client 4xx Errors and Client SSL Errors and they are replaced with Data Volume.

    Client metrics

    [NSADM-77427]

View analytics for Content Switching virtual server bound to Load Balancing virtual server

In Security > Security Violations, the Application Overview tab now displays analytics for content switching virtual server that is bound with load balancing virtual servers.

Click the content switching virtual server and under Bound Load Balancing Server, you can view the list of load balancing servers bound to the content switching virtual server.

Content Switching server with Load Balancing server

[NSADM-77369]

Select metrics and customize weightage for instance score calculation

In Infrastructure Analytics, you can now select the instance metrics, configure thresholds, and assign weightage for the metrics to calculate the instance score. By default, all metrics are selected, and the default weightage is assigned to each metric. In Settings, select the metric based on the requirement and assign a suitable weightage to determine the instance score calculation.

For more information, see Infrastructure Analytics.

[NSADM-52152]

November 09, 2021

Security

Support for identification and remediation of CVE-2021-22955 and CVE-2021-22956

NetScaler Console security advisory now supports identification and remediation of two new CVEs: CVE-2021-22955 and CVE-2021-22956.

Identification of CVE-2021-22955 requires a version scan, and remediation requires an upgrade of the vulnerable ADC instances to a release and build that has the fix. Identification of CVE-2021-22956 requires a custom scan, and remediation requires a two-step process:

  1. Upgrade the vulnerable ADC instance to a release and build that has the fix.

  2. Apply configuration jobs.

For more information about how to remediate CVE-2021-22955, see Security Advisory.

For more information about how to identify and remediate CVE-2021-22956, see Identify and remediate vulnerabilities for CVE-2021-22956.

Note

  • It might take some time for security advisory system scan to conclude and reflect the impact of CVE-2021-22955 and CVE-2021-22956 in the security advisory module. To see the impact sooner, start an on-demand scan by clicking Scan-Now.

[NSADM-76470]

Analytics

IPv6 support in Bot insight

When you drill down an application under Bot in Security > Security Violations > Application Overview, the Logs now display the IPv6 address for the Client IP and Bot True Client IP.

IPv6 support in Bot insight

[NSADM-77376]

StyleBooks

StyleBooks support new built-in functions

NetScaler Console StyleBooks now support the following built-in functions:

  • sha256() - Use this function to compute the SHA-256 hash for any string. This function accepts a string input of any length and returns a hash string of fixed length (64 characters). For more information, see Built-in functions.

  • relate() - Use this function to form a dictionary object from a set of lists. It accepts two arguments. The first argument is a list of key names for the dictionary object. The second argument is a list of lists, where each list contains the values to the corresponding key name in the list of the first argument. For more information, see Built-in functions.

[NSADM-77225]

October 26, 2021

Analytics

A unified process to enable analytics on virtual servers

Apart from the existing process to enable analytics, you can now use a single-pane workflow to configure analytics on:

  • All the existing licensed virtual servers

  • The subsequent licensed virtual servers

After configuration, this feature eliminates the necessity to manually enable analytics on the existing and subsequent virtual servers.

For more information, see A unified process to enable analytics on virtual servers.

[NSADM-74747]

Improvements to application slowness in Web Insight

In Applications > Web Insight, when you drill down an application from the Applications with Response Time Anomalies metric, the Client Network Latency and Server Network Latency now enables you to view:

  • A search bar - Click the search bar to view the IP address of all clients (in Client Network Latency) and servers (in Server Network Latency). You can select the IP address to filter the results.

  • An export option - Click Download CSV to export the details in CSV format.

For more information, see Analyze the root cause for application slowness

[NSADM-71521]

StyleBooks

StyleBooks meta-properties support expressions

Meta-properties define the actions to be taken on ADC objects. You can now specify expressions for a meta-property. These expressions dynamically apply the valid meta-property actions for ADC objects. Earlier, the meta-property action was only able to take static values.

Example:

parameters:
    -
        name: meta-action-lbvserver
        type: string
        default: disable

components:
    -
        name: c1
        type: ns::lbvserver
        meta-properties:  action: $parameters meta-action-lbvserver
        properties:  name: $parameters.lbvserver
        ipv46: $parameters.ip
        port: 80
        servicetype: HTTP
 <!--NeedCopy-->

In this example, a StyleBook user can specify a valid meta property action while creating a configuration pack.

StyleBook supports these meta property actions - enable, disable, link, unlink, import, export, create, archive, and apply.

For more information, see Create a StyleBook to perform non-CRUD operations

[NSADM-77230]

October 14, 2021

Management and Monitoring

Buy ADM virtual server licenses from the ADM GUI

You can now use the ADM GUI to buy ADM virtual server licenses from Microsoft Azure cloud. Select Buy ADM License from the navigation menu. Alternatively, you can navigate to Settings > Licensing & Analytics and select Buy ADM License. Earlier, to buy the server license, you had to visit Citrix Cloud or contact Technical Support. For more information, see Buy ADM Licenses.

