USM Anywhere™

Forcepoint Triton AP-Web

When you configure Forcepoint (formerly Websense) Triton AP-Web integration to send log data to USM Anywhere, you can use the Forcepoint Triton AP-Web plugin to translate the raw log data into normalized events for analysis.

Device Details

Device vendor: Raytheon
Device type: Switch
Connection type: syslog
Vendor link: 

Integrating Forcepoint Triton AP-Web Switch

Before you configure the integration, you must have:

  • the IP address of the USM Anywhere Sensor
  • an instance of Forcepoint Multiplexer for each Forcepoint Policy Server in your network
  • syslog accessibility for the USM Anywhere Sensor (the Sensor must be reachable from the Multiplexer on the syslog port you choose in the steps below)

To configure Forcepoint Triton AP-Web Switch to forward log data through syslog to USM Anywhere:

  1. Log on to the web module of the TRITON Manager to activate and configure SIEM integration.

  2. Perform the following steps for each Policy Server instance in your deployment:

    1. Go to Settings > General > SIEM Integration and select Enable SIEM integration for this Policy Server.
    2. Provide the IP address of the USM Anywhere Sensor.
    3. Specify either UDP or TCP as the Transport protocol.
    4. Enter port number 514 for UDP, or 601 for TCP.
    5. Select syslog/CEF (ArcSight) as the SIEM format.

      This setting determines the syntax of the string used to pass log data to the integration; the USM Anywhere plugin parses this CEF format, so do not choose another format.

  3. Click OK to cache your changes.
  4. Click Save and Deploy to commit them.

After the changes are saved and deployed, Forcepoint Multiplexer connects to Filtering Service and distributes the log data to both the Log Server and the USM Anywhere Sensor.

Plugin Enablement

For plugin enablement information, see Adding AlienApps to an Asset.

Available Plugin Fields

The following plugin fields are the attributes the plugin extracts from each syslog message. USM Anywhere reports use these fields, you can reference them when creating custom reports, and the USM Anywhere correlation rules match on them as well.

  • application_protocol
  • audit_reason
  • bytes_in
  • bytes_out
  • content_category
  • destination_address
  • destination_hostname
  • destination_port
  • destination_translated_port
  • device_custom_number_1
  • device_custom_number_2
  • event_action
  • event_name
  • event_receipt_time
  • event_severity
  • policy
  • rep_device_address
  • rep_device_rule_id
  • rep_device_type
  • rep_device_vendor
  • rep_device_version
  • request_content_type
  • request_method
  • request_url
  • request_user_agent
  • source_address
  • source_port
  • source_username
  • transient
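The SIEM format chosen in the configuration steps above (syslog/CEF) is what the plugin fields above are extracted from. The following is an added example, not USM Anywhere plugin code or Forcepoint code: it parses one syslog/CEF (ArcSight) line, including the escapes CEF allows in the header and the extension, and maps the standard CEF extension keys onto the plugin field names listed above. The CEF_TO_PLUGIN table is an assumed mapping based on the standard ArcSight key names (the plugin's real mapping is not shown on this page), and SAMPLE_LINE is a constructed log line, not a captured one. A practitioner can run it against lines captured on the Sensor to see which of the listed fields a particular deployment actually populates.

```python
"""Parse a syslog/CEF (ArcSight) line and map it onto the plugin field names on this page.

Added example, not USM Anywhere plugin code. CEF_TO_PLUGIN is an assumed mapping built from
the standard ArcSight CEF extension key names; SAMPLE_LINE is a constructed line.
"""
import re

# Plugin fields listed on this page.
PLUGIN_FIELDS = (
    "application_protocol", "audit_reason", "bytes_in", "bytes_out", "content_category",
    "destination_address", "destination_hostname", "destination_port",
    "destination_translated_port", "device_custom_number_1", "device_custom_number_2",
    "event_action", "event_name", "event_receipt_time", "event_severity", "policy",
    "rep_device_address", "rep_device_rule_id", "rep_device_type", "rep_device_vendor",
    "rep_device_version", "request_content_type", "request_method", "request_url",
    "request_user_agent", "source_address", "source_port", "source_username", "transient",
)
# Assumed mapping: standard CEF extension key -> plugin field. policy, request_content_type
# and transient have no standard CEF key, so they are left unmapped here.
CEF_TO_PLUGIN = {
    "app": "application_protocol", "reason": "audit_reason", "in": "bytes_in",
    "out": "bytes_out", "cat": "content_category", "dst": "destination_address",
    "dhost": "destination_hostname", "dpt": "destination_port",
    "destinationTranslatedPort": "destination_translated_port",
    "cn1": "device_custom_number_1", "cn2": "device_custom_number_2",
    "act": "event_action", "rt": "event_receipt_time", "dvc": "rep_device_address",
    "requestMethod": "request_method", "request": "request_url",
    "requestClientApplication": "request_user_agent", "src": "source_address",
    "spt": "source_port", "suser": "source_username",
}
# Pipe-delimited header after "CEF:0": vendor|product|version|signature id|name|severity.
HEADER_FIELDS = ("rep_device_vendor", "rep_device_type", "rep_device_version",
                 "rep_device_rule_id", "event_name", "event_severity")
NUMERIC = {"bytes_in", "bytes_out", "destination_port", "destination_translated_port",
           "source_port", "device_custom_number_1", "device_custom_number_2"}
_PRI = re.compile(r"^<(\d{1,3})>")
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")   # a key is word chars right before '='
_ESC = re.compile(r"\\(.)")                           # CEF escape: backslash + one char


def split_syslog(line):
    """Separate the RFC 3164-style prefix (<PRI>timestamp host) from the CEF payload."""
    idx = line.find("CEF:")
    if idx < 0:
        raise ValueError("no CEF payload in line")
    prefix, payload, meta = line[:idx].strip(), line[idx:], {}
    m = _PRI.match(prefix)
    if m:  # PRI = facility * 8 + severity
        meta["syslog_facility"], meta["syslog_severity"] = divmod(int(m.group(1)), 8)
        prefix = prefix[m.end():].strip()
    if prefix:
        meta["syslog_host"] = prefix.split()[-1]   # assumes the host is the last prefix token
    return meta, payload


def split_cef_header(payload):
    """Split the seven pipe-delimited header fields, honouring the \\| and \\\\ escapes."""
    fields, cur, i = [], [], 0
    while i < len(payload) and len(fields) < 7:
        c = payload[i]
        if c == "\\" and i + 1 < len(payload):
            cur.append(payload[i + 1]); i += 2      # escaped character, taken literally
        elif c == "|":
            fields.append("".join(cur)); cur = []; i += 1
        else:
            cur.append(c); i += 1
    if len(fields) < 7 or not fields[0].startswith("CEF:"):
        raise ValueError("malformed CEF header")
    return fields, payload[i:]                      # remainder is the extension


def parse_extension(ext):
    """Parse 'key=value key2=value with spaces' into a dict, honouring \\= \\n \\r \\\\ escapes."""
    out, keys = {}, list(_EXT_KEY.finditer(ext))
    for n, m in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        raw = ext[m.end():end].strip()
        out[m.group(1)] = _ESC.sub(lambda e: {"n": "\n", "r": "\r"}.get(e.group(1), e.group(1)), raw)
    return out


def normalize(line):
    """Turn one syslog/CEF line into a dict keyed by plugin field name."""
    event, payload = split_syslog(line)
    header, ext = split_cef_header(payload)
    event.update(zip(HEADER_FIELDS, header[1:7]))
    unmapped = {}
    for key, value in parse_extension(ext).items():
        field = CEF_TO_PLUGIN.get(key)
        if field is None:
            unmapped[key] = value                   # kept, but outside the plugin namespace
            continue
        if field in NUMERIC and value.lstrip("-").isdigit():
            value = int(value)
        event[field] = value
    if unmapped:
        event["unmapped"] = unmapped
    return event


def missing_plugin_fields(event):
    """Plugin fields from this page that the event did not populate."""
    return [f for f in PLUGIN_FIELDS if f not in event]


# Constructed sample line (not a real capture): a blocked HTTP request from a domain user.
SAMPLE_LINE = (
    "<134>Oct 10 13:45:21 fp-web-01 CEF:0|Forcepoint|Triton AP-Web|8.5.3|1|Transaction blocked|7|"
    "act=blocked app=http src=10.20.30.40 spt=51422 dst=203.0.113.10 dpt=80 dhost=malware.example "
    "suser=CORP\\\\jdoe requestMethod=GET request=http://malware.example/path?id\\=1 "
    "requestClientApplication=Mozilla/5.0 in=0 out=512 cat=Malicious Web Sites "
    "reason=Category block cn1=1 cn2=3 rt=1696945521000 dvc=10.0.0.5"
)
```

Calling normalize(SAMPLE_LINE) yields source_username "CORP\jdoe", request_url "http://malware.example/path?id=1" and integer ports and byte counts, and missing_plugin_fields() on the result reports destination_translated_port, policy, request_content_type and transient as unpopulated, which is the kind of gap to expect when a field depends on data the device does not emit in its CEF output. The parser stops header processing after the seventh pipe, so a pipe inside a URL in the extension is not mistaken for a header delimiter, and keys are only recognised at a whitespace boundary, so "?a=b" inside a URL is not split into a new key.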


For troubleshooting, refer to the vendor documentation: