You can configure the firewall to map the IP address in the XFF header to a username using User-ID, so that you have visibility into, and user-based policy control over, the web traffic of users behind a proxy server who cannot otherwise be identified. Before the firewall can map the IP addresses in XFF headers to usernames, you must first Enable User-ID.
Enabling the firewall to use X-Forwarded-For headers for user mapping does not make it use the client IP address from the XFF header as the source address in the logs; the logs still show the proxy server IP address as the source address. To simplify debugging and troubleshooting, however, you can configure the firewall to Add XFF Values to URL Filtering Logs, which displays the client IP address from the XFF header in the URL Filtering logs.
To ensure that attackers cannot read and exploit the XFF values in web request packets that leave the firewall to retrieve content from an external server, you can also configure the firewall to strip the XFF values from outgoing packets.
These options are not mutually exclusive: if you configure both, the firewall zeroes out the XFF values only after using them for policy enforcement and logging.
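The following is an added example that models the three behaviours described above in plain Python; it is not PAN-OS code and does not reproduce the firewall's implementation. It assumes a hypothetical IP-to-user table (`IP_USER_MAP`) standing in for the mappings User-ID would provide, a hypothetical set of proxies whose XFF headers are trusted (`TRUSTED_PROXIES`), and constructed sample headers. It also adds a caveat the page does not state explicitly: an XFF header is only believable when the packet actually arrived from a proxy you control, because any client can write its own X-Forwarded-For header. The order of operations (map and log first, zero the value last) follows the last paragraph.

```python
import ipaddress
from typing import Optional

# Constructed sample data (hypothetical, not from any real deployment).
# IP-to-user mappings as User-ID would hand them to the policy engine.
IP_USER_MAP = {
    "10.1.2.3": "acme\\alice",
    "10.1.2.4": "acme\\bob",
}
# Proxies whose X-Forwarded-For headers we are willing to believe (assumption).
TRUSTED_PROXIES = {"192.0.2.10"}
XFF = "X-Forwarded-For"


def _xff_key(headers: dict[str, str]) -> Optional[str]:
    """Header names are case-insensitive; return the XFF key as the request spells it."""
    return next((k for k in headers if k.lower() == XFF.lower()), None)


def parse_xff(value: str) -> list[str]:
    """Split an XFF value into its hop list, keeping only syntactically valid IP literals."""
    hops = []
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        try:
            hops.append(str(ipaddress.ip_address(part)))
        except ValueError:
            # Not an IP literal ("unknown", a hostname, injected junk): drop it.
            pass
    return hops


def client_ip(headers: dict[str, str], packet_src: str) -> Optional[str]:
    """Return the original client address behind the proxy, or None.

    The leftmost XFF hop is the client, but only if the packet came from a proxy
    we trust: otherwise the header is attacker-controlled and a client could
    impersonate any user in the mapping table simply by sending its own XFF.
    """
    key = _xff_key(headers)
    if key is None or packet_src not in TRUSTED_PROXIES:
        return None
    hops = parse_xff(headers[key])
    return hops[0] if hops else None


def strip_xff(headers: dict[str, str]) -> dict[str, str]:
    """Zero out the XFF value before the request leaves for the external server.

    Modeling choice for this example: the value is replaced with 0.0.0.0 so the
    external server learns nothing about internal clients. The exact bytes the
    firewall writes are not described on the page.
    """
    out = dict(headers)
    key = _xff_key(out)
    if key is not None:
        out[key] = "0.0.0.0"
    return out


def process_request(headers: dict[str, str], packet_src: str) -> tuple[dict, dict[str, str]]:
    """Apply the options in the order the page describes and return (log_entry, outgoing_headers).

    1. User mapping and logging consume the XFF value.
    2. Only afterwards is the value zeroed in the outgoing headers.
    The log's source address stays the proxy (packet_src); the client IP appears
    only in a separate 'xff' field, mirroring the URL Filtering log option.
    """
    ip = client_ip(headers, packet_src)
    user = IP_USER_MAP.get(ip) if ip else None
    log_entry = {"src": packet_src, "xff": ip, "user": user}
    return log_entry, strip_xff(headers)


if __name__ == "__main__":
    # Constructed request: two proxy hops, original client 10.1.2.3, arriving from a trusted proxy.
    hdrs = {"Host": "example.com", "X-Forwarded-For": "10.1.2.3, 10.9.9.9"}
    print(process_request(hdrs, "192.0.2.10"))
    # Same header arriving directly from a host that is not a trusted proxy: no mapping.
    print(process_request(hdrs, "10.1.2.4"))
```

The second call in the usage block is the case a practitioner should check in their own deployment: a header that looks valid but did not come through the expected proxy must not produce a user mapping, otherwise an XFF header is all an attacker needs to inherit another user's policy.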