Collect XFF Values for User-ID
When an HTTP proxy sits between users on your network and your firewall, outgoing web requests from these users appear to originate from the proxy server. This is because web requests pass through the proxy before reaching the firewall and the proxy doesn’t share the client (source) IP address with the firewall. As a result, the Source Address fields in Traffic, Threat, WildFire Submissions, and URL Filtering logs show the IP address of the proxy server. Further, the firewall treats all users behind the proxy as a single user, preventing it from enforcing policy rules based on users.

To address this challenge, configure your firewall to extract client IP addresses from X-Forwarded-For (XFF) request headers and match them to IP address-to-User mappings. When someone behind a proxy server sends a web request, the firewall parses the XFF header for the client IP address. Then, the firewall identifies who made the request by comparing the client IP address to user mappings on the firewall. After identifying the user, the firewall enforces the appropriate policy action. You can find the username in the Source User field of Traffic, Threat, WildFire Submissions, and URL Filtering logs.

For example, suppose you configure a Security policy rule that limits access to a proprietary application to members of the IT group. A newly remote IT administrator accesses the application from behind a proxy server. With XFF enabled for User-ID, the firewall grants the administrator access to the application because their IP address maps to a username in the IT group. If the IP address did not correspond to an IT group member, the firewall would have blocked access to the application.

If the XFF header contains multiple IP addresses, the firewall uses the first (left-most) IP address for the user mapping. The first address corresponds to the IP address from which an HTTP/S request originates. If the XFF header is not in the format `X-Forwarded-For: <client>, <proxy1>, <proxy2>`, where each value is an IP address, the firewall cannot match the client IP address to an IP address-to-User mapping.
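The following Python script is an added illustration of the two behaviours described above (the IT-group policy example and the left-most-address rule), not code from Palo Alto Networks or from PAN-OS. It assumes a constructed IP-address-to-User table, a constructed group-membership table, and a constructed sample request; the function names are hypothetical. It shows how the header is parsed, why a header whose values are not all IP addresses yields no mapping, and how the Source Address field keeps the proxy address while the Source User field carries the mapped username.

```python
import ipaddress
from typing import Dict, Optional, Set

# Constructed sample data standing in for the firewall's IP-address-to-User
# mappings and its group membership information (hypothetical values).
IP_TO_USER: Dict[str, str] = {
    "10.1.1.25": "acme\\jdoe",
    "10.1.1.40": "acme\\it-admin",
}
USER_GROUPS: Dict[str, Set[str]] = {
    "acme\\jdoe": {"Sales"},
    "acme\\it-admin": {"IT"},
}


def parse_headers(raw_request: str) -> Dict[str, str]:
    """Minimal HTTP/1.1 header parser; header names are returned lower-cased."""
    head, _, _body = raw_request.partition("\r\n\r\n")
    lines = head.split("\r\n")[1:]  # drop the request line
    headers: Dict[str, str] = {}
    for line in lines:
        name, sep, value = line.partition(":")  # first ':' only; IPv6 values keep theirs
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def xff_client_ip(xff_value: Optional[str]) -> Optional[str]:
    """Return the left-most XFF value, or None if the header is unusable.

    Follows the documented rule: the first (left-most) address is the client,
    and the header must look like '<client>, <proxy1>, <proxy2>' where every
    value is an IP address; otherwise no user mapping is possible.
    """
    if not xff_value:
        return None
    values = [v.strip() for v in xff_value.split(",")]
    for v in values:
        try:
            ipaddress.ip_address(v)  # accepts IPv4 and IPv6 literals only
        except ValueError:
            return None  # hostnames, 'ip:port', empty entries -> no mapping
    return values[0]


def log_fields(raw_request: str, proxy_ip: str) -> Dict[str, Optional[str]]:
    """Simulate the Source Address / Source User fields the logs would show."""
    headers = parse_headers(raw_request)
    client_ip = xff_client_ip(headers.get("x-forwarded-for"))
    user = IP_TO_USER.get(client_ip) if client_ip else None
    return {
        "source_address": proxy_ip,   # logs keep the proxy's address
        "xff_client_ip": client_ip,   # used only for mapping and policy
        "source_user": user,
    }


def policy_allows(raw_request: str, proxy_ip: str, required_group: str) -> bool:
    """Emulate a Security policy rule that permits only members of one group."""
    user = log_fields(raw_request, proxy_ip)["source_user"]
    return user is not None and required_group in USER_GROUPS.get(user, set())


# Constructed sample request as the proxy would forward it to the firewall.
SAMPLE_REQUEST = (
    "GET /app/ HTTP/1.1\r\n"
    "Host: app.example.internal\r\n"
    "X-Forwarded-For: 10.1.1.40, 192.0.2.10\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print(log_fields(SAMPLE_REQUEST, proxy_ip="192.0.2.10"))
    print("IT-only rule allows:", policy_allows(SAMPLE_REQUEST, "192.0.2.10", "IT"))
```

Running the script prints the proxy address as the source address, the mapped IT administrator as the source user, and `True` for the IT-only rule; swapping the client address for the Sales user's address, or sending a header with a hostname or `ip:port` entry, yields no mapping and the rule denies the request.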
When you use XFF headers for User-ID, the firewall uses the client IP address only for user mapping and policy enforcement purposes. This configuration doesn’t impact how the firewall logs the client IP address in Traffic, Threat, WildFire Submissions, and URL Filtering logs. The Source Address field shows the IP address for the proxy server that traffic first passes through on the way to its destination server. The Source User field shows the username to which a client IP address corresponds.

Enable the X-Forwarded-For option in a URL Filtering profile that is attached to Security policy rules that allow access to web-based applications. The X-Forwarded-For option lets the firewall record client IP addresses in URL Filtering logs, simplifying the debugging and troubleshooting of log events involving users behind a proxy server.
- Configure User-ID. This is a prerequisite for enabling the use of XFF values for User-ID and in the Source User field of logs.
- Enable the firewall to use XFF values in Security policy rules and in the Source User field of logs.
  - Select Device > Setup > Content-ID and edit the X-Forwarded-For Headers settings.
  - For Use X-Forwarded-For Header, select Enabled for User-ID.
- (Optional) Remove XFF values from outgoing web requests. The Strip X-Forwarded-For Header option does not affect the use of XFF headers for User-ID. The firewall removes the XFF header before forwarding HTTP requests to their destination.
  - Select Strip X-Forwarded-For Header.
- Click OK and Commit your changes.
- Verify the firewall populates the Source User field of logs.
  - Select a log type that has a Source User field (for example, Monitor > Logs > Traffic).
  - Verify that the Source User column displays the usernames of users who access web applications.