How to identify users connecting through proxy and restrict access through security policy

Created On 09/25/18 19:49 PM - Last Modified 01/28/24 04:44 AM


Symptom


Consider a proxy server deployed between the users on a network and the firewall. In this case, the firewall shows the proxy server's IP address as the source IP address in the traffic logs. Hence, restricting access based on the actual user, or determining the actual user from the traffic logs, is not possible.

This article focuses on providing a solution to this issue.

Note: This is applicable to PAN-OS 7.0 and later.


Diagnosis

Prerequisites:

  1. The proxy server should add an X-Forwarded-For (XFF) header containing the client's actual IP address when forwarding requests to the firewall
  2. Configure User Identification (User-ID) on the firewall to gather the ip-user-mapping
  3. Enable XFF identification for User-ID. To learn more about this, please click here.


 



Environment

• PAN-OS Firewall


Resolution

Setup:

Proxy server (192.168.30.103)  ---- PA Firewall ----- Internet

Configure the security policies on the firewall in the order shown:

[Screenshot: Security Policies]

Details:

Allow DNS - Required to allow DNS queries before the actual connection.

Allow Handshake - Required to allow the TCP 3-way handshake, because the XFF header is carried in the HTTP GET packet, which follows the 3-way handshake. Hence, the user mapping can be determined only after the initial handshake. The following are the traffic logs for the initial 3-way handshake:

[Screenshot: Initial Handshake]

Note: This policy has a URL filtering profile applied to allow only the initial 3-way handshake and no web browsing. After the 3-way handshake, further action is determined by the user-specific policies.

XFF - Required for restricting user-based access (the application can be changed to specific web-browsing [since XFF is in HTTP] or combined with other user-based policies as required). Also, a URL filtering profile could be applied for more restrictions on traffic.

After HTTP GET packets arrive at the firewall from the proxy server, the firewall checks the ip-user-mapping table to find the source user and applies policies based on that user.

GET Packet:

[Screenshot: XFF packet-1]

User Mapping:

[Screenshot: User mapping]

Policy Shift:

[Screenshot: Policy Shift]

Additional notes:

- For HTTPS, the complete SSL handshake needs to be allowed (as in Allow Handshake, but with no URL filtering) and SSL decryption needs to be enabled so that the firewall can read the XFF header and check the user mapping.

- If there is no user mapping for the IP in XFF, Source User will be blank in the traffic logs and user-based policies will not come into action.

- If you enable XFF for User-ID, URL filtering logs will show the username in Source User instead of the XFF IP. To see how to enable XFF in URL filtering logs, please click here.

- XFF can be enabled for URL filtering logs even if there is no URL filtering license. For more details, please click here.
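As an added example (not code from the article or from PAN-OS), the following Python models the XFF step and the notes above: it pulls the original client address from the X-Forwarded-For header of the forwarded GET, looks it up in a constructed ip-user-mapping table, and walks constructed user-based rules in order; a missing header or an unmapped address yields a blank Source User, so no user rule matches and the request falls to the implicit deny. The mapping table, rule names, user names and request bytes are all constructed sample data.

```python
from typing import Dict, Optional, Tuple

# Constructed ip-user-mapping table (on the firewall, User-ID builds this).
IP_USER_MAPPING: Dict[str, str] = {
    "10.1.1.25": "corp\\alice",
    "10.1.1.26": "corp\\bob",
}

# Constructed user-based rules, evaluated top-down, standing in for the
# article's "XFF" rule. A blank user never matches any of them.
USER_POLICIES = [
    ("XFF-allow-alice", "corp\\alice", "allow"),
    ("XFF-deny-bob", "corp\\bob", "deny"),
]
PROXY_IP = "192.168.30.103"  # the only source IP the firewall sees on the wire

def parse_http_headers(raw: bytes) -> Dict[str, str]:
    """Parse the header block of an HTTP/1.x request into a lower-cased dict."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:  # lines[0] is the request line, e.g. GET / HTTP/1.1
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def client_ip_from_xff(headers: Dict[str, str]) -> Optional[str]:
    """Leftmost X-Forwarded-For entry: the original client behind the proxy."""
    first = headers.get("x-forwarded-for", "").split(",")[0].strip()
    return first or None

def source_user(raw_request: bytes) -> str:
    """Source User as the traffic log would show it: blank when the XFF header
    is missing or the address has no ip-user-mapping."""
    ip = client_ip_from_xff(parse_http_headers(raw_request))
    return IP_USER_MAPPING.get(ip, "") if ip else ""

def evaluate(raw_request: bytes) -> Tuple[str, str]:
    """Return (matching rule, action) for a GET that follows the allowed
    handshake. With no user match the request hits the implicit deny."""
    user = source_user(raw_request)
    for name, rule_user, action in USER_POLICIES:
        if user and user == rule_user:
            return name, action
    return "implicit-deny", "deny"

# Constructed GET as forwarded by the proxy; it appends its own address to XFF.
ALICE_GET = ("GET / HTTP/1.1\r\nHost: example.com\r\n"
             f"X-Forwarded-For: 10.1.1.25, {PROXY_IP}\r\n\r\n").encode()
```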