[NSADM-78172]

Changes to NetScaler Console express account

With NetScaler Console express account, you can now avail the following benefits:

  • No limit to use configuration jobs and StyleBook config packs. Earlier, you were only able to use up to two configuration jobs and StyleBook config packs.

  • View all discovered virtual servers in Network Functions and Network Reporting. Earlier, you were able to view only licensed virtual servers.

For more information, see Manage NetScaler Console resources using Express account.

[NSADM-76506]

Fixed Issue

When you are monitoring many virtual servers, the Network Functions dashboard takes longer time to load or it becomes unresponsive.

[NSHELP-29274]

September 29, 2021

Management and Monitoring

ADM service now supports maximum 50 instance backup files.

[NSADM-76475]

StyleBooks

StyleBooks support implicit typecasting of datatypes

When you use StyleBook expressions for different datatypes, the StyleBook engine now implicitly typecasts the output to an appropriate datatype. For example, if you do an add operation between ‘string’ and ‘integer’ types, the StyleBook engine sets the output datatype to ‘string’.

[NSADM-77219]

Fixed Issues

  • In Web Insight, the scheduled export option is temporarily disabled because the report appears blank.

    [NSADM-77966]

  • ADM agent displays an error message “Invalid PEM key: Incorrect password”, when you upload a password-protected certificate.

    [NSHELP-28983]

September 15, 2021

StyleBooks

Some internal config packs and StyleBooks do not appear on the ADM GUI

If the default StyleBook has type:apisec, the StyleBook and its config packs do not appear on the ADM GUI. However, you can create config packs for such StyleBooks using their API.

[NSADM-77222]

Case-insensitive ADM StyleBooks

ADM StyleBooks now treats all the variables and parameters with uppercase and lowercase as the same.

[NSADM-64246]

September 06, 2021

View users’ trend of Gateway virtual servers

Under Infrastructure > Network Reporting in the ADM GUI, now you can view the trend of total connected and current users of Gateway virtual servers.

[NSADM-70811]

View the exact SSL rating of an application

In Applications > Dashboard, you can now view the SSL rating of an application along with protocol and cipher suite scores. You can review SSL issues and upgrade the application to obtain an A+ rating. However, if you observe some drop in traffic because of this upgrade, you can roll back the secure front-end profile configured on your application. This action reverts the A+ rating to a previous rating.

Earlier, you were only able to view whether an application has an A+ rating or not.

[NSADM-74247]

WAF and Bot analytics support only for premium license virtual servers

You can now enable WAF Security Violations and Bot Security Violations, and view WAF/Bot analytics only for the premium licensed virtual servers. For the standard and advanced licensed virtual servers, these options are disabled.

[NSADM-72931]

Export realtime WAF/Bot data to Splunk

When you configure Splunk integration details in NetScaler Console by navigating to Settings > Ecosystem Integration, you can now view Realtime Export and Periodic Export options. Under Realtime Export, you can select the WAF and Bot features to export the data to Splunk in realtime.

For more information, see Splunk integration.

[NSADM-72909]

StyleBooks

Download the support bundle of a configuration pack

In Applications > Configuration > Config Packs, you can now download the support bundle of a configuration pack. This bundle helps the Citrix technical support team to view, analyze, and troubleshoot configuration pack issues.

[NSADM-72260]

August 20, 2021

User interface improvements

Several enhancements are added to the ADM user interface to improve user experience. These enhancements automate and simplify the process of onboarding ADC instances to ADM. Also, the new simpler and intuitive interface makes it easier to navigate. Here’s a summary of the GUI changes:

Add ADC instance workflow: Sometimes you might skip onboarding the ADC instances in the Getting Started workflow while setting up ADM service for the first time. In such cases, you can onboard the instances from the ADM GUI dashboard. If ADC instances are not yet added, the GUI prompts you to add the instances.

Add instance workflow

Navigation menu: The left-hand navigation menu has been reorganized and regrouped. The new modules in the menu are Security, Gateway, and Infrastructure. Some of the old modules, Networks, Analytics, and Orchestration, are now merged into the new modules. If you’ve not added ADC instances yet, when you click any module on the navigation bar, a tabular preview of the features of that module appears.

Menu comparison

The following image helps you map the old modules and topics with the new navigation.

Menu navigation

For more information, see Onboard ADC instances by using the ADM GUI dashboard.

[NSADM-68433]

WAF recommendation

NetScaler Console now enables you to scan applications and get recommendations for:

  • WAF profiles

  • WAF signatures

Navigate to Security > WAF Recommendation and under Applications, click Start Scan to configure the WAF scan settings for an application.

Using these recommendations, you can apply the required WAF profiles and signatures to the application and ensure that the application is secured.

For more information, see WAF recommendations.

