You can now dynamically add the user’s domain
and username to the HTTP header for the user’s outgoing traffic
to allow any secondary appliances that you use with your Palo Alto
Networks firewall to receive the user’s information and enforce
To include the username and domain
in the header, the firewall requires the IP address-to-username
mapping for the user. If the user is not mapped, the firewall inserts
both the domain and username in Base64 encoding in the header.
you configure a secondary enforcement appliance with your Palo Alto Networks
firewall to enforce user-based policy, the secondary appliance may
not have the IP address-to-username mapping from the firewall. Transmitting
user information to downstream appliances may require deployment
of additional appliances such as proxies or negatively impact the
user’s experience (for example, users having to log in multiple
times). By sharing the user's identity in the HTTP headers, you
can enforce user-based policy without negatively impacting the user's
experience or deploying additional infrastructure.
configure this feature, apply the URL profile to your security policy, and
commit your changes, the firewall:
Populates the user
and domain values with the format of the primary username in the
group mapping for the source user.
Encodes this information using Base64.
Adds the Base64-encoded header to the payload.
Routes the traffic to the downstream appliance.
you want to include the username and domain only when the user accesses specific
domains, configure a domain list and the firewall inserts the header
only when a domain in the list matches the Host header of the HTTP
The firewall supports header insertion for HTTP/1.x
traffic only. HTTP/2 is not supported.
supports forward-proxy decryption traffic.