Citrix NetScaler VPX

NetScaler only sends syslog messages for IPv4 extended ACLs. Usage tracking will not work for IPv6 extended ACLs, IPv4/IPv6 standard ACLs, or NAT rules. This is a NetScaler limitation, not a FireMon one.

NetScaler sends at most 10k syslog messages per second for any single ACL. If a rule is hit 20k times a second, NetScaler still sends only 10k messages, so FireMon will see a maximum of 10k hits a second on any single rule from a NetScaler, even if there are more. This is a NetScaler limitation, not a FireMon one.

To add a Citrix NetScaler VPX device, complete the following steps.

Step 1: Configure the Device

FireMon strives to provide up-to-date product information; however, we are not always aware when vendors change their device UI. If any Configure the Device procedure differs from your device version (the UI location of fields, not the information needed), please consult your device's user guide.

  1. Log in to the Citrix CLI.
  2. Create a read-only access user.
    1. Go to Configuration > System > User Administration > Users > Add.
    2. Enter a User Name and Password, and then re-enter the password.
    3. Click Continue.
    4. On the next page, in the Bindings section, click No Group.
    5. In the User Group Binding section, click the Add icon to open the Create System Group page.
      • Enter a Group Name.
      • Click the Add icon next to the user (group name) that was created.
      • Under Command Policies, click Bind.
      • On the Command Policies page, select the user (group name) you created, and then click Insert.
      • At the bottom of the Create System Group page, click Create.
    6. Back to the User Group Binding page, select the user (group name) from the Select Group list and then click Bind.
    7. On the System User page, verify the user is now listed under Bindings (1 Group).
    8. Click Save.
    9. Click Done.
    10. Save the user settings by clicking the floppy disk icon.
  3. Set up a backup retrieval.
    1. On the System User page, click No System Command Policy.
    2. In the User Command Policy Binding section, click the Add icon to open the Create Command Policy page.
      • Enter a Policy Name. Do not use spaces.
      • Select Allow as the Action.
      • Enter the following in the Command Spec field: (create\ssystem\sbackup.*|scp.*/var/ns_sys_backup/.*\.tgz|rm\ssystem\sbackup\sfiremon.*)

      Note: This regex will allow the user to run the following CLI commands: "create system backup firemon_netscaler_fullbackup_DEVICEIP_TIMESTAMP -level full", "scp -P PORT USERNAME@DEVICEIP:/var/ns_sys_backup/firemon_netscaler_fullbackup_DEVICEIP_TIMESTAMP.tgz firemon_netscaler_fullbackup_DEVICEIP_TIMESTAMP.tgz", and "rm system backup firemon_netscaler_fullbackup_DEVICEIP_TIMESTAMP.tgz". DEVICEIP is the NetScaler management IP as defined in SIP. TIMESTAMP is in YYMMDD format based upon SIP's server time. PORT is the port defined in SIP.

      • Click Create.
    3. In the User Command Policy section, click Bind.
    4. On the System User page, verify the policy is now listed under Bindings (1 System Command Policy).
    5. Click Done.
    6. Save the policy settings by clicking the floppy disk icon.
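The following check, added here and not part of the FireMon procedure or the NetScaler product, evaluates the Command Spec regex above against the three backup commands the policy is meant to permit and against a few unrelated commands, so you can confirm the read-only user gets only those commands. It assumes NetScaler matches a command spec against the whole command line (so `fullmatch` is used) and uses constructed sample values for DEVICEIP, TIMESTAMP, PORT and USERNAME.

```python
import re
from typing import Dict, List

# Command Spec copied from the procedure above (FireMon's regex, not ours).
COMMAND_SPEC = r"(create\ssystem\sbackup.*|scp.*/var/ns_sys_backup/.*\.tgz|rm\ssystem\sbackup\sfiremon.*)"

# Assumption: NetScaler applies a command spec to the entire command line,
# so a partial (search-style) hit is not treated as a match.
_SPEC = re.compile(COMMAND_SPEC)


def is_allowed(command: str) -> bool:
    """True if a command policy with this spec and Action = Allow permits `command`."""
    return _SPEC.fullmatch(command.strip()) is not None


def firemon_commands(device_ip: str, timestamp: str, port: int, user: str) -> List[str]:
    """The three commands the page lists, with DEVICEIP/TIMESTAMP/PORT/USERNAME
    substituted (values are constructed for illustration)."""
    name = f"firemon_netscaler_fullbackup_{device_ip}_{timestamp}"
    return [
        f"create system backup {name} -level full",
        f"scp -P {port} {user}@{device_ip}:/var/ns_sys_backup/{name}.tgz {name}.tgz",
        f"rm system backup {name}.tgz",
    ]


def evaluate(commands: List[str]) -> Dict[str, List[str]]:
    """Split commands into those the policy allows and those it does not."""
    report: Dict[str, List[str]] = {"allowed": [], "denied": []}
    for cmd in commands:
        report["allowed" if is_allowed(cmd) else "denied"].append(cmd)
    return report


if __name__ == "__main__":
    # Constructed sample values: RFC 5737 documentation address, YYMMDD timestamp.
    expected = firemon_commands("192.0.2.10", "240115", 22, "firemon")
    # Commands outside the backup workflow; the spec should not admit any of them.
    unrelated = ["show ns ip", "save ns config", "shell",
                 "rm system backup nightly.tgz"]
    for bucket, cmds in evaluate(expected + unrelated).items():
        print(bucket)
        for cmd in cmds:
            print("  ", cmd)
```

Note that the first alternative (`create\ssystem\sbackup.*`) accepts any backup name and level, while the third only removes backups whose name starts with `firemon`; the report above makes that asymmetry visible.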
  4. Set up syslog usage on the Netscaler device.
  5. Go to Configuration tab > System > Auditing > Syslog > Syslog Auditing page, Servers tab and click Add.
    1. Specify the following Create Auditing Server settings:
      • Server Type: Server IP
      • IP Address: the data collector's IP address
      • Port: 514
      • Log Levels: Custom - Informational
      • Log Facility: LOCAL0
      • Date Format: MMDDYYYY
      • ACL Logging: Enabled
      • User Configurable Log Messages: Enable
      • Transport Type: UDP
    2. Click OK.
  6. Go to the Syslog Auditing page, click the Policies tab and then click Add.
    1. Specify the Create Auditing Syslog settings:
      • Expression Type: Advanced Policy
      • Server: select the auditing server created in step 1.
    2. Click Create.
    3. Select the check box next to the created policy.
    4. Click Action.
    5. Click Advanced Policy Global Bindings, and then click Add Binding.
    6. Specify the Policy Binding setting:
      • Select Policy: the policy created in step 3
      • Global Bind Type: SYSTEM_GLOBAL
  7. NetScaler Rule Configuration: for each IPv4 extended ACL for which you want to collect usage data, the following settings are required:
    1. Log State: Enabled
    2. Log Rate Limit: 10000

    This is the maximum number of syslog messages the device will send for a single ACL.

Step 2: Add the Device in the Administration Module

  1. On the toolbar, click Device > Devices.
  2. Click Create, and then click Citrix > NetScaler.
  1. General Properties section.

To prevent errors in device group-level device maps and incorrect reporting data, all devices added in Administration must have unique IP addresses. If devices with duplicate IP addresses must be added within a domain, it is strongly recommended that those devices be separated into discrete device groups, where no duplicate IP addresses are included in the same device group. Devices with duplicate IP addresses will cause errors in the All Devices device map, and may cause incorrect data in reports, even if they are in discrete device groups.

  1. In the Name box, type the name of the device as you want to see it in SIP.
  2. In the Description box, type an optional description of the device being added.
  3. In the Management IP Address box, type the IP address of the device.
  4. In the Data Collector Group box, select the IP address of the data collector group that will collect data from this device.
  5. In the Central Syslog Server box, select the syslog server from the list (optional).

Syslog fields are optional if the device uses the same IP for syslog and management.
A central syslog server is required only if syslog messages come from a different IP. A central syslog server must be created before it can be assigned to a device. To track usage via syslog, the device must support Level 3+.

  1. In the Syslog Match Names box, type the syslog match name (optional). You can enter multiple comma-separated names.
  2. By default, the Automatically Retrieve Configuration check box is selected.
  3. In the External ID box, type a unique identifier to be used when the device identifier is different than what is displayed in SIP.
  1. Collection Configuration is set on the management station: either the default, or a copy made by duplicating and then editing the default configuration (Device Collection Configuration). The default is the configuration supplied by the installed device pack.
  1. Device Settings section.

Credentials

  1. In the User Name box, type the administrator user name that was created during device configuration.
  2. In the Password box, type the administrator password that was created during device configuration.
  3. In the Enable User Name box, re-enter the password.

Retrieval

  • By default, the Protocol is SSH and the Port is 22.
  1. Monitoring section.

    Log Monitoring

By default, the Enable Log Monitoring check box is selected. To disable this automatic function, clear the check box.

  • By default, Track Usage Via is set to Hit Counters.
  • By default, the Count Retrieval Interval is set to 10 minutes.

    Change Monitoring

By default, the Enable Change Monitoring check box is selected.

  • Enter an optional Alternate Syslog Source IP.

Select the Perform Change Verification check box to allow the Data Collector to verify there are actual changes prior to posting a revision to Security Manager. This will enable more efficient use of disk space by not posting revisions that did not change from the last normalized revision.

  1. Retrieval section.

Scheduled Retrieval

Select the Enable Scheduled Retrieval check box to perform a retrieval at a set time daily regardless of change.

  • The default Check for Change Interval time is 1440 minutes (every 24 hours). You can change the check interval time to best fit your requirements. The minimum required interval is 60 minutes (1 hour).
  • Set an optional time in the Check for Change Start Time box. To schedule the first retrieval for a specific time, select the Starting at check box and select a time. The first retrieval will run at the time you enter. All subsequent retrievals will occur at the interval you entered above, based on the time that the first retrieval occurred. If you do not select a Change Start Time, the first scheduled retrieval will occur immediately after you save the settings. Subsequent retrievals will occur at the interval you entered.

Check for Change Retrieval

Select the Enable Check for Change check box to enable checking for configuration changes after the specified interval, and perform a retrieval if changes are detected.

  1. Advanced section.
    • Select the Enable Device Backup check box to enable the functionality to generate a backup on the NetScaler device when a retrieval is processed. Selecting this enables additional setting fields:
      • Backup Timeout (minutes) is the maximum amount of time that FireMon will wait for NetScaler to generate its backup.
      • SCP Timeout (minutes) is the maximum amount of time that FireMon will wait when transferring the Netscaler backup to the data collector.

If the backup takes 1 hour, but the timeout is set to 30 minutes, the process will never complete.

If you enable device backup and have numerous changes that occur daily, it is suggested that you disable change monitoring and utilize a scheduled retrieval process instead.

  • Select the Use Batch Config Retrieval check box if you are manually sending configurations for this device via your data collector's batchconfig directory. While this option is enabled, online retrievals will be disabled.
  • Select the Automatically Update SSH Keys check box if you want the data collector to automatically update the SSH key for a device when a conflict occurs.

  1. Enforcement section.

Select one of the available enforcement options:

  • Allow All: All automation is allowed (enforcement, change, manual).
  • Manual Only: When selected, all changes must be manually pushed for this device.
  • Prevent All: No automation is allowed.
  • Window Only: Automation can only take place in the assigned enforcement window.

If this device is assigned to an enforcement or change window, it will be listed. If there is no assignment, changes must be manually pushed for this device.

  1. Supplemental Routes section.

Supplemental routes cannot be added until after a retrieval normalizes successfully. You can perform a manual retrieval before continuing.

  1. Click Add.

  2. Complete fields in the Add Supplemental Routes dialog box:

  • Select an Interface.

If you select an Interface, you will not need to select a virtual router and next virtual router. If no interface is selected, you will need to select a Virtual Router and Next Virtual Router.

  • Type the Destination IP address.
  • Type the Gateway IP address.
  • Select a Virtual Router.
  • Select a Next Virtual Router.
  • Switch the Drop toggle to enable (disabled = Accept).
  • Click Add.
  1. Click Save.

Step 3: Verify Communication

Because automatically retrieving a configuration is enabled by default, there is nothing for you to do. Security Manager will automatically attempt to retrieve a device configuration.

To do a manual retrieval, select the device row, click the Menu icon and then click Retrieve Configuration.

It may take up to 15 minutes to see the status result of the retrieval.