
Security Events | SNMP Traps - Citrix WAF / LB


Deepak Shukla

Question

Hi Techs...

 

What is the list of SNMP trap rule names like "appfwPolicyHit" that can be created/triggered in Citrix WAF or Load Balancer?

 

Currently I am getting events like the one below in my SIEM platform, which seem to be of no use for security monitoring.

My objective here is to drill down on the SNMP trap events which can actually help with security monitoring of the environment; the rest I am planning to drop to save storage.

 

<134> 02/12/2020:05:58:59 GMT XXXXXXXXXX 0-PPE-1 : default SNMP TRAP_SENT 13621684 0 :  appfwPolicyHit (appfwLogMsg = "CEF:0|Citrix|NetScaler|NS12.0|APPFW|APPFW_POLI...", nsPartitionName = default)

 

 

TIA,

Deeshu

 

 

 


5 answers to this question


I can't understand the point of your question. I can't understand the first sentence. This log is just telling you that the box sent a trap to the trap destination. It's not directly related to WAF but to SNMP.

 

You may disable it by going to System -> SNMP -> Alarms and disable the corresponding alarm (APPFW-POLICY-HIT).

 

Did I answer your question?


Hi Johannes... Thanks for your inputs!

 

Though administration of Citrix is not in my hands. I work mainly on the SIEM platform (ArcSight, QRadar, LogRhythm, Elasticsearch). I will drop these logs from my SIEM platform.

My main concern is to drop all such events from the SIEM which don't give any value from a SOC security monitoring point of view.

 

Currently in the environment we have Citrix Load Balancer and Citrix WAF, and we are collecting logs from these devices through syslog.

Referring to the Citrix syslog cheat sheet below, the objective is to drop all such events which don't give any value from a SOC security monitoring point of view.

 

https://developer-docs.citrix.com/projects/netscaler-syslog-message-reference/en/12.0/

 

 

TIA,

Deeshu


If you're just interested in security, you would only allow logs containing APPFW. Everything related to the WAF contains this string, in capital letters. You might exclude the messages mentioned above (it's a duplicate of the previous message, but shortened down, so it's of hardly any value to you).

 

I guess,

 

tail -F /var/log/ns.log | grep APPFW | grep -v TRAP_SENT

 

would do a good job for you

 

Cheers

Johannes Norz

CCI, CCE-N, CTA


Something I forgot to mention:

 

There might be some custom logs you could be interested in. These logs may be related to responder policies. I have written a blog about how to make responder policies log. These policies are custom ones, so there is no general pattern to grep for; instead it's something your Citrix ADC guys will have to show you.

 

Cheers

 

Johannes Norz

CCI, CCE-N, CTA
