Values for Policies and Logging Source Users
You can configure the firewall to use XFF
values in user-based policies and in the source user fields of logs.
To use XFF values in policies, you must also Enable User-ID.
XFF values don’t populate the source IP address values of logs. When
you view the logs, the source field displays the IP address of the
proxy server if one is deployed between the user clients and the
firewall. However, you can configure the firewall to Add XFF Values to URL Filtering Logs so
that you can see user IP addresses in those logs.
To ensure that attackers can’t read and exploit the XFF values in web
request packets that exit the firewall to retrieve content from
an external server, you can also configure the firewall to strip
the XFF values from outgoing packets.
These options are not
mutually exclusive: if you configure both, the firewall zeroes out
XFF values only after using them in policies and logs.
Enable the firewall to use XFF values in policies
and in the source user fields of logs.
and edit the X-Forwarded-For
Use X-Forwarded-For Header in User-ID
Remove XFF values from outgoing web requests.
Verify the firewall is populating the source user fields
Select a log type that has a source user
field (for example,
Verify that the Source User column displays the usernames
of users who access the web.
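To confirm that removing XFF values from outgoing web requests is taking effect, you can inspect cleartext HTTP requests captured on the egress side of the firewall. The following Python check is an added example, not Palo Alto Networks code; the sample requests are constructed, and it assumes a zeroed value contains only zeros and separators (for example, 0.0.0.0).

```python
# Constructed sample requests, as they might be captured after the firewall.
SAMPLES = [
    b"GET / HTTP/1.1\r\nHost: example.com\r\nX-Forwarded-For: 0.0.0.0\r\n\r\n",
    b"GET /a HTTP/1.1\r\nHost: example.com\r\n"
    b"x-forwarded-for: 10.1.1.25, 192.0.2.10\r\n\r\n",
    b"GET /b HTTP/1.1\r\nHost: example.com\r\n\r\n",
    b"POST /c HTTP/1.1\r\nHost: example.com\r\nX-Forwarded-For: 0.0.0.0\r\n"
    b"X-FORWARDED-FOR: 10.1.1.25\r\nContent-Length: 2\r\n\r\nhi",
]


def xff_values(raw_request):
    """Return every X-Forwarded-For entry found in one raw HTTP/1.x request."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    entries = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        # Header names are case-insensitive and the header may repeat.
        if sep and name.strip().lower() == "x-forwarded-for":
            entries += [v.strip() for v in value.split(",") if v.strip()]
    return entries


def leaked_addresses(raw_request):
    """Return XFF entries that still identify a host.

    Assumption: a zeroed entry consists only of zeros and separators
    (0.0.0.0, ::, 0:0:0:0:0:0:0:0). Anything else is reported.
    """
    return [e for e in xff_values(raw_request) if e.strip("0.: ")]


def audit(requests):
    """Map the index of each leaking request to its remaining XFF entries."""
    return {
        i: leaked
        for i, raw in enumerate(requests)
        if (leaked := leaked_addresses(raw))
    }


if __name__ == "__main__":
    for index, leaked in audit(SAMPLES).items():
        print(f"request {index}: XFF still exposes {', '.join(leaked)}")
```

A request with no X-Forwarded-For header at all passes the check, as does one whose only entries are zeroed.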