https://live.paloaltonetworks.com/t5/general-topics/pa-with-proxy-user-logging-in-traffic-log/m-p/19609#M14327 <HTML><HEAD></HEAD><BODY><P>Hi Sven,</P><P></P><P>Please refer following document for more information.</P><P><A href="https://live.paloaltonetworks.com/docs/DOC-1128">Enabling support for the X-Forwarded-For HTTP header</A></P><P></P><P>Regards,</P><P>Hardik Shah</P></BODY></HTML> Fri, 30 Jan 2015 15:49:08 GMT hshah 2015-01-30T15:49:08Z https://live.paloaltonetworks.com/t5/general-topics/pa-with-proxy-user-logging-in-traffic-log/m-p/19608#M14326 <HTML><HEAD></HEAD><BODY><P>Hi there,</P><P></P><P>we’re running the following setup on PAN-OS is 6.1:</P><P></P><P style="text-align: left; padding-left: 30px;">client-pc|pa-dmz|proxy|internet</P><P style="padding-left: 30px;">citrix-server|pa-dmz|proxy|internet</P><P>User-ID Agent is collecting IP&gt;User mapping.</P><P>We’re logging only Deny events in the traffic log.</P><P></P><P>We want to achieve the following:</P><P>When User A tries to open a website/app which is not allowed, we want to see in the traffic log the username and source IP address. The source IP is coming up with x-ff-header, but not the user; even if PA knows that User A has this specific IP address.</P><P>The reason is easy: We’re an almost Citrix-only shop, so IP logging only is not that helpful in this case. We could install the Citrix User-ID Agent, but at this stage even the username is not displayed when trying with a client-pc, so first things first.</P><P></P><P>A workaround that could work is the following: Enable logging for connection start (that shows the users) through proxy and check directly following entries for deny. Bu honestly, this might work for a handful user not for 700+ and that’s not very efficient.</P><P>I believe our setup is not that exotic, so we’re not the first customers who’re running into this. Maybe I just don’t see the right way… How did you solved this? </P><P></P><P>At this stage we’ve not purchased an URL-Filter license. We don’t want to oversee the users, just want to have an easy way to troubleshoot connection problems to websites; as with App-ID everything is blocked, what isn’t explicitly allowed this could become some hard times.</P><P></P><P>Thanks for helping!</P></BODY></HTML> Fri, 30 Jan 2015 11:02:13 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-with-proxy-user-logging-in-traffic-log/m-p/19608#M14326 Sven_Lieckfeldt 2015-01-30T11:02:13Z https://live.paloaltonetworks.com/t5/general-topics/pa-with-proxy-user-logging-in-traffic-log/m-p/19609#M14327 <HTML><HEAD></HEAD><BODY><P>Hi Sven,</P><P></P><P>Please refer following document for more information.</P><P><A href="https://live.paloaltonetworks.com/docs/DOC-1128">Enabling support for the X-Forwarded-For HTTP header</A></P><P></P><P>Regards,</P><P>Hardik Shah</P></BODY></HTML> Fri, 30 Jan 2015 15:49:08 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-with-proxy-user-logging-in-traffic-log/m-p/19609#M14327 hshah 2015-01-30T15:49:08Z https://live.paloaltonetworks.com/t5/general-topics/pa-with-proxy-user-logging-in-traffic-log/m-p/19610#M14328 <HTML><HEAD></HEAD><BODY><P>Hi Hardik,</P><P></P><P>thanks for your answer. Unfortunately xff doesn't solve our problem at all.</P><P>We are able to map clientip to user, but that doesn't do the trick on the Citrix server; where 50 users share the same IP address. Also, with xff the User-ID Agent data is not used in the Traffic Log, which isn't really handy.</P><P></P><P>The following approach seems to be feasible for us:</P><P>Allowing the same websites/applications on the border from internal-lan to DMZ, as the proxy has, gives us the possibility to see who has tried to access a website. In this scenario the User-ID Agent does work, because the connection is established first by the Citrix server and after then handed over to the proxy.</P><P></P><P>Regards,</P><P>Sven</P></BODY></HTML> Tue, 10 Feb 2015 08:55:24 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-with-proxy-user-logging-in-traffic-log/m-p/19610#M14328 Sven_Lieckfeldt 2015-02-10T08:55:24Z