[NSADM-57849]

Invite users with a limited access to ADM

As a super administrator, you can now invite users with a group level access to ADM service. With this feature, you can limit the users’ access to a group in their first login. In Citrix Cloud, navigate to Identity Access Management > Administrators. Under the Custom access option, select Application Delivery Management. Then, select the group to which you want to add this user.

The invitation link is sent to the specified user email address. When the user logs in to ADM using this link, the user is added to the specified group. Earlier, the invited users were able to access all ADM features. You were not able to limit users’ access to a group. For more information, see Configure users on NetScaler Console.

[NSADM-69347]

Select labels in service graph for microservices

In service graph for microservices, you can now change the Service Info labels from Settings. The Filters tab in settings enables you to select the labels (based on the selected duration and the active transactions from the services). After selecting the labels from settings, the Service Info tab in the Filters section enables you to apply filters on the selected labels to filter results. This feature ensures better visibility to the service graph.

[NSADM-76557]

Enhancement: Update a StyleBook definition inline

Updating a StyleBook definition inline allows you to modify the StyleBook without upgrading its version. You can now update the custom StyleBook definitions that are imported from a StyleBook bundle. And, you can also update a StyleBook definition or StyleBook bundle that has config packs with it. Earlier, you were only able to update StyleBook definitions that are imported as a file.

Note

Before you update the StyleBook definition, ensure it is backward compatible. So, all parameters can be retained in the updated StyleBook. And, the newly added parameters appear as optional.

For more information, see Update custom StyleBooks.

[NSADM-72258]

IPv6 support in IP Reputation violation

In Security > Security Violations, the IP Reputation violation now displays the IPv6 address for the client IP.

IP reputation

[NSADM-72372]

July 27, 2021

StyleBooks

StyleBook definition supports a splat expression

A splat expression [*] provides a simpler way to retrieve a certain attribute from a complex list for all the iterations. You can now include splat expressions in a StyleBook definition. Earlier, you had to specify a repeat construct to retrieve the same information.

Syntax: list[*].attribute

This expression iterates over all the items of the list specified to its left and returns the attribute value specified to its right. When you want to retrieve an IP address or host name of each virtual server from the list, you can use the following splat expressions:

Example 1:

 $parameters.server-members[*].hostname
<!--NeedCopy-->

This expression returns a list of host names from all the server-members.

Example 2:


 $parameters.server-members[*].sub-domains[*].name
<!--NeedCopy-->

This expression returns a list of all names under the subdomains of each server-members.

These expressions always return the right-most element type’s list.

[NSADM-67724]

Manage SSL certificates by using StyleBooks

You can now write a StyleBook definition to allow users to select SSL certificates from the ADM certificate store. This store lists the existing SSL certificates that are uploaded to your ADM server. With this feature, you can store SSL certificates at one place that is the ADM certificate store and reuse them whenever required.

Add this field in the Create Configuration packGUI using the new certkey parameter. And, it is an object type attribute. The following is an example snippet to specify in the StyleBook definition

parameters:
-
    name: certificate
    label: Certificate
    description: Certificate to be bound to this virtual load balanced application`
    type: certkey
    required: true
<!--NeedCopy-->

When creating a configuration pack, a user can add or select SSL certificates from the certificate store. Also, the user can select the same certificate for multiple config packs. Earlier, users were able to specify certificate details only while creating a configuration pack.

[NSADM-57943]

Name change for security insight and bot insight

When you enable analytics for a virtual server, you can now view the following name change for security insight and bot insight:

  • WAF Security Violations

  • Bot Security Violations

    Name change

[NSADM-72932]

Fixed Issues

  • In App Dashboard, when you drill down an application and in the Web Insight tab, the See more option under Clients does not work. This issue is also observed in Applications > Web Insight.

    [NSHELP-28153]

  • Under Infrastructure > Instance Advisory > Security Advisory, when you click Proceed to upgrade workflow to upgrade a vulnerable NetScaler CPX instance, an error message appears. This issue happens because the ADM upgrade workflow supports only MPX, SDX, and VPX instances.

    With this fix, a separate CPX column is added under Current CVEs > ADC instances are impacted by CVEs. To upgrade a vulnerable CPX instance, click the document link in the GUI, which ishttps://docs.citrix.com/en-us/citrix-adc-cpx/current-release/upgrade-cpx.html.

    [NSADM-75311]

  • When you remove an ADC instance from theInfrastructure > Instance Dashboard > NetScaler page, the Asset Inventory page does not update the claim status of the instance. As a result, sometimes, the ADC instance gets automatically registered after around 15 minutes.

    [NSADM-63266]

July 01, 2021

Security advisory notifications

You can now receive the following notifications for ADM security advisory activities.

  1. Email, Slack, PagerDuty, and ServiceNow notifications for:

    • Difference between the latest and previous scans

    • New CVEs added in security advisory repository

  2. Cloud notification for scan result changes

To enable or disable notifications, from the ADM GUI, navigate to Infrastructure > Instance Advisory > Security Advisory and click the settings icon on the upper-right corner.

