12-22-2010 01:40 AM
hi,
I am wondering if PA can support X-Forwarded-For, as I need to install the PA behind a Blue Coat, where the user's request reaches the Blue Coat first and then the PA. So is there a way for the PA to detect the IP addresses or usernames?
BR
12-22-2010 02:15 AM
Hi There,
If you enable x-forward-for on the proxy, then the PA-Appliance will see the original source. However, this will only be seen in the URL logs and cannot currently be tied to User-ID.
Thanks
James
12-22-2010 02:19 AM
What about App-ID, would it work? Assuming my proxy is doing URL filtering and the PA is doing application and data filtering?
12-22-2010 02:23 AM
Yes, App-ID will work, but you will not see users or the X-Forwarded-For information in the traffic logs, only the URL logs.
12-23-2010 01:30 AM
Hi all!
Be aware that if you use the X-Forwarded-For header you will "publish" your internal IP addresses on the internet, as the header will not be removed by Palo Alto.
That is as far as I know a new feature in 4.0.
There is a much better way to do this!
Let Blue Coat do "send-client-ip" and you will see the original source from the client.
You can enable this function in management console (my guess is proxy and general) or in the VPM and forward layer.
I recommend using two dedicated L3 interfaces on the Palo Alto for this and putting them in their own routing table, just to make 100% sure you do not get any asymmetric routing. So I hope you have one "spare" public IP you can use for this.
Make sure you have this also in the local policy of the Blue Coat.
http.client.persistence(preserve)
You probably do not need a routing table in Blue Coat either, except the default gateway.
Be aware that Blue Coat will do return-to-sender by default, meaning that it will reply to the internal MAC address where the packet came from.
So there should be no need for a routing table.
Best regards Staffan, Radpoint Sweden.
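To make the two points of this thread concrete (the original question of what the firewall can recover about the real client from X-Forwarded-For, and Staffan's warning above that an unstripped header exposes internal addresses), here is an added Python example. It is not code from the thread, from Palo Alto Networks or from Blue Coat; the request samples and addresses are constructed, and the "trusted proxy" list is a hypothetical input. It parses the X-Forwarded-For chain out of raw HTTP requests, picks the original client by skipping known proxies from the right, flags any RFC 1918 address that would leave the network in the header, and shows what stripping the header before it reaches the internet looks like.

```python
import ipaddress
from typing import Dict, List, Optional, Sequence

# Constructed sample requests, as the firewall would see them arriving from the
# proxy with X-Forwarded-For enabled. All addresses are hypothetical.
SAMPLE_REQUESTS = [
    "GET /news HTTP/1.1\r\nHost: example.com\r\nX-Forwarded-For: 10.1.2.3\r\n\r\n",
    "GET /a HTTP/1.1\r\nHost: example.com\r\nX-Forwarded-For: 203.0.113.7, 10.0.0.5\r\n\r\n",
    "GET /b HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "GET /c HTTP/1.1\r\nHost: example.com\r\nX-Forwarded-For: not-an-ip, 192.168.4.4\r\n\r\n",
]

# RFC 1918 ranges: the "internal IP addresses" that must not leak in the header.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _header_lines(raw_request: str) -> List[str]:
    """Header lines of a raw request, excluding the request line."""
    return raw_request.split("\r\n\r\n", 1)[0].split("\r\n")[1:]


def parse_xff(raw_request: str) -> List[str]:
    """Return the X-Forwarded-For chain as a list of valid IPs, left to right.

    Entries that are not IP addresses are dropped: the header is client-influenced
    input and must never be trusted blindly.
    """
    for line in _header_lines(raw_request):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-forwarded-for":
            chain = []
            for item in value.split(","):
                item = item.strip()
                try:
                    ipaddress.ip_address(item)
                except ValueError:
                    continue
                chain.append(item)
            return chain
    return []


def original_client(chain: Sequence[str], trusted_proxies: Sequence[str] = ()) -> Optional[str]:
    """Walk the chain from the right, skipping proxies we control; the first
    untrusted hop is the best estimate of the original client."""
    trusted = {ipaddress.ip_address(p) for p in trusted_proxies}
    for hop in reversed(chain):
        if ipaddress.ip_address(hop) not in trusted:
            return hop
    return None


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def internal_addresses_exposed(chain: Sequence[str]) -> List[str]:
    """Addresses in the chain that would be published to the internet."""
    return [hop for hop in chain if is_internal(hop)]


def strip_xff(raw_request: str) -> str:
    """Return the request with the X-Forwarded-For header removed (what a
    proxy should do on the outbound side if the firewall will not)."""
    head, sep, body = raw_request.partition("\r\n\r\n")
    lines = head.split("\r\n")
    kept = [lines[0]] + [
        l for l in lines[1:] if l.partition(":")[0].strip().lower() != "x-forwarded-for"
    ]
    return "\r\n".join(kept) + sep + body


def audit(requests: Sequence[str], trusted_proxies: Sequence[str] = ()) -> List[Dict]:
    """Per-request summary: parsed chain, inferred client, exposed internal IPs."""
    report = []
    for req in requests:
        chain = parse_xff(req)
        report.append({
            "chain": chain,
            "client": original_client(chain, trusted_proxies),
            "exposed": internal_addresses_exposed(chain),
        })
    return report


if __name__ == "__main__":
    for entry in audit(SAMPLE_REQUESTS, trusted_proxies=("10.0.0.5",)):
        print(entry)
```

The `trusted_proxies` argument matters: with the proxy's own address listed, the second sample resolves to the public hop in front of it rather than to the proxy itself, which is the difference between a log entry that identifies the user and one that only repeats the proxy's IP.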
12-18-2011 06:24 PM
Hi James,
You mentioned that App-ID will work. Do you mean we can see which application (e.g. Facebook) was being used, but the source IP is still the proxy server in the traffic log?
How about user-based QoS? It doesn't work with X-Forwarded-For either, right?
In PAN-OS 4.0.x/4.1.x, does the same limitation exist?
Regards,
Linus