Use XFF Values for Policy Based on Source Users
Where Can I Use This? / What Do I Need?
  • NGFW (PAN-OS & Panorama Managed)
  • Prisma Access (Managed by Panorama)
Check for any license or role requirements for the products you're using.
You can configure the firewall to map the IP address in the XFF header to a username using User-ID so that you have visibility into, and user-based policy control over, the web traffic of users behind a proxy server who cannot otherwise be identified. Before the firewall can map the IP addresses from the XFF headers to usernames, you must first Enable User-ID.
With this option enabled, the firewall uses the IP address in the XFF header for user mapping purposes only. The source IP address the firewall logs is still that of the proxy server, not that of the source user. When you see a log event attributed to a user that the firewall mapped using an IP address extracted from an XFF header, it can be difficult to track down the specific device associated with the event. To simplify debugging and troubleshooting of events attributed to users behind the proxy server, you must also configure the firewall to populate the X-Forwarded-For column in the URL Filtering log with the IP address from the XFF header, so that you can track down the specific user and device associated with a log event that is correlated with the URL Filtering log entry.
The XFF header your proxy server adds must contain the source IP address of the end user who originated the request. If the header contains multiple IP addresses, the firewall uses the first IP address only. If the header contains information other than an IP address, the firewall will not be able to perform user mapping.
Enabling the firewall to use the X-Forwarded-For headers to perform user mapping does not enable the firewall to use the client IP address in the XFF header as the source address in the logs; the logs still display the proxy server IP address as the source address. However, to simplify the debugging and troubleshooting process you can configure the firewall to Add XFF Values to URL Filtering Logs to display the client IP address from the XFF header in the URL Filtering logs.
  1. Enable the firewall to use XFF values in policies and in the source user fields of logs.
    1. Select Device > Setup > Content-ID and edit the X-Forwarded-For Headers settings.
    2. Select Enabled for User-ID to Use X-Forwarded-For Header for User-ID.
  2. Remove XFF values from outgoing web requests.
    1. Select Strip X-Forwarded-For Header.
    2. Click OK and Commit.
  3. Verify the firewall is populating the source user fields of logs.
    1. Select a log type that has a source user field (for example, Monitor > Logs > Traffic).
    2. Verify that the Source User column displays the usernames of users who access web applications.
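The following is an added example, not code from the PAN-OS documentation or product. It models the XFF handling described above (only the first comma-separated value is used, it must be an IP address literal, the logged source address stays the proxy's, and the source user comes from a User-ID lookup of the extracted address) so you can check what a given proxy's header will or will not map to. The User-ID table, the proxy address and the log-record layout are constructed for this example.

```python
import ipaddress

# Constructed User-ID table (IP -> username); on a firewall this comes from User-ID.
USER_ID_MAP = {"10.1.2.3": "acme\\alice", "10.1.2.4": "acme\\bob"}
PROXY_IP = "192.0.2.10"  # constructed address of the explicit proxy


def xff_client_ip(xff_value):
    """Return the address the firewall would use for user mapping, or None.

    Documented rule: only the first value in the header is used, and it must be
    an IP address. Anything else (hostname, 'unknown', empty) yields no mapping.
    """
    if not xff_value:
        return None
    first = xff_value.split(",")[0].strip()
    try:
        return str(ipaddress.ip_address(first))
    except ValueError:
        return None


def build_log_entry(proxy_ip, xff_value, use_xff_for_userid=True, add_xff_to_url_log=True):
    """Model a log record as the firewall would populate it for one proxied request.

    'src' is always the proxy address; 'src_user' is filled only when the XFF
    option is on and the extracted address has a User-ID mapping. The
    'x_forwarded_for' column is modelled as the extracted address (assumption).
    """
    client_ip = xff_client_ip(xff_value) if use_xff_for_userid else None
    return {
        "src": proxy_ip,
        "src_user": USER_ID_MAP.get(client_ip) if client_ip else None,
        "x_forwarded_for": client_ip if add_xff_to_url_log else None,
    }


def strip_xff(headers):
    """Model the 'Strip X-Forwarded-For Header' option: drop the header (any case)
    before the request leaves the firewall, so internal addresses are not exposed."""
    return {k: v for k, v in headers.items() if k.lower() != "x-forwarded-for"}


if __name__ == "__main__":
    for hdr in ["10.1.2.3, 198.51.100.7", "unknown, 10.1.2.3", "10.1.2.9", ""]:
        print(repr(hdr), "->", build_log_entry(PROXY_IP, hdr))
    print(strip_xff({"Host": "example.com", "X-Forwarded-For": "10.1.2.3"}))
```

Running the script shows why a proxy that emits `unknown, <ip>` or a hostname as the first value produces no Source User, even though the real client address is present further along in the header.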