[NSADM-71234]

Performance indicator for an application - Non-A+ SSL rating

When you drill down an application that is not having the A+ SSL Rating, you can now view:

  • The impact on the app score
  • The Non-A+ SSL Rating details under Issues

For more information, see Non-A+ SSL rating.

[NSADM-71320]

Import StyleBooks from GitHub Enterprise Server

When you add a StyleBooks repository in ADM, you can now specify repositories on GitHub Enterprise Server. This feature helps you import or sync StyleBooks and config packs from a GitHub Enterprise Server. Earlier, you were able to import and sync StyleBooks and config packs only from the GitHub website.

[NSADM-72257]

Fixed Issues

The issues that are addressed in Build July 01, 2021.

  • If you rename a scheduled configuration job and delete it from the ADM GUI, the ADM server does not remove this job.

    [NSADM-73577]

  • In ADM, when you deploy a configuration job on a CPX instance, it fails with the SSH authentication error message.

    [NSHELP-27521]

  • Web Insight data does not populate properly if the application name contains a space.

    [NSHELP-27178]

June 08, 2021

Support for identification and remediation of CVE-2020-8299 and CVE-2020-8300

NetScaler Console security advisory now supports identification and remediation of the newly announced CVE-2020-8299 and CVE-2020-8300.

Remediation for CVE-2020-8299 requires an upgrade of the vulnerable ADC instances to a release and build that has the fix. Remediation for CVE-2020-8300 requires a two-step process:

  1. Upgrade the vulnerable ADC instance to a release and build that has the fix.

  2. Apply configuration jobs.

For details about how to remediate CVE-2020-8300, see Remediate vulnerabilities for CVE-2020-8300.

For more information about security advisory and how to remediate other CVEs, see Security Advisory.

Note

It might take a couple of hours for security advisory system scan to conclude and reflect the impact of CVE-2020-8299 and CVE-2020-8300 in the security advisory module. To see the impact sooner, start an on-demand scan by clicking Scan-Now.

[NSADM-71136]

View monitor status to check application health

You can now use the Application dashboard in the ADM GUI under Applications > Dashboard, to view the health monitor status of an application and the failure message if any. For details, see Application details.

[NSADM-46935]

View app security configuration in app dashboard

When you drill-down an application from Applications > Dashboard, the Security tab now enables you to view if the application is configured with app security. If the WAF or Bot configuration is not enabled for the application, you can use the StyleBook to configure.

StyleBook configure

[NSADM-66873]

Improvements to RTT calculation

NetScaler instances might not able to calculate the RTT value for some transactions. For such transactions, the web transaction analytics and Web Insight in ADM display the RTT value as < 1 ms.

The RTT calculation for such transactions is improved and ADM now displays the following RTT values as:

  • NA - Displays when the ADC instance cannot calculate the RTT.

  • < 1ms - Displays when the ADC instance calculates the RTT in decimals between 0 ms and 1 ms. For example, 0.22 ms.

[NSADM-65648]

In Applications > Web Insight, you can now view details for the following SSL parameters under SSL Errors:

  • Cipher mismatch

  • Unsupported Ciphers

SSL error details

Under SSL errors, click an SSL parameter (Cipher Mismatch or Unsupported Ciphers) to view details such as the SSL cipher name, the recommended actions, and the details of the affected applications and clients.

For more information, see Web Insight.

[NSADM-62525]

Fixed Issues

  • If you rename a scheduled configuration job and delete it from the ADM GUI, the ADM server does not remove this job.

    [NSADM-73577]

  • While registering the ADM agent, the default password must be changed. If the new password contains a special character such as open and/or close bracket, a syntax error occurs. As a result, you cannot log on to ADM agent.

    [NSHELP-27638]

May 17, 2021

Troubleshoot issues using the diagnostic tool

When you onboard an ADC instance onto NetScaler Console service, you might experience issues that prevent the ADC instance from successful onboarding. As an administrator, you must know the reason for the onboarding failure.

You can now perform diagnostic checks using the diagnostic tool when you:

Experience any issues during auto-onboarding or script-based onboarding Want to ensure if the ADC instance is ready to onboard Want to analyze issues for the already onboarded ADC instances that show “Down” status in the ADM GUI After analyzing the issues, you can troubleshoot and then onboard the ADC instances to ADM service. For more information, see Troubleshoot issues using the diagnostic tool

Service graph: simplified on-boarding process

The service graph on-boarding process is now simplified. To populate a service graph in NetScaler Console, see Service Graph - Simplified onboarding.

[NSADM-66696]

Import and synchronize config packs from a GitHub repository

You can now import and synchronize config packs from a GitHub repository to NetScaler Console. To do so, you must create a folder with the name “config packs” in the root directory of the repository. Then, keep all the config packs in this folder that you want to import or synchronize with ADM. In Applications > Configuration > Repositories, click Sync to import config packs. Earlier, this action was only synchronizing StyleBooks. For more information, see Import and synchronize StyleBooks from GitHub repository.

