USM Anywhere™

Citrix NetScaler Application Firewall

When you configure Citrix NetScaler Application Firewall to send log data to USM Anywhere, you can use the Citrix NetScaler Application Firewall plugin to translate the raw log data into normalized events for analysis.

Device Details
Device vendor Citrix
Device type Application firewall
Connection type Syslog
Vendor link

Citrix NetScaler Application Firewall Integration

Before configuring the log collection, you must have the IP address of the USM Anywhere Sensor.

To configure Citrix NetScaler Application Firewall to send log data to USM Anywhere

  1. Update the /etc/syslog.conf file and add the following line in the file:

    add audit syslogAction sysaction <usm_anywhere_ip> -logLevel ALL -logFacility 3

  2. Run the following command to add syspol1 policy, which uses sysact1 server:

    add audit syslogPolicy syspol1 ns_true sysact1

  3. Run the following command to bind the Application Firewall policy and ensure that it is saved in ns.conf file:

    bind appfw global syspol1 100

Plugin Enablement

For plugin enablement information, see Adding AlienApps to an Asset.

Available Plugin Fields

The following plugin fields are important attributes extracted from the syslog message. The USM Anywhere reports use these fields, and you can also reference them when creating custom reports. In addition to reporting, the USM Anywhere correlation rules make use of these fields.

  • customfield_0

  • customfield_1

  • customfield_2

  • customfield_3

  • customfield_4

  • device_custom_number_1

  • device_custom_number_2

  • event_action

  • event_description

  • event_name

  • event_ref_id

  • event_severity

  • policy

  • rep_device_rule_id

  • rep_device_type

  • rep_device_vendor

  • rep_device_version

  • request_method

  • request_url

  • source_address

  • source_port


For troubleshooting, refer to the vendor documentation: