Use XFF Values for Policies and Logging Source Users
You can configure the firewall to map the IP address in the XFF header to a username using User-ID so that you can have visibility into, and user-based policy control over, the web traffic of users behind a proxy server who cannot otherwise be identified. In order to map the IP addresses from the XFF headers to usernames, you must first Enable
Enabling the firewall to use the X-Forwarded-For headers to perform user mapping does not enable the firewall to use the client IP address in the XFF header as the source address in the logs; the logs still display the proxy server IP address as the source address. However, to simplify the debugging and troubleshooting process, you can configure the firewall to Use the IP Address in the XFF Header to Troubleshoot Events to display the client IP address from the XFF header in the URL Filtering
To ensure that attackers can’t read and exploit the XFF values in web request packets that exit the firewall to retrieve content from an external server, you can also configure the firewall to strip the XFF values from outgoing packets. These options are not mutually exclusive: if you configure both, the firewall zeroes out XFF values only after using them in policy enforcement
1. Enable the firewall to use XFF values in policies and in the source user fields of logs.
   a. Edit the X-Forwarded-For Headers settings.
   b. Select Use X-Forwarded-For Header in User-ID.
2. Remove XFF values from outgoing web requests.
3. Verify that the firewall is populating the source user fields.
   a. Select a log type that has a source user field (for example,
   b. Verify that the Source User column displays the usernames of users who access the web.
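The behaviour described above, as an added illustration written for this page rather than PAN-OS code: the client IP is taken from the XFF header and mapped to a user for the log record (the source address stays the proxy's), and only then is the header stripped from the request that leaves. The IP-to-user table, the proxy address, and the rule that XFF is honoured only when the packet arrives from a known proxy are constructed assumptions, not settings from the page.

```python
import ipaddress

# Constructed IP-to-username table standing in for the User-ID mapping table.
USER_ID_MAP = {
    "10.1.1.25": "acme\\jsmith",
    "10.1.1.40": "acme\\mlee",
}

# Constructed address of the proxy that the firewall sees as the packet source.
TRUSTED_PROXIES = {"192.0.2.10"}

XFF = "x-forwarded-for"


def client_ip_from_xff(headers):
    """Return the original client IP named by X-Forwarded-For, or None.

    The header is 'client, hop1, hop2'; the leftmost entry is the client.
    Header names are matched case-insensitively; a malformed entry yields
    None rather than a bogus mapping key.
    """
    for name, value in headers.items():
        if name.lower() == XFF:
            first = value.split(",")[0].strip()
            try:
                return str(ipaddress.ip_address(first))
            except ValueError:
                return None
    return None


def process_request(src_ip, headers, strip_xff=True):
    """Apply the order the text describes: use XFF for the Source User
    field of the log record first, then strip it from the outgoing request.

    src_ip is the packet source (the proxy) and stays the logged source
    address. XFF is honoured only from a trusted proxy (assumption added
    here, not a setting from the page).
    """
    client_ip = client_ip_from_xff(headers) if src_ip in TRUSTED_PROXIES else None
    log_record = {
        "source_ip": src_ip,
        "source_user": USER_ID_MAP.get(client_ip) if client_ip else None,
        "xff_client_ip": client_ip,
    }
    outgoing = {k: v for k, v in headers.items()
                if not (strip_xff and k.lower() == XFF)}
    return log_record, outgoing
```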