https://live.paloaltonetworks.com/t5/general-topics/does-pa-supports-xforward/m-p/624#M483 <HTML><HEAD></HEAD><BODY><P>Hi James,</P><P></P><P>You mentioned the App-ID will work, do you mean we can see which application (e.g. facebook) was using but the source IP is still the proxy server in traffic log? <BR />How about the user-based QOS, it doesn't work with x-Forwared-for neither, right?</P><P></P><P>In PAN-OS 4.0.x/4.1.x, is the same limitation exist?</P><P></P><P>Regards,<BR />Linus</P></BODY></HTML> Mon, 19 Dec 2011 02:24:34 GMT linuss 2011-12-19T02:24:34Z https://live.paloaltonetworks.com/t5/general-topics/does-pa-supports-xforward/m-p/619#M478 <HTML><HEAD></HEAD><BODY><P>hi,</P><P></P><P>am wondering if PA can supports xforward as i need to install PA behind a bluecoat were the users request reaches 1st bluecoat then PA, so is there a way for pa to detect the ip addresses or usernames.</P><P></P><P>BR</P></BODY></HTML> Wed, 22 Dec 2010 09:40:38 GMT https://live.paloaltonetworks.com/t5/general-topics/does-pa-supports-xforward/m-p/619#M478 LCMember4717 2010-12-22T09:40:38Z https://live.paloaltonetworks.com/t5/general-topics/does-pa-supports-xforward/m-p/620#M479 <HTML><HEAD></HEAD><BODY><P>Hi There,</P><P></P><P>If you enable x-forward-for on the proxy, then the PA-Appliance will see the original source.&nbsp; However, this will only be seen in the URL logs and cannot currently be tied to User-ID.</P><P></P><P>Thanks</P><P>James</P></BODY></HTML> Wed, 22 Dec 2010 10:15:57 GMT https://live.paloaltonetworks.com/t5/general-topics/does-pa-supports-xforward/m-p/620#M479 James 2010-12-22T10:15:57Z https://live.paloaltonetworks.com/t5/general-topics/does-pa-supports-xforward/m-p/621#M480 <HTML><HEAD></HEAD><BODY><P>what about app-id would it work ? assuming my proxy doing url filter and pa application ana data filter ?</P></BODY></HTML> Wed, 22 Dec 2010 10:19:28 GMT https://live.paloaltonetworks.com/t5/general-topics/does-pa-supports-xforward/m-p/621#M480 LCMember4717 2010-12-22T10:19:28Z https://live.paloaltonetworks.com/t5/general-topics/does-pa-supports-xforward/m-p/622#M481 <HTML><HEAD></HEAD><BODY><P>Yes, App-ID will work - but you will not see users or the X-Forward-For information in the traffic logs - only the URL logs</P></BODY></HTML> Wed, 22 Dec 2010 10:23:52 GMT https://live.paloaltonetworks.com/t5/general-topics/does-pa-supports-xforward/m-p/622#M481 James 2010-12-22T10:23:52Z https://live.paloaltonetworks.com/t5/general-topics/does-pa-supports-xforward/m-p/623#M482 <HTML><HEAD></HEAD><BODY><P>Hi all!</P><P></P><P>Be aware if you do x-forward-via header you will "publish" your </P><P>internal IP-addresses on the internet as the header will not be removed by Palo Alto.</P><P>That is as far as I know a new feature in 4.0.</P><P></P><P>There is a much better way to do this!</P><P></P><P>Let Blue Coat do "send-client-ip" and you will see the original source from the client.</P><P>You can enable this function in management console (my guess is proxy and general) or in the VPM and forward layer.</P><P></P><P>I recommend to use two dedicated L3 interfaces on the Palo Alto for this and put these in its own routing table, just to make 100% sure you do not get any asymmetric routing. So hope you have one "spare" public IP you can use for this.</P><P></P><P>Make sure you have this also in the local policy of the Blue Coat.</P><P></P><P></P><P>http.client.persistence(preserve)</P><P></P><P>You probably do not need an routing table in Blue Coat either except the default gateway.</P><P>Be aware that Blue Coat will do return-to-sender by default, meaning that it will reply to internal macaddress where the packet came from.</P><P>So there should be no need for a routing table.</P><P></P><P>Best regards Staffan, Radpoint Sweden.</P></BODY></HTML> Thu, 23 Dec 2010 09:30:55 GMT https://live.paloaltonetworks.com/t5/general-topics/does-pa-supports-xforward/m-p/623#M482 solsen 2010-12-23T09:30:55Z https://live.paloaltonetworks.com/t5/general-topics/does-pa-supports-xforward/m-p/624#M483 <HTML><HEAD></HEAD><BODY><P>Hi James,</P><P></P><P>You mentioned the App-ID will work, do you mean we can see which application (e.g. facebook) was using but the source IP is still the proxy server in traffic log? <BR />How about the user-based QOS, it doesn't work with x-Forwared-for neither, right?</P><P></P><P>In PAN-OS 4.0.x/4.1.x, is the same limitation exist?</P><P></P><P>Regards,<BR />Linus</P></BODY></HTML> Mon, 19 Dec 2011 02:24:34 GMT https://live.paloaltonetworks.com/t5/general-topics/does-pa-supports-xforward/m-p/624#M483 linuss 2011-12-19T02:24:34Z