[NSADM-67722]

A+ SSL rating (by Qualys SSL Labs) analytics

When an application uses unsecured ciphers, protocols and SSL settings for SSL transactions, it can impact the privacy, data integrity and security of the users accessing the application. For this purpose, Qualys SSL Labs gives rating to applications based on ciphers, protocols, and other SSL settings. Learn more about SSL Server Test.

As an application owner, you can now assess if your application will be rated A+ by Qualys. To assess, check the compliance of the applications virtual server SSL settings to the ADC secure front-end profile. The settings required for an A+ rating (as of May 2018) from Qualys SSL Labs are preloaded into the secure front-end profile.

If your application SSL rating is “Not A+”, you can use a one-click way to deploy the secure front-end SSL profile on your applications.

When your application is rated as “Not A+”, you can see the details of a virtual server whose configuration does not comply with the secure front-end profile. Likewise, you can see remediation measures to make the virtual server comply with the secure front-end profile.

After you deploy the secure SSL profile to make your application A+, you can assess the incoming traffic in SSL insight to see the ciphers, protocols on which SSL transactions are getting negotiated. In case some legitimate traffic gets dropped after deploying A+ profile, you can roll back the secure front-end profile configured for your application. For information, see Assess application security ratings in ADM.

Note

In some cases, after deploying the secure front-end profile, if you make some custom configuration to the virtual server, rollback might not be possible due to inconsistent configuration.

[NSADM-67076]

April 27, 2021

Fixed Issues

  • ADM does not communicate with NetScaler BLX instances through SSH, and some ADC features such as Config Audit and Config Jobs might not run on BLX as expected.

    [NSADM-68985]

  • AppFlow and Bot signature creation fails in ADM service.

    [NSADM-70199]

April 17, 2021

Improvements to security violations

In Security > Security Violations, you can now view the following improvements:

  • When you enable analytics for Account Takeover, Website Scanning, and Content Scraping violations, the Advanced Security Analytics and Web Insight settings are also enabled automatically.

  • From the settings option, when you select the application to configure the prerequisite settings for Account Takeover, Website Scanning, and Content Scraping violations, the Premium license filter is applied. This enhancement enables you to view and select only the premium licensed applications.

    Premium license filter

  • From the settings option, the Website Scanning and Scraping prerequisite configuration page enables you to select the Session Tracking Method first and then the application.

  • The All Virtual Servers page in Settings > ADM Licensing & Analytics Config displays the Instance License option that enables you to analyze the license type of the instance.

    License type

[NSADM-68058]

View security violations in App Dashboard

In Security > Security Violations > Application Overview, the violation details that you were able to view for WAF and Bot are also now available in the Application Dashboard. Navigate to Applications > Dashboard, select an application, and click the Security tab to view the WAF and Bot violations applicable for the selected application.

Violations in App dashboard

Apart from the visibility of the application performance and usage, this enhancement also enables you to visualize the violation details in a single-pane view.

[NSADM-66876]

IP address color code changes dynamically to indicate instance status

In the ADM GUI, under Network > Instances > NetScaler, in the IP address column, the color codes for IP addresses marks change dynamically to indicate instance status. For example, if a particular primary instance is in “up” state, the color code for the circular P mark for the corresponding IP address changes to green. Also, you can hover the circular mark to check the instance status. Previously, the color codes for IP addresses were static: blue for primary and grey for secondary.

[NSADM-67681]

Fixed issue

For SSL certificates, the ADM GUI displays the issuer type as “Not Recommended” even if the certificates are configured in SSL Dashboard settings.

[NSHELP-26123]

March 30, 2021

Bot insight - View log message for bot management

In Security > Security Violations > Application Overview, under Bot, when you select an application and click Logs to view bot details, you can now view the bot category identified as signature and the signature ID. The signature ID enables you to analyze if the detected bot is a good bot or a bad bot. For any other bot category, the signature ID displays N/A.

For more information about signature category and ID, see Bot signature update.

[NSADM-63099]

App Security Violation - Bot

In Security > Security Violations > All Violations, you can now view Keystroke and Mouse dynamic based bot detection under the BOT violation category. For more information, see App Security Violation.

[NSADM-61855]

Fixed issues

  • In Infrastructure Analytics, the UI term “Packet dropped” for SSL violation counters (PE CPU Limit, PPS Limit, Throughput Limit, SSL Throughput Limit, SSL TPS Limit) is now changed to “rate limit breaches”.

    [NSADM-69007]

  • ADM generated tech-support bundle fails to unzip.

    [NSHELP-26726]

March 17, 2021

Protect your organization by using security advisory

NetScaler Console Security Advisory helps you identify ADC instances impacted by Citrix Common Vulnerabilities and Exposures (CVEs) and apply appropriate remediation. The advisory highlights NetScaler CVEs putting your ADC instances at risk and recommends mitigations and remediations. You can review the recommendations and take appropriate actions, by using ADM service to apply the mitigations and remediations.

