bot-profile
The following operations can be performed on “bot-profile”:
show | set | bind | rm | unbind | stat | add | unset |
show bot profile
Displays details of the specified bot profile. If no profile is specified, displays a list of all bot profiles on the Citrix ADC.
Synopsis
show bot profile [
Arguments
name Name of the bot management profile.
Output
stateflag signature Name of object containing bot static signature details.
errorURL URL that Bot protection uses as the Error URL.
trapURL URL that Bot protection uses as the Trap URL.
comment Any comments about the purpose of profile, or other useful information about the profile.
builtin Flag to determine if bot profile is built-in or not.
feature The feature to be checked while applying this config
whiteList Enable white-list bot detection.
blackList Enable black-list bot detection.
rateLimit Enable rate-limit bot detection.
deviceFingerprint Enable device-fingerprint bot detection
deviceFingerprintAction Action to be taken for device-fingerprint based bot detection.
ipReputation Enable IP-reputation bot detection.
trap Enable trap bot detection.
signatureNoUserAgentHeaderAction Actions to be taken if no User-Agent header in the request (Applicable if Signature check is enabled).
spoofedReqAction Actions to be taken on a spoofed request (A request spoofing good bot user agent string).
signatureMultipleUserAgentHeaderAction Actions to be taken if multiple User-Agent headers are seen in a request (Applicable if Signature check is enabled). Log action should be combined with other actions.
trapAction Action to be taken for bot trap based bot detection.
tps Enable TPS.
blackList Blacklist binding. Maximum 32 bindings can be configured per profile for Blacklist detection.
whiteList Whitelist binding. Maximum 32 bindings can be configured per profile for Whitelist detection.
rateLimit Rate-limit binding. Maximum 30 bindings can be configured per profile for rate-limit detection. For SOURCE_IP type, only one binding can be configured, and for URL type, only one binding is allowed per URL, and for SESSION type, only one binding is allowed for a cookie name. To update the values of an existing binding, user has to first unbind that binding, and then needs to bind again with new values.
ipReputation IP reputation binding. For each category, only one binding is allowed. To update the values of an existing binding, user has to first unbind that binding, and then needs to bind again with the new values.
captchaResource Captcha action binding. For each URL, only one binding is allowed. To update the values of an existing URL binding, user has to first unbind that binding, and then needs to bind the URL again with new values. Maximum 30 bindings can be configured per profile.
tps TPS binding. For each type, only one binding can be configured. To update the values of an existing binding, user has to first unbind that binding, and then needs to bind again with new values.
type Type of the black-list entry.
type Type of the white-list entry.
enabled Enabled or disabled black-list binding.
enabled Enabled or disabled white-list binding.
value Value of the bot black-list entry.
value Value of bot white-list entry.
action One or more actions to be taken if bot is detected based on this Blacklist binding. Only LOG action can be combined with DROP or RESET action.
type Type of TPS binding.
threshold Maximum number of requests that are allowed from (or to) an IP, Geolocation, URL or Host in a 1 second time interval.
percentage Maximum percentage increase in the requests from (or to) an IP, Geolocation, URL or Host in a 30 minute interval.
action One or more actions to be taken if bot is detected based on this TPS binding. Only LOG action can be combined with DROP, RESET, REDIRECT, or MITIGATION action.
enabled Enabled or disabled TPS binding.
category IP Reputation category. The following IP Reputation categories are allowed:
*IP_BASED - This category checks whether client IP is malicious or not.
*BOTNET - This category includes Botnet C&C channels, and infected zombie machines controlled by Bot master.
*SPAM_SOURCES - This category includes tunneling spam messages through a proxy, anomalous SMTP activities, and forum spam activities.
*SCANNERS - This category includes all reconnaissance such as probes, host scan, domain scan, and password brute force attack.
*DOS - This category includes DOS, DDOS, anomalous sync flood, and anomalous traffic detection.
*REPUTATION - This category denies access from IP addresses currently known to be infected with malware. This category also includes IPs with average low Webroot Reputation Index score. Enabling this category will prevent access from sources identified to contact malware distribution points.
*PHISHING - This category includes IP addresses hosting phishing sites and other kinds of fraud activities such as ad click fraud or gaming fraud.
*PROXY - This category includes IP addresses providing proxy services.
*NETWORK - IPs providing proxy and anonymization services including The Onion Router aka TOR or darknet.
*MOBILE_THREATS - This category checks client IP with the list of IPs harmful for mobile devices.
*WINDOWS_EXPLOITS - This category includes active IP addresses offering or distributing malware, shell code, rootkits, worms or viruses.
*WEB_ATTACKS - This category includes cross site scripting, iFrame injection, SQL injection, cross domain injection or domain password brute force attack.
*TOR_PROXY - This category includes IP addresses acting as exit nodes for the Tor Network.
*CLOUD - This category checks client IP with list of public cloud IPs.
*CLOUD_AWS - This category checks client IP with list of public cloud IPs from Amazon Web Services.
*CLOUD_GCP - This category checks client IP with list of public cloud IPs from Google Cloud Platform.
*CLOUD_AZURE - This category checks client IP with list of public cloud IPs from Azure.
*CLOUD_ORACLE - This category checks client IP with list of public cloud IPs from Oracle.
*CLOUD_IBM - This category checks client IP with list of public cloud IPs from IBM.
*CLOUD_SALESFORCE - This category checks client IP with list of public cloud IPs from Salesforce.
action One or more actions to be taken if bot is detected based on this IP Reputation binding. Only LOG action can be combined with DROP, RESET, REDIRECT or MITIGATION action.
enabled Enabled or disabled IP-reputation binding.
type Rate-limiting type. The following rate-limiting types are allowed:
*SOURCE_IP - Rate-limiting based on the client IP.
*SESSION - Rate-limiting based on the configured cookie name.
*URL - Rate-limiting based on the configured URL.
*GEOLOCATION - Rate-limiting based on the configured country name.
url URL for the resource based rate-limiting.
cookieName Cookie name which is used to identify the session for session rate-limiting.
rate Maximum number of requests that are allowed in this session in the given period time.
limitType Rate-Limiting traffic Type
condition Expression to be used in a rate-limiting condition. This expression result must be a boolean value.
timeSlice Time interval during which requests are tracked to check if they cross the given rate.
action One or more actions to be taken when the current rate becomes more than the configured rate. Only LOG action can be combined with DROP, REDIRECT, RESPOND_STATUS_TOO_MANY_REQUESTS or RESET action.
enabled Enable or disable rate-limit binding.
url URL for which the Captcha action, if configured under IP reputation, TPS or device fingerprint, needs to be applied.
waitTime Wait time in seconds for which ADC needs to wait for the Captcha response. This is to avoid DOS attacks.
gracePeriod Duration (in seconds) for which no new captcha challenge is sent after the current captcha challenge has been answered successfully.
mutePeriod Duration (in seconds) for which a client that failed the captcha needs to wait before it is allowed to try again. The requests from this client are silently dropped during the mute period.
requestSizeLimit Length of the request body (in bytes) up to (equal or less than) which captcha challenge will be provided to client. Above this length threshold the request will be dropped. This is to avoid DOS and DDOS attacks.
retryAttempts Number of times client can retry solving the captcha.
action One or more actions to be taken when client fails captcha challenge. Only the LOG action can be configured with DROP, REDIRECT or RESET action.
enabled Enable or disable the captcha binding.
log Enable logging for Whitelist binding.
logMessage Message to be logged for this binding.
comment Any comments about this binding.
trapInsertionURL Bind the trap URL for the configured request URLs. Maximum 30 bindings can be configured per profile.
url Request URL regex pattern for which Trap URL is inserted.
enabled Enable or disable the request URL pattern.
deviceFingerprintMobile Enabling bot device fingerprint protection for mobile clients
headlessBrowserDetection Enable Headless Browser detection.
logExpression Log expression binding.
name Name of the log expression object.
expression Expression whose result is logged when a violation occurs on the bot profile.
enabled Enable or disable the log expression binding.
clientIpExpression Expression to get the client IP.
KMJavaScriptName Name of the JavaScript file that the Bot Management feature will insert in the response for keyboard-mouse based detection. Must begin with a letter, number, or the underscore character (_), and must contain only letters, numbers, and the hyphen (-), period (.), hash (#), space ( ), at (@), equals (=), colon (:), and underscore characters.
The following requirement applies only to the Citrix ADC CLI: If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, “my javascript file name” or ‘my javascript file name’).
KMDetection Enable keyboard-mouse based bot detection.
KMDetectionExpr Keyboard-mouse based detection binding. For each name, only one binding is allowed. To update the values of an existing binding, user has to first unbind that binding, then needs to bind again with new values. Maximum 30 bindings can be configured per profile.
enabled Enable or disable the keyboard-mouse based binding.
name Name of the keyboard-mouse expression object.
expression The JavaScript file for keyboard-mouse detection is inserted if the result of the expression is true.
KMEventsPostBodyLimit Size of the KM data sent by the browser that needs to be processed on the ADC.
verboseLogLevel Bot verbose Logging. Based on the log level, ADC will log additional information whenever client is detected as a bot.
countryCode Country name which is used for geolocation rate-limiting.
dfpRequestLimit Number of requests to allow without bot session cookie if device fingerprint is enabled
sessionCookieName Name of the SessionCookie that the Bot Management feature uses for tracking. Must begin with a letter or number, and can consist of from 1 to 31 letters, numbers, and the hyphen (-) and underscore (_) symbols.
The following requirement applies only to the Citrix ADC CLI: If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, “my cookie name” or ‘my cookie name’).
sessionTimeout Timeout, in seconds, after which a user session is terminated.
devno count
set bot profile
Set the bot profile parameters
Synopsis
set bot profile
Arguments
name Name for the profile. Must begin with a letter, number, or the underscore character (_), and must contain only letters, numbers, and the hyphen (-), period (.), pound (#), space ( ), at (@), equals (=), colon (:), and underscore (_) characters. Cannot be changed after the profile is added.
The following requirement applies only to the Citrix ADC CLI: If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, “my profile” or ‘my profile’).
signature Name of object containing bot static signature details.
errorURL URL that Bot protection uses as the Error URL. Default value: NS_S_BOT_DEFAULT_ERRORURL
trapURL URL that Bot protection uses as the Trap URL. Default value: NS_S_BOT_DEFAULT_TRAPURL
comment Any comments about the purpose of profile, or other useful information about the profile. Default value: NS_S_BOT_DEFAULT_PROFILE_COMMENTS
whiteList Enable white-list bot detection.
Possible values: ON, OFF Default value: OFF
blackList Enable black-list bot detection.
Possible values: ON, OFF Default value: OFF
rateLimit Enable rate-limit bot detection.
Possible values: ON, OFF Default value: OFF
deviceFingerprint Enable device-fingerprint bot detection
Possible values: ON, OFF Default value: OFF
deviceFingerprintAction Action to be taken for device-fingerprint based bot detection. Default value: NONE
ipReputation Enable IP-reputation bot detection.
Possible values: ON, OFF Default value: OFF
trap Enable trap bot detection.
Possible values: ON, OFF Default value: OFF
signatureNoUserAgentHeaderAction Actions to be taken if no User-Agent header in the request (Applicable if Signature check is enabled). Default value: DROP
signatureMultipleUserAgentHeaderAction Actions to be taken if multiple User-Agent headers are seen in a request (Applicable if Signature check is enabled). Log action should be combined with other actions. Default value: CHECKLAST
trapAction Action to be taken for bot trap based bot detection. Default value: NONE
tps Enable TPS.
Possible values: ON, OFF Default value: OFF
deviceFingerprintMobile Enabling bot device fingerprint protection for mobile clients. Default value: NONE
headlessBrowserDetection Enable Headless Browser detection.
Possible values: ON, OFF Default value: OFF
clientIpExpression Expression to get the client IP.
KMJavaScriptName Name of the JavaScript file that the Bot Management feature will insert in the response for keyboard-mouse based detection. Must begin with a letter, number, or the underscore character (_), and must contain only letters, numbers, and the hyphen (-), period (.), hash (#), space ( ), at (@), equals (=), colon (:), and underscore characters.
The following requirement applies only to the Citrix ADC CLI: If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, “my javascript file name” or ‘my javascript file name’). Default value: NS_S_BOT_DEFAULT_KM_JS_NAME
KMDetection Enable keyboard-mouse based bot detection.
Possible values: ON, OFF Default value: OFF
KMEventsPostBodyLimit Size of the KM data sent by the browser that needs to be processed on the ADC. Default value: NS_BOT_DEFAULT_KM_POST_BODY_LIMIT Minimum value: 1 Maximum value: 204800
verboseLogLevel Bot verbose Logging. Based on the log level, ADC will log additional information whenever client is detected as a bot.
Possible values: NONE, HTTP_FULL_HEADER Default value: NONE
spoofedReqAction Actions to be taken on a spoofed request (A request spoofing good bot user agent string). Default value: BOT_ACTION_LOG_DROP
dfpRequestLimit Number of requests to allow without bot session cookie if device fingerprint is enabled. Minimum value: 1
sessionCookieName Name of the SessionCookie that the Bot Management feature uses for tracking. Must begin with a letter or number, and can consist of from 1 to 31 letters, numbers, and the hyphen (-) and underscore (_) symbols.
The following requirement applies only to the Citrix ADC CLI: If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, “my cookie name” or ‘my cookie name’).
sessionTimeout Timeout, in seconds, after which a user session is terminated. Minimum value: 1 Maximum value: 65535
bind bot profile
Bind the specified bot detection mechanism to the specified profile.
Synopsis
bind bot profile
Arguments
name Name for the profile. Must begin with a letter, number, or the underscore character (_), and must contain only letters, numbers, and the hyphen (-), period (.), pound (#), space ( ), at (@), equals (=), colon (:), and underscore (_) characters. Cannot be changed after the profile is added.
The following requirement applies only to the Citrix ADC CLI: If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, “my profile” or ‘my profile’).
blackList Blacklist binding. Maximum 32 bindings can be configured per profile for Blacklist detection.
type Type of the black-list entry.
Possible values: IPv4, SUBNET, IPv6, IPv6_SUBNET, EXPRESSION
value Value of the bot black-list entry.
action One or more actions to be taken if bot is detected based on this Blacklist binding. Only LOG action can be combined with DROP or RESET action. Default value: NONE
enabled Enabled or disabled black-list binding.
Possible values: ON, OFF Default value: OFF
whiteList Whitelist binding. Maximum 32 bindings can be configured per profile for Whitelist detection.
type Type of the white-list entry.
Possible values: IPv4, SUBNET, IPv6, IPv6_SUBNET, EXPRESSION
value Value of bot white-list entry.
log Enable logging for Whitelist binding.
Possible values: ON, OFF Default value: OFF
enabled Enabled or disabled white-list binding.
Possible values: ON, OFF Default value: OFF
rateLimit Rate-limit binding. Maximum 30 bindings can be configured per profile for rate-limit detection. For SOURCE_IP type, only one binding can be configured, and for URL type, only one binding is allowed per URL, and for SESSION type, only one binding is allowed for a cookie name. To update the values of an existing binding, user has to first unbind that binding, and then needs to bind again with new values.
type Rate-limiting type. The following rate-limiting types are allowed:
*SOURCE_IP - Rate-limiting based on the client IP.
*SESSION - Rate-limiting based on the configured cookie name.
*URL - Rate-limiting based on the configured URL.
*GEOLOCATION - Rate-limiting based on the configured country name.
Possible values: SESSION, SOURCE_IP, URL, GEOLOCATION, JA3_FINGERPRINT
url URL for the resource based rate-limiting.
cookieName Cookie name which is used to identify the session for session rate-limiting.
countryCode Country name which is used for geolocation rate-limiting.
Possible values: AF, AX, AL, DZ, AS, AD, AO, AI, AQ, AG, AR, AM, AW, AU, AT, AZ, BS, BH, BD, BB, BY, BE, BZ, BJ, BM, BT, BO, BQ, BA, BW, BR, IO, BN, BG, BF, BI, KH, CM, CA, CV, KY, CF, TD, CL, CN, CX, CC, CO, KM, CG, CD, CK, CR, CI, HR, CU, CW, CY, CZ, DK, DJ, DM, DO, EC, EG, SV, GQ, ER, EE, ET, FK, FO, FJ, FI, FR, GF, PF, TF, GA, GM, GE, DE, GH, GI, GR, GL, GD, GP, GU, GT, GG, GN, GW, GY, HT, HM, VA, HN, HK, HU, IS, IN, ID, IR, IQ, IE, IM, IL, IT, JM, JP, JE, JO, KZ, KE, KI, XK, KW, KG, LA, LV, LB, LS, LR, LY, LI, LT, LU, MO, MK, MG, MW, MY, MV, ML, MT, MH, MQ, MR, MU, YT, MX, FM, MD, MC, MN, ME, MS, MA, MZ, MM, NA, NR, NP, NL, NC, NZ, NI, NE, NG, NU, NF, KP, MP, NO, OM, PK, PW, PS, PA, PG, PY, PE, PH, PN, PL, PT, PR, QA, RE, RO, RU, RW, BL, SH, KN, LC, MF, PM, VC, WS, SM, ST, SA, SN, RS, SC, SL, SG, SX, SK, SI, SB, SO, SZA, GS, KR, SS, ES, LK, SD, SR, SJ, SZ, SE, CH, SY, TW, TJ, TZ, TH, TL, TG, TK, TO, TT, TN, TR, TM, TC, TV, UG, UA, AE, GB, US, UM, UY, UZ, VU, VE, VN, VG, VI, WF, EH, YE, ZM, ZW
rate Maximum number of requests that are allowed in this session in the given period time. Default value: 1 Minimum value: 1
timeSlice Time interval during which requests are tracked to check if they cross the given rate. Default value: 1000 Minimum value: 10
limitType Rate-Limiting traffic Type
Possible values: BURSTY, SMOOTH Default value: BURSTY
condition Expression to be used in a rate-limiting condition. This expression result must be a boolean value.
action One or more actions to be taken when the current rate becomes more than the configured rate. Only LOG action can be combined with DROP, REDIRECT, RESPOND_STATUS_TOO_MANY_REQUESTS or RESET action. Default value: NONE
enabled Enable or disable rate-limit binding.
Possible values: ON, OFF Default value: OFF
ipReputation IP reputation binding. For each category, only one binding is allowed. To update the values of an existing binding, user has to first unbind that binding, and then needs to bind again with the new values.
category IP Reputation category. The following IP Reputation categories are allowed:
*IP_BASED - This category checks whether client IP is malicious or not.
*BOTNET - This category includes Botnet C&C channels, and infected zombie machines controlled by Bot master.
*SPAM_SOURCES - This category includes tunneling spam messages through a proxy, anomalous SMTP activities, and forum spam activities.
*SCANNERS - This category includes all reconnaissance such as probes, host scan, domain scan, and password brute force attack.
*DOS - This category includes DOS, DDOS, anomalous sync flood, and anomalous traffic detection.
*REPUTATION - This category denies access from IP addresses currently known to be infected with malware. This category also includes IPs with average low Webroot Reputation Index score. Enabling this category will prevent access from sources identified to contact malware distribution points.
*PHISHING - This category includes IP addresses hosting phishing sites and other kinds of fraud activities such as ad click fraud or gaming fraud.
*PROXY - This category includes IP addresses providing proxy services.
*NETWORK - IPs providing proxy and anonymization services including The Onion Router aka TOR or darknet.
*MOBILE_THREATS - This category checks client IP with the list of IPs harmful for mobile devices.
*WINDOWS_EXPLOITS - This category includes active IP addresses offering or distributing malware, shell code, rootkits, worms or viruses.
*WEB_ATTACKS - This category includes cross site scripting, iFrame injection, SQL injection, cross domain injection or domain password brute force attack.
*TOR_PROXY - This category includes IP addresses acting as exit nodes for the Tor Network.
*CLOUD - This category checks client IP with list of public cloud IPs.
*CLOUD_AWS - This category checks client IP with list of public cloud IPs from Amazon Web Services.
*CLOUD_GCP - This category checks client IP with list of public cloud IPs from Google Cloud Platform.
*CLOUD_AZURE - This category checks client IP with list of public cloud IPs from Azure.
*CLOUD_ORACLE - This category checks client IP with list of public cloud IPs from Oracle.
*CLOUD_IBM - This category checks client IP with list of public cloud IPs from IBM.
*CLOUD_SALESFORCE - This category checks client IP with list of public cloud IPs from Salesforce.
Possible values: IP, BOTNETS, SPAM_SOURCES, SCANNERS, DOS, REPUTATION, PHISHING, PROXY, NETWORK, MOBILE_THREATS, WINDOWS_EXPLOITS, WEB_ATTACKS, TOR_PROXY, CLOUD, CLOUD_AWS, CLOUD_GCP, CLOUD_AZURE, CLOUD_ORACLE, CLOUD_IBM, CLOUD_SALESFORCE
enabled Enabled or disabled IP-reputation binding.
Possible values: ON, OFF Default value: OFF
action One or more actions to be taken if bot is detected based on this IP Reputation binding. Only LOG action can be combined with DROP, RESET, REDIRECT or MITIGATION action. Default value: NONE
captchaResource Captcha action binding. For each URL, only one binding is allowed. To update the values of an existing URL binding, user has to first unbind that binding, and then needs to bind the URL again with new values. Maximum 30 bindings can be configured per profile.
url URL for which the Captcha action, if configured under IP reputation, TPS or device fingerprint, needs to be applied.
waitTime Wait time in seconds for which ADC needs to wait for the Captcha response. This is to avoid DOS attacks. Default value: 15 Minimum value: 10 Maximum value: 60
gracePeriod Duration (in seconds) for which no new captcha challenge is sent after the current captcha challenge has been answered successfully. Default value: 900 Minimum value: 60 Maximum value: 900
mutePeriod Duration (in seconds) for which a client that failed the captcha needs to wait before it is allowed to try again. The requests from this client are silently dropped during the mute period. Default value: 300 Minimum value: 60 Maximum value: 900
requestSizeLimit Length of the request body (in bytes) up to (equal or less than) which captcha challenge will be provided to client. Above this length threshold the request will be dropped. This is to avoid DOS and DDOS attacks. Default value: 8000 Minimum value: 10 Maximum value: 30000
retryAttempts Number of times client can retry solving the captcha. Default value: 3 Minimum value: 1 Maximum value: 10
action One or more actions to be taken when client fails captcha challenge. Only the LOG action can be configured with DROP, REDIRECT or RESET action. Default value: NONE
enabled Enable or disable the captcha binding.
Possible values: ON, OFF Default value: OFF
tps TPS binding. For each type, only one binding can be configured. To update the values of an existing binding, user has to first unbind that binding, and then needs to bind again with new values.
type Type of TPS binding.
Possible values: SOURCE_IP, GEOLOCATION, REQUEST_URL, Host
threshold Maximum number of requests that are allowed from (or to) an IP, Geolocation, URL or Host in a 1 second time interval. Minimum value: 1
percentage Maximum percentage increase in the requests from (or to) an IP, Geolocation, URL or Host in a 30 minute interval. Minimum value: 10
action One or more actions to be taken if bot is detected based on this TPS binding. Only LOG action can be combined with DROP, RESET, REDIRECT, or MITIGATION action. Default value: NONE
enabled Enabled or disabled TPS binding.
Possible values: ON, OFF Default value: ON
trapInsertionURL Bind the trap URL for the configured request URLs. Maximum 30 bindings can be configured per profile.
url Request URL regex pattern for which Trap URL is inserted.
enabled Enable or disable the request URL pattern.
Possible values: ON, OFF Default value: OFF
logExpression Log expression binding.
name Name of the log expression object.
expression Expression whose result is logged when a violation occurs on the bot profile.
enabled Enable or disable the log expression binding.
Possible values: ON, OFF Default value: OFF
KMDetectionExpr Keyboard-mouse based detection binding. For each name, only one binding is allowed. To update the values of an existing binding, user has to first unbind that binding, then needs to bind again with new values. Maximum 30 bindings can be configured per profile.
name Name of the keyboard-mouse expression object.
expression The JavaScript file for keyboard-mouse detection is inserted if the result of the expression is true.
enabled Enable or disable the keyboard-mouse based binding.
Possible values: ON, OFF Default value: OFF
logMessage Message to be logged for this binding.
comment Any comments about this binding.
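The binding caps, one-binding-per-key rules, action-combination rules and numeric ranges listed for bind bot profile can be checked offline before a change is pushed to the ADC. The following is an added example, not Citrix code: the dict layout, the function names and the sample plan are assumptions of this example, while the limits and enum values are the ones given in the argument descriptions above.

```python
"""Offline lint for planned `bind bot profile` bindings (added example)."""

# Per-profile binding caps stated on this page.
MAX_BINDINGS = {"blackList": 32, "whiteList": 32, "rateLimit": 30,
                "captchaResource": 30, "trapInsertionURL": 30,
                "KMDetectionExpr": 30}

# Actions LOG may be paired with, per binding kind (from the action arguments).
LOG_PARTNERS = {
    "blackList": {"DROP", "RESET"},
    "rateLimit": {"DROP", "REDIRECT", "RESPOND_STATUS_TOO_MANY_REQUESTS", "RESET"},
    "ipReputation": {"DROP", "RESET", "REDIRECT", "MITIGATION"},
    "tps": {"DROP", "RESET", "REDIRECT", "MITIGATION"},
    "captchaResource": {"DROP", "REDIRECT", "RESET"},
}

# (minimum, maximum) per numeric argument; None means no maximum is listed.
RANGES = {
    "rateLimit": {"rate": (1, None), "timeSlice": (10, None)},
    "tps": {"threshold": (1, None), "percentage": (10, None)},
    "captchaResource": {"waitTime": (10, 60), "gracePeriod": (60, 900),
                        "mutePeriod": (60, 900), "requestSizeLimit": (10, 30000),
                        "retryAttempts": (1, 10)},
}

# `enabled` defaults to OFF for every binding kind except tps.
DEFAULT_ENABLED = {"tps": "ON"}


def uniqueness_key(b):
    """Return the key under which only one binding may exist, or None."""
    kind, typ = b["kind"], b.get("type")
    if kind == "rateLimit":
        # Only these three types have a stated one-binding rule.
        field = {"SOURCE_IP": None, "URL": "url", "SESSION": "cookieName"}
        if typ not in field:
            return None
        return (kind, typ, b.get(field[typ]) if field[typ] else None)
    field = {"ipReputation": "category", "captchaResource": "url",
             "tps": "type", "KMDetectionExpr": "name"}.get(kind)
    return (kind, b.get(field)) if field else None


def lint_bindings(bindings):
    """Return a list of (index, message) findings for the planned bindings."""
    findings, seen, counts = [], {}, {}
    for i, b in enumerate(bindings):
        kind = b["kind"]
        counts[kind] = counts.get(kind, 0) + 1
        cap = MAX_BINDINGS.get(kind)
        if cap is not None and counts[kind] == cap + 1:
            findings.append((i, f"{kind}: more than {cap} bindings"))

        key = uniqueness_key(b)
        if key is not None:
            if key in seen:
                findings.append(
                    (i, f"{kind}: duplicates binding {seen[key]}; unbind it first"))
            else:
                seen[key] = i

        # Several actions are valid only as LOG plus exactly one listed partner.
        actions = [a.upper() for a in b.get("action", [])]
        partners = LOG_PARTNERS.get(kind)
        if partners and len(actions) > 1:
            others = [a for a in actions if a != "LOG"]
            if "LOG" not in actions or len(others) != 1 or others[0] not in partners:
                findings.append((i, f"{kind}: invalid action combination {actions}"))

        for arg, (lo, hi) in RANGES.get(kind, {}).items():
            if arg in b and (b[arg] < lo or (hi is not None and b[arg] > hi)):
                findings.append((i, f"{kind}: {arg}={b[arg]} outside listed range"))

        if b.get("enabled", DEFAULT_ENABLED.get(kind, "OFF")) != "ON":
            findings.append((i, f"{kind}: binding is disabled (enabled is not ON)"))
    return findings


# Constructed sample plan (not taken from a real appliance).
SAMPLE = [
    {"kind": "rateLimit", "type": "SOURCE_IP", "rate": 20, "timeSlice": 1000,
     "action": ["LOG", "DROP"], "enabled": "ON"},
    {"kind": "rateLimit", "type": "SOURCE_IP", "rate": 50, "timeSlice": 1000,
     "action": ["DROP"], "enabled": "ON"},           # second SOURCE_IP binding
    {"kind": "blackList", "type": "SUBNET", "value": "192.0.2.0/24",
     "action": ["DROP", "RESET"]},                   # bad pair, enabled omitted
    {"kind": "captchaResource", "url": "/login", "waitTime": 5,
     "action": ["LOG", "RESET"], "enabled": "ON"},   # waitTime below minimum
    {"kind": "tps", "type": "SOURCE_IP", "threshold": 100,
     "action": ["LOG", "MITIGATION"]},               # enabled defaults to ON
]

if __name__ == "__main__":
    for idx, msg in lint_bindings(SAMPLE):
        print(f"binding {idx}: {msg}")
```

The disabled-binding finding is the one most often missed: every binding kind except tps defaults to OFF, so a blacklist or rate-limit entry bound without an explicit enabled ON is stored but inactive.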
rm bot profile
Removes the specified bot management profile.
Synopsis
rm bot profile
Arguments
name Name of the profile.
unbind bot profile
Unbind the specified bot detection mechanism from the specified profile.
Synopsis
unbind bot profile
Arguments
name Name for the profile. Must begin with a letter, number, or the underscore character (_), and must contain only letters, numbers, and the hyphen (-), period (.), pound (#), space ( ), at (@), equals (=), colon (:), and underscore (_) characters. Cannot be changed after the profile is added.
The following requirement applies only to the Citrix ADC CLI: If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, “my profile” or ‘my profile’).
blackList Blacklist binding. Maximum 32 bindings can be configured per profile for Blacklist detection.
value Value of the bot black-list entry.
whiteList Whitelist binding. Maximum 32 bindings can be configured per profile for Whitelist detection.
value Value of bot white-list entry.
rateLimit Rate-limit binding. Maximum 30 bindings can be configured per profile for rate-limit detection. For SOURCE_IP type, only one binding can be configured, and for URL type, only one binding is allowed per URL, and for SESSION type, only one binding is allowed for a cookie name. To update the values of an existing binding, user has to first unbind that binding, and then needs to bind again with new values.
type Rate-limiting type. The following rate-limiting types are allowed:
*SOURCE_IP - Rate-limiting based on the client IP.
*SESSION - Rate-limiting based on the configured cookie name.
*URL - Rate-limiting based on the configured URL.
*GEOLOCATION - Rate-limiting based on the configured country name.
Possible values: SESSION, SOURCE_IP, URL, GEOLOCATION, JA3_FINGERPRINT
url URL for the resource based rate-limiting.
cookieName Cookie name which is used to identify the session for session rate-limiting.
countryCode Country name which is used for geolocation rate-limiting.
Possible values: AF, AX, AL, DZ, AS, AD, AO, AI, AQ, AG, AR, AM, AW, AU, AT, AZ, BS, BH, BD, BB, BY, BE, BZ, BJ, BM, BT, BO, BQ, BA, BW, BR, IO, BN, BG, BF, BI, KH, CM, CA, CV, KY, CF, TD, CL, CN, CX, CC, CO, KM, CG, CD, CK, CR, CI, HR, CU, CW, CY, CZ, DK, DJ, DM, DO, EC, EG, SV, GQ, ER, EE, ET, FK, FO, FJ, FI, FR, GF, PF, TF, GA, GM, GE, DE, GH, GI, GR, GL, GD, GP, GU, GT, GG, GN, GW, GY, HT, HM, VA, HN, HK, HU, IS, IN, ID, IR, IQ, IE, IM, IL, IT, JM, JP, JE, JO, KZ, KE, KI, XK, KW, KG, LA, LV, LB, LS, LR, LY, LI, LT, LU, MO, MK, MG, MW, MY, MV, ML, MT, MH, MQ, MR, MU, YT, MX, FM, MD, MC, MN, ME, MS, MA, MZ, MM, NA, NR, NP, NL, NC, NZ, NI, NE, NG, NU, NF, KP, MP, NO, OM, PK, PW, PS, PA, PG, PY, PE, PH, PN, PL, PT, PR, QA, RE, RO, RU, RW, BL, SH, KN, LC, MF, PM, VC, WS, SM, ST, SA, SN, RS, SC, SL, SG, SX, SK, SI, SB, SO, SZA, GS, KR, SS, ES, LK, SD, SR, SJ, SZ, SE, CH, SY, TW, TJ, TZ, TH, TL, TG, TK, TO, TT, TN, TR, TM, TC, TV, UG, UA, AE, GB, US, UM, UY, UZ, VU, VE, VN, VG, VI, WF, EH, YE, ZM, ZW
condition Expression to be used in a rate-limiting condition. This expression result must be a boolean value.
ipReputation IP reputation binding. For each category, only one binding is allowed. To update the values of an existing binding, user has to first unbind that binding, and then needs to bind again with the new values.
category IP Reputation category. The following IP Reputation categories are allowed:
*IP_BASED - This category checks whether client IP is malicious or not.
*BOTNET - This category includes Botnet C&C channels, and infected zombie machines controlled by Bot master.
*SPAM_SOURCES - This category includes tunneling spam messages through a proxy, anomalous SMTP activities, and forum spam activities.
*SCANNERS - This category includes all reconnaissance such as probes, host scan, domain scan, and password brute force attack.
*DOS - This category includes DOS, DDOS, anomalous sync flood, and anomalous traffic detection.
*REPUTATION - This category denies access from IP addresses currently known to be infected with malware. This category also includes IPs with average low Webroot Reputation Index score. Enabling this category will prevent access from sources identified to contact malware distribution points.
*PHISHING - This category includes IP addresses hosting phishing sites and other kinds of fraud activities such as ad click fraud or gaming fraud.
*PROXY - This category includes IP addresses providing proxy services.
*NETWORK - IPs providing proxy and anonymization services including The Onion Router aka TOR or darknet.
*MOBILE_THREATS - This category checks client IP with the list of IPs harmful for mobile devices.
*WINDOWS_EXPLOITS - This category includes active IP addresses offering or distributing malware, shell code, rootkits, worms or viruses.
*WEB_ATTACKS - This category includes cross site scripting, iFrame injection, SQL injection, cross domain injection or domain password brute force attack.
*TOR_PROXY - This category includes IP addresses acting as exit nodes for the Tor Network.
*CLOUD - This category checks client IP with list of public cloud IPs.
*CLOUD_AWS - This category checks client IP with list of public cloud IPs from Amazon Web Services.
*CLOUD_GCP - This category checks client IP with list of public cloud IPs from Google Cloud Platform.
*CLOUD_AZURE - This category checks client IP with list of public cloud IPs from Azure.
*CLOUD_ORACLE - This category checks client IP with list of public cloud IPs from Oracle.
*CLOUD_IBM - This category checks client IP with list of public cloud IPs from IBM.
*CLOUD_SALESFORCE - This category checks client IP with list of public cloud IPs from Salesforce.
Possible values: IP, BOTNETS, SPAM_SOURCES, SCANNERS, DOS, REPUTATION, PHISHING, PROXY, NETWORK, MOBILE_THREATS, WINDOWS_EXPLOITS, WEB_ATTACKS, TOR_PROXY, CLOUD, CLOUD_AWS, CLOUD_GCP, CLOUD_AZURE, CLOUD_ORACLE, CLOUD_IBM, CLOUD_SALESFORCE
captchaResource Captcha action binding. For each URL, only one binding is allowed. To update the values of an existing URL binding, user has to first unbind that binding, and then needs to bind the URL again with new values. Maximum 30 bindings can be configured per profile.
url URL for which the Captcha action, if configured under IP reputation, TPS or device fingerprint, needs to be applied.
tps TPS binding. For each type, only one binding can be configured. To update the values of an existing binding, user has to first unbind that binding, and then needs to bind again with new values.
type Type of TPS binding.
Possible values: SOURCE_IP, GEOLOCATION, REQUEST_URL, Host
trapInsertionURL Bind the trap URL for the configured request URLs. Maximum 30 bindings can be configured per profile.
url Request URL regex pattern for which Trap URL is inserted.
logExpression Log expression binding.
name Name of the log expression object.
KMDetectionExpr Keyboard-mouse based detection binding. For each name, only one binding is allowed. To update the values of an existing binding, user has to first unbind that binding, then needs to bind again with new values. Maximum 30 bindings can be configured per profile.
name Name of the keyboard-mouse expression object.
stat bot profile
Displays statistics for the specified bot profile. If no profile is specified, displays abbreviated statistics for all the profiles.
Synopsis
stat bot profile [
Arguments
name Name of the bot profile.
detail Specifies detailed output (including more statistics). The output can be quite voluminous. Without this argument, the output will show only a summary.
fullValues Specifies that numbers and strings should be displayed in their full form. Without this option, long strings are shortened and large numbers are abbreviated.
ntimes The number of times, in intervals of seven seconds, the statistics should be displayed. Default value: 1 Minimum value: 0
logFile The name of the log file to be used as input.
clearstats Clear the statistics / counters
Possible values: basic, full
Output
count devno stateflag
Counters
requests (reqs) HTTP/HTTPS requests sent to your protected web servers via the Bot profile.
Request Bytes (reqBytes) Number of bytes transferred for requests
responses (resps) HTTP/HTTPS responses sent by your protected web servers via the Bot profile.
Response Bytes (resBytes) Number of bytes transferred for responses
total logs profile (botLogProfile) Total number of logs by the Bot profile.
total drop profile (botDropProfile) Total number of drops by the Bot profile.
total redirect profile (botRedirectProfile) Total number of redirects by the Bot profile.
total reset profile (botResetProfile) Total number of resets by the Bot profile.
Device Fingerprint (deviceFingerPrintProfile) Number of device fingerprint violations seen by the Bot profile.
Device Fingerprint Logs (deviceFingerPrintLogProfile) Number of device fingerprint violations logged by the Bot profile.
Device Fingerprint Drop (deviceFingerPrintDropProfile) Number of device fingerprint violations dropped by the Bot profile.
Device Fingerprint Redirect (deviceFingerPrintRedirectProfile) Number of device fingerprint violation requests redirected by the Bot profile to a different Web page or web server.
Device Fingerprint Captcha (deviceFingerPrintCaptchaProfile) Number of device fingerprint violation requests for which CAPTCHA challenge was sent due to Bot profile.
Device Fingerprint Reset (deviceFingerPrintResetProfile) Number of device fingerprint violations reset by the Bot profile.
IP Reputation (ipRepProfile) Number of IP reputation violations seen by the Bot profile.
IP Reputation Logs (ipRepLogProfile) Number of IP reputation violations logged by the Bot profile.
IP Reputation Drop (ipRepDropProfile) Number of IP reputation violations dropped by the Bot profile.
IP Reputation Redirect (ipRepRedirectProfile) Number of IP reputation violation requests redirected by the Bot profile to a different Web page or web server.
IP Reputation Captcha (ipRepCaptchaProfile) Number of IP reputation violation requests for which CAPTCHA challenge was sent due to Bot profile.
IP Reputation Reset (ipRepResetProfile) Number of IP reputation violations reset by the Bot profile.
White List (whiteListProfile) Number of white list violations seen by the Bot profile.
White List Logs (whiteListLogProfile) Number of white list violations logged by the Bot profile.
Black List (blackListProfile) Number of black list violations seen by the Bot profile.
Black List Logs (blackListLogProfile) Number of black list violations logged by the Bot profile.
Black List Drop (blackListDropProfile) Number of black list violations dropped by the Bot profile.
Black List Reset (blackListResetProfile) Number of black list violations reset by the Bot profile.
Black List Redirect (blackListRedirectProfile) Number of black list violations redirected by the Bot profile to a different Web page or web server.
Rate Limit (rateLimitProfile) Number of rate limiting violations seen by the Bot profile.
Rate Limit Logs (rateLimitLogProfile) Number of rate limiting violations logged by the Bot profile.
Rate Limit Drop (rateLimitDropProfile) Number of rate limiting violations dropped by the Bot profile.
Rate Limit Redirect (rateLimitRedirectProfile) Number of rate limiting violation requests redirected by the Bot profile to a different Web page or web server.
Rate Limit Exceeded Response (rateLimitExceededResponseProfile) Number of rate limiting violation requests that the Bot profile answered with a Too Many Requests response.
Rate Limit Reset (rateLimitResetProfile) Number of rate limiting violations reset by the Bot profile.
Static Signature (staticSignnatureProfile) Number of static signature violations seen by the Bot profile.
Static Signature Logs (staticSignnatureLogProfile) Number of static signature violations logged by the Bot profile.
Static Signature Drop (staticSignnatureDropProfile) Number of static signature violations dropped by the Bot profile.
Static Signature Redirect (staticSignnatureRedirectProfile) Number of static signature violations redirected by the Bot profile to a different Web page or web server.
Static Signature Reset (staticSignnatureResetProfile) Number of static signature violations reset by the Bot profile to a different Web page or web server.
TPS (tpsProfile) Number of TPS violations seen by the Bot profile.
Tps Logs (tpsLogProfile) Number of TPS violations logged by the Bot profile.
Tps Drop (tpsDropProfile) Number of TPS violations dropped by the Bot profile.
Tps Redirect (tpsRedirectProfile) Number of TPS violation requests redirected by the Bot profile to a different Web page or web server.
Tps Reset (tpsResetProfile) Number of TPS violations reset by the Bot profile.
Tps Captcha (tpsCaptchaProfile) Number of TPS violation requests for which CAPTCHA challenge was sent due to Bot profile.
Captcha (captchaProfile) Number of Captcha challenge failures seen by the Bot profile.
Captcha Log (captchaLogProfile) Number of Captcha challenge failures logged by the Bot profile.
Captcha Drop (captchaDropProfile) Number of Captcha challenge failures dropped by the Bot profile.
Captcha Redirect (captchaRedirectProfile) Number of Captcha challenge failures redirected by the Bot profile.
Captcha Reset (captchaResetProfile) Number of Captcha challenge failures reset by the Bot profile.
Trap (trapProfile) Number of trap violations seen by the Bot profile.
Trap Logs (trapLogProfile) Number of trap violations logged by the Bot profile.
Trap Drop (trapDropProfile) Number of trap violations dropped by the Bot profile.
Trap Redirect (trapRedirectProfile) Number of trap violation requests redirected by the Bot profile to a different Web page or web server.
Trap Reset (trapResetProfile) Number of trap violations reset by the Bot profile.
Bot whitelist enabled (botCfgWhitelistProfile) Whitelist enabled under bot profile.
Bot blacklist enabled (botCfgBlacklistProfile) Blacklist enabled under bot profile.
Bot IP Reputation enabled (botCfgIpRepProfile) IP Reputation enabled under bot profile.
Bot Ratelimit enabled (botCfgRatelimitProfile) Ratelimit enabled under bot profile.
Bot Signatures enabled (botCfgSignatureProfile) Static Signatures enabled under bot profile.
Bot device fingerprint enabled (botCfgDFPProfile) Device Fingerprint enabled under bot profile.
Bot TPS enabled (botCfgTpsProfile) TPS enabled under bot profile.
Bot Trap enabled (botCfgTrapProfile) Bot Trap enabled under bot profile.
Keyboard Mouse Detection enabled (botCfgKMDetectionProfile) Keyboard mouse detection enabled under bot profile.
Example
stat bot profile
Related Commands
add bot profile
Creates bot profile, which has configuration options for bot management. (A profile is equivalent to an action in other Citrix ADC features.)
Synopsis
add bot profile
Arguments
name Name for the profile. Must begin with a letter, number, or the underscore character (_), and must contain only letters, numbers, and the hyphen (-), period (.), pound (#), space ( ), at (@), equals (=), colon (:), and underscore (_) characters. Cannot be changed after the profile is added.
The following requirement applies only to the Citrix ADC CLI: If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, “my profile” or ‘my profile’).
signature Name of object containing bot static signature details.
errorURL URL that Bot protection uses as the Error URL. Default value: NS_S_BOT_DEFAULT_ERRORURL
trapURL URL that Bot protection uses as the Trap URL. Default value: NS_S_BOT_DEFAULT_TRAPURL
comment Any comments about the purpose of profile, or other useful information about the profile. Default value: NS_S_BOT_DEFAULT_PROFILE_COMMENTS
whiteList Enable white-list bot detection.
Possible values: ON, OFF Default value: OFF
blackList Enable black-list bot detection.
Possible values: ON, OFF Default value: OFF
rateLimit Enable rate-limit bot detection.
Possible values: ON, OFF Default value: OFF
deviceFingerprint Enable device-fingerprint bot detection.
Possible values: ON, OFF Default value: OFF
deviceFingerprintAction Action to be taken for device-fingerprint based bot detection. Default value: NONE
ipReputation Enable IP-reputation bot detection.
Possible values: ON, OFF Default value: OFF
trap Enable trap bot detection.
Possible values: ON, OFF Default value: OFF
trapAction Action to be taken for bot trap based bot detection. Default value: NONE
signatureNoUserAgentHeaderAction Actions to be taken if there is no User-Agent header in the request (Applicable if Signature check is enabled). Default value: DROP
signatureMultipleUserAgentHeaderAction Actions to be taken if multiple User-Agent headers are seen in a request (Applicable if Signature check is enabled). Log action should be combined with other actions. Default value: CHECKLAST
tps Enable TPS.
Possible values: ON, OFF Default value: OFF
deviceFingerprintMobile Enable bot device fingerprint protection for mobile clients. Default value: NONE
headlessBrowserDetection Enable Headless Browser detection.
Possible values: ON, OFF Default value: OFF
clientIpExpression Expression to get the client IP.
KMJavaScriptName Name of the JavaScript file that the Bot Management feature will insert in the response for keyboard-mouse based detection. Must begin with a letter, number, or the underscore character (_), and must contain only letters, numbers, and the hyphen (-), period (.) hash (#), space ( ), at (@), equals (=), colon (:), and underscore characters.
The following requirement applies only to the Citrix ADC CLI: If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, “my javascript file name” or ‘my javascript file name’). Default value: NS_S_BOT_DEFAULT_KM_JS_NAME
KMDetection Enable keyboard-mouse based bot detection.
Possible values: ON, OFF Default value: OFF
KMEventsPostBodyLimit Size of the KM data sent by the browser that needs to be processed on the ADC. Default value: NS_BOT_DEFAULT_KM_POST_BODY_LIMIT Minimum value: 1 Maximum value: 204800
verboseLogLevel Bot verbose Logging. Based on the log level, ADC will log additional information whenever client is detected as a bot.
Possible values: NONE, HTTP_FULL_HEADER Default value: NONE
spoofedReqAction Actions to be taken on a spoofed request (A request spoofing good bot user agent string). Default value: BOT_ACTION_LOG_DROP
dfpRequestLimit Number of requests to allow without a bot session cookie if device fingerprint is enabled. Minimum value: 1
sessionCookieName Name of the SessionCookie that the Bot Management feature uses for tracking. Must begin with a letter or number, and can consist of from 1 to 31 letters, numbers, and the hyphen (-) and underscore (_) symbols.
The following requirement applies only to the Citrix ADC CLI: If the name includes one or more spaces, enclose the name in double or single quotation marks (for example, “my cookie name” or ‘my cookie name’).
sessionTimeout Timeout, in seconds, after which a user session is terminated. Minimum value: 1 Maximum value: 65535
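An added example, not part of the Citrix reference: a pre-flight check that validates a planned profile against the limits stated on this page (name and cookie character rules, numeric ranges, one binding per key, per-profile maximums, and the "Possible values" lists). The dictionary layout, the `lint_profile` function and the sample plan are assumptions of this example; it issues no ADC commands.

```python
import re

# Value sets and limits copied from the argument descriptions on this page.
IPREP_CATEGORIES = set("""IP BOTNETS SPAM_SOURCES SCANNERS DOS REPUTATION PHISHING PROXY
NETWORK MOBILE_THREATS WINDOWS_EXPLOITS WEB_ATTACKS TOR_PROXY CLOUD CLOUD_AWS CLOUD_GCP
CLOUD_AZURE CLOUD_ORACLE CLOUD_IBM CLOUD_SALESFORCE""".split())
TPS_TYPES = {"SOURCE_IP", "GEOLOCATION", "REQUEST_URL", "Host"}
NAME_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.#@=: -]*")
# Reading of the cookie rule assumed here: 1 to 31 characters in total.
COOKIE_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]{0,30}")
RANGES = {"sessionTimeout": (1, 65535), "KMEventsPostBodyLimit": (1, 204800),
          "dfpRequestLimit": (1, None)}
# binding kind -> (key field, max per profile, allowed keys, one binding per key?)
BINDINGS = {
    "ipReputation": ("category", None, IPREP_CATEGORIES, True),
    "captchaResource": ("url", 30, None, True),
    "tps": ("type", None, TPS_TYPES, True),
    "trapInsertionURL": ("url", 30, None, False),
    "KMDetectionExpr": ("name", 30, None, True),
}

def lint_profile(profile):
    """Return the documented constraints a planned profile violates ([] = clean)."""
    problems = []
    if not NAME_RE.fullmatch(profile.get("name", "")):
        problems.append("name: bad first character or illegal character")
    cookie = profile.get("sessionCookieName")
    if cookie is not None and not COOKIE_RE.fullmatch(cookie):
        problems.append("sessionCookieName: need 1-31 of [A-Za-z0-9_-], first a letter or digit")
    for field, (low, high) in RANGES.items():
        value = profile.get(field)
        if value is not None and (value < low or (high is not None and value > high)):
            problems.append(f"{field}: {value} is outside the documented range")
    for kind, (key, limit, allowed, unique) in BINDINGS.items():
        entries = profile.get("bindings", {}).get(kind, [])
        if limit is not None and len(entries) > limit:
            problems.append(f"{kind}: {len(entries)} bindings, maximum is {limit}")
        seen = set()
        for entry in entries:
            if allowed is not None and entry[key] not in allowed:
                problems.append(f"{kind}: {entry[key]!r} is not a possible value")
            if unique and entry[key] in seen:
                problems.append(f"{kind}: second binding for {entry[key]!r}; unbind first")
            seen.add(entry[key])
    return problems

# Constructed sample plan: uses the description's name BOTNET instead of the value BOTNETS.
PLAN = {"name": "edge bot profile", "sessionTimeout": 70000, "bindings": {
    "ipReputation": [{"category": "BOTNET"}, {"category": "TOR_PROXY"}, {"category": "TOR_PROXY"}],
    "tps": [{"type": "SOURCE_IP"}]}}
```

Running `lint_profile(PLAN)` reports three findings: the out-of-range `sessionTimeout`, the category spelled `BOTNET` as in the description rather than the listed value `BOTNETS`, and the repeated `TOR_PROXY` binding.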
unset bot profile
Use this command to remove bot profile settings. Refer to the set bot profile command for meanings of the arguments.
Synopsis
unset bot profile