Include Username in HTTP Header Insertion Entries
You can now dynamically add the user's domain and username to the HTTP header of the user's outgoing traffic, so that any secondary appliances you use with your Palo Alto Networks firewall receive the user's identity and can enforce user-based policy.
To include the username and domain in the header, the firewall requires an IP address-to-username mapping for the user. If the user is not mapped, the firewall inserts the literal value unknown for both the domain and the username; like any other value, it is Base64-encoded before it is placed in the header.
When you configure a secondary enforcement appliance with your Palo Alto Networks firewall to enforce user-based policy, the secondary appliance may not have the IP address-to-username mapping that the firewall has. Transmitting user information to downstream appliances would otherwise require additional infrastructure (such as proxies) or degrade the user experience (for example, users having to log in multiple times). By sharing the user's identity in the HTTP headers, you can enforce user-based policy on the downstream appliance without either.
When you configure this feature, apply the URL Filtering profile to a Security policy rule, and commit your changes, the firewall:
Populates the user and domain values in the format of the primary username in the group mapping for the source user.
Encodes this value using Base64.
Adds the Base64-encoded header to the HTTP request.
Routes the traffic to the downstream appliance.
If you want to include the username and domain only when the user accesses specific domains, configure a domain list; the firewall then inserts the header only when a domain in the list matches the Host header of the HTTP request.
The firewall supports header insertion for HTTP/1.x traffic only; HTTP/2 is not supported. The feature does support traffic decrypted with SSL Forward Proxy decryption, so the header can be inserted into HTTPS requests that the firewall decrypts.
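The insertion logic described above, as an added Python example (not part of the PAN-OS documentation or product code): it models how the firewall decides whether to insert the header and what value it produces, including the unknown fallback, the HTTP/1.x restriction and wildcard matching of the Host header against the domain list. The IP address-to-user mapping, client addresses and domain list are constructed for the example, and treating an empty domain list as "insert for every host" is an assumption; the Base64 value produced for corpexample\testuser is the one shown in the verification step of this page.

```python
import base64
import fnmatch
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for the firewall's IP address-to-username mapping (User-ID).
# Each tuple holds (domain, user) as derived from the primary username in the group mapping.
USER_ID_MAPPING: Dict[str, Tuple[str, str]] = {
    "10.1.1.5": ("corpexample", "testuser"),   # primary username = sAMAccountName (NetBIOS domain)
    "10.1.1.6": ("corpexample.com", "jdoe"),   # primary username = UserPrincipalName (DNS domain)
}


def resolve_user(client_ip: str) -> Tuple[str, str]:
    """Return (domain, user); both are 'unknown' when the client IP has no mapping."""
    return USER_ID_MAPPING.get(client_ip, ("unknown", "unknown"))


def host_matches(host: str, domains: List[str]) -> bool:
    """Match the request's Host header against the entry's domain list.

    Wildcards such as *.example.com are honoured. An empty list matches every host
    (assumption: without a domain list the header is inserted for all requests).
    """
    if not domains:
        return True
    hostname = host.split(":", 1)[0].lower()   # drop an explicit port, compare case-insensitively
    return any(fnmatch.fnmatchcase(hostname, d.lower()) for d in domains)


def render_value(fmt: str, domain: str, user: str) -> str:
    """Expand the ($domain) and ($user) tokens, enforcing the limits stated on the page."""
    if fmt.count("($domain)") > 1 or fmt.count("($user)") > 1:
        raise ValueError("each dynamic token may appear at most once per value")
    value = fmt.replace("($domain)", domain).replace("($user)", user)
    if len(value) > 512:
        raise ValueError("header value exceeds 512 characters")
    return value


def build_header(client_ip: str, http_version: str, host: str, domains: List[str],
                 fmt: str = "($domain)\\($user)",
                 header_name: str = "X-Authenticated-User") -> Optional[Tuple[str, str]]:
    """Return (header name, Base64 value) the firewall would insert, or None when it would not."""
    if not http_version.startswith("HTTP/1."):   # HTTP/2 is not supported
        return None
    if not host_matches(host, domains):          # Host header outside the domain list
        return None
    domain, user = resolve_user(client_ip)       # falls back to unknown\unknown
    value = render_value(fmt, domain, user)
    return header_name, base64.b64encode(value.encode("utf-8")).decode("ascii")


if __name__ == "__main__":
    # Mapped user, matching host: the header value from the page's verification example.
    print(build_header("10.1.1.5", "HTTP/1.1", "www.example.com", ["*.example.com"]))
    # Unmapped client: domain and user both become 'unknown' before encoding.
    print(build_header("10.9.9.9", "HTTP/1.1", "www.example.com", ["*.example.com"]))
    # Host outside the list, or HTTP/2: nothing is inserted.
    print(build_header("10.1.1.5", "HTTP/1.1", "other.test", ["*.example.com"]))
    print(build_header("10.1.1.5", "HTTP/2", "www.example.com", ["*.example.com"]))
```

Note that *.example.com does not match the bare host example.com; if the apex domain must also trigger insertion, list it separately rather than nesting wildcards.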
Enable User-ID if it is not already enabled.
(Optional) To include the username and domain in headers for HTTPS traffic, configure decryption for that traffic (a Decryption policy rule with a Decryption profile); the firewall can only insert headers into HTTPS requests it decrypts.
Create or edit a URL Filtering profile.
The firewall does not insert headers if the URL Filtering profile's action for the domain is block.
Define the format for the headers. You can define up to five header insertion entries for each profile.
Select HTTP Header Insertion and Add a new header insertion entry.
Enter a Name (up to 100 characters) for the entry.
Select Dynamic Fields as the header Type.
Add the Domains for which you want to insert headers. When the user accesses a domain in the list, the firewall inserts the specified header.
Each domain name can be up to 254 characters and you can specify a maximum of 50 domains for each entry. The domain list supports wildcards (for example, *.example.com); however, nesting wildcards (for example, *.*.*) is not recommended. Do not specify overlapping domains within the same URL Filtering profile.
Add a new Header or select X-Authenticated-User to edit it.
Select a header Value format (either ($domain)\($user) or WinNT://($domain)/($user)) or enter your own format using the ($domain) and ($user) dynamic tokens (for example, ($user)@($domain) for a UserPrincipalName). Do not use the same dynamic token (($user) or ($domain)) more than once per value. Each value can be up to 512 characters.
The firewall populates the ($user) and ($domain) dynamic tokens from the primary username attribute in the group mapping profile. For example:
If the primary username is the sAMAccountName, ($user) is the sAMAccountName and ($domain) is the NetBIOS domain name.
If the primary username is the UserPrincipalName, ($user) is the user account name (the prefix before the @) and ($domain) is the Domain Name System (DNS) domain name.
(Optional) Select Log to enable logging for the header insertion.
The allow action does not generate URL Filtering log entries, so header insertions into allowed traffic are not logged; use the alert action for the domain if you need a log entry for each insertion.
Select OK twice to confirm the HTTP header configuration.
Apply the URL Filtering profile to the Security policy rule for the HTTP or HTTPS traffic.
Select the Security policy rule to which you want to apply the URL Filtering profile that you just enabled for header insertion.
On the Actions tab, select the URL Filtering profile.
Click OK to save the Security policy rule.
To verify that the firewall includes the username and domain in the HTTP header:
Use the show user user-ids all command to verify that the group mapping is correct, and show user ip-user-mapping all to confirm that the source IP address of the client is mapped to a user; an unmapped client produces unknown for both tokens.
Use the show counter global name ctd_header_insert command to view the number of HTTP headers inserted by the firewall.
If you enabled logging for the header insertion entry, check the URL Filtering logs for the inserted Base64-encoded value (for example, corpexample\testuser appears in the logs as Y29ycGV4YW1wbGVcdGVzdHVzZXI=).
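A downstream appliance that consumes the header has to reverse the encoding described on this page: decode the Base64 value, split it back into domain and user according to the configured value format, and refuse to make a policy decision on the unknown\unknown value or on anything malformed. The following Python is an added example, not PAN-OS documentation or any vendor's code; the firewall addresses and request headers are constructed. The peer-address check is a general precaution rather than something this page describes: a header that names a user is only trustworthy on the path where the firewall inserted it, because on any other path the client could set X-Authenticated-User itself.

```python
import base64
import binascii
import re
from typing import Dict, List, Optional

# Value formats a downstream appliance should expect: the two built-in formats and the
# UserPrincipalName example from the page. The backslash form is tried first so that a
# domain\user value whose user part contains '@' is not mistaken for a UPN.
VALUE_FORMATS = [
    ("domain_backslash_user", re.compile(r"^(?P<domain>[^\\]+)\\(?P<user>[^\\]+)$")),
    ("winnt_url", re.compile(r"^WinNT://(?P<domain>[^/]+)/(?P<user>[^/]+)$")),
    ("upn", re.compile(r"^(?P<user>[^@]+)@(?P<domain>[^@]+)$")),
]


def decode_header(encoded: str) -> Optional[str]:
    """Decode the Base64 value as the firewall inserted/logged it; None if it is not valid Base64/UTF-8."""
    try:
        return base64.b64decode(encoded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def parse_value(value: str) -> Optional[Dict[str, object]]:
    """Split a decoded value into domain and user. 'mapped' is False for the unknown/unknown fallback."""
    for name, pattern in VALUE_FORMATS:
        m = pattern.match(value)
        if m:
            domain, user = m.group("domain"), m.group("user")
            return {"format": name, "domain": domain, "user": user,
                    "mapped": not (domain == "unknown" and user == "unknown")}
    return None   # value does not match any configured format


def parse_identity(encoded: str) -> Optional[Dict[str, object]]:
    """Decode and parse an X-Authenticated-User value; None means 'no usable identity'."""
    value = decode_header(encoded)
    return parse_value(value) if value is not None else None


def identity_from_request(headers: Dict[str, str], peer_ip: str,
                          firewall_ips: List[str]) -> Optional[Dict[str, object]]:
    """Honour X-Authenticated-User only on connections that arrive from the firewall.

    firewall_ips is the (assumed) set of addresses the firewall sends from; on any other
    path the header may have been supplied by the client and must be ignored.
    """
    if peer_ip not in firewall_ips:
        return None
    for name, raw in headers.items():          # header names are case-insensitive
        if name.lower() == "x-authenticated-user":
            return parse_identity(raw)
    return None


if __name__ == "__main__":
    # The page's own example value, and the fallback value for an unmapped client.
    print(parse_identity("Y29ycGV4YW1wbGVcdGVzdHVzZXI="))
    print(parse_identity("dW5rbm93blx1bmtub3du"))
    # Constructed request seen by a downstream appliance on the firewall-facing path.
    request_headers = {"Host": "www.example.com",
                       "X-Authenticated-User": "Y29ycGV4YW1wbGVcdGVzdHVzZXI="}
    print(identity_from_request(request_headers, "192.0.2.1", ["192.0.2.1"]))
    print(identity_from_request(request_headers, "198.51.100.7", ["192.0.2.1"]))  # None: not from the firewall
```

The decoder uses validate=True so that stray characters in a logged value fail loudly instead of being silently skipped; when the result is None, treat the request as unauthenticated rather than as unknown.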