The following are the security advisory features:

  • Scan: includes default system scan and on-demand scan.
    • System scan: scans all managed instances by default once a week. ADM decides the date and time of system scans, and you cannot change them.
    • On-demand scan: enables you to manually scan the instances when required. If the time elapsed after the last system scan is significant, you can run on-demand scan to assess the current security posture. Or scan after a remediation or mitigation has been applied, to assess the revised posture.
  • CVE impact analysis: shows results of all CVEs impacting your infrastructure and all the ADC instances getting impacted and suggests remediation and mitigation. Use this information to apply mitigation and remediation to fix security risks.

  • CVE reports: stores copies of the last five scans. You can download these reports and analyze them.

  • CVE repository: gives a detailed view of all the ADC-related CVEs that Citrix has announced since December 2019, that might have an impact on your ADC infrastructure. You can use this view to understand the CVEs in Security Advisory scope and to learn more about the CVE.

For more information, see Security advisory.

[NSADM-69280]

New features added to Citrix low-touch onboarding workflow

The new Citrix low-touch onboarding workflow comes with an enhanced GUI with several new features and better user experience. Two new tabs, Security Advisory and Upgrade Advisory, are introduced. NetScaler Console Security Advisory alerts you about vulnerabilities putting your ADC instances at risk and recommends mitigations and remediations. You can use the Upgrade Advisory to check ADC instances that are nearing end of life (EOL) or on older versions. We can upgrade these ADCs to latest releases and benefit from the latest enhancements and fixes. To know more, see Low-touch onboarding of NetScaler instances using NetScaler Console service connect.

[NSADM-69280]

Monitor ADC instance lifecycle using NetScaler Console upgrade advisory

NetScaler Console upgrade advisory helps you monitor the lifecycle of your ADC instances. As a network administrator, you might manage many instances running on different ADC releases in NetScaler Console. Monitoring the lifecycle of each ADC instance can be a cumbersome task. To ease this process, ADM upgrade advisory provides the following information:

  • Identifies instances reaching or reached EOL or EOM. So, you can plan ADC upgrades ahead of EOL or EOM date.

  • Highlights the instances that are not on latest release or build. You can upgrade these instances to latest release or build to benefit from new features and bug fixes.

  • Highlights the instances that are not on preferred ADC builds. Some organizations might have a preferred ADC builds for their instances. In ADM, you can set the preferred build for your organization depending on features, fixed issues, and other considerations. Then, review and upgrade the instances that are not on preferred builds. Instances running the preferred builds are indicated with a star icon.

  • Highlights instances running on the most popular releases or builds. Instances running the popular builds are indicated with a ribbon icon.

After you review the abovementioned points, you can proceed to create a maintenance job to upgrade ADC instances from the Upgrade Advisory page.

Important

Upgrade advisory only monitors EOM or EOL of ADC software versions. It doesn’t check the EOL of ADC hardware appliances.

Upgrade Advisory page

For more information, see Upgrade Advisory.

[NSADM-56646]

Analyze the root cause for application slowness

Application slowness is a major concern for any organization because it results in business impact or productivity. In Applications > Web Insight, you can now view a new metric, Applications with Response Time Anomalies. Using this metric, as an administrator, you can analyze if the application slowness arises from:

  • Client network latency

  • Server network latency

  • Server processing time

For more information, see Analyze the root cause for application slowness.

[NSADM-63170]

March 03, 2021

Discover API endpoints in ADM

You can now discover the API endpoints that are in your organization using API gateway. In NetScaler Console, the Security > API Gateway > API Discovery page displays the API endpoints that are part of ADC instances and API deployments.

In API Discovery, when you select a virtual server or API deployment, the ADM GUI displays the API endpoints and their details such as:

  • Method - It displays the method used in an API endpoint. For example, GET and POST methods
  • Total requests - It displays the count of API requests on the API endpoint.
  • Response statuses - It displays the count for each response status. For example, 2xx, 3xx, 4xx, and 5xx.
  • Found in Spec - This column appears only for API deployments. Sometimes, the internal APIs that are not part of the API definition might receive traffic from outside. This column helps you identify whether the API endpoint and observed method are part of the API definition.

Virtual servers:

API endpoints in the virtual server

API deployments:

API endpoints in the virtual server

[NSAPISEC-1234]

Grant API gateway configuration and management permissions

As an administrator, you can create an access policy to grant user permissions for API gateway configuration and management. The user permissions can be view, add, edit, and delete. To do so, navigate to Settings > User & Roles > Access policies.

Grant API gateway management permissions

[NSADM-63097]

Improvements to global service graph

In Applications > Service Graph > Global, you can now view:

  • The microservices based on the cluster name.

    Note

    You can view microservices for only three clusters.

    Microservice cluster name

  • The enhanced view of the discrete virtual servers and custom apps

    Discrete virtual servers

    Custom apps

Venafi integration in NetScaler Console

To maintain digital security, you must automate the management of SSL certificates in your environment. Expired SSL certificates can lead to security risk. Now you can configure Venafi Trust Protection Platform servers to manage SSL certificates from the ADM service GUI.

With Venafi integration, you can reissue certificates and automate renewal of certificates installed on the ADC instances, through ADM service GUI. For more information, see Automate SSL certificate management.

[NSADM-58047]

Fixed issues

  • When you a create a job in Infrastructure > Configuration Jobs and select the Execution Frequency as specific day of a week or date of a month, the scheduled job does not run according to the specified time.

    [NSHELP-26034]

  • ADM fails to register or update without a DNS server, when a proxy server is enabled and the agent fails to get its IP address.

    [NSHELP-25835]

  • For non-admin users, GSLB Services data takes more than a minute to appear under Infrastructure > Network Functions > GSLB in the ADM GUI.

    [NSHELP-25740]

  • You receive email notifications on license pool thresholds, even when it is not configured.

    [NSHELP-25723]

  • In Gateway Insight, when you schedule a report (Export Reports > Schedule Export), the generated report displays Page Not Found.

    [NSHELP-25496]

  • Sometimes, the ADM GUI fails to display instance licenses.

    [NSADM-67697]

February 11, 2021

Reconcile your StyleBook configuration

When you audit the ADC configuration with the StyleBook configuration pack, you can now reconcile any changes or drifts detected on the ADC instance. This action restores the ADC configuration to match the configuration pack version on ADM.

Reconcile confirmation message

Consider that you created an object on the ADC instance using the StyleBook configuration. If that object is deleted from the ADC instance, the Configuration Audit page identifies the change and allows you to reconcile it. The Reconcile action restores the deleted object on the ADC instance as defined in the configuration pack.

If any changes or drifts detected during the configuration pack update, a confirmation message appears to reconcile the changes.

Reconcile confirmation message

[NSADM-62742]

Update custom StyleBook definitions in the GUI

You can now update a custom StyleBook definition from the ADM GUI itself.

Note

Before you update the StyleBook definition from the ADM GUI, ensure the following:

  • The StyleBook definition has no dependent StyleBooks.
  • There are no config packs created from the StyleBook definition.

Update custom StyleBook

Earlier, you had to do the following:

  1. Download the StyleBook.
  2. Delete it from ADM.
  3. Update the definition offline.
  4. Import it back to ADM.

With this feature, you can update the definition in place.

[NSADM-67726]

New data type and built-in IP functions to StyleBook definition

The ADM StyleBooks now support the ipnetwork data type to facilitate new IP functions. This data type has two parts. First part is the IP address and second part is the netmask.

The netmask is represented using a netmask length (netmask-len) or netmask IP address (netmask_ip). The netmask length is an integer between 0-32 and 0–128 for an IPv6 address. It is used to determine the IP addresses count in a network.

Following are the new built-in IP functions:

  • ip_network(): Returns an IP network notation when it receives the IP address and netmask length as the input.
  • network_ip(): Returns the first IP address of the specified IP network.
  • subnets(): Returns the list of subnets from the specified IP network and netmask length.
  • netmask_ip(): Returns the netmask IP address for the specified IP network.
  • broadcast_ip(): Returns the broadcast IP address for the specified IP network.
  • cidr(): Returns a CIDR notation for the specified IP network.
  • is_cidr(): This function accepts an ipnetwork value. And, it returns True if the specified value matches the CIDR notation of the IP network.
  • is_in_network(): This function accepts ipnetwork and ipaddress values. And, it returns True if the specified IP address exists in the specified IP network.

[NSADM-56083]

Introduced an advanced option while you import a StyleBook configuration

In Applications > Configuration > Config Packs, the Import Configuration option now includes an advanced option. This option is useful when you import the configuration pack that already has the configuration objects on the ADC instance.

Advanced option to import StyleBook configuration

Consider that the same ADC instance is added on two ADM servers. And, one of the ADM servers has deployed a configuration pack on that ADC instance. If you want to migrate that configuration pack to another server (or to the ADM Service), export it to your local computer. Then, use this option on the ADM server where you want to import the configuration pack. This option imports it without redeploying the configuration objects on the ADC instance.

[NSADM-62743]

View API analytics for all API traffic

The API Gateway > API Analytics page now displays all the API requests and responses. Earlier, this page only displayed the API traffic that configured the rate limit or authentication policy.

[NSADM-62936]

Improvements to service graph

In the Microservices service graph, as an administrator, you can now analyze:

  • The number of hits between the services based on the edge width.
  • The reasons for the services in review or critical status.
Service icon Description
Service graph edge detection The edge width indicates the number of hits. The greater or more the edge width, indicates the number of hits is higher.
Service graph errors Service with a warning icon indicates that the service has errors.
Service graph latency Service with a stopwatch icon indicates that the service has latency or response time issues.
Service graph latency Service with both stopwatch and warning icons indicate that the service has both errors and latency/response time issues.

