Configure the firewall to include the domain and username
in the traffic headers to allow other appliances to receive user
identification information.
When you configure a secondary enforcement
appliance with your Palo Alto Networks firewall to enforce user-based
policy, the secondary appliance may not have the IP address-to-username
mapping from the firewall. Transmitting user information to downstream
appliances may require deployment of additional appliances such
as proxies or negatively impact the user’s experience (for example,
users having to log in multiple times). By sharing the user's identity
in the HTTP headers, you can enforce user-based policy without negatively
impacting the user's experience or deploying additional infrastructure.
When you configure this feature, apply the URL profile to your Security policy, and commit your changes, the firewall:
- Populates the user and domain values using the primary username format from the group mapping for the source user.
- Encodes this information using Base64.
- Adds the Base64-encoded header to the payload.
- Routes the traffic to the downstream appliance.
If you want to include the username and domain only when the user accesses specific domains, configure a domain list; the firewall then inserts the header only when a domain in the list matches the Host header of the HTTP request.
To share user information with downstream appliances, you must first enable User-ID and configure group mapping.
To include the username and domain in the header, the firewall requires the IP address-to-username mapping for the user. If the user is not mapped, the firewall inserts the Base64-encoded value unknown for both the domain and the username in the header.
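The following is an added illustration of the behavior described above, not Palo Alto Networks code: it models the IP address-to-username lookup, the Base64 encoding, the domain-list match against the Host header, the unknown fallback for unmapped users, and the decode step a downstream appliance would perform. The header name and the domain\username value format are assumptions, since the page does not name them; the mapping and request are constructed sample data.

```python
import base64

# Constructed sample data (not from the page): the IP address-to-username
# mapping User-ID would hold, and a domain list that restricts insertion
# to requests whose Host header matches a listed domain.
IP_USER_MAP = {"10.1.1.5": ("corp", "alice")}
DOMAIN_LIST = {"intranet.example.com"}
# Assumption: the page does not name the header, so a placeholder is used.
HEADER_NAME = "X-Placeholder-User-Header"
UNKNOWN = "unknown"


def identity_for(src_ip, ip_user_map=IP_USER_MAP):
    """Return (domain, username); both are 'unknown' when the IP is unmapped."""
    return ip_user_map.get(src_ip, (UNKNOWN, UNKNOWN))


def encode_identity(domain, username):
    """Assumed primary-username format domain\\username, Base64-encoded."""
    return base64.b64encode(f"{domain}\\{username}".encode()).decode()


def decode_identity(value):
    """What the downstream appliance does to recover (domain, username)."""
    domain, _, username = base64.b64decode(value).decode().partition("\\")
    return domain, username


def insert_header(src_ip, raw_request, domain_list=DOMAIN_LIST):
    """Insert the identity header into a CRLF-delimited HTTP/1.1 request
    when the Host header matches the domain list (or no list is configured)."""
    head, sep, body = raw_request.partition("\r\n\r\n")
    lines = head.split("\r\n")
    host = None
    for line in lines[1:]:
        name, _, val = line.partition(":")
        if name.strip().lower() == "host":
            host = val.strip().lower()
    if domain_list and host not in domain_list:
        return raw_request  # Host not in the domain list: leave the request as-is
    header = f"{HEADER_NAME}: {encode_identity(*identity_for(src_ip))}"
    return "\r\n".join(lines + [header]) + sep + body


if __name__ == "__main__":
    # Constructed sample request from a mapped user to a listed domain.
    req = "GET / HTTP/1.1\r\nHost: intranet.example.com\r\n\r\n"
    print(insert_header("10.1.1.5", req))
```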
To include the username and domain in headers for HTTPS traffic, you must first create a decryption profile to decrypt HTTPS traffic. This feature supports forward-proxy decryption traffic.