https://live.paloaltonetworks.com/t5/general-topics/http-header-logging-ntlm-username/m-p/48392#M35612 <HTML><HEAD></HEAD><BODY><P>My PA firewall inspects traffic between my users and proxy server. The proxy server provides NTLM authentication. Is there a way of logging the NTLM authenticated username within the http headers?</P></BODY></HTML> Fri, 30 Jan 2015 05:23:00 GMT ASCIT 2015-01-30T05:23:00Z https://live.paloaltonetworks.com/t5/general-topics/http-header-logging-ntlm-username/m-p/48392#M35612 <HTML><HEAD></HEAD><BODY><P>My PA firewall inspects traffic between my users and proxy server. The proxy server provides NTLM authentication. Is there a way of logging the NTLM authenticated username within the http headers?</P></BODY></HTML> Fri, 30 Jan 2015 05:23:00 GMT https://live.paloaltonetworks.com/t5/general-topics/http-header-logging-ntlm-username/m-p/48392#M35612 ASCIT 2015-01-30T05:23:00Z https://live.paloaltonetworks.com/t5/general-topics/http-header-logging-ntlm-username/m-p/48393#M35613 <HTML><HEAD></HEAD><BODY><P>Hello Ascit,</P><P></P><P>I am not clear, what you want to achieve. HTTP header is not having a field for user. Could you please explain your requirement here in details.</P><P></P><P>Check out this discussion thread:</P><P><A href="https://live.paloaltonetworks.com/message/1983">Re: Captive portal, manage authenticated users</A></P><P></P><P></P><P>Thanks</P></BODY></HTML> Fri, 30 Jan 2015 07:30:00 GMT https://live.paloaltonetworks.com/t5/general-topics/http-header-logging-ntlm-username/m-p/48393#M35613 HULK 2015-01-30T07:30:00Z https://live.paloaltonetworks.com/t5/general-topics/http-header-logging-ntlm-username/m-p/48394#M35614 <HTML><HEAD></HEAD><BODY><P><A href="https://live.paloaltonetworks.com/u1/19491">HULK</A>, in this instance the PA is not acting as the proxy it sound like.&nbsp; The PA is in between the proxy and the user and is able to inspect that traffic.</P><P></P><P><A href="https://live.paloaltonetworks.com/u1/30544">ascit</A>, I believe that the NTLM portion of the traffic is not within the HTTP header but in a separate NTLM header in the packet.&nbsp; I don't know if the PA would recognize the traffic separately once it ID's the traffic as HTTP.</P></BODY></HTML> Fri, 30 Jan 2015 14:06:36 GMT https://live.paloaltonetworks.com/t5/general-topics/http-header-logging-ntlm-username/m-p/48394#M35614 Dz3015 2015-01-30T14:06:36Z https://live.paloaltonetworks.com/t5/general-topics/http-header-logging-ntlm-username/m-p/48395#M35615 <HTML><HEAD></HEAD><BODY><P>Correct, I'm hoping to some how log the NTLM User name field:</P><P></P><P><IMG alt="ntlm.png" class="image-1 jive-image jiveImage" src="https://live.paloaltonetworks.com/legacyfs/online/18107_ntlm.png" /></P></BODY></HTML> Mon, 02 Feb 2015 05:51:51 GMT https://live.paloaltonetworks.com/t5/general-topics/http-header-logging-ntlm-username/m-p/48395#M35615 ASCIT 2015-02-02T05:51:51Z https://live.paloaltonetworks.com/t5/general-topics/http-header-logging-ntlm-username/m-p/48396#M35616 <HTML><HEAD></HEAD><BODY><P>Hi Ascit</P><P></P><P>The firewall can not log this specific entry as a straight forward log option.</P><P>It can however be inspected to trigger a custom app or custom threat.</P><P>Through captive portal the firewall can also provide ntlm user authentication or could be configured to receive syslog from the proxy containing user information</P><P></P><P></P><P><A href="https://live.paloaltonetworks.com/videos/1317"> Video Link : 1317</A></P><P><A href="https://live.paloaltonetworks.com/docs/DOC-1159">How to Configure Captive Portal</A></P><P><A href="https://live.paloaltonetworks.com/docs/DOC-6747">How to Locate the Predefined Syslog Filters in PAN-OS</A></P><P></P><P></P><P>hope this helps</P><P>Tom</P></BODY></HTML> Mon, 02 Feb 2015 07:29:43 GMT https://live.paloaltonetworks.com/t5/general-topics/http-header-logging-ntlm-username/m-p/48396#M35616 reaper 2015-02-02T07:29:43Z https://live.paloaltonetworks.com/t5/general-topics/http-header-logging-ntlm-username/m-p/48397#M35617 <HTML><HEAD></HEAD><BODY><P><IMG /></P><P>Hi ascit,</P><P></P><P>if you just want to identify the user coming from proxy, then there is a way to find out who it is.</P><P>Therefor the x-forwarded-for field has to be enabled on proxy and PA.</P><P>On PA:<BR /><BR /></P><P><IMG alt="xff.JPG" class="image-0 jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/20101_xff.JPG" style="width: 620px; height: 231px;" /></P><P></P><P></P><P>to find out which ip-adress it is look into the URL-log:</P><P></P><P><IMG alt="Unbenannt.JPG" class="jive-image image-2 jiveImage" src="https://live.paloaltonetworks.com/legacyfs/online/20103_Unbenannt.JPG" /></P><P></P><P>to get filled the URL-log you need the URL-license. Maybe this result is not what you need but that is what is possible right now.</P><P></P><P>Regards,</P><P>Klaus</P></BODY></HTML> Fri, 19 Jun 2015 08:52:54 GMT https://live.paloaltonetworks.com/t5/general-topics/http-header-logging-ntlm-username/m-p/48397#M35617 kdd 2015-06-19T08:52:54Z https://live.paloaltonetworks.com/t5/general-topics/http-header-logging-ntlm-username/m-p/48398#M35618 <HTML><HEAD></HEAD><BODY><P>Hi ascit,</P><P></P><P>if you just want to identify the user coming from proxy, then there is a way to find out who it is.</P><P>Therefor the x-forwarded-for field has to be enabled on proxy and PA.</P><P>On PA:</P><P></P><P></P><P><A _jive_internal="true" href="https://live.paloaltonetworks.com/servlet/JiveServlet/showImage/2-53753-20101/xff.JPG"><IMG alt="xff.JPG" class="image-0 jive-image jiveImage" height="306" src="https://live.paloaltonetworks.com/legacyfs/online/20104_xff.JPG" width="822" /></A></P><P></P><P></P><P>to find out which ip-adress it is look into the URL-log:</P><P></P><P><A _jive_internal="true" href="https://live.paloaltonetworks.com/servlet/JiveServlet/showImage/2-53753-20103/Unbenannt.JPG"><IMG alt="Unbenannt.JPG" class="jive-image image-2 jiveImage" height="586" src="https://live.paloaltonetworks.com/legacyfs/online/20105_Unbenannt.JPG" width="1214" /></A></P><P></P><P>to get filled the URL-log you need the URL-license. Maybe this result is not what you need but that is what is possible right now.</P><P></P><P>Regards,</P><P>Klaus</P></BODY></HTML> Fri, 19 Jun 2015 10:16:10 GMT https://live.paloaltonetworks.com/t5/general-topics/http-header-logging-ntlm-username/m-p/48398#M35618 kdd 2015-06-19T10:16:10Z