Note

If a service has no warning or stopwatch icon, it indicates that the service has anomalies or threshold breach for Hits.

[NSADM-65798]

Fixed issues

  • In Gateway Insight, when you schedule a report (Export Reports > Schedule Export), the generated report displays “Page Not Found”.

    [NSHELP-25496]

  • While you add an ADC instance in ADM, if you select SNMP v2 as the NetScaler profile, the ADM IP address is added as the SNMP manager.

    [NSHELP-26245]

  • In Infrastructure > Configuration Jobs, the scheduled configuration job does not run according to the specified time when the Execution Frequency is set as follows:

    • Specific day of a week.
    • Specific date of a month.

    [NSHELP-26034]

  • ADM fails to register or update without a DNS server when the following conditions are met:

    • A proxy server is enabled.
    • The agent fails to obtain its IP address.

    [NSHELP-25835]

  • Sometimes, the ADM GUI fails to display instance licenses.

    [NSADM-67697]

January 29, 2021

IPAM displays the resources of the allocated IP address

You can now view more details about allocated IP addresses from an IPAM network:

  • Module: Displays the ADM module that reserved the IP address. For example, if the IP address is reserved by StyleBooks, this column displays StyleBooks as the module.

  • Resource Type: Displays the resource type in that module. For the StyleBooks module, only the configurations resource type uses the IPAM network. So, it displays Configurations under this column.

  • Resource ID: Displays the exact resource id with a link. Click this link to access the resource that is using the IP address. For the configuration resource type, it displays the configuration pack ID as the resource ID.

[NSADM-62751]

Fixed issues

You cannot remove a NetScaler SDX instance from NetScaler Console if the instance is configured as an FQDN and contains a hyphen (“-“) in the name. [NSHELP-26022]

ADM fails to register or update without a DNS server, when a proxy server is enabled and the agent fails to get its IP address. [NSHELP-25835]

January 13, 2021

In service graph, you can now use the tabular view to see:

  • Key metrics for the service

  • Key metrics between a source service to a destination service

    Key metrics

As an administrator, using these key metrics, you can analyze the trends of golden signals for the selected time duration. For more information, see View service details.

[NSADM-65163]

Service graph - Use the Poll Now option to get the pod status

In service graph, you can now use the Poll Now option to get the latest pod status. The Poll Now option fetches the latest pod status from the cluster.

  1. Click a node and select View Details

  2. In the Pods tab, click Poll Now

    Poll Now

[NSADM-62963]

New StyleBook attribute to add a dynamic list

In the StyleBook definition, you can now add the allow-new-values attribute to add a dynamic list for a parameter. When a user selects this StyleBook to create a configuration, the user can add new values to the list.

You can use the allow-new-values and allowed-values attributes in a combination. This combination allows you to define a list of valid values for a parameter and also accept new values.

Example:

-
      name: port
      type: tcp-port
      allowed-values:
            - 80
            - 81
            - 8080
      allow-new-values: true
<!--NeedCopy-->

In this example, a user can either select from 80, 81, 8080, or enter a new value for the parameter port while creating/updating a configuration pack. For more information, see allow-new-values.

[NSADM-62749]

Invite users with a custom access to ADM service

As a super administrator, you can now invite new users with the custom access to use the ADM service. This option allows you to limit the user access only to ADM service in Citrix Cloud. Earlier, you were not able to invite users to access only ADM service. So, you had to send an invitation with the full access.

To invite new users in Citrix Cloud, navigate to Identity Access Management > Administrators. In the Custom access option, select Application Delivery Management. By default, the Administrator role is selected.

Inviter users with a custom access

The invitation link is sent to the specified user email address. And, the user can log on to NetScaler Console with this link as an administrator. With an administrative access, the user can do the following:

  • Add and manage ADC instances in ADM.
  • Deploy configurations on ADC instances using StyleBook.
  • Configure pooled capacity licenses for ADC instances.
  • Create and configure Autoscale groups.

Note

The administrator can access the ADM GUI from Citrix Cloud. However, the Settings > User & Roles page is restricted. A super administrator can grant access to this page if needed.

For more information about how to send an invite and configure the users, see Configure Users on NetScaler Console.

[NSADM-55384]

Fixed issues

  • In Gateway Insight, the total count displayed under Gateway is incorrect.

    [NSHELP-25729]

  • When you select Record and Play under Configuration Source in Infrastructure > Configuration Jobs > Create Job, the following error message appears:

    Unable to get config diff for: <instance IP>

    [NSADM-63986]

  • If you provide invalid regex in application for a group and select few applications manually, the manually selected applications are not visible if the regex is invalid.

    [NSHELP-25739]