USM Anywhere™

Barracuda NextGen Firewalls

When you configure Barracuda NextGen Firewalls to send log data to USM Anywhere, you can use the Barracuda NextGen Firewall plugin to translate raw log data into normalized events for analysis. The table below provides some basic information for the plugin:

Plugin Information

Device Details
  Vendor            Barracuda
  Device Type       Firewall
  Connection Type   Syslog

Integrating Barracuda NextGen Firewalls

To configure Barracuda NextGen Firewalls to forward log data over Syslog to USM Anywhere:

  1. Go to LOGS > Log Streaming.

  2. In the Stream target field, type the hostname or IP address of your USM Anywhere Sensor.

    Note: Only one target can be defined.

  3. In Protocol / Port, enter:

    • port 514 if you're using UDP
    • port 601 if you're using TCP

  4. Select the log streams you want to enable.

  5. Click Save Changes.

  6. Verify that a connection exists between the device and the USM Anywhere Sensor.

    • Go to BASIC > Recent Connections.
    • Filter the list of connections for the Protocol, Service, and Destination IP of your USM Anywhere Sensor.

Plugin Enablement

The Barracuda Next Gen (NG) Firewall plugin automatically processes all messages when the raw message contains "box_Firewall_Activity".

Available Plugin Fields

The following plugin fields are important attributes extracted from the syslog message. The USM Anywhere reports use these fields, and you can also reference them when creating custom reports. In addition to reporting, the USM Anywhere correlation rules make use of these fields.

  • application
  • application_protocol
  • base_event_count
  • bytes_in
  • bytes_out
  • content_category
  • customfield_0
  • customfield_1
  • customheader_0
  • customheader_1
  • destination_address
  • destination_nat_address
  • destination_port
  • destination_service_name
  • device_inbound_interface
  • duration
  • event_category
  • event_description
  • event_name
  • event_severity
  • packets_received
  • packets_sent
  • rep_device_model
  • rep_device_outbound_interface
  • rep_device_rule_id
  • source_address
  • source_mac
  • source_nat_address
  • source_port
  • source_username
  • timestamp_occured
  • timestamp_received
  • transport_protocol

Additional Resources and Troubleshooting

For troubleshooting, refer to the vendor documentation: