Insert Username in HTTP Headers
Table of Contents
Insert Username in HTTP Headers
Configure the firewall to include the domain and username
in the traffic headers to allow other appliances to receive user
identification information.
When you configure a secondary enforcement
appliance with your Palo Alto Networks firewall to enforce user-based policy,
the secondary appliance may not have the IP address-to-username
mapping from the firewall. Transmitting user information to downstream
appliances may require deployment of additional appliances such
as proxies or negatively impact the user’s experience (for example, users
having to log in multiple times). By sharing the user's identity
in the HTTP headers, you can enforce user-based policy without negatively impacting
the user's experience or deploying additional infrastructure.
When
you configure this feature, apply the URL profile to your Security
policy, and commit your changes, the firewall:
- Populates the user and domain values with the format of the primary username in the group mapping for the source user.
- Encodes this information using Base64.
- Adds the Base64-encoded header to the payload.
- Routes the traffic to the downstream appliance.
If
you want to include the username and domain only when the user accesses
specific domains, configure a domain list and the firewall inserts
the header only when a domain in the list matches the Host header
of the HTTP request.
To share user information with downstream
appliances, you must first enable User-ID and configure group mapping.
To
include the username and domain in headers for HTTPS traffic, you
must first create a decryption profile to
decrypt HTTPS traffic.
To
include the username and domain in the header, the firewall requires
the IP address-to-username mapping for the user. If the user is
not mapped, the firewall inserts unknown in
Base64 encoding for both the domain and username in the header.
This feature supports forward-proxy
decryption traffic.
- Create or edit a URL Filtering Profile.The firewall does not insert headers if the action for the URL filtering profile is block for the domain.Create or edit an HTTP header insertion entry using predefined types.You can define up to five headers for each profile.Select Dynamic Fields as the header Type.Add the Domains where you want insert headers. When the user accesses a domain in the list, the firewall inserts the specified header.Add a new Header or select X-Authenticated-User to edit it.Select a header Value format (either ($domain)\($user) or WinNT://($domain)/($user)) or enter your own format using the ($domain) and ($user) dynamic tokens (for example, ($user)@($domain) for UserPrincipalName).Do not use the same dynamic token (either ($user) or ($domain)) more than once per value.Each value can be up to 512 characters. The firewall populates the ($user) and ($domain) dynamic tokens using the primary username in the group mapping profile. For example:
- If the primary username is the sAMAccountName, the value for ($user) is the sAMAccountName and the value for ($domain) is the NetBios domain name.
- If the primary username is the UserPrincipalName, the ($user) the user account name (prefix) and the ($domain) is the Domain Name System (DNS) name.
(Optional) Select Log to enable logging for the header insertion.Apply the URL filtering profile to the security policy rule for HTTP or HTTPS traffic.Select OK twice to confirm the HTTP header configuration.Commit your changes.Verify the firewall includes the username and domain in the HTTP headers.- Use the show user user-ids all command to verify the group mapping is correct.
- Use the show counter global name ctd_header_insert command to view the number of HTTP headers inserted by the firewall.
- If you configured logging in Step 7, check the logs for the inserted Base64 encoded payload (for example, corpexample\testuser would appear in the logs as Y29ycGV4YW1wbGVcdGVzdHVzZXI=).
