Use the IP Address in the XFF Header to Troubleshoot Events
By default, the firewall does not log the
source address of a client behind a proxy server, even if you are
using this address from the X-Forwarded-For (XFF) header for user
mapping. Therefore, while you can identify the specific user associated
with a log event, you will not be able to easily identify the source
device that originated the log event. To simplify the debugging
and troubleshooting of events for users behind a proxy server, you
must enable the X-Forwarded-For option within HTTP Header Logging
in the URL Filtering profile that you attach to security policy
rules that allow access to web-based applications. With this option
enabled, the firewall logs the IP address from the XFF header as
the Source address for all traffic that matches the rule.
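An XFF header can carry a comma-separated chain of addresses when a request crosses more than one proxy, and any entry not appended by a proxy you operate is client-supplied. The following is an added example, not part of the original page or the vendor's tooling, showing one way to pick the client address out of an XFF value before acting on it; the function names, the trusted proxy range and the sample values are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: address ranges of the proxies you operate (constructed value).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.5.0/24")]

def _parse(token):
    """Return an ip_address object, or None if the token is not an IP address."""
    try:
        return ipaddress.ip_address(token)
    except ValueError:
        return None

def is_trusted_proxy(token):
    addr = _parse(token)
    return addr is not None and any(addr in net for net in TRUSTED_PROXIES)

def client_from_xff(value):
    """Return (client, unverified) for an X-Forwarded-For value.

    Each proxy appends the address of the peer that connected to it, so the
    chain is read right to left. Entries added by trusted proxies are skipped;
    the first other entry is the client as seen by your own proxy. Anything
    further left was sent by that client and is returned as unverified.
    client is None when the entry is not a valid IP or no client entry exists.
    """
    tokens = [t.strip() for t in value.split(",") if t.strip()]
    for i in range(len(tokens) - 1, -1, -1):
        if is_trusted_proxy(tokens[i]):
            continue
        addr = _parse(tokens[i])
        return (str(addr) if addr else None), tokens[:i]
    return None, []

if __name__ == "__main__":
    # Constructed sample XFF values, as they might appear in a log column.
    samples = [
        "192.168.10.23",                         # single proxy
        "192.168.10.23, 10.0.5.7",               # two chained trusted proxies
        "203.0.113.9, 192.168.10.23, 10.0.5.7",  # client pre-set its own XFF
        "not-an-ip, 10.0.5.7",                   # malformed entry
    ]
    for xff in samples:
        client, unverified = client_from_xff(xff)
        print(f"{xff!r}: client={client} unverified={unverified}")
```

A non-empty unverified list means the client sent its own XFF header, so only the returned client address should be used to track down the device.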
Enable the X-Forwarded-For option within HTTP
Header Logging in the URL Filtering profile.
select the URL Filtering profile you want to configure, or add a
You can’t enable XFF logging in the default URL Filtering
to save the profile.
Attach the URL Filtering profile to the security policy
rule(s) that enable access to web applications.
and click the rule.
and select the
just configured for X-Forwarded-For HTTP Header Logging.
Verify the firewall is logging XFF values.
View the XFF values in one of the following ways:
To display the XFF value for a single URL Filtering
log—Click the spyglass icon for the log to display its details.
The HTTP Headers section displays the X-Forwarded-For value.
To display the XFF values for all URL Filtering logs—Open
the drop-down in any column header, select
. The page then
displays an X-Forwarded-For column.
Use the XFF field in the URL Filtering log to troubleshoot
a log event in another log type.
Only the URL Filtering logs display the IP address of the source
user, in the X-Forwarded-For column. If you notice an event associated
with HTTP/HTTPS traffic but cannot identify the source IP address
because the log shows that of the proxy server, you can use the
X-Forwarded-For value in a correlated URL Filtering log to help you
identify the source address associated with the log event. To do this:
Find an event you want to investigate in a
Traffic, Threat, or WildFire Submissions log that is showing the
IP address of the proxy server as the source address.
Click the spyglass icon for the log to display its
details and look for an associated URL Filtering log at the bottom
of the Detailed Log Viewer window.
Select the header row and then select
drop-down to display this value.
The IP address in the X-Forwarded-For column represents
the IP address of the source user behind the proxy server. Use this
IP address to track down the device that triggered the event you