Use XFF Values for Policy Based on Source Users
Table of Contents
Expand All
|
Collapse All
Next-Generation Firewall Docs
-
-
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
-
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
-
-
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)
Use XFF Values for Policy Based on Source Users
You can configure the firewall map the IP
address in the XFF header to a username using User-ID so that you
can have visibility into and user-based policy control over the
web traffic of users behind a proxy server who cannot otherwise
be identified. In order to map the IP addresses from the XFF headers
to usernames, you must first Enable
User-ID.
With this option enabled, the firewall uses
the IP address in the XFF header for user mapping purposes only.
The source IP address the firewall logs is still that of the proxy
server, not that of the source user. When you see a log event attributed
to a user that the firewall mapped using and IP address extracted
from an XFF header, it can be difficult to track down the specific
device associated with the event. To simplify debugging and troubleshooting
of events attributed to users behind the proxy server, you must
also configure the firewall to populate the X-Forwarded-For column
in the URL Filtering log with the IP address in the XFF header so
that you can track down the specific user and device associated
with an log event that is correlated with the URL Filtering log
entry.
The XFF header your proxy server adds must contain
the source IP address of the end user who originated the request.
If the header contains multiple IP addresses, the firewall uses
the first IP address only. If the header contains information other
than an IP address, the firewall will not be able to perform user
mapping.
Enabling
the firewall to use the X-Forwarded-For headers to perform user
mapping does not enable the firewall to use the client IP address
in the XFF header as the source address in the logs; the logs still
display the proxy server IP address as the source address. However,
to simplify the debugging and troubleshooting process you can configure
the firewall to Add
XFF Values to URL Filtering Logs to display the client IP
address from the XFF header in the URL Filtering logs.
- Enable the firewall to use XFF values in policies and in the source user fields of logs.
- Select DeviceSetupContent-ID and edit the X-Forwarded-For Headers settings.Select Enabled for User-ID to Use X-Forwarded-For Header for User-ID.Remove XFF values from outgoing web requests.
- Select Strip X-Forwarded-For Header.Click OK and Commit.Verify the firewall is populating the source user fields of logs.
- Select a log type that has a source user field (for example, MonitorLogsTraffic).Verify that the Source User column displays the usernames of users who access web applications.