Documentation Center
AlienVault® USM Anywhere™

F5 FirePass Big-IP

When you configure F5 FirePass Big-IP to send log data to USM Anywhere, you can use the F5 FirePass Big-IP plugin to translate the raw log data into normalized events for analysis.

Device Details
Vendor F5
Device Type VPN Concentrator
Connection Type Syslog

Integrating FirePass Big-IP

Before you configure the F5 FirePass Big-IP integration, you must have the IP Address of the USM Anywhere Sensor.

To configure FirePass Big-IP to send log data to USM Anywhere

  1. Log into the F5 Web Interface.
  2. Navigate to Device Management > Maintenance > Logs.
  3. In the System Logs section, select Enable Remote Log Server.
  4. Select Enabled Extended System Logs.
  5. Enter the IP address of a USM Anywhere Sensor in the Remote Host field.
  6. Select Apply System Log Changes.

Plugin Enablement

For plugin enablement information, see Manual Plugin Management.

Available Plugin Fields

The following plugin fields are important attributes extracted from the syslog message. USM Anywhere reports use these fields, and you can also reference them when creating custom reports. In addition to reporting, the USM Anywhere correlation rules make use of these fields.

  • customfield_0
  • customfield_1
  • customfield_2
  • customfield_3
  • customfield_4
  • customfield_5
  • customfield_6
  • customfield_7
  • customheader_0
  • customheader_1
  • customheader_2
  • customheader_3
  • customheader_4
  • customheader_5
  • customheader_6
  • customheader_7
  • destination_address
  • destination_port
  • destination_username
  • event_description
  • event_name
  • event_outcome
  • event_severity
  • malware_variant
  • rep_device_rule_id
  • request_method
  • request_url
  • request_user_agent
  • session
  • source_address
  • source_port
  • source_process
  • source_process_id
  • source_username
  • timestamp_occured
  • transport_protocol

Status Code

  • Level, HTTP Classifier
  • Geographic Location
  • Number of Attempts, Operation Mode
  • Route Domain
  • Drop counter
  • Prevention State
  • Web scraping attack type


For troubleshooting, refer to the vendor documentation: