Use XFF Values for Policy Based on Source Users
Table of Contents
Expand All
|
Collapse All
Next-Generation Firewall Docs
-
-
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
-
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
-
-
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)
Use XFF Values for Policy Based on Source Users
If your organization has an HTTP proxy server
between users on your network and the firewall, the firewall cannot
identify who made a web request because the proxy server address
appears to be the source or client IP address. This is an issue
because all users behind the proxy get identified as a single user,
which prevents you from applying user-based policy.
To address
this challenge, configure your firewall to extract the client IP address
from an XFF header and match it to an IP-User mapping on a firewall.
The firewall then uses the client IP address, matched with a IP-User
mapping, to apply the appropriate user- or group-based policy. The
Source User field in Traffic, Threat, WildFire Submissions, and
URL Filtering logs will display the username to which the client
IP address maps. For example, suppose you configure a Security policy
rule that only allows members of the IT group to access a proprietary
application. If you enable the firewall to map IP addresses to users,
then the firewall recognizes if a member outside of the IT group
(behind a proxy) attempts to access the application based on their
IP address.
When you use
XFF headers for User-ID, the firewall uses the client IP address
only for user mapping and policy enforcement purposes. This setting
does not change how the firewall logs the client IP address in Traffic,
Threat, WildFire Submissions, and URL Filtering logs. The Source
Address field will contain the IP address for the proxy server that
the HTTP traffic first passed through on the way to its destination
server. In other words, the logs do not show the client IP address.
To
use XFF headers for user-based policy, you’ll need to enable User-ID and configure
your firewall to use XFF values for User-ID. If the XFF header contains
multiple IP addresses, the firewall uses the first (left-most) IP address
for user mapping. The first address corresponds to the IP address
or device from which an HTTP/s request originates. If the header
contains values other than IP addresses, the firewall cannot perform
user mapping.
When you see a log event
attributed to a user that the firewall mapped using an IP address
extracted from an XFF header, it can be difficult to track down
the specific device associated with the event. To help you debug
and troubleshoot log events, configure the firewall to record
the IP addresses of source users in URL Filtering logs. The
URL Filtering logs will record client IP addresses under the X-Forwarded-For
IP field.
Then, you can go into the details of the log type
you are interested in to find the corresponding URL Filtering log
entry with the IP address for the specific user and device that
initiated the log event you are investigating. Because URL Filtering logs
viewed on the web interface no longer display the X-Forwarded-For
IP column, you’ll need to export URL Filtering logs to CSV format
to view the XFF data.
- Enable the firewall to use XFF values in policies and in the source user fields of logs.
- Select DeviceSetupContent-ID and edit the X-Forwarded-For Headers settings.Select Enabled for User-ID to Use X-Forwarded-For Header for User-ID.Remove XFF values from outgoing web requests.
- Select Strip X-Forwarded-For Header.Click OK and Commit.Verify the firewall is populating the source user fields of logs.
- Select a log type that has a source user field (for example, MonitorLogsTraffic).Verify that the Source User column displays the usernames of users who access web applications.