Use the IP Address in the XFF Header to Troubleshoot Events
By default, the firewall records the IP address of a proxy server between users on your network and your firewalls as the Source Address in URL Filtering, Traffic, Threat, or WildFire Submissions logs. However, if you need to investigate a log event, knowing the specific user that initiated an HTTP/S request and the proxy server IP address may be insufficient. To simplify the process of debugging and troubleshooting log events, you can configure your firewall to log the client IP address in the X-Forwarded-For (XFF) HTTP header in various logs.
Logging the original client IP address enables you to identify the device that corresponds to the event you want to investigate. Specifically, you can open the detailed log view for a Traffic, Threat, or WildFire Submissions event and locate the related URL Filtering log. You can then use the recorded XFF IP address to center your investigation on the specific device that triggered the event in question. For example, if you notice malicious traffic in a Threat log, you can find the URL Filtering log associated with that Threat log and identify the infected client.
Before you can use the client IP address to troubleshoot events, you’ll need to enable the X-Forwarded-For option in a URL Filtering profile. Then, attach the URL Filtering profile to Security policy rules that allow access to web-based applications. The proxy server remains as the Source Address for all traffic that matches these rules.
URL Filtering logs do not display the X-Forwarded-For IP column on the web interface. To view recorded X-Forwarded-For IP addresses, you must export the logs to comma-separated value (CSV) files.
Enabling the X-Forwarded-For option in a URL Filtering profile does not enable user mapping of the source address. To populate the Source User fields with the username of the person who originated an HTTP request, you must separately configure the firewall to use XFF values for User-ID. Also keep in mind that X-Forwarded-For is an ordinary request header: the firewall logs whatever value the proxy passed along, so the logged address is only as trustworthy as the proxy that set it. If a client can reach the firewall without traversing a proxy that overwrites or appends the header, the client can choose the value that gets logged.
  1. Enable the X-Forwarded-For option in a URL Filtering profile.
    1. Select Objects > Security Profiles > URL Filtering and select the URL Filtering profile you want to configure, or add a new one.
      You cannot enable XFF logging in the default URL Filtering profile.
    2. On the URL Filtering Settings tab, select X-Forwarded-For.
    3. Click OK to save the profile.
  2. Attach the URL Filtering profile to the Security policy rule(s) that enable access to web applications.
    1. Select Policies > Security and click the rule.
    2. On the Actions tab, set the Profile Type to Profiles. Then, select the URL Filtering profile you configured earlier for X-Forwarded-For HTTP Header Logging.
    3. Click OK and Commit your changes.
  3. Verify the firewall is logging XFF values.
    The XFF column is not visible in the URL Filtering logs on the firewall.
    1. Select Monitor > Logs > URL Filtering.
    2. View the XFF values in one of the following ways:
      • Click Export to CSV to export the URL Filtering log to a comma-separated value file. When the download is complete, click Download file to save a copy of the file to your local device.
      • Use the show log url csv-output equal yes CLI command.
  4. Use the XFF field in the URL Filtering log to troubleshoot a log event in another log type.
    If you notice an event associated with HTTP/HTTPS traffic but cannot identify the source IP address because it is that of the proxy server, you can use the X-Forwarded-For value in a correlated URL Filtering log to help you identify the source address associated with the log event. To do this:
    1. Find an event you want to investigate in a Traffic, Threat, or WildFire Submissions log that shows the IP address of the proxy server as the source address.
    2. Click the spyglass icon for the log to display its details and look for an associated URL Filtering log at the bottom of the Detailed Log Viewer window.
    3. Export the associated URL Filtering log to a CSV file and look for the X-Forwarded-For IP column. The IP address in this column is the address of the client behind the proxy server. Use this IP address to track down the device that triggered the event you are investigating.
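The correlation in step 4, carried out over the exported CSV files rather than by hand, as an added example that is not part of the original page and is not PAN-OS code. It assumes the Threat and URL Filtering exports share a Session ID column and that the XFF column is headed X-Forwarded-For IP (the COL_* constants are the place to adjust if your export's header row differs); the sample rows are constructed. It also handles two cases the steps above do not discuss: an XFF value that is a multi-hop list, and one that is not an IP address at all.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Assumed column names; compare with the header row of your own export.
COL_SRC = "Source address"
COL_SESSION = "Session ID"
COL_XFF = "X-Forwarded-For IP"
COL_THREAT = "Threat/Content Name"

# Constructed sample exports standing in for the files produced by Export to CSV.
# 10.1.1.5 plays the proxy; the clients live in 192.168.20.0/24.
THREAT_CSV = """Receive Time,Type,Threat/Content Name,Source address,Destination address,Session ID,Severity
2024/05/01 10:15:02,threat,Example.Malware.Beacon,10.1.1.5,203.0.113.10,481922,high
2024/05/01 10:16:40,threat,Example.Exploit.Kit,10.1.1.5,198.51.100.7,481977,critical
2024/05/01 10:18:11,threat,Example.Scan,10.1.1.5,198.51.100.8,482010,medium
"""

URL_CSV = """Receive Time,Type,URL,Source address,Destination address,Session ID,X-Forwarded-For IP
2024/05/01 10:15:01,url,http://bad.example/beacon,10.1.1.5,203.0.113.10,481922,192.168.20.44
2024/05/01 10:15:30,url,http://news.example/,10.1.1.5,198.51.100.9,481950,192.168.20.51
2024/05/01 10:16:39,url,http://kit.example/land,10.1.1.5,198.51.100.7,481977,"198.51.100.200, 192.168.20.77"
2024/05/01 10:18:10,url,http://scan.example/,10.1.1.5,198.51.100.8,482010,not-an-ip
"""


def parse_export(text):
    """Read a CSV export into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def client_ip_from_xff(xff):
    """Return (client_ip, needs_review) for one logged XFF value.

    XFF is a comma-separated hop list. Each proxy appends the address of the peer
    it received the request from, so the rightmost entry was added by the proxy
    nearest the firewall and is the one to rely on. Anything to its left was
    already in the header when that proxy saw it, possibly written by the client,
    so multi-hop values are flagged for review, as are values that are not an IP.
    """
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    if not hops:
        return None, True
    try:
        ip = ipaddress.ip_address(hops[-1])
    except ValueError:
        return None, True
    return str(ip), len(hops) > 1


def index_by_session(url_rows):
    """Group URL Filtering rows by Session ID; one session can log several URLs."""
    by_session = defaultdict(list)
    for row in url_rows:
        by_session[row[COL_SESSION]].append(row)
    return by_session


def correlate(threat_rows, url_rows, proxy_ip):
    """For each Threat event sourced from the proxy, find the client behind it."""
    by_session = index_by_session(url_rows)
    findings = []
    for t in threat_rows:
        if t[COL_SRC] != proxy_ip:
            continue  # not via the proxy: the logged source already is the client
        finding = {"threat": t[COL_THREAT], "session": t[COL_SESSION],
                   "client_ip": None, "xff_raw": [], "review": False}
        clients = set()
        for u in by_session.get(t[COL_SESSION], []):
            finding["xff_raw"].append(u[COL_XFF])
            ip, review = client_ip_from_xff(u[COL_XFF])
            finding["review"] |= review
            if ip:
                clients.add(ip)
        if len(clients) == 1:
            finding["client_ip"] = clients.pop()
        else:
            finding["review"] = True  # no URL log, unparsable XFF, or conflicting clients
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in correlate(parse_export(THREAT_CSV), parse_export(URL_CSV), "10.1.1.5"):
        flag = " (review)" if f["review"] else ""
        print(f"session {f['session']}: {f['threat']} -> client {f['client_ip']}{flag}")
```

Joining on Session ID mirrors what the Detailed Log Viewer does when it lists the related URL Filtering log; if your export lacks that column, fall back to matching the proxy source address, destination address, and a narrow receive-time window, and expect occasional ambiguity when the proxy multiplexes many clients.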