Use XFF Values for Policies and Logging Source Users

You can configure the firewall to use XFF values in user-based policies and in the source user fields of logs. To use XFF values in policies, you must also Enable User-ID.
Logging XFF values doesn’t populate the source IP address values of logs. When you view the logs, the source field displays the IP address of the proxy server if one is deployed between the user clients and the firewall. However, you can configure the firewall to Add XFF Values to URL Filtering Logs so that you can see user IP addresses in those logs.
To ensure that attackers can’t read and exploit the XFF values in web request packets that exit the firewall to retrieve content from an external server, you can also configure the firewall to strip the XFF values from outgoing packets.
These options are not mutually exclusive: if you configure both, the firewall zeroes out XFF values only after using them in policies and logs.
  1. Enable the firewall to use XFF values in policies and in the source user fields of logs.
    1. Select Device > Setup > Content-ID and edit the X-Forwarded-For Headers settings.
    2. Select Use X-Forwarded-For Header in User-ID.
  2. Remove XFF values from outgoing web requests.
    1. Select Strip X-Forwarded-For Header.
    2. Click OK and Commit.
  3. Verify the firewall is populating the source user fields of logs.
    1. Select a log type that has a source user field (for example, Monitor > Logs > Traffic).
    2. Verify that the Source User column displays the usernames of users who access the web.
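
To confirm the strip setting from step 2, you can inspect a request as it arrives at a test web server you control on the far side of the firewall. The following is an added example, not part of the original documentation or of any vendor tooling: it parses a raw HTTP/1.x request head and reports any X-Forwarded-For entries that still disclose a client address. The function names and sample requests are constructed, and treating an empty or all-zero value as "zeroed out" is an assumption about how the stripped header looks on the wire.

```python
import ipaddress

def xff_values(raw_request: bytes) -> list[str]:
    """Return every X-Forwarded-For entry found in a raw HTTP/1.x request head."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    entries = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-forwarded-for":
            # The header can repeat, and each occurrence can carry a comma list.
            entries.extend(v.strip() for v in value.split(","))
    return entries

def leaked_addresses(raw_request: bytes) -> list[str]:
    """Return XFF entries that still reveal something after the firewall."""
    leaked = []
    for entry in xff_values(raw_request):
        if not entry:
            continue  # assumption: a blank value counts as zeroed out
        try:
            if ipaddress.ip_address(entry).is_unspecified:
                continue  # assumption: 0.0.0.0 or :: counts as zeroed out
        except ValueError:
            pass  # not an IP literal (hostname, ip:port); still disclosed
        leaked.append(entry)
    return leaked

# Constructed sample requests (not captured traffic).
BEFORE = (b"GET / HTTP/1.1\r\nHost: example.com\r\n"
          b"x-forwarded-FOR: 10.1.2.3, 192.0.2.10\r\n\r\n")
AFTER_ZEROED = (b"GET / HTTP/1.1\r\nHost: example.com\r\n"
                b"X-Forwarded-For: 0.0.0.0\r\n\r\n")
AFTER_ABSENT = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"

if __name__ == "__main__":
    for label, req in [("before", BEFORE), ("zeroed", AFTER_ZEROED),
                       ("absent", AFTER_ABSENT)]:
        print(label, leaked_addresses(req) or "no client address disclosed")
```

A non-empty result for a request captured after the firewall means the client address is still leaving the network, so recheck the Strip X-Forwarded-For Header setting and confirm the commit completed.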
