Collect XFF Values for User-ID

When an HTTP proxy sits between users on your network and your firewall, outgoing web requests from these users appear to originate from the proxy server. This is because web requests pass through the proxy before reaching the firewall and the proxy doesn’t share the client (source) IP address with the firewall. As a result, the Source Address fields in Traffic, Threat, WildFire Submissions, and URL Filtering logs show the IP address of the proxy server. Further, the firewall treats all users behind the proxy as a single user, preventing it from enforcing policy rules based on users.
To address this challenge, configure your firewall to extract client IP addresses from X-Forwarded-For (XFF) request headers and match them to IP address-to-User mappings. When someone behind a proxy server sends a web request, the firewall parses the XFF header for the client IP address. Then, the firewall identifies who made the request by comparing the client IP address to user mappings on the firewall. After identifying the user, the firewall enforces the appropriate policy action. You can find the username in the Source User field of Traffic, Threat, WildFire Submissions, and URL Filtering logs.
For example, suppose you configure a Security policy rule that limits access to a proprietary application to members of the IT group. A newly remote IT administrator accesses the application from behind a proxy server. With XFF enabled for User-ID, the firewall grants the administrator access to the application because their IP address maps to a username in the IT group. If the IP address did not correspond to an IT group member, the firewall would have blocked access to the application.
If the XFF header contains multiple IP addresses, the firewall uses the first (left-most) IP address for the user mapping, because that address is the one from which the HTTP/S request originated. The firewall can only use a header of the form X-Forwarded-For: <client>, <proxy1>, <proxy2>, where every value is an IP address; if the header deviates from that format, the firewall cannot match the client IP address to an IP address-to-User mapping.
When you use XFF headers for User-ID, the firewall uses the client IP address only for user mapping and policy enforcement purposes. This configuration doesn’t impact how the firewall logs the client IP address in Traffic, Threat, WildFire Submissions, and URL Filtering logs. The Source Address field shows the IP address for the proxy server that traffic first passes through on the way to its destination server. The Source User field shows the username to which a client IP address corresponds.
Enable the X-Forwarded-For option in a URL Filtering profile that is attached to Security policy rules that allow access to web-based applications. The X-Forwarded-For option lets the firewall record client IP addresses in URL Filtering logs, simplifying the debugging and troubleshooting of log events involving users behind a proxy server.
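To make the parsing rule above concrete, the following is an added Python example (not Palo Alto Networks code) that applies the same logic: the left-most value is the client, the whole header is unusable unless every value is an IP address, the client IP is looked up in an IP address-to-User table, and the header is dropped from the forwarded request when stripping is enabled. The mapping entries, sample headers, and function names are assumptions constructed for the example.

```python
import ipaddress
from typing import Dict, Optional

# Constructed IP-address-to-User mapping table standing in for the firewall's
# User-ID mappings (hypothetical sample values, not real users).
IP_USER_MAPPINGS: Dict[str, str] = {
    "10.1.20.15": "corp\\jsmith",
    "10.1.20.42": "corp\\it-admin",
}


def xff_client_ip(header_value: Optional[str]) -> Optional[str]:
    """Return the client IP taken from an X-Forwarded-For header value.

    The left-most value is the client address. The header is only usable when
    every comma-separated value parses as an IPv4 or IPv6 address; otherwise
    (or when the header is absent) None is returned and no mapping is possible.
    """
    if not header_value or not header_value.strip():
        return None
    values = [v.strip() for v in header_value.split(",")]
    try:
        for value in values:
            ipaddress.ip_address(value)  # raises ValueError for non-IP values
    except ValueError:
        return None
    return values[0]


def resolve_source_user(xff_header: Optional[str],
                        mappings: Dict[str, str] = IP_USER_MAPPINGS) -> Optional[str]:
    """Map the XFF client IP to a username, as the Source User log field would show.

    Returns None when the header is unusable or the client IP has no mapping,
    in which case user-based policy cannot match this request.
    """
    client_ip = xff_client_ip(xff_header)
    if client_ip is None:
        return None
    return mappings.get(client_ip)


def strip_xff(headers: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of the request headers without X-Forwarded-For.

    This is the effect of the Strip X-Forwarded-For Header option on requests
    forwarded to the destination server; it does not change user mapping.
    """
    return {k: v for k, v in headers.items() if k.lower() != "x-forwarded-for"}
```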
  1. Configure User-ID.
    This is a prerequisite for enabling the use of XFF values for User-ID and in the Source User field of logs.
  2. Enable the firewall to use XFF values in Security policy rules and in the Source User field of logs.
    1. Select Device > Setup > Content-ID and edit the X-Forwarded-For Headers settings.
    2. For Use X-Forwarded-For Header, select Enabled for User-ID.
  3. (Optional) Remove XFF values from outgoing web requests.
    The Strip X-Forwarded-For Header option does not affect the use of XFF headers for User-ID. The firewall removes the XFF header before forwarding HTTP requests to their destination.
    1. Select Strip X-Forwarded-For Header.
    2. Click OK and Commit your changes.
  4. Verify the firewall populates the Source User field of logs.
    1. Select a log type that has a Source User field (for example, Monitor > Logs > Traffic).
    2. Verify that the Source User column displays the usernames of users who access web applications.