Create Custom HTTP Header Insertion Entries

Create custom HTTP Header Insertion rules for your Palo Alto Networks® firewall.
  1. If there are no upstream devices already decrypting HTTPS traffic, configure Decryption (see Configure SSL Forward Proxy).
    1. Add a Custom URL Category for the SaaS application you are managing (Objects > Custom Objects > URL Category).
    2. Specify a Name for the category.
    3. Add the domains specific to the SaaS application you are managing.
    4. Create a Decryption Policy Rule and, as you follow this procedure, configure the following:
      • In the Service/URL Category tab, Add the URL Category that you created in the previous step.
      • In the Options tab, make sure the Action is set to Decrypt and that the Type is set to SSL Forward Proxy.
  2. Edit or create a URL filtering profile.
  3. Select HTTP Header Insertion in the URL Filtering Profile dialog.
  4. Add an entry.
    1. Specify a Name for this entry.
    2. Select Custom as the Type.
    3. Add domains to the Domains list.
      You can add up to 50 domains and each domain name can have up to 256 characters; wildcards are supported (for example, *.example.com).
      HTTP header insertion occurs when a domain in this list matches the domain in the Host header of the HTTP request.
    4. Add headers to the Headers list.
      You can add up to 5 headers and each header can have up to 100 characters but cannot contain any spaces.
    5. For each header, enter a Value.
    6. (Optional) Select Log to enable logging of insertion activity for the headers.
    7. Click OK to save your changes.
  5. Add or edit a Security Policy rule (Policies > Security) that allows users to access the SaaS application for which you are configuring this header insertion rule.
    1. Choose the URL filtering profile (Actions > URL Filtering) that you edited or created in Step 2.
    2. Click OK to save and then Commit your changes.
  6. Verify that access to the SaaS application is working in the way you expect. From an endpoint that is connected to your network:
    1. Try to access an account or content that you expect to be able to access. If you cannot access the SaaS account or content, then the configuration is not working.
    2. Try to access an account or content that you expect will be blocked. If you can access the SaaS account or content, then the configuration is not working.
    3. If both of the previous steps work as expected, then you can View Logs (if you configured logging in step 4.6) and you should see the recorded HTTP header insertion activity.
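
A check you can run on a planned Custom entry before committing it: it applies the limits from steps 4.3 to 4.5 and previews which Host header values would trigger insertion. This is an added example, not Palo Alto Networks code; the function names, sample domains and header names are constructed, and the glob-style wildcard match is an assumption that approximates the firewall's matcher rather than reproducing it.

```python
import fnmatch

MAX_DOMAINS, MAX_DOMAIN_LEN = 50, 256   # limits stated in step 4.3
MAX_HEADERS, MAX_HEADER_LEN = 5, 100    # limits stated in step 4.4


def validate_entry(domains, headers):
    """Return a list of problems with a planned Custom entry (empty list = OK).

    domains: list of domain strings; headers: dict of header name -> value.
    The 100-character limit is applied to the header name (assumption).
    """
    problems = []
    if len(domains) > MAX_DOMAINS:
        problems.append(f"{len(domains)} domains exceeds the limit of {MAX_DOMAINS}")
    for d in domains:
        if len(d) > MAX_DOMAIN_LEN:
            problems.append(f"domain longer than {MAX_DOMAIN_LEN} characters: {d[:30]}...")
    if len(headers) > MAX_HEADERS:
        problems.append(f"{len(headers)} headers exceeds the limit of {MAX_HEADERS}")
    for name, value in headers.items():
        if len(name) > MAX_HEADER_LEN:
            problems.append(f"header longer than {MAX_HEADER_LEN} characters: {name[:30]}...")
        if any(c.isspace() for c in name):
            problems.append(f"header contains a space: {name!r}")
        if not value:
            problems.append(f"header {name!r} has no value (step 4.5)")
    return problems


def would_insert(host_header, domains):
    """Preview whether a request's Host header matches the Domains list.

    Assumed matcher: case-insensitive glob with any port suffix removed.
    """
    host = host_header.strip().lower()
    name, sep, port = host.rpartition(":")
    if sep and port.isdigit():          # drop ":443" style port suffix
        host = name
    return any(fnmatch.fnmatchcase(host, d.lower()) for d in domains)


if __name__ == "__main__":
    # Constructed sample entry; the header name and value are placeholders.
    domains = ["*.example.com", "example.com"]
    headers = {"X-Example-Restrict-Tenant": "tenant-id-placeholder"}
    print(validate_entry(domains, headers) or "entry is within the stated limits")
    for host in ["login.example.com:443", "example.com", "example.com.attacker.test"]:
        print(host, "->", would_insert(host, domains))
```

Hosts that the preview reports as non-matching are the ones to try in step 6 as traffic that should not receive the header.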
