Use XFF Values for Policy Based on Source Users
If your organization has an HTTP proxy server between users on your network and the firewall, the firewall cannot identify who made a web request because the proxy server address appears to be the source or client IP address. This is an issue because all users behind the proxy get identified as a single user, which prevents you from applying user-based policy.
To address this challenge, configure your firewall to extract the client IP address from an XFF header and match it to an IP-User mapping on the firewall. The firewall then uses the client IP address, matched with an IP-User mapping, to apply the appropriate user- or group-based policy. The Source User field in Traffic, Threat, WildFire Submissions, and URL Filtering logs will display the username to which the client IP address maps. For example, suppose you configure a Security policy rule that only allows members of the IT group to access a proprietary application. If you enable the firewall to map IP addresses to users, the firewall can recognize, from the client IP address, when a user outside of the IT group (behind a proxy) attempts to access the application.
When you use XFF headers for User-ID, the firewall uses the client IP address only for user mapping and policy enforcement purposes. This setting does not change how the firewall logs the client IP address in Traffic, Threat, WildFire Submissions, and URL Filtering logs. The Source Address field will contain the IP address for the proxy server that the HTTP traffic first passed through on the way to its destination server. In other words, the logs do not show the client IP address.
To use XFF headers for user-based policy, you’ll need to enable User-ID and configure your firewall to use XFF values for User-ID. If the XFF header contains multiple IP addresses, the firewall uses the first (left-most) IP address for user mapping. The first address corresponds to the IP address or device from which an HTTP or HTTPS request originates. If the header contains values other than IP addresses, the firewall cannot perform user mapping.
When you see a log event attributed to a user that the firewall mapped using an IP address extracted from an XFF header, it can be difficult to track down the specific device associated with the event. To help you debug and troubleshoot log events, configure the firewall to record the IP addresses of source users in URL Filtering logs. The URL Filtering logs will record client IP addresses under the X-Forwarded-For IP field.
Then, you can go into the details of the log type you are interested in to find the corresponding URL Filtering log entry with the IP address for the specific user and device that initiated the log event you are investigating. Because URL Filtering logs viewed on the web interface no longer display the X-Forwarded-For IP column, you’ll need to export URL Filtering logs to CSV format to view the XFF data.
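The following Python script is an added example that models the behavior described above; it is not code from the page or from Palo Alto Networks, and the IP-User mapping, group membership, and log field names it uses are constructed for illustration. It takes the left-most XFF value, rejects values that are not IP addresses, looks up the user, evaluates a group-based rule, and builds the log records the page describes (Source Address remains the proxy IP; only the URL Filtering record carries the X-Forwarded-For IP field).

```python
import ipaddress
from typing import Optional

# Constructed IP-to-user mapping standing in for the firewall's User-ID table
# (example data, not from the page).
IP_USER_MAPPING = {
    "10.1.1.25": "corp\\alice",
    "10.1.1.26": "corp\\bob",
    "2001:db8::10": "corp\\carol",
}

# Constructed group membership used by the example Security rule.
GROUP_MEMBERS = {
    "it-group": {"corp\\alice"},
}


def client_ip_from_xff(xff_header: Optional[str]) -> Optional[str]:
    """Return the client IP used for user mapping, or None.

    Mirrors the documented behavior: only the first (left-most) XFF value is
    considered, and a value that is not an IP address yields no mapping.
    """
    if not xff_header:
        return None
    first = xff_header.split(",")[0].strip()
    try:
        # ipaddress validates both IPv4 and IPv6 literals and normalizes them.
        return str(ipaddress.ip_address(first))
    except ValueError:
        # e.g. "unknown" or a host:port string: no IP, so no user mapping.
        return None


def map_source_user(xff_header: Optional[str]) -> Optional[str]:
    """Resolve the Source User from the XFF client IP via the mapping table."""
    client_ip = client_ip_from_xff(xff_header)
    if client_ip is None:
        return None
    return IP_USER_MAPPING.get(client_ip)


def rule_allows(source_user: Optional[str], allowed_group: str) -> bool:
    """Group-based rule: allow only members of allowed_group.

    An unmapped request (None) never matches a user-based allow rule.
    """
    if source_user is None:
        return False
    return source_user in GROUP_MEMBERS.get(allowed_group, set())


def build_log_entries(proxy_ip: str, xff_header: Optional[str], url: str):
    """Build the Traffic and URL Filtering records as the page describes them.

    Source Address stays the proxy IP in both logs; Source User comes from the
    XFF-based mapping; only the URL Filtering record holds the client IP under
    the X-Forwarded-For IP field.
    """
    source_user = map_source_user(xff_header)
    traffic_log = {
        "Source Address": proxy_ip,
        "Source User": source_user,
    }
    url_filtering_log = {
        "Source Address": proxy_ip,
        "Source User": source_user,
        "X-Forwarded-For IP": client_ip_from_xff(xff_header),
        "URL": url,
    }
    return traffic_log, url_filtering_log


if __name__ == "__main__":
    # Constructed request: proxy at 192.0.2.1 forwards alice's request and
    # appends its own address to the XFF chain.
    proxy, xff = "192.0.2.1", "10.1.1.25, 192.0.2.1"
    user = map_source_user(xff)
    print("Source User:", user, "| IT rule allows:", rule_allows(user, "it-group"))
    for entry in build_log_entries(proxy, xff, "https://app.example.internal/"):
        print(entry)
```

Running the script shows the two records side by side: the Traffic record identifies the user but still logs the proxy address, which is why the page tells you to export the URL Filtering log to recover the device IP behind a Source User.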
  1. Enable the firewall to use XFF values in policies and in the source user fields of logs.
    1. Select Device > Setup > Content-ID and edit the X-Forwarded-For Headers settings.
    2. Select Enabled for User-ID to Use X-Forwarded-For Header for User-ID.
  2. Remove XFF values from outgoing web requests.
    1. Select Strip X-Forwarded-For Header.
    2. Click OK and Commit.
  3. Verify the firewall is populating the source user fields of logs.
    1. Select a log type that has a source user field (for example, Monitor > Logs > Traffic).
    2. Verify that the Source User column displays the usernames of users who access web applications.