1. Home
    2. PAN-OS
    3. PAN-OS® Administrator’s Guide
    4. Policy
    5. Identify Users Connected through a Proxy Server
    6. Use the IP Address in the XFF Header to Troubleshoot Events

    Use the IP Address in the XFF Header to Troubleshoot Events

    By default, the firewall does not log the source address of a client behind a proxy server, even if you are using this address from the X-Forwarded-For (XFF) header for user mapping. Therefore, while you can identify the specific user associated with a log event, you will not be able to easily identify the source device that originated the log event. To simplify the debugging and troubleshooting of events for users behind a proxy server, you must enable the X-Forwarded-For option within HTTP Header Logging in the URL Filtering profile that you attach to security policy rules that allow access to web-based applications. With this option enabled, the firewall logs the IP address from the XFF header as the Source address for all traffic that matches the rule.
    Enabling the firewall to use the XFF header as the Source address in URL Filtering logs does not enable user mapping of the source address. To populate the source user fields, see Use XFF Values for Policies and Logging Source Users.
    1. Enable the X-Forwarded-For option within HTTP Header Logging in the URL Filtering profile.
      1. Select
        Objects
        Security Profiles
        URL Filtering
         and select the URL Filtering profile you want to configure, or add a new one.
        You can’t enable XFF logging in the default URL Filtering profile.
      2. Select the
        Settings
         tab and select
        X-Forwarded-For
        .
      3. Click
        OK
         to save the profile.
    2. Attach the URL Filtering profile to the security policy rule(s) that enable access to web applications.
      1. Select
        Policies
        Security
         and click the rule.
      2. Select the
        Actions
         tab, set the
        Profile Type
         to
        Profiles
        , and select the
        URL Filtering
         profile you just configured for X-Forwarded-For HTTP Header Logging.
      3. Click
        OK
         and
        Commit
        .
    3. Verify the firewall is logging XFF values.
      1. Select
        Monitor
        Logs
        URL Filtering
        .
      2. View the XFF values in one of the following ways:
        • To display the XFF value for a single URL Filtering log—Click the spyglass icon for the log to displays its details. The HTTP Headers section displays the X-Forwarded-For value.
        • To display the XFF values for all URL Filtering logs—Open the drop-down in any column header, select
          Columns
          , and select
          X-Forwarded-For
          . The page then displays an X-Forwarded-For column.
    4. Use the XFF field in the URL Filtering log to troubleshoot a log event in another log type.
      Although only the URL Filtering logs display the IP address of the source user in the X-Forwarded-For column of the logs, if you notice an event associated with HTTP/HTTPS traffic but that you cannot identify the source IP address because it is that of the proxy server, you can use the X-Forwarded-For value in a correlated URL Filtering log to help you identify the source address associated with the log event. To do this:
      1. Find an event you want investigate in a Traffic, Threat, or WildFire Submissions logs that is showing the IP address of the proxy server as the source address.
      2. Click the spyglass icon for the log to display its details and look for an associated URL Filtering log at the bottom of the Detailed Log Viewer window.
      3. Select the header row and then select
        X-Forwarded-For
         from the
        Columns
         drop-down to display this value. The IP address in this column of the X-Forwarded-For column represents the IP address of the source user behind the proxy server. Use this IP address to track down the device that triggered the event you are investigating.

    Related Documentation

    Use XFF Values for Policies and Logging Source Users

    Use XFF Values for Policies and Logging Source Users You can configure the firewall map the IP address in the XFF header to a username ...

    Identify Users Connected Through a Proxy Server

    Identify Users Connected through a Proxy Server If you have a proxy server deployed between the users on your network and the firewall, the firewall ...

    HTTP Header Logging

    HTTP Header Logging URL filtering provides visibility and control over web traffic on your network. For improved visibility into web content, you can configure the ...

    XFF Headers

    XFF Headers If you have a proxy server deployed between the users on your network and the firewall, the firewall might see the proxy server ...

    Device > Setup > Content-ID

    Device > Setup > Content-ID Use the Content-ID ™ tab to define settings for URL filtering, data protection, and container pages. Content-ID Settings Description URL ...

    URL Filtering Settings

    URL Filtering Settings Select Objects Security Profiles URL Filtering URL Filtering Settings to enforce safe search settings, and to enable logging of HTTP headers. URL ...

    Configure URL Filtering

    Configure URL Filtering After you Determine URL Filtering Policy Requirements , you should have a basic understanding of what types of websites and website categories ...

    Threat Log Fields

    Threat Log Fields Format : FUTURE_USE, Receive Time, Serial Number, Type, Threat/Content Type, FUTURE_USE, Generated Time, Source IP, Destination IP, NAT Source IP, NAT Destination ...

    Enable User-ID

    Enable User-ID The user identity, as opposed to an IP address, is an integral component of an effective security infrastructure. Knowing who is using each ...

    Log Types

    Log Types The firewall displays all logs so that role-based administration permissions are respected. Only the information that you are permitted to see is visible ...

    © 2019 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo