Use the IP Address in the XFF Header to Troubleshoot Events
Focus
Focus

Use the IP Address in the XFF Header to Troubleshoot Events

Table of Contents

Use the IP Address in the XFF Header to Troubleshoot Events

By default, the firewall records the IP address of a proxy server between users on your network and your firewalls as the Source Address in URL Filtering, Traffic, Threat, or WildFire Submissions logs. However, if you need to investigate a log event, knowing the specific user that initiated an HTTP/S request and the proxy server IP address may be insufficient. To simplify the process of debugging and troubleshooting log events, you can configure your firewall to log the client IP address in the X-Forwarded-For (XFF) HTTP header in various logs.
Logging the original client IP address enables you to identify the device that corresponds to the event you want to investigate. Specifically, you can open the detailed log view for a Traffic, Threat, or Wildfire Submissions event and locate the related URL Filtering log. You can use the recorded XFF IP address to center your investigation on the specific device that triggered the event in question. For example, you notice malicious traffic in a Threat log. To begin your investigation, you could find the URL Filtering log associated with the Threat log and identify the infected client.
Before you can use the client IP address to troubleshoot events, you’ll need to enable the X-Forwarded-For option in a URL Filtering profile. Then, attach the URL Filtering profile to Security policy rules that allow access to web-based applications. The proxy server remains as the Source Address for all traffic that matches these rules.
URL Filtering logs do not display the X-Forwarded-For IP column on the web interface. To view recorded X-Forwarded-For IP addresses, you must export the logs to comma-separated value (CSV) files.
Enabling the X-Forwarded-For option in a URL Filtering profile does not enable user mapping of the source address. To populate the Source User fields with the username of the person who originated an HTTP request, you need to configure the firewall to use XFF values for User-ID purposes.
  1. Enable the X-Forwarded-For option in a URL Filtering profile.
    1. Select
      Objects
      Security Profiles
      URL Filtering
      and select the URL Filtering profile you want to configure or add a new one.
      You cannot enable XFF logging in the default URL Filtering profile.
    2. On the
      URL Filtering Settings
      tab, select
      X-Forwarded-For
      .
    3. Click
      OK
      to save the profile.
  2. Attach the URL Filtering profile to the Security policy rule(s) that enable access to web applications.
    1. Select
      Policies
      Security
      and click the rule.
    2. On the
      Actions
      tab, set the
      Profile Type
      to
      Profiles
      . Then, select the
      URL Filtering
      profile you configured earlier for X-Forwarded-For HTTP Header Logging.
    3. Click
      OK
      and
      Commit
      your changes.
  3. Verify the firewall is logging XFF values.
    The XFF column is not visible in the URL Filtering logs on the firewall.
    1. Select
      Monitor
      Logs
      URL Filtering
      .
    2. View the XFF values in one of the following ways:
      • Click Export to CSV (
        ) to export the URL Filtering log to a comma-separated value file. When the download is complete, click
        Download file
        to save a copy of the file to your local device.
      • Use the
        show log url csv-output equal yes
        CLI command.
  4. Use the XFF field in the URL Filtering log to troubleshoot a log event in another log type.
    If you notice an event associated with HTTP/HTTPS traffic but cannot identify the source IP address because it is that of the proxy server, you can use the X-Forwarded-For value in a correlated URL Filtering log to help you identify the source address associated with the log event. To do this:
    1. Find an event you want investigate in a Traffic, Threat, or WildFire Submissions log that shows the IP address of the proxy server as the source address.
    2. Click the spyglass icon for the log to display its details and look for an associated URL Filtering log at the bottom of the Detailed Log Viewer window.
    3. Export the associated URL Filtering log to a CSV file and look for the X-Forwarded For IP column. The IP address in this column represents the IP address of the source user behind the proxy server. Use this IP address to track down the device that triggered the event you are investigating.

Recommended For You