If your organization has an HTTP proxy server
between users on your network and the firewall, the firewall cannot
identify who made a web request because the proxy server address
appears to be the source or client IP address. This is an issue
because all users behind the proxy get identified as a single user,
which prevents you from applying user-based policy.
To address
this challenge, configure your firewall to extract the client IP address
from the X-Forwarded-For (XFF) header and match it to an IP-User mapping
on the firewall. The firewall then uses the client IP address, matched
with an IP-User mapping, to apply the appropriate user- or group-based policy. The
Source User field in Traffic, Threat, WildFire Submissions, and
URL Filtering logs will display the username to which the client
IP address maps. For example, suppose you configure a Security policy
rule that only allows members of the IT group to access a proprietary
application. If you enable the firewall to map IP addresses to users,
then the firewall recognizes, based on the client IP address, when a
user outside of the IT group (behind a proxy) attempts to access the
application.
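
The lookup described above, as an added Python sketch (not Palo Alto Networks code or configuration): the client IP address is taken from the XFF header, matched to an IP-User mapping, and checked against the IT group. The proxy address, mappings, group membership, and the rule of honouring the header only from a known proxy and taking the right-most non-proxy entry are assumptions for illustration, not documented firewall behaviour.

```python
import ipaddress

# Constructed sample data (assumptions, not from any real deployment).
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}
IP_USER_MAP = {"10.1.1.20": "corp\\alice", "10.1.1.31": "corp\\bob"}
GROUPS = {"IT": {"corp\\alice"}}


def client_ip(source_ip, xff_header):
    """Return the address to use for the IP-User lookup.

    The XFF header is honoured only when the packet's source is a known
    proxy; otherwise any host could claim another user's address.
    """
    src = ipaddress.ip_address(source_ip)
    if src not in TRUSTED_PROXIES or not xff_header:
        return str(src)
    # Walk right to left: the right-most entry was appended by the proxy
    # nearest the firewall; entries further left are client-supplied.
    for token in reversed(xff_header.split(",")):
        try:
            addr = ipaddress.ip_address(token.strip())
        except ValueError:
            return str(src)  # malformed header: fall back to the source
        if addr not in TRUSTED_PROXIES:
            return str(addr)
    return str(src)


def evaluate(source_ip, xff_header, allowed_group="IT"):
    """Return (source_user, action) as a log entry would record them."""
    user = IP_USER_MAP.get(client_ip(source_ip, xff_header))
    allowed = user is not None and user in GROUPS.get(allowed_group, set())
    return user, "allow" if allowed else "deny"
```

Without the header, every request from the proxy resolves to the proxy's own address, which has no mapping, so no user-based rule can match.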