ADC CLI Commands

bot-profile

The following operations can be performed on “bot-profile”:

show | set | bind | rm | unbind | stat | add | unset

show bot profile

Displays details of the specified bot profile. If no profile is specified, displays a list of all bot profiles on the Citrix ADC.

Synopsis

show bot profile [<name>]

Arguments

name Name of the bot management profile.

Output

stateflag

signature Name of object containing bot static signature details.

errorURL URL that Bot protection uses as the Error URL.

trapURL URL that Bot protection uses as the Trap URL.

comment Any comments about the purpose of profile, or other useful information about the profile.

builtin Flag to determine if bot profile is built-in or not.

feature The feature to be checked while applying this config

whiteList Enable white-list bot detection.

blackList Enable black-list bot detection.

rateLimit Enable rate-limit bot detection.

deviceFingerprint Enable device-fingerprint bot detection

deviceFingerprintAction Action to be taken for device-fingerprint based bot detection.

ipReputation Enable IP-reputation bot detection.

trap Enable trap bot detection.

signatureNoUserAgentHeaderAction Actions to be taken if no User-Agent header in the request (Applicable if Signature check is enabled).

spoofedReqAction Actions to be taken on a spoofed request (A request spoofing good bot user agent string).

signatureMultipleUserAgentHeaderAction Actions to be taken if multiple User-Agent headers are seen in a request (Applicable if Signature check is enabled). Log action should be combined with other actions

trapAction Action to be taken for bot trap based bot detection.

tps Enable TPS.

blackList Blacklist binding. Maximum 32 bindings can be configured per profile for Blacklist detection.

whiteList Whitelist binding. Maximum 32 bindings can be configured per profile for Whitelist detection.

rateLimit Rate-limit binding. Maximum 30 bindings can be configured per profile for rate-limit detection. For SOURCE_IP type, only one binding can be configured, and for URL type, only one binding is allowed per URL, and for SESSION type, only one binding is allowed for a cookie name. To update the values of an existing binding, user has to first unbind that binding, and then needs to bind again with new values.

ipReputation IP reputation binding. For each category, only one binding is allowed. To update the values of an existing binding, user has to first unbind that binding, and then needs to bind again with the new values.

captchaResource Captcha action binding. For each URL, only one binding is allowed. To update the values of an existing URL binding, user has to first unbind that binding, and then needs to bind the URL again with new values. Maximum 30 bindings can be configured per profile.

tps TPS binding. For each type, only one binding can be configured. To update the values of an existing binding, user has to first unbind that binding, and then needs to bind again with new values.

type Type of the black-list entry.

type Type of the white-list entry.

enabled Enabled or disabled black-list binding.

enabled Enabled or disabled white-list binding.

value Value of the bot black-list entry.

value Value of bot white-list entry.

action One or more actions to be taken if bot is detected based on this Blacklist binding. Only LOG action can be combined with DROP or RESET action.

type Type of TPS binding.

threshold Maximum number of requests that are allowed from (or to) an IP, Geolocation, URL or Host in a 1-second time interval.

percentage Maximum percentage increase in the requests from (or to) an IP, Geolocation, URL or Host in a 30-minute interval.

action One or more actions to be taken if bot is detected based on this TPS binding. Only LOG action can be combined with DROP, RESET, REDIRECT, or MITIGATION action.

enabled Enabled or disabled TPS binding.

category IP reputation category. The following IP reputation categories are allowed:
* IP_BASED - This category checks whether client IP is malicious or not.
* BOTNET - This category includes Botnet C&C channels, and infected zombie machines controlled by Bot master.
* SPAM_SOURCES - This category includes tunneling spam messages through a proxy, anomalous SMTP activities, and forum spam activities.
* SCANNERS - This category includes all reconnaissance such as probes, host scan, domain scan, and password brute force attack.
* DOS - This category includes DOS, DDOS, anomalous sync flood, and anomalous traffic detection.
* REPUTATION - This category denies access from IP addresses currently known to be infected with malware. This category also includes IPs with average low Webroot Reputation Index score. Enabling this category will prevent access from sources identified to contact malware distribution points.
* PHISHING - This category includes IP addresses hosting phishing sites and other kinds of fraud activities such as ad click fraud or gaming fraud.
* PROXY - This category includes IP addresses providing proxy services.
* NETWORK - IPs providing proxy and anonymization services including The Onion Router aka TOR or darknet.
* MOBILE_THREATS - This category checks client IP with the list of IPs harmful for mobile devices.
* WINDOWS_EXPLOITS - This category includes active IP address offering or distributing malware, shell code, rootkits, worms or viruses.
* WEB_ATTACKS - This category includes cross site scripting, iFrame injection, SQL injection, cross domain injection or domain password brute force attack.
* TOR_PROXY - This category includes IP address acting as exit nodes for the Tor Network.
* CLOUD - This category checks client IP with list of public cloud IPs.
* CLOUD_AWS - This category checks client IP with list of public cloud IPs from Amazon Web Services.
* CLOUD_GCP - This category checks client IP with list of public cloud IPs from Google Cloud Platform.
* CLOUD_AZURE - This category checks client IP with list of public cloud IPs from Azure.
* CLOUD_ORACLE - This category checks client IP with list of public cloud IPs from Oracle.
* CLOUD_IBM - This category checks client IP with list of public cloud IPs from IBM.
* CLOUD_SALESFORCE - This category checks client IP with list of public cloud IPs from Salesforce.

action One or more actions to be taken if bot is detected based on this IP Reputation binding. Only LOG action can be combined with DROP, RESET, REDIRECT or MITIGATION action.

enabled Enabled or disabled IP-reputation binding.

type Rate-limiting type. The following rate-limiting types are allowed:
* SOURCE_IP - Rate-limiting based on the client IP.
* SESSION - Rate-limiting based on the configured cookie name.
* URL - Rate-limiting based on the configured URL.
* GEOLOCATION - Rate-limiting based on the configured country name.

url URL for the resource based rate-limiting.

cookieName Cookie name which is used to identify the session for session rate-limiting.

rate Maximum number of requests that are allowed in this session in the given period time.

limitType Rate-Limiting traffic Type

condition Expression to be used in a rate-limiting condition. This expression result must be a boolean value.

timeSlice Time interval during which requests are tracked to check if they cross the given rate.

action One or more actions to be taken when the current rate becomes more than the configured rate. Only LOG action can be combined with DROP, REDIRECT, RESPOND_STATUS_TOO_MANY_REQUESTS or RESET action.

enabled Enable or disable rate-limit binding.

url URL for which the Captcha action, if configured under IP reputation, TPS or device fingerprint, needs to be applied.

waitTime Wait time in seconds for which ADC needs to wait for the Captcha response. This is to avoid DOS attacks.

gracePeriod Duration (in seconds) for which no new captcha challenge is sent after the current captcha challenge has been answered successfully.

mutePeriod Duration (in seconds) for which a client that failed the captcha needs to wait before it is allowed to try again. The requests from this client are silently dropped during the mute period.

requestSizeLimit Length of body request (in Bytes) up to (equal or less than) which captcha challenge will be provided to client. Above this length threshold the request will be dropped. This is to avoid DOS and DDOS attacks.

retryAttempts Number of times client can retry solving the captcha.

action One or more actions to be taken when client fails captcha challenge. Only the LOG action can be configured with the DROP, REDIRECT or RESET action.

enabled Enable or disable the captcha binding.

log Enable logging for Whitelist binding.

logMessage Message to be logged for this binding.

comment Any comments about this binding.

trapInsertionURL Bind the trap URL for the configured request URLs. Maximum 30 bindings can be configured per profile.

url Request URL regex pattern for which Trap URL is inserted.

enabled Enable or disable the request URL pattern.

deviceFingerprintMobile Enabling bot device fingerprint protection for mobile clients

headlessBrowserDetection Enable Headless Browser detection.

logExpression Log expression binding.

name Name of the log expression object.

expression Expression whose result is logged when a violation occurs on the bot profile.

enabled Enable or disable the log expression binding.

clientIpExpression Expression to get the client IP.

KMJavaScriptName Name of the JavaScript file that the Bot Management feature will insert in the response for keyboard-mouse based detection. Must begin with a letter, number, or the underscore character (_), and must contain only letters, numbers, and the hyphen (-), period (.) hash (#), space ( ), at (@), equals (=), colon (:), and underscore characters.

The following requirement applies only to the Citrix ADC CLI: If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, “my javascript file name” or ‘my javascript file name’).

KMDetection Enable keyboard-mouse based bot detection.

KMDetectionExpr Keyboard-mouse based detection binding. For each name, only one binding is allowed. To update the values of an existing binding, user has to first unbind that binding, then needs to bind again with new values. Maximum 30 bindings can be configured per profile.

enabled Enable or disable the keyboard-mouse based binding.

name Name of the keyboard-mouse expression object.

expression The JavaScript file for keyboard-mouse detection is inserted if the result of this expression is true.

KMEventsPostBodyLimit Size of the KM data sent by the browser that needs to be processed on the ADC.

verboseLogLevel Bot verbose Logging. Based on the log level, ADC will log additional information whenever client is detected as a bot.

countryCode Country name which is used for geolocation rate-limiting.

dfpRequestLimit Number of requests to allow without bot session cookie if device fingerprint is enabled

sessionCookieName Name of the SessionCookie that the Bot Management feature uses for tracking. Must begin with a letter or number, and can consist of from 1 to 31 letters, numbers, and the hyphen (-) and underscore (_) symbols.

The following requirement applies only to the Citrix ADC CLI: If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, “my cookie name” or ‘my cookie name’).

sessionTimeout Timeout, in seconds, after which a user session is terminated.

devno count

set bot profile

Set the bot profile parameters

Synopsis

set bot profile <name> [-signature ] [-errorURL ] [-trapURL ] [-comment ] [-whiteList ( ON | OFF )] [-blackList ( ON | OFF )] [-rateLimit ( ON | OFF )] [-deviceFingerprint ( ON | OFF )] [-deviceFingerprintAction ...] [-ipReputation ( ON | OFF )] [-trap ( ON | OFF )] [-signatureNoUserAgentHeaderAction ...] [-signatureMultipleUserAgentHeaderAction ...] [-trapAction ...] [-tps ( ON | OFF )] [-deviceFingerprintMobile ...] [-headlessBrowserDetection ( ON | OFF )] [-clientIpExpression ] [-KMJavaScriptName ] [-KMDetection ( ON | OFF )] [-KMEventsPostBodyLimit <positive_integer>] [-verboseLogLevel ( NONE | HTTP_FULL_HEADER )] [-spoofedReqAction ...] [-dfpRequestLimit <positive_integer>] [-sessionCookieName ] [-sessionTimeout <positive_integer>]

Arguments

name Name for the profile. Must begin with a letter, number, or the underscore character (_), and must contain only letters, numbers, and the hyphen (-), period (.), pound (#), space ( ), at (@), equals (=), colon (:), and underscore (_) characters. Cannot be changed after the profile is added.

The following requirement applies only to the Citrix ADC CLI: If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, “my profile” or ‘my profile’).

signature Name of object containing bot static signature details.

errorURL URL that Bot protection uses as the Error URL. Default value: NS_S_BOT_DEFAULT_ERRORURL

trapURL URL that Bot protection uses as the Trap URL. Default value: NS_S_BOT_DEFAULT_TRAPURL

comment Any comments about the purpose of profile, or other useful information about the profile. Default value: NS_S_BOT_DEFAULT_PROFILE_COMMENTS

whiteList Enable white-list bot detection.

Possible values: ON, OFF Default value: OFF

blackList Enable black-list bot detection.

Possible values: ON, OFF Default value: OFF

rateLimit Enable rate-limit bot detection.

Possible values: ON, OFF Default value: OFF

deviceFingerprint Enable device-fingerprint bot detection

Possible values: ON, OFF Default value: OFF

deviceFingerprintAction Action to be taken for device-fingerprint based bot detection. Default value: NONE

ipReputation Enable IP-reputation bot detection.

Possible values: ON, OFF Default value: OFF

trap Enable trap bot detection.

Possible values: ON, OFF Default value: OFF

signatureNoUserAgentHeaderAction Actions to be taken if no User-Agent header in the request (Applicable if Signature check is enabled). Default value: DROP

signatureMultipleUserAgentHeaderAction Actions to be taken if multiple User-Agent headers are seen in a request (Applicable if Signature check is enabled). Log action should be combined with other actions. Default value: CHECKLAST

trapAction Action to be taken for bot trap based bot detection. Default value: NONE

tps Enable TPS.

Possible values: ON, OFF Default value: OFF

deviceFingerprintMobile Enabling bot device fingerprint protection for mobile clients Default value: NONE

headlessBrowserDetection Enable Headless Browser detection.

Possible values: ON, OFF Default value: OFF

clientIpExpression Expression to get the client IP.

KMJavaScriptName Name of the JavaScript file that the Bot Management feature will insert in the response for keyboard-mouse based detection. Must begin with a letter, number, or the underscore character (_), and must contain only letters, numbers, and the hyphen (-), period (.) hash (#), space ( ), at (@), equals (=), colon (:), and underscore characters.

The following requirement applies only to the Citrix ADC CLI: If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, “my javascript file name” or ‘my javascript file name’). Default value: NS_S_BOT_DEFAULT_KM_JS_NAME

KMDetection Enable keyboard-mouse based bot detection.

Possible values: ON, OFF Default value: OFF

KMEventsPostBodyLimit Size of the KM data sent by the browser that needs to be processed on the ADC. Default value: NS_BOT_DEFAULT_KM_POST_BODY_LIMIT Minimum value: 1 Maximum value: 204800

verboseLogLevel Bot verbose Logging. Based on the log level, ADC will log additional information whenever client is detected as a bot.

Possible values: NONE, HTTP_FULL_HEADER Default value: NONE

spoofedReqAction Actions to be taken on a spoofed request (A request spoofing good bot user agent string). Default value: BOT_ACTION_LOG_DROP

dfpRequestLimit Number of requests to allow without bot session cookie if device fingerprint is enabled Minimum value: 1

sessionCookieName Name of the SessionCookie that the Bot Management feature uses for tracking. Must begin with a letter or number, and can consist of from 1 to 31 letters, numbers, and the hyphen (-) and underscore (_) symbols.

The following requirement applies only to the Citrix ADC CLI: If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, “my cookie name” or ‘my cookie name’).

sessionTimeout Timeout, in seconds, after which a user session is terminated. Minimum value: 1 Maximum value: 65535

bind bot profile

Bind the specified bot detection mechanism to the specified profile.

Synopsis

bind bot profile <name> ((-blackList -type -value -action ... [-enabled ( ON | OFF )]) | (-whiteList -type -value [-log ( ON | OFF )] [-enabled ( ON | OFF )]) | (-rateLimit -type [-url ] [-cookieName ] [-countryCode ] -rate <positive_integer> -timeSlice <positive_integer> [-limitType ( BURSTY | SMOOTH )] [-condition ] [-action ...] [-enabled ( ON | OFF )]) | (-ipReputation -category [-enabled ( ON | OFF )] [-action ...]) | (-captchaResource -url [-waitTime <positive_integer>] [-gracePeriod <positive_integer>] [-mutePeriod <positive_integer>] [-requestSizeLimit <positive_integer>] [-retryAttempts <positive_integer>] -action ... [-enabled ( ON | OFF )]) | (-tps -type [-threshold <positive_integer>] [-percentage <positive_integer>] [-action ...] [-enabled ( ON | OFF )]) | (-trapInsertionURL -url [-enabled ( ON | OFF )]) | (-logExpression -name -expression [-enabled ( ON | OFF )]) | (-KMDetectionExpr -name -expression [-enabled ( ON | OFF )])) [-logMessage ] [-comment ]

Arguments

name Name for the profile. Must begin with a letter, number, or the underscore character (_), and must contain only letters, numbers, and the hyphen (-), period (.), pound (#), space ( ), at (@), equals (=), colon (:), and underscore (_) characters. Cannot be changed after the profile is added.

The following requirement applies only to the Citrix ADC CLI: If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, “my profile” or ‘my profile’).

blackList Blacklist binding. Maximum 32 bindings can be configured per profile for Blacklist detection.

type Type of the black-list entry.

Possible values: IPv4, SUBNET, IPv6, IPv6_SUBNET, EXPRESSION

value Value of the bot black-list entry.

action One or more actions to be taken if bot is detected based on this Blacklist binding. Only LOG action can be combined with DROP or RESET action. Default value: NONE

enabled Enabled or disabled black-list binding.

Possible values: ON, OFF Default value: OFF

whiteList Whitelist binding. Maximum 32 bindings can be configured per profile for Whitelist detection.

type Type of the white-list entry.

Possible values: IPv4, SUBNET, IPv6, IPv6_SUBNET, EXPRESSION

value Value of bot white-list entry.

log Enable logging for Whitelist binding.

Possible values: ON, OFF Default value: OFF

enabled Enabled or disabled white-list binding.

Possible values: ON, OFF Default value: OFF

rateLimit Rate-limit binding. Maximum 30 bindings can be configured per profile for rate-limit detection. For SOURCE_IP type, only one binding can be configured, and for URL type, only one binding is allowed per URL, and for SESSION type, only one binding is allowed for a cookie name. To update the values of an existing binding, user has to first unbind that binding, and then needs to bind again with new values.

type Rate-limiting type. The following rate-limiting types are allowed:
* SOURCE_IP - Rate-limiting based on the client IP.
* SESSION - Rate-limiting based on the configured cookie name.
* URL - Rate-limiting based on the configured URL.
* GEOLOCATION - Rate-limiting based on the configured country name.

Possible values: SESSION, SOURCE_IP, URL, GEOLOCATION, JA3_FINGERPRINT

url URL for the resource based rate-limiting.

cookieName Cookie name which is used to identify the session for session rate-limiting.

countryCode Country name which is used for geolocation rate-limiting.

Possible values: AF, AX, AL, DZ, AS, AD, AO, AI, AQ, AG, AR, AM, AW, AU, AT, AZ, BS, BH, BD, BB, BY, BE, BZ, BJ, BM, BT, BO, BQ, BA, BW, BR, IO, BN, BG, BF, BI, KH, CM, CA, CV, KY, CF, TD, CL, CN, CX, CC, CO, KM, CG, CD, CK, CR, CI, HR, CU, CW, CY, CZ, DK, DJ, DM, DO, EC, EG, SV, GQ, ER, EE, ET, FK, FO, FJ, FI, FR, GF, PF, TF, GA, GM, GE, DE, GH, GI, GR, GL, GD, GP, GU, GT, GG, GN, GW, GY, HT, HM, VA, HN, HK, HU, IS, IN, ID, IR, IQ, IE, IM, IL, IT, JM, JP, JE, JO, KZ, KE, KI, XK, KW, KG, LA, LV, LB, LS, LR, LY, LI, LT, LU, MO, MK, MG, MW, MY, MV, ML, MT, MH, MQ, MR, MU, YT, MX, FM, MD, MC, MN, ME, MS, MA, MZ, MM, NA, NR, NP, NL, NC, NZ, NI, NE, NG, NU, NF, KP, MP, NO, OM, PK, PW, PS, PA, PG, PY, PE, PH, PN, PL, PT, PR, QA, RE, RO, RU, RW, BL, SH, KN, LC, MF, PM, VC, WS, SM, ST, SA, SN, RS, SC, SL, SG, SX, SK, SI, SB, SO, SZA, GS, KR, SS, ES, LK, SD, SR, SJ, SZ, SE, CH, SY, TW, TJ, TZ, TH, TL, TG, TK, TO, TT, TN, TR, TM, TC, TV, UG, UA, AE, GB, US, UM, UY, UZ, VU, VE, VN, VG, VI, WF, EH, YE, ZM, ZW

rate Maximum number of requests that are allowed in this session in the given period time. Default value: 1 Minimum value: 1

timeSlice Time interval during which requests are tracked to check if they cross the given rate. Default value: 1000 Minimum value: 10

limitType Rate-Limiting traffic Type

Possible values: BURSTY, SMOOTH Default value: BURSTY

condition Expression to be used in a rate-limiting condition. This expression result must be a boolean value.

action One or more actions to be taken when the current rate becomes more than the configured rate. Only LOG action can be combined with DROP, REDIRECT, RESPOND_STATUS_TOO_MANY_REQUESTS or RESET action. Default value: NONE

enabled Enable or disable rate-limit binding.

Possible values: ON, OFF Default value: OFF

ipReputation IP reputation binding. For each category, only one binding is allowed. To update the values of an existing binding, user has to first unbind that binding, and then needs to bind again with the new values.

category IP reputation category. The following IP reputation categories are allowed:
* IP_BASED - This category checks whether client IP is malicious or not.
* BOTNET - This category includes Botnet C&C channels, and infected zombie machines controlled by Bot master.
* SPAM_SOURCES - This category includes tunneling spam messages through a proxy, anomalous SMTP activities, and forum spam activities.
* SCANNERS - This category includes all reconnaissance such as probes, host scan, domain scan, and password brute force attack.
* DOS - This category includes DOS, DDOS, anomalous sync flood, and anomalous traffic detection.
* REPUTATION - This category denies access from IP addresses currently known to be infected with malware. This category also includes IPs with average low Webroot Reputation Index score. Enabling this category will prevent access from sources identified to contact malware distribution points.
* PHISHING - This category includes IP addresses hosting phishing sites and other kinds of fraud activities such as ad click fraud or gaming fraud.
* PROXY - This category includes IP addresses providing proxy services.
* NETWORK - IPs providing proxy and anonymization services including The Onion Router aka TOR or darknet.
* MOBILE_THREATS - This category checks client IP with the list of IPs harmful for mobile devices.
* WINDOWS_EXPLOITS - This category includes active IP address offering or distributing malware, shell code, rootkits, worms or viruses.
* WEB_ATTACKS - This category includes cross site scripting, iFrame injection, SQL injection, cross domain injection or domain password brute force attack.
* TOR_PROXY - This category includes IP address acting as exit nodes for the Tor Network.
* CLOUD - This category checks client IP with list of public cloud IPs.
* CLOUD_AWS - This category checks client IP with list of public cloud IPs from Amazon Web Services.
* CLOUD_GCP - This category checks client IP with list of public cloud IPs from Google Cloud Platform.
* CLOUD_AZURE - This category checks client IP with list of public cloud IPs from Azure.
* CLOUD_ORACLE - This category checks client IP with list of public cloud IPs from Oracle.
* CLOUD_IBM - This category checks client IP with list of public cloud IPs from IBM.
* CLOUD_SALESFORCE - This category checks client IP with list of public cloud IPs from Salesforce.

Possible values: IP, BOTNETS, SPAM_SOURCES, SCANNERS, DOS, REPUTATION, PHISHING, PROXY, NETWORK, MOBILE_THREATS, WINDOWS_EXPLOITS, WEB_ATTACKS, TOR_PROXY, CLOUD, CLOUD_AWS, CLOUD_GCP, CLOUD_AZURE, CLOUD_ORACLE, CLOUD_IBM, CLOUD_SALESFORCE

enabled Enabled or disabled IP-reputation binding.

Possible values: ON, OFF Default value: OFF

action One or more actions to be taken if bot is detected based on this IP Reputation binding. Only LOG action can be combined with DROP, RESET, REDIRECT or MITIGATION action. Default value: NONE

captchaResource Captcha action binding. For each URL, only one binding is allowed. To update the values of an existing URL binding, user has to first unbind that binding, and then needs to bind the URL again with new values. Maximum 30 bindings can be configured per profile.

url URL for which the Captcha action, if configured under IP reputation, TPS or device fingerprint, needs to be applied.

waitTime Wait time in seconds for which ADC needs to wait for the Captcha response. This is to avoid DOS attacks. Default value: 15 Minimum value: 10 Maximum value: 60

gracePeriod Duration (in seconds) for which no new captcha challenge is sent after the current captcha challenge has been answered successfully. Default value: 900 Minimum value: 60 Maximum value: 900

mutePeriod Duration (in seconds) for which a client that failed the captcha needs to wait before it is allowed to try again. The requests from this client are silently dropped during the mute period. Default value: 300 Minimum value: 60 Maximum value: 900

requestSizeLimit Length of body request (in Bytes) up to (equal or less than) which captcha challenge will be provided to client. Above this length threshold the request will be dropped. This is to avoid DOS and DDOS attacks. Default value: 8000 Minimum value: 10 Maximum value: 30000

retryAttempts Number of times client can retry solving the captcha. Default value: 3 Minimum value: 1 Maximum value: 10

action One or more actions to be taken when client fails captcha challenge. Only the LOG action can be configured with the DROP, REDIRECT or RESET action. Default value: NONE

enabled Enable or disable the captcha binding.

Possible values: ON, OFF Default value: OFF

tps TPS binding. For each type, only one binding can be configured. To update the values of an existing binding, user has to first unbind that binding, and then needs to bind again with new values.

type Type of TPS binding.

Possible values: SOURCE_IP, GEOLOCATION, REQUEST_URL, Host

threshold Maximum number of requests that are allowed from (or to) an IP, Geolocation, URL or Host in a 1-second time interval. Minimum value: 1

percentage Maximum percentage increase in the requests from (or to) an IP, Geolocation, URL or Host in a 30-minute interval. Minimum value: 10

action One or more actions to be taken if bot is detected based on this TPS binding. Only LOG action can be combined with DROP, RESET, REDIRECT, or MITIGATION action. Default value: NONE

enabled Enabled or disabled TPS binding.

Possible values: ON, OFF Default value: ON

trapInsertionURL Bind the trap URL for the configured request URLs. Maximum 30 bindings can be configured per profile.

url Request URL regex pattern for which Trap URL is inserted.

enabled Enable or disable the request URL pattern.

Possible values: ON, OFF Default value: OFF

logExpression Log expression binding.

name Name of the log expression object.

expression Expression whose result is logged when a violation occurs on the bot profile.

enabled Enable or disable the log expression binding.

Possible values: ON, OFF Default value: OFF

KMDetectionExpr Keyboard-mouse based detection binding. For each name, only one binding is allowed. To update the values of an existing binding, user has to first unbind that binding, then needs to bind again with new values. Maximum 30 bindings can be configured per profile.

name Name of the keyboard-mouse expression object.

expression The JavaScript file for keyboard-mouse detection is inserted if the result of this expression is true.

enabled Enable or disable the keyboard-mouse based binding.

Possible values: ON, OFF Default value: OFF

logMessage Message to be logged for this binding.

comment Any comments about this binding.
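
The limits, ranges and defaults listed above for `bind bot profile` can be checked before a change is sent to the appliance. The following Python linter is an added example, not Citrix code: the `(kind, args)` plan format, the function names and the sample values are assumptions made for illustration, and treating "Only LOG action can be combined with ..." as "at most one non-LOG action" is this example's reading of that wording.

```python
import re
from collections import Counter

# Limits and defaults below are copied from the "bind bot profile" arguments on this page.
MAX_BINDINGS = {"blackList": 32, "whiteList": 32, "rateLimit": 30,
                "captchaResource": 30, "trapInsertionURL": 30, "KMDetectionExpr": 30}
# (minimum, maximum) per numeric argument; None means the page gives no maximum.
RANGES = {
    "rateLimit": {"rate": (1, None), "timeSlice": (10, None)},
    "captchaResource": {"waitTime": (10, 60), "gracePeriod": (60, 900),
                        "mutePeriod": (60, 900), "requestSizeLimit": (10, 30000),
                        "retryAttempts": (1, 10)},
    "tps": {"threshold": (1, None), "percentage": (10, None)},
}
# Every binding type except tps documents "-enabled" with default OFF.
ENABLED_DEFAULT_OFF = {"blackList", "whiteList", "rateLimit", "ipReputation",
                       "captchaResource", "trapInsertionURL", "logExpression",
                       "KMDetectionExpr"}
# Argument that must be unique per profile for these binding types.
UNIQUE_FIELD = {"ipReputation": "category", "captchaResource": "url",
                "tps": "type", "KMDetectionExpr": "name"}
# rateLimit: one SOURCE_IP binding, one per URL, one per session cookie name.
RATE_LIMIT_UNIQUE = {"SOURCE_IP": None, "URL": "url", "SESSION": "cookieName"}
# Profile name: starts with letter, digit or "_"; then letters, digits, - . # space @ = : _
NAME_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.#@=: -]*$")


def unique_key(kind, args):
    """Key under which the page allows a single binding, or None if unrestricted."""
    if kind == "rateLimit":
        rl_type = args.get("type")
        if rl_type not in RATE_LIMIT_UNIQUE:
            return None
        field = RATE_LIMIT_UNIQUE[rl_type]
        return (kind, rl_type, args.get(field) if field else None)
    field = UNIQUE_FIELD.get(kind)
    return (kind, args.get(field)) if field else None


def lint_profile(name, bindings):
    """Check planned bindings, given as (kind, args) pairs, against the documented rules.

    Returns (binding_index, code, detail) tuples; index is None for profile-level findings.
    """
    findings = []
    if not NAME_RE.match(name):
        findings.append((None, "NAME", f"{name!r} breaks the profile naming rule"))
    counts = Counter(kind for kind, _ in bindings)
    for kind, limit in MAX_BINDINGS.items():
        if counts[kind] > limit:
            findings.append((None, "MAX", f"{kind}: {counts[kind]} bindings, maximum {limit}"))
    seen = set()
    for i, (kind, args) in enumerate(bindings):
        key = unique_key(kind, args)
        if key is not None and key in seen:
            findings.append((i, "DUPLICATE", f"{key} already bound; unbind it, then bind again"))
        seen.add(key)
        for field, (low, high) in RANGES.get(kind, {}).items():
            value = args.get(field)
            if value is not None and (value < low or (high is not None and value > high)):
                findings.append((i, "RANGE", f"{field}={value} outside [{low}, {high}]"))
        # Assumption: at most one action other than LOG may be given per binding.
        non_log = [a for a in args.get("action", []) if a.upper() != "LOG"]
        if len(non_log) > 1:
            findings.append((i, "ACTION_COMBO", f"{non_log} cannot be combined"))
        if kind in ENABLED_DEFAULT_OFF and "enabled" not in args:
            findings.append((i, "DISABLED_BY_DEFAULT",
                             f"{kind} binding stays OFF without -enabled ON"))
    return findings


# Constructed sample plan for a hypothetical profile; addresses and URLs are placeholders.
PLAN = [
    ("blackList", {"type": "IPv4", "value": "192.0.2.10",
                   "action": ["LOG", "DROP"], "enabled": "ON"}),
    ("rateLimit", {"type": "URL", "url": "/login", "rate": 20, "timeSlice": 1000,
                   "action": ["DROP", "RESET"], "enabled": "ON"}),
    ("rateLimit", {"type": "URL", "url": "/login", "rate": 5, "timeSlice": 5,
                   "action": ["LOG"]}),
    ("captchaResource", {"url": "/login", "waitTime": 120,
                         "action": ["RESET"], "enabled": "ON"}),
    ("tps", {"type": "SOURCE_IP", "threshold": 50, "action": ["LOG", "MITIGATION"]}),
]

if __name__ == "__main__":
    for finding in lint_profile("web bot-profile", PLAN):
        print(finding)
```

The `DISABLED_BY_DEFAULT` finding covers the case where a binding is accepted but never enforced because `-enabled` was left at its documented default of OFF.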

rm bot profile

Removes the specified bot management profile.

Synopsis

rm bot profile <name>

Arguments

name Name of the profile.

unbind bot profile

Unbind the specified bot detection mechanism from the specified profile.

Synopsis

unbind bot profile <name> ((-blackList -value ) | (-whiteList -value ) | (-rateLimit -type [-url ] [-cookieName ] [-countryCode ] [-condition ]) | (-ipReputation -category ) | (-captchaResource -url ) | (-tps -type ) | (-trapInsertionURL -url ) | (-logExpression -name ) | (-KMDetectionExpr -name ))

Arguments

name Name for the profile. Must begin with a letter, number, or the underscore character (_), and must contain only letters, numbers, and the hyphen (-), period (.), pound (#), space ( ), at (@), equals (=), colon (:), and underscore (_) characters. Cannot be changed after the profile is added.

The following requirement applies only to the Citrix ADC CLI: If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, “my profile” or ‘my profile’).

blackList Blacklist binding. Maximum 32 bindings can be configured per profile for Blacklist detection.

value Value of the bot black-list entry.

whiteList Whitelist binding. Maximum 32 bindings can be configured per profile for Whitelist detection.

value Value of bot white-list entry.

rateLimit Rate-limit binding. Maximum 30 bindings can be configured per profile for rate-limit detection. For SOURCE_IP type, only one binding can be configured, and for URL type, only one binding is allowed per URL, and for SESSION type, only one binding is allowed for a cookie name. To update the values of an existing binding, user has to first unbind that binding, and then needs to bind again with new values.

type Rate-limiting type. The following rate-limiting types are allowed:
* SOURCE_IP - Rate-limiting based on the client IP.
* SESSION - Rate-limiting based on the configured cookie name.
* URL - Rate-limiting based on the configured URL.
* GEOLOCATION - Rate-limiting based on the configured country name.

Possible values: SESSION, SOURCE_IP, URL, GEOLOCATION, JA3_FINGERPRINT

url URL for the resource based rate-limiting.

cookieName Cookie name which is used to identify the session for session rate-limiting.

countryCode Country name which is used for geolocation rate-limiting.

Possible values: AF, AX, AL, DZ, AS, AD, AO, AI, AQ, AG, AR, AM, AW, AU, AT, AZ, BS, BH, BD, BB, BY, BE, BZ, BJ, BM, BT, BO, BQ, BA, BW, BR, IO, BN, BG, BF, BI, KH, CM, CA, CV, KY, CF, TD, CL, CN, CX, CC, CO, KM, CG, CD, CK, CR, CI, HR, CU, CW, CY, CZ, DK, DJ, DM, DO, EC, EG, SV, GQ, ER, EE, ET, FK, FO, FJ, FI, FR, GF, PF, TF, GA, GM, GE, DE, GH, GI, GR, GL, GD, GP, GU, GT, GG, GN, GW, GY, HT, HM, VA, HN, HK, HU, IS, IN, ID, IR, IQ, IE, IM, IL, IT, JM, JP, JE, JO, KZ, KE, KI, XK, KW, KG, LA, LV, LB, LS, LR, LY, LI, LT, LU, MO, MK, MG, MW, MY, MV, ML, MT, MH, MQ, MR, MU, YT, MX, FM, MD, MC, MN, ME, MS, MA, MZ, MM, NA, NR, NP, NL, NC, NZ, NI, NE, NG, NU, NF, KP, MP, NO, OM, PK, PW, PS, PA, PG, PY, PE, PH, PN, PL, PT, PR, QA, RE, RO, RU, RW, BL, SH, KN, LC, MF, PM, VC, WS, SM, ST, SA, SN, RS, SC, SL, SG, SX, SK, SI, SB, SO, SZA, GS, KR, SS, ES, LK, SD, SR, SJ, SZ, SE, CH, SY, TW, TJ, TZ, TH, TL, TG, TK, TO, TT, TN, TR, TM, TC, TV, UG, UA, AE, GB, US, UM, UY, UZ, VU, VE, VN, VG, VI, WF, EH, YE, ZM, ZW

condition Expression to be used in a rate-limiting condition. This expression result must be a boolean value.

ipReputation IP reputation binding. For each category, only one binding is allowed. To update the values of an existing binding, user has to first unbind that binding, and then needs to bind again with the new values.

category IP Reputation category. The following IP Reputation categories are allowed:
* IP_BASED - This category checks whether client IP is malicious or not.
* BOTNET - This category includes Botnet C&C channels, and infected zombie machines controlled by Bot master.
* SPAM_SOURCES - This category includes tunneling spam messages through a proxy, anomalous SMTP activities, and forum spam activities.
* SCANNERS - This category includes all reconnaissance such as probes, host scan, domain scan, and password brute force attack.
* DOS - This category includes DOS, DDOS, anomalous sync flood, and anomalous traffic detection.
* REPUTATION - This category denies access from IP addresses currently known to be infected with malware. This category also includes IPs with average low Webroot Reputation Index score. Enabling this category will prevent access from sources identified to contact malware distribution points.
* PHISHING - This category includes IP addresses hosting phishing sites and other kinds of fraud activities such as ad click fraud or gaming fraud.
* PROXY - This category includes IP addresses providing proxy services.
* NETWORK - IPs providing proxy and anonymization services including The Onion Router aka TOR or darknet.
* MOBILE_THREATS - This category checks client IP with the list of IPs harmful for mobile devices.
* WINDOWS_EXPLOITS - This category includes active IP address offering or distributing malware, shell code, rootkits, worms or viruses.
* WEB_ATTACKS - This category includes cross site scripting, iFrame injection, SQL injection, cross domain injection or domain password brute force attack.
* TOR_PROXY - This category includes IP address acting as exit nodes for the Tor Network.
* CLOUD - This category checks client IP with list of public cloud IPs.
* CLOUD_AWS - This category checks client IP with list of public cloud IPs from Amazon Web Services.
* CLOUD_GCP - This category checks client IP with list of public cloud IPs from Google Cloud Platform.
* CLOUD_AZURE - This category checks client IP with list of public cloud IPs from Azure.
* CLOUD_ORACLE - This category checks client IP with list of public cloud IPs from Oracle.
* CLOUD_IBM - This category checks client IP with list of public cloud IPs from IBM.
* CLOUD_SALESFORCE - This category checks client IP with list of public cloud IPs from Salesforce.

Possible values: IP, BOTNETS, SPAM_SOURCES, SCANNERS, DOS, REPUTATION, PHISHING, PROXY, NETWORK, MOBILE_THREATS, WINDOWS_EXPLOITS, WEB_ATTACKS, TOR_PROXY, CLOUD, CLOUD_AWS, CLOUD_GCP, CLOUD_AZURE, CLOUD_ORACLE, CLOUD_IBM, CLOUD_SALESFORCE

captchaResource Captcha action binding. For each URL, only one binding is allowed. To update the values of an existing URL binding, user has to first unbind that binding, and then needs to bind the URL again with new values. Maximum 30 bindings can be configured per profile.

url URL for which the Captcha action, if configured under IP reputation, TPS or device fingerprint, needs to be applied.

tps TPS binding. For each type, only one binding can be configured. To update the values of an existing binding, user has to first unbind that binding, and then needs to bind again with new values.

type Type of TPS binding.

Possible values: SOURCE_IP, GEOLOCATION, REQUEST_URL, Host

trapInsertionURL Bind the trap URL for the configured request URLs. Maximum 30 bindings can be configured per profile.

url Request URL regex pattern for which Trap URL is inserted.

logExpression Log expression binding.

name Name of the log expression object.

KMDetectionExpr Keyboard-mouse based detection binding. For each name, only one binding is allowed. To update the values of an existing binding, user has to first unbind that binding, then needs to bind again with new values. Maximum 30 bindings can be configured per profile.

name Name of the keyboard-mouse expression object.

stat bot profile

Displays statistics for the specified bot profile. If no profile is specified, displays abbreviated statistics for all the profiles.

Synopsis

stat bot profile [] [-detail] [-fullValues] [-ntimes <positive_integer>] [-logFile <input_filename>] [-clearstats ( basic | full )]

Arguments

name Name of the bot profile.

detail Specifies detailed output (including more statistics). The output can be quite voluminous. Without this argument, the output will show only a summary.

fullValues Specifies that numbers and strings should be displayed in their full form. Without this option, long strings are shortened and large numbers are abbreviated.

ntimes The number of times, in intervals of seven seconds, the statistics should be displayed. Default value: 1 Minimum value: 0

logFile The name of the log file to be used as input.

clearstats Clear the statistics / counters.

Possible values: basic, full

Output

count devno stateflag

Counters

requests (reqs) HTTP/HTTPS requests sent to your protected web servers via the Bot profile.

Request Bytes (reqBytes) Number of bytes transferred for requests.

responses (resps) HTTP/HTTPS responses sent by your protected web servers via the Bot profile.

Response Bytes (resBytes) Number of bytes transferred for responses.

total logs profile (botLogProfile) Total number of logs by the Bot profile.

total drop profile (botDropProfile) Total number of drops by the Bot profile.

total redirect profile (botRedirectProfile) Total number of redirects by the Bot profile.

total reset profile (botResetProfile) Total number of resets by the Bot profile.

Device Fingerprint (deviceFingerPrintProfile) Number of device fingerprint violations seen by the Bot profile.

Device Fingerprint Logs (deviceFingerPrintLogProfile) Number of device fingerprint violations logged by the Bot profile.

Device Fingerprint Drop (deviceFingerPrintDropProfile) Number of device fingerprint violations dropped by the Bot profile.

Device Fingerprint Redirect (deviceFingerPrintRedirectProfile) Number of device fingerprint violation requests redirected by the Bot profile to a different Web page or web server.

Device Fingerprint Captcha (deviceFingerPrintCaptchaProfile) Number of device fingerprint violation requests for which CAPTCHA challenge was sent due to Bot profile.

Device Fingerprint Reset (deviceFingerPrintResetProfile) Number of device fingerprint violations reset by the Bot profile.

IP Reputation (ipRepProfile) Number of IP reputation violations seen by the Bot profile.

IP Reputation Logs (ipRepLogProfile) Number of IP reputation violations logged by the Bot profile.

IP Reputation Drop (ipRepDropProfile) Number of IP reputation violations dropped by the Bot profile.

IP Reputation Redirect (ipRepRedirectProfile) Number of IP reputation violation requests redirected by the Bot profile to a different Web page or web server.

IP Reputation Captcha (ipRepCaptchaProfile) Number of IP reputation violation requests for which CAPTCHA challenge was sent due to Bot profile.

IP Reputation Reset (ipRepResetProfile) Number of IP reputation violations reset by the Bot profile.

White List (whiteListProfile) Number of white list violations seen by the Bot profile.

White List Logs (whiteListLogProfile) Number of white list violations logged by the Bot profile.

Black List (blackListProfile) Number of black list violations seen by the Bot profile.

Black List Logs (blackListLogProfile) Number of black list violations logged by the Bot profile.

Black List Drop (blackListDropProfile) Number of black list violations dropped by the Bot profile.

Black List Reset (blackListResetProfile) Number of black list violations reset by the Bot profile.

Black List Redirect (blackListRedirectProfile) Number of black list violations redirected by the Bot profile to a different Web page or web server.

Rate Limit (rateLimitProfile) Number of rate limiting violations seen by the Bot profile.

Rate Limit Logs (rateLimitLogProfile) Number of rate limiting violations logged by the Bot profile.

Rate Limit Drop (rateLimitDropProfile) Number of rate limiting violations dropped by the Bot profile.

Rate Limit Redirect (rateLimitRedirectProfile) Number of rate limiting violation requests redirected by the Bot profile to a different Web page or web server.

Rate Limit Exceeded Response (rateLimitExceededResponseProfile) Number of rate limiting violation requests that resulted in a too many requests response by the Bot profile.

Rate Limit Reset (rateLimitResetProfile) Number of rate limiting violations reset by the Bot profile.

Static Signature (staticSignnatureProfile) Number of static signature violations seen by the Bot profile.

Static Signature Logs (staticSignnatureLogProfile) Number of static signature violations logged by the Bot profile.

Static Signature Drop (staticSignnatureDropProfile) Number of static signature violations dropped by the Bot profile.

Static Signature Redirect (staticSignnatureRedirectProfile) Number of static signature violations redirected by the Bot profile to a different Web page or web server.

Static Signature Reset (staticSignnatureResetProfile) Number of static signature violations reset by the Bot profile to a different Web page or web server.

TPS (tpsProfile) Number of TPS violations seen by the Bot profile.

Tps Logs (tpsLogProfile) Number of TPS violations logged by the Bot profile.

Tps Drop (tpsDropProfile) Number of TPS violations dropped by the Bot profile.

Tps Redirect (tpsRedirectProfile) Number of TPS violation requests redirected by the Bot profile to a different Web page or web server.

Tps Reset (tpsResetProfile) Number of TPS violations reset by the Bot profile.

Tps Captcha (tpsCaptchaProfile) Number of TPS violation requests for which CAPTCHA challenge was sent due to Bot profile.

Captcha (captchaProfile) Number of Captcha challenge failures seen by the Bot profile.

Captcha Log (captchaLogProfile) Number of Captcha challenge failures logged by the Bot profile.

Captcha Drop (captchaDropProfile) Number of Captcha challenge failures dropped by the Bot profile.

Captcha Redirect (captchaRedirectProfile) Number of Captcha challenge failures redirected by the Bot profile.

Captcha Reset (captchaResetProfile) Number of Captcha challenge failures reset by the Bot profile.

Trap (trapProfile) Number of trap violations seen by the Bot profile.

Trap Logs (trapLogProfile) Number of trap violations logged by the Bot profile.

Trap Drop (trapDropProfile) Number of trap violations dropped by the Bot profile.

Trap Redirect (trapRedirectProfile) Number of trap violation requests redirected by the Bot profile to a different Web page or web server.

Trap Reset (trapResetProfile) Number of trap violations reset by the Bot profile.

Bot whitelist enabled (botCfgWhitelistProfile) Whitelist enabled under bot profile.

Bot blacklist enabled (botCfgBlacklistProfile) Blacklist enabled under bot profile.

Bot IP Reputation enabled (botCfgIpRepProfile) IP Reputation enabled under bot profile.

Bot Ratelimit enabled (botCfgRatelimitProfile) Ratelimit enabled under bot profile.

Bot Signatures enabled (botCfgSignatureProfile) Static Signatures enabled under bot profile.

Bot device fingerprint enabled (botCfgDFPProfile) Device Fingerprint enabled under bot profile.

Bot TPS enabled (botCfgTpsProfile) TPS enabled under bot profile.

Bot Trap enabled (botCfgTrapProfile) Bot Trap enabled under bot profile.

Keyboard Mouse Detection enabled (botCfgKMDetectionProfile) Keyboard mouse detection enabled under bot profile.

Example

stat bot profile
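The counters above come in families per detection technique (seen, logged, and one counter per enforcing action), which makes it possible to spot a technique that detects violations but never acts on them. The following is an added example, not part of the Citrix documentation: it assumes the counter values have already been collected into a name-to-integer mapping, that a non-zero `botCfg*` counter means the technique is enabled, and it uses constructed sample values.

```python
# Suffixes of counters that record an enforcing action (anything beyond logging).
ENFORCING = ("Drop", "Redirect", "Reset", "Captcha", "ExceededResponse")

# technique -> (counter-name prefix, "enabled" flag counter). White list is
# omitted because the page documents no enforcing counters for it.
TECHNIQUES = {
    "deviceFingerprint": ("deviceFingerPrint", "botCfgDFPProfile"),
    "ipReputation": ("ipRep", "botCfgIpRepProfile"),
    "blackList": ("blackList", "botCfgBlacklistProfile"),
    "rateLimit": ("rateLimit", "botCfgRatelimitProfile"),
    "staticSignature": ("staticSignnature", "botCfgSignatureProfile"),
    "tps": ("tps", "botCfgTpsProfile"),
    "trap": ("trap", "botCfgTrapProfile"),
}

SAMPLE = {  # constructed values, not real appliance output
    "botCfgDFPProfile": 1, "deviceFingerPrintProfile": 12,
    "deviceFingerPrintLogProfile": 12, "deviceFingerPrintCaptchaProfile": 12,
    "botCfgIpRepProfile": 1, "ipRepProfile": 420, "ipRepLogProfile": 420,
    "botCfgBlacklistProfile": 1, "blackListProfile": 0,
    "botCfgRatelimitProfile": 1, "rateLimitProfile": 90,
    "rateLimitLogProfile": 90, "rateLimitDropProfile": 60,
    "rateLimitExceededResponseProfile": 30,
    "botCfgSignatureProfile": 1, "staticSignnatureProfile": 7,
    "staticSignnatureDropProfile": 7,
    "botCfgTpsProfile": 1, "tpsProfile": 0,
    "botCfgTrapProfile": 0,
}

def audit(counters):
    """Classify each technique as disabled, quiet, log-only or enforcing."""
    report = {}
    for technique, (prefix, flag) in TECHNIQUES.items():
        seen = int(counters.get(prefix + "Profile", 0))
        logged = int(counters.get(prefix + "LogProfile", 0))
        enforced = sum(int(counters.get(f"{prefix}{s}Profile", 0)) for s in ENFORCING)
        if not int(counters.get(flag, 0)):  # assumption: non-zero means enabled
            status = "disabled"
        elif seen == 0:
            status = "quiet"
        elif enforced == 0:
            status = "log-only"  # violations observed, none acted on
        else:
            status = "enforcing"
        report[technique] = {"status": status, "seen": seen,
                             "logged": logged, "enforced": enforced}
    return report

def findings(counters):
    """Techniques to review: switched off, or detecting without enforcing."""
    return sorted(t for t, r in audit(counters).items()
                  if r["status"] in ("disabled", "log-only"))

if __name__ == "__main__":
    for technique, row in audit(SAMPLE).items():
        print(f"{technique:18} {row}")
    print("review:", findings(SAMPLE))
```

A technique reported as log-only is a candidate for a stricter action once the logged hits have been reviewed for false positives.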

add bot profile

Creates bot profile, which has configuration options for bot management. (A profile is equivalent to an action in other Citrix ADC features.)

Synopsis

add bot profile [-signature ] [-errorURL ] [-trapURL ] [-comment ] [-whiteList ( ON | OFF )] [-blackList ( ON | OFF )] [-rateLimit ( ON | OFF )] [-deviceFingerprint ( ON | OFF )] [-deviceFingerprintAction ...] [-ipReputation ( ON | OFF )] [-trap ( ON | OFF )] [-trapAction ...] [-signatureNoUserAgentHeaderAction ...] [-signatureMultipleUserAgentHeaderAction ...] [-tps ( ON | OFF )] [-deviceFingerprintMobile ...] [-headlessBrowserDetection ( ON | OFF )] [-clientIpExpression ] [-KMJavaScriptName ] [-KMDetection ( ON | OFF )] [-KMEventsPostBodyLimit <positive_integer>] [-verboseLogLevel ( NONE | HTTP_FULL_HEADER )] [-spoofedReqAction ...] [-dfpRequestLimit <positive_integer>] [-sessionCookieName ] [-sessionTimeout <positive_integer>]

Arguments

name Name for the profile. Must begin with a letter, number, or the underscore character (_), and must contain only letters, numbers, and the hyphen (-), period (.), pound (#), space ( ), at (@), equals (=), colon (:), and underscore (_) characters. Cannot be changed after the profile is added.

The following requirement applies only to the Citrix ADC CLI: If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, “my profile” or ‘my profile’).

signature Name of object containing bot static signature details.

errorURL URL that Bot protection uses as the Error URL. Default value: NS_S_BOT_DEFAULT_ERRORURL

trapURL URL that Bot protection uses as the Trap URL. Default value: NS_S_BOT_DEFAULT_TRAPURL

comment Any comments about the purpose of profile, or other useful information about the profile. Default value: NS_S_BOT_DEFAULT_PROFILE_COMMENTS

whiteList Enable white-list bot detection.

Possible values: ON, OFF Default value: OFF

blackList Enable black-list bot detection.

Possible values: ON, OFF Default value: OFF

rateLimit Enable rate-limit bot detection.

Possible values: ON, OFF Default value: OFF

deviceFingerprint Enable device-fingerprint bot detection.

Possible values: ON, OFF Default value: OFF

deviceFingerprintAction Action to be taken for device-fingerprint based bot detection. Default value: NONE

ipReputation Enable IP-reputation bot detection.

Possible values: ON, OFF Default value: OFF

trap Enable trap bot detection.

Possible values: ON, OFF Default value: OFF

trapAction Action to be taken for bot trap based bot detection. Default value: NONE

signatureNoUserAgentHeaderAction Actions to be taken if no User-Agent header in the request (Applicable if Signature check is enabled). Default value: DROP

signatureMultipleUserAgentHeaderAction Actions to be taken if multiple User-Agent headers are seen in a request (Applicable if Signature check is enabled). Log action should be combined with other actions. Default value: CHECKLAST

tps Enable TPS.

Possible values: ON, OFF Default value: OFF

deviceFingerprintMobile Enable bot device fingerprint protection for mobile clients. Default value: NONE

headlessBrowserDetection Enable Headless Browser detection.

Possible values: ON, OFF Default value: OFF

clientIpExpression Expression to get the client IP.

KMJavaScriptName Name of the JavaScript file that the Bot Management feature will insert in the response for keyboard-mouse based detection. Must begin with a letter, number, or the underscore character (_), and must contain only letters, numbers, and the hyphen (-), period (.), hash (#), space ( ), at (@), equals (=), colon (:), and underscore characters.

The following requirement applies only to the Citrix ADC CLI: If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, “my javascript file name” or ‘my javascript file name’). Default value: NS_S_BOT_DEFAULT_KM_JS_NAME

KMDetection Enable keyboard-mouse based bot detection.

Possible values: ON, OFF Default value: OFF

KMEventsPostBodyLimit Size of the KM data sent by the browser that needs to be processed on the ADC. Default value: NS_BOT_DEFAULT_KM_POST_BODY_LIMIT Minimum value: 1 Maximum value: 204800

verboseLogLevel Bot verbose Logging. Based on the log level, ADC will log additional information whenever client is detected as a bot.

Possible values: NONE, HTTP_FULL_HEADER Default value: NONE

spoofedReqAction Actions to be taken on a spoofed request (A request spoofing good bot user agent string). Default value: BOT_ACTION_LOG_DROP

dfpRequestLimit Number of requests to allow without bot session cookie if device fingerprint is enabled. Minimum value: 1

sessionCookieName Name of the SessionCookie that the Bot Management feature uses for tracking. Must begin with a letter or number, and can consist of from 1 to 31 letters, numbers, and the hyphen (-) and underscore (_) symbols.

The following requirement applies only to the Citrix ADC CLI: If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, “my cookie name” or ‘my cookie name’).

sessionTimeout Timeout, in seconds, after which a user session is terminated. Minimum value: 1 Maximum value: 65535
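When profiles are generated by automation rather than typed by hand, the naming rules and value ranges above can be enforced before a command line is ever rendered, which also keeps quote characters and other stray input out of generated batch files. The following is an added example, not Citrix code: `build_add_bot_profile` and its helpers are hypothetical names, only a subset of the documented options is covered, and "letters" and "numbers" are assumed to mean ASCII.

```python
import re

# Profile and KM JavaScript names: first character letter, number or "_",
# then letters, numbers, "-", ".", "#", space, "@", "=", ":" or "_".
# Assumption: "letters" and "numbers" mean ASCII.
NAME_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9\-.# @=:_]*")
# Session cookie name: first character letter or number, 1 to 31 characters.
COOKIE_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,30}")

ON_OFF = {"whiteList", "blackList", "rateLimit", "deviceFingerprint",
          "ipReputation", "trap", "tps", "headlessBrowserDetection",
          "KMDetection"}
INT_RANGES = {"KMEventsPostBodyLimit": (1, 204800),
              "sessionTimeout": (1, 65535),
              "dfpRequestLimit": (1, None)}  # no maximum documented
PATTERNS = {"KMJavaScriptName": NAME_RE, "sessionCookieName": COOKIE_RE}
ENUMS = {"verboseLogLevel": ("NONE", "HTTP_FULL_HEADER")}

def quote(value):
    """Enclose a value containing spaces in double quotation marks."""
    return f'"{value}"' if " " in value else value

def check(key, value):
    """Return an error string for one option, or None when it is valid."""
    if key in ON_OFF:
        return None if value in ("ON", "OFF") else f"{key}: must be ON or OFF"
    if key in ENUMS:
        return None if value in ENUMS[key] else f"{key}: not an allowed value"
    if key in INT_RANGES:
        low, high = INT_RANGES[key]
        ok = (type(value) is int and value >= low
              and (high is None or value <= high))
        return None if ok else f"{key}: outside the documented range"
    if key in PATTERNS:
        ok = isinstance(value, str) and PATTERNS[key].fullmatch(value)
        return None if ok else f"{key}: violates the naming rule"
    return f"{key}: not covered by this example"

def build_add_bot_profile(name, **options):
    """Validate every argument, then render one `add bot profile` line."""
    errors = []
    if not (isinstance(name, str) and NAME_RE.fullmatch(name)):
        errors.append("name: violates the naming rule")
    errors += [e for e in (check(k, v) for k, v in options.items()) if e]
    if errors:
        raise ValueError("; ".join(errors))
    parts = ["add bot profile", quote(name)]
    parts += [f"-{k} {quote(str(v))}" for k, v in options.items()]
    return " ".join(parts)

if __name__ == "__main__":
    print(build_add_bot_profile("my profile", ipReputation="ON",
                                sessionTimeout=600, sessionCookieName="bot_sid"))
```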

unset bot profile

Use this command to remove bot profile settings. Refer to the set bot profile command for meanings of the arguments.

Synopsis

unset bot profile [-signature] [-errorURL] [-trapURL] [-comment] [-whiteList] [-blackList] [-rateLimit] [-deviceFingerprint] [-deviceFingerprintAction] [-ipReputation] [-trap] [-signatureNoUserAgentHeaderAction] [-signatureMultipleUserAgentHeaderAction] [-trapAction] [-tps] [-deviceFingerprintMobile] [-headlessBrowserDetection] [-clientIpExpression] [-KMJavaScriptName] [-KMDetection] [-KMEventsPostBodyLimit] [-verboseLogLevel] [-spoofedReqAction] [-dfpRequestLimit] [-sessionCookieName] [-sessionTimeout]
