Network Security
Use the IP Address in the XFF Header to Troubleshoot Events
Table of Contents
Expand All
|
Collapse All
Network Security Docs
Use the IP Address in the XFF Header to Troubleshoot Events
By default, the firewall does not log the
source address of a client behind a proxy server, even if you are
using this address from the X-Forwarded-For (XFF) header for user
mapping. Therefore, while you can identify the specific user associated
with a log event, you will not be able to identify the source device
that originated the log event easily. To simplify the debugging
and troubleshooting of events for users behind a proxy server, enable
the X-Forwarded-For option in the URL Filtering profile that you
attach to Security rules that allow access to web-based applications.
With this option enabled, the firewall logs the IP address from
the XFF header as the Source address for all traffic that matches
the rule.
URL Filtering logs do not display the X-Forwarded
For IP field. To view X-Forwarded-For IP log events, you must export
the logs to CSV format.
Enabling the firewall
to use the XFF header as the Source address in URL Filtering logs
does not enable user mapping of the source address. To populate
the source user fields, see Use
XFF Values for Policies and Logging Source Users.
- Enable the X-Forwarded-For option in the URL Filtering profile.
- Select ObjectsSecurity ProfilesURL Filtering and select the URL Filtering profile you want to configure or add a new one.You can’t enable XFF logging in the default URL Filtering profile.Select the URL Filtering Settings tab and enable X-Forwarded-For.Click OK to save the profile.Attach the URL Filtering profile to the Security policy rule(s) that enable access to web applications.
- Select PoliciesSecurity and click the rule.Select the Actions tab, set the Profile Type to Profiles, and select the URL Filtering profile you just configured for X-Forwarded-For HTTP Header Logging.Click OK and Commit.Verify the firewall is logging XFF values.The XFF column is not visible in the URL Filtering logs on the firewall.
- Select MonitorLogsURL Filtering.View the XFF values in one of the following ways:
- Click Export to CSV (
- Use the show log url csv-output equal yes CLI command.
Use the XFF field in the URL Filtering log to troubleshoot a log event in another log type.If you notice an event associated with HTTP/HTTPS traffic but cannot identify the source IP address because it is that of the proxy server, you can use the X-Forwarded-For value in a correlated URL Filtering log to help you identify the source address associated with the log event. To do this:- Find an event you want investigate in a Traffic, Threat, or WildFire Submissions log that shows the IP address of the proxy server as the source address.Click the spyglass icon for the log to display its details and look for an associated URL Filtering log at the bottom of the Detailed Log Viewer window.Export the associated URL Filtering log to a CSV file and look for the X-Forwarded For IP column. The IP address in this column represents the IP address of the source user behind the proxy server. Use this IP address to track down the device that triggered the event you are investigating.