1. Home
    2. PAN-OS
    3. PAN-OS® New Features Guide
    4. User-ID Features
    5. Include Username in HTTP Header Insertion Entries

    Include Username in HTTP Header Insertion Entries

    You can now dynamically add the user’s domain and username to the HTTP header for the user’s outgoing traffic to allow any secondary appliances that you use with your Palo Alto Networks firewall to receive the user’s information and enforce user-based policy.
    To include the username and domain in the header, the firewall requires the IP address-to-username mapping for the user. If the user is not mapped, the firewall inserts
    unknown
     for both the domain and username in Base64 encoding in the header.
    When you configure a secondary enforcement appliance with your Palo Alto Networks firewall to enforce user-based policy, the secondary appliance may not have the IP address-to-username mapping from the firewall. Transmitting user information to downstream appliances may require deployment of additional appliances such as proxies or negatively impact the user’s experience (for example, users having to log in multiple times). By sharing the user's identity in the HTTP headers, you can enforce user-based policy without negatively impacting the user's experience or deploying additional infrastructure.
    When you configure this feature, apply the URL profile to your security policy, and commit your changes, the firewall:
    1. Populates the user and domain values with the format of the primary username in the group mapping for the source user.
    2. Encodes this information using Base64.
    3. Adds the Base64-encoded header to the payload.
    4. Routes the traffic to the downstream appliance.
    If you want to include the username and domain only when the user accesses specific domains, configure a domain list and the firewall inserts the header only when a domain in the list matches the Host header of the HTTP request.
    The firewall supports header insertion for HTTP/1.x traffic only. HTTP/2 is not supported.
    This feature supports forward-proxy decryption traffic.
    1. Enable User-ID if it is not already enabled.
    2. Configure group mapping to map users to groups.
    3. (Optional) To include the username and domain in headers for HTTPS traffic, create a decryption profile to decrypt HTTPS traffic.
    4. Create or edit a
      URL Filtering Profile
      .
      The firewall does not insert headers if the action for the URL filtering profile is
      block
       for the domain.
    5. Define the format for the headers.
      You can define up to five headers for each profile.
      1. Select
        HTTP Header Insertion
         and
        Add
         a new header type.
      2. Enter a
        Name
         (up to 100 characters) for the header.
      3. Select
        Dynamic Fields
         as the header
        Type
        .
      4. Add
         the
        Domains
         where you want insert headers. When the user accesses a domain in the list, the firewall inserts the specified header.
        Each domain name can be up to 254 characters and you can identify a maximum of 50 domains for each entry. The domain list supports wildcards (for example,
        *.example.com
        ); however, as a best practice, nesting wildcards (for example,
        *.*.*
         is not recommended. Do not overlap domains within the same URL profile.
      5. Add
         a new
        Header
         or select
        X-Authenticated-User
         to edit it.
      6. Select a header
        Value
         format (either
        ($domain)\($user)
         or
        WinNT://($domain)/($user)
        ) or enter your own format using the
        ($domain)
         and
        ($user)
         dynamic tokens (for example,
        ($user)@($domain)
         for UserPrincipalName).
        Do not use the same dynamic token (either
        ($user)
         or
        ($domain)
        ) more than once per value.
        Each value can be up to 512 characters. The firewall populates the
        ($user)
         and
        ($domain)
         dynamic tokens using the primary username in the group mapping profile. For example:
        • If the primary username is the sAMAccountName, the value for
          ($user)
           is the sAMAccountName and the value for
          ($domain)
           is the NetBios domain name.
        • If the primary username is the UserPrincipalName, the
          ($user)
           the user account name (prefix) and the
          ($domain)
           is the Domain Name System (DNS) name.
      7. (Optional) Select
        Log
         to enable logging for the header insertion.
        Allowed traffic is not logged, so header insertions are not logged for allowed traffic.
      8. Select
        OK
         twice to confirm the HTTP header configuration.
    6. Apply the URL filtering profile to the security policy rule for HTTP or HTTPS traffic.
      1. Select
        Policies
        Security
         and select a rule to which to apply the URL filtering profile that you justenabled for header insertion.
      2. On the
        Actions
         tab, select the URL Filtering profile.
      3. Click
        OK
         to save the security policy rule.
    7. Commit
       your changes.
    8. To verify the firewall includes the username and domain in the HTTP header:
      • Use the
        show user user-ids all
         command to verify the group mapping is correct.
      • Use the
        show counter global name ctd_header_insert
         command to view the number of HTTP headers inserted by the firewall.
      • If you configured logging in Step 3.7, check the logs for the inserted Base64 encoded payload (for example,
        corpexample\testuser
         would appear in the logs as
        Y29ycGV4YW1wbGVcdGVzdHVzZXI=
        ).

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2021 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo