topic Re: x-forwarded-for header parsing. in General Topics

x-forwarded-for header parsing.

Bart_Jocque — Tue, 22 Jan 2013 14:17:08 GMT

With the command "set system setting ctd x-forwarded-for yes" the x-forwarded-for header is parsed to populate the source.user field in the logs.

However, which exact header is actually being parsed with this command?

Is it "x-forwarded-for" ? ( according to the CLI guide)

Or is it "x-fwd-for" ? (according to the KB article)

or both ?

Can it be changed ?

How ?

Thanks,

Bart

Re: x-forwarded-for header parsing.

Bart_Jocque — Wed, 30 Jan 2013 10:10:39 GMT

anyone ?

Re: x-forwarded-for header parsing.

mikand — Wed, 27 Mar 2013 07:13:05 GMT

Would be great if someone from PA could answer

Re: x-forwarded-for header parsing.

dyang — Wed, 27 Mar 2013 07:17:04 GMT

The HTTP header is "X-Forwarded-For" , as noted in the Admin and CLI guides. If you provide me a link to the KB article in question, I can have it updated. My guess is that someone shortened it to "x-fwd-for" because it's easier to type.

--Doris

Re: x-forwarded-for header parsing.

mikand — Wed, 27 Mar 2013 07:28:06 GMT

I guess its

Also, looking in the CLI guide there is both:

set deviceconfig setting ctd x-forwarded-for yes

set system setting ctd x-forwarded-for yes

Whats the difference of the above (perhaps it could be described in the KB aswell)?

Re: x-forwarded-for header parsing.

dyang — Wed, 27 Mar 2013 20:33:54 GMT

There is no difference between the two commands - they do exactly the same thing. We most likely will not remove the duplicate command since it may cause migration issues.

Thanks,

Doris

Re: x-forwarded-for header parsing.

Bart_Jocque — Tue, 16 Apr 2013 11:54:32 GMT

I still didn't manage to get this working in our lab infra :

admin@lab01(active)> show system setting ctd state

Notify user for APP block : no

Alternative AHO : no

Skip CTD : no

Parse x-forwarded-for : yes

Strip x-fwd-for : no

Bloom Filter : yes

HTTP Proxy Use Transaction : yes

Enable Regex Statistics : no

URL Category Query Timeout : 5

Bypass when exceeds queue limit: yes

packets queued for packet capture: 5

whether to do packet capture after: yes

max. loop for packets processing: 1024

Not to Block HTTP Range request: yes

CTD ID : 1

CTD Allocator Usage : 92%(44 MB)

AHO Allocator Usage : 87%(97 MB)

Packet capture of a GET request:

GET http://www.microsoft.com/ HTTP/1.1

Host: www.microsoft.com

Pragma: no-cache

Cache-Control: no-cache

X-Forwarded-For: 10.255.224.130

Proxy-Connection: Keep-Alive

X-BlueCoat-Via: 36967894f0722148

I have also enabled user-id on the incoming zone.

That should be all to get thos working according to the DOC.

What else could be wrong ?

Re: x-forwarded-for header parsing.

emr_1 — Tue, 16 Apr 2013 13:21:17 GMT

I think this only works with URL filtering log.

Are you trying to parse in traffic log?

Regards,

Re: x-forwarded-for header parsing.

Bart_Jocque — Tue, 16 Apr 2013 15:00:49 GMT

Yes indeed I was looking into the traffic logs. There is no url filtering on this box.

Can someone of PA confirm that this is only working url filtering logs ?

Re: x-forwarded-for header parsing.

Bart_Jocque — Tue, 16 Apr 2013 15:10:09 GMT

Thanks emr,

I found indeed the answer here : https://live.paloaltonetworks.com/docs/DOC-1528

Re: x-forwarded-for header parsing.

dyang — Tue, 16 Apr 2013 15:56:25 GMT

Looks like you found what you're looking for, but just in case you need further validation, the X-Forwarded-For parsing feature is only applicable to the URL filtering logs. If you do not have a URL filtering license, you can still use the allow/block list as well as the custom categories, so you can use those to generate logs and parse the X-Forwarded-For field as indicated above.