If you have a proxy server deployed between the users
on your network and the firewall, the firewall might see the proxy
server IP address as the source IP address in HTTP/HTTPS traffic
that the proxy forwards rather than the IP address of the client
that requested the content. In many cases, the proxy server adds
an X-Forwarded-For (XFF) header to HTTP requests that include the
actual IPv4 or IPv6 address of the client that requested the content
or from whom the request originated. In such cases, you can configure
the firewall to extract the end user IP address from the XFF so
that User-ID can map that IP address to the username of the end
user. This enables you enforce user-based policy to safely enable
access to web-based applications for your users behind a proxy server.
In addition, if User-ID is able to map the XFF IP address to a username,
the firewall displays that username as the Source user in Traffic,
Threat, WildFire Submissions, and URL Filtering logs for visibility
into the web activity of users behind the proxy.
With this option enabled, the firewall uses the IP address in
the XFF header for user mapping purposes only. The source IP address
the firewall logs is still that of the proxy server, not that of
the source user. When you see a log event attributed to a user that
the firewall mapped using and IP address extracted from an XFF header,
it can be difficult to track down the specific device associated
with the event. To simplify debugging and troubleshooting of events
attributed to users behind the proxy server, you must also configure
the firewall to populate the X-Forwarded-For column in the URL Filtering
log with the IP address in the XFF header so that you can track
down the specific user and device associated with an log event that
is correlated with the URL Filtering log entry.
