https://live.paloaltonetworks.com/t5/general-topics/user-id-mapping-from-exchange-logs-behind-f5-loadbalancer/m-p/556770#M113009 <P>Oh I see, I had your traffic flow all wrong, yes I would imagine that as the only device to see the x-forwarded-for header is IIS and that is where you are pulling your user-id from that you will need to user the regex to get it from IIS.</P> Wed, 06 Sep 2023 15:02:45 GMT laurence64 2023-09-06T15:02:45Z https://live.paloaltonetworks.com/t5/general-topics/user-id-mapping-from-exchange-logs-behind-f5-loadbalancer/m-p/556542#M112980 <P>Hi ,&nbsp;</P> <P>&nbsp;</P> <P>We are currently trying to solve an issue with User ID mapping on Exchange cluster.&nbsp;</P> <P>This cluster is sitting behind F5 WAF, and it is doing SNAT, therefore all request are coming from same IP. (IP of the WAF)</P> <P>This causes the User-IP binding to nonstop update and not reflect the reality.&nbsp;</P> <P>&nbsp;</P> <P>On F5 we have turned on the "X-Forwarded-For" header.&nbsp;</P> <P>We have reconfigured IIS logs to show the "X-Forwarded-For" IP of the request and we can see it in the log, therefore header insertion is working.&nbsp;</P> <P>&nbsp;</P> <P>However, as far as I know, User ID agent is using Security log.</P> <P>&nbsp;</P> <P>Is there any way how to make this work, or do we need to use Syslog and Regexp to match it from IIS logs ?&nbsp;</P> <P>&nbsp;</P> <P>Thank you in advance.&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 05 Sep 2023 14:11:16 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-mapping-from-exchange-logs-behind-f5-loadbalancer/m-p/556542#M112980 aber 2023-09-05T14:11:16Z https://live.paloaltonetworks.com/t5/general-topics/user-id-mapping-from-exchange-logs-behind-f5-loadbalancer/m-p/556601#M112981 <P>Hi&nbsp;</P> <P>&nbsp;</P> <P>Looking at the admin guide, this may be east to do, under device &gt; setup &gt; content-ID there is an option for x-forwarded-for headers, in this there is a drop down for enable for user-id or for security policy and then another option to strip this as the traffic passes, this would be the first place to look I think it is fully covered in the user-id section of the admin guide, this is on version 10.1 and above, you do not mention what version you are on but as user-id is fairly static in the methods to get user-id data in I presume that some older versions also support.</P> <P>&nbsp;</P> <P>Hope this helps.</P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 05 Sep 2023 21:37:24 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-mapping-from-exchange-logs-behind-f5-loadbalancer/m-p/556601#M112981 laurence64 2023-09-05T21:37:24Z https://live.paloaltonetworks.com/t5/general-topics/user-id-mapping-from-exchange-logs-behind-f5-loadbalancer/m-p/556684#M112993 <P>Hi,</P> <P>&nbsp;</P> <P>I have seen this part of admin guide, and we have it "ON"for different reason. However the traffic flow is like this:&nbsp;</P> <P>&nbsp;</P> <P>PA---------&gt;F5&gt;---------Exch Cluster&nbsp;</P> <P>Header is added at the F5 and it does not traverse PA after header is added.&nbsp;</P> <P>&nbsp;</P> <P>Currently running&nbsp; 11.0.2&nbsp;</P> Wed, 06 Sep 2023 07:13:26 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-mapping-from-exchange-logs-behind-f5-loadbalancer/m-p/556684#M112993 aber 2023-09-06T07:13:26Z https://live.paloaltonetworks.com/t5/general-topics/user-id-mapping-from-exchange-logs-behind-f5-loadbalancer/m-p/556770#M113009 <P>Oh I see, I had your traffic flow all wrong, yes I would imagine that as the only device to see the x-forwarded-for header is IIS and that is where you are pulling your user-id from that you will need to user the regex to get it from IIS.</P> Wed, 06 Sep 2023 15:02:45 GMT https://live.paloaltonetworks.com/t5/general-topics/user-id-mapping-from-exchange-logs-behind-f5-loadbalancer/m-p/556770#M113009 laurence64 2023-09-06T15:02:45Z