If your organization has an HTTP proxy server between users on your network and the firewall, the firewall cannot identify who made a web request because the proxy server address appears to be the source or client IP address. This is an issue because all users behind the proxy get identified as a single user, which prevents you from applying user-based policy.

To address this challenge, configure your firewall to extract the client IP address from an XFF header and match it to an IP-User mapping on a firewall. The firewall then uses the client IP address, matched with a IP-User mapping, to apply the appropriate user- or group-based policy. The Source User field in Traffic, Threat, WildFire Submissions, and URL Filtering logs will display the username to which the client IP address maps. For example, suppose you configure a Security policy rule that only allows members of the IT group to access a proprietary application. If you enable the firewall to map IP addresses to users, then the firewall recognizes if a member outside of the IT group (behind a proxy) attempts to access the application based on their IP address.

To use XFF headers for user-based policy, you’ll need to enable User-ID and configure your firewall to use XFF values for User-ID. If the XFF header contains multiple IP addresses, the firewall uses the first (left-most) IP address for user mapping. The first address corresponds to the IP address or device from which an HTTP/s request originates. If the header contains values other than IP addresses, the firewall cannot perform user mapping.