Use XFF Values for Policies and Logging Source Users
You can configure the firewall to map the IP address in the XFF header to a username using User-ID. This gives you visibility into, and user-based policy control over, the web traffic of users behind a proxy server who cannot otherwise be identified. To map the IP addresses from the XFF headers to usernames, you must first Enable User-ID.
Enabling the firewall to use the X-Forwarded-For headers to perform user mapping does not enable the firewall to use the client IP address in the XFF header as the source address in the logs; the logs still display the proxy server IP address as the source address. However, to simplify debugging and troubleshooting, you can configure the firewall to Add XFF Values to URL Filtering Logs so that the URL Filtering logs display the client IP address from the XFF header.
To ensure that attackers can’t read and exploit the XFF values in web request packets that exit the firewall to retrieve content from an external server, you can also configure the firewall to strip the XFF values from outgoing packets.
These options are not mutually exclusive: if you configure both, the firewall zeroes out XFF values only after using them in policy enforcement and logging.
- Enable the firewall to use XFF values in policies and in the source user fields of logs.
  - Select Device > Setup > Content-ID and edit the X-Forwarded-For Headers settings.
  - Select Use X-Forwarded-For Header in User-ID.
- Remove XFF values from outgoing web requests.
  - Select Strip X-Forwarded-For Header.
  - Click OK and Commit.
- Verify the firewall is populating the source user fields.
  - Select a log type that has a source user field (for example, Monitor > Logs > Traffic).
  - Verify that the Source User column displays the usernames of users who access web applications.
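To confirm from outside the firewall that the strip setting is taking effect, a test web server you control can inspect the headers it receives for internal addresses. The following is an added example, not Palo Alto Networks code; the header samples are constructed, and treating a zeroed value as `0.0.0.0` or `::` is an assumption, since the page does not state its exact form.

```python
import ipaddress

def xff_tokens(headers):
    """Yield each entry from every X-Forwarded-For header received."""
    for name, value in headers:
        if name.strip().lower() == "x-forwarded-for":
            for token in value.split(","):
                if token.strip():
                    yield token.strip()

def parse_ip(token):
    """Parse one XFF entry, tolerating [v6]:port and v4:port forms."""
    if token.startswith("["):
        token = token[1:].split("]", 1)[0]
    elif token.count(":") == 1:
        token = token.split(":", 1)[0]
    try:
        return ipaddress.ip_address(token)
    except ValueError:
        return None  # e.g. "unknown" or an obfuscated identifier

def leaked_internal(headers):
    """Return internal addresses still exposed in XFF at the test server."""
    leaks = []
    for token in xff_tokens(headers):
        ip = parse_ip(token)
        # Assumption: a zeroed value shows up as 0.0.0.0 or ::, which
        # discloses nothing, so it is not counted as a leak.
        if ip is None or ip.is_unspecified:
            continue
        if ip.is_private or ip.is_loopback or ip.is_link_local:
            leaks.append(str(ip))
    return leaks

# Constructed header sets, as a test server outside the firewall might see them.
NOT_STRIPPED = [("Host", "example.test"),
                ("X-Forwarded-For", "10.1.2.3, 192.168.5.20:51234")]
ZEROED = [("Host", "example.test"), ("X-Forwarded-For", "0.0.0.0")]
MIXED = [("x-forwarded-for", "[fd00::5]:443"),
         ("X-Forwarded-For", "8.8.8.8, unknown")]

if __name__ == "__main__":
    for label, hdrs in (("not stripped", NOT_STRIPPED), ("zeroed", ZEROED),
                        ("mixed", MIXED)):
        print(label, "->", leaked_internal(hdrs) or "no internal address exposed")
```

A non-empty result for traffic that passed through the firewall means internal client addresses are still reaching the external server.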