<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: X-forwarded-for not showing results in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/x-forwarded-for-not-showing-results/m-p/216724#M62754</link>
    <description>&lt;P&gt;&lt;STRIKE&gt;Starting with PAN-OS 8.0, you can use the XFF header for URL Filtering logs as well as for general use with security policies by mapping the XFF IP with a user name. You will need User-ID configured for that mapping to work:&lt;/STRIKE&gt;&lt;/P&gt;&lt;P&gt;&lt;STRIKE&gt;&amp;nbsp;&lt;/STRIKE&gt;&lt;/P&gt;&lt;P&gt;&lt;STRIKE&gt;&lt;A href="https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/policy/identify-users-connected-through-a-proxy-server/use-xff-values-for-policies-and-logging-source-users" target="_blank"&gt;https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/policy/identify-users-connected-through-a-proxy-server/use-xff-values-for-policies-and-logging-source-users&lt;/A&gt;&lt;/STRIKE&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480"&gt;@BPry&lt;/a&gt;&amp;nbsp;pointed out that these are external clients rather than users managed by the firewall. I missed that these are external addresses. There wouldn't be a way to map the external addresses to user names in that scenario.&lt;/P&gt;</description>
    <pubDate>Tue, 05 Jun 2018 20:59:26 GMT</pubDate>
    <dc:creator>gwesson</dc:creator>
    <dc:date>2018-06-05T20:59:26Z</dc:date>
    <item>
      <title>X-forwarded-for not showing results</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/x-forwarded-for-not-showing-results/m-p/216685#M62741</link>
      <description>&lt;P&gt;We use F5 with its VIP interfaces in DMZ and it is doing SSL offloading (presents a cert on the webserver's behalf allowing plain text traffic to be inspected).&amp;nbsp; As in the example below, external source (1.1.1.1) accesses 2.2.2.2 (PA NATs to 10.10.10.10 of the F5 VIP). F5 then does SSL offload and SNAT&amp;nbsp;for communication with server, but the source interface for this SNAT that it uses resides in INTERNAL network. F5 uses 172.16.16.16 as source to contact 192.168.168.168.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image.png" style="width: 800px;"&gt;&lt;img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/15381i5F53202F6F0D4E43/image-size/large/is-moderation-mode/true?v=v2&amp;amp;px=999" role="button" title="image.png" alt="image.png" /&gt;&lt;/span&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;With this setup, when F5 (172.16.16.16) communicates with server it is in plain text and firewall is able to do inspection and drop traffic. But then for it F5 becomes the culprit while actually it is 2.2.2.2. There is no way to correlate both sides of communication and our management is not inclined towards using SSL decryption. F5 is able to insert external source IP (2.2.2.2) into the header X-Forwarded-For. Can PA pull this information in logs? If this option "Use X-Forwarded-For Header in User-ID" is what I am asking for, I have it enabled on the firewall and all I see are our AD users and no external/internal IP in the source user field. And this webserver is heavily used from outside. Is there any other setting that I need to configure? I have it enabled on the URL profile also. Does that mean it shows results in URL logs only?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 05 Jun 2018 16:37:12 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/x-forwarded-for-not-showing-results/m-p/216685#M62741</guid>
      <dc:creator>raji_toor</dc:creator>
      <dc:date>2018-06-05T16:37:12Z</dc:date>
    </item>
    <item>
      <title>Re: X-forwarded-for not showing results</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/x-forwarded-for-not-showing-results/m-p/216706#M62747</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/56221"&gt;@raji_toor&lt;/a&gt;,&lt;/P&gt;&lt;P&gt;That option would only work if you were trying to generate user-id logs via something like a captive portal on forwarded traffic. Since the firewall sees the source as the F5 VIP, that's the interface that it's going to view as the source of any threat that it identifies.&amp;nbsp;&lt;/P&gt;&lt;P&gt;I'm not sure how you would address this if management is against doing the decryption on the Palo.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 05 Jun 2018 17:49:53 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/x-forwarded-for-not-showing-results/m-p/216706#M62747</guid>
      <dc:creator>BPry</dc:creator>
      <dc:date>2018-06-05T17:49:53Z</dc:date>
    </item>
    <item>
      <title>Re: X-forwarded-for not showing results</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/x-forwarded-for-not-showing-results/m-p/216724#M62754</link>
      <description>&lt;P&gt;&lt;STRIKE&gt;Starting with PAN-OS 8.0, you can use the XFF header for URL Filtering logs as well as for general use with security policies by mapping the XFF IP with a user name. You will need User-ID configured for that mapping to work:&lt;/STRIKE&gt;&lt;/P&gt;&lt;P&gt;&lt;STRIKE&gt;&amp;nbsp;&lt;/STRIKE&gt;&lt;/P&gt;&lt;P&gt;&lt;STRIKE&gt;&lt;A href="https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/policy/identify-users-connected-through-a-proxy-server/use-xff-values-for-policies-and-logging-source-users" target="_blank"&gt;https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/policy/identify-users-connected-through-a-proxy-server/use-xff-values-for-policies-and-logging-source-users&lt;/A&gt;&lt;/STRIKE&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480"&gt;@BPry&lt;/a&gt;&amp;nbsp;pointed out that these are external clients rather than users managed by the firewall. I missed that these are external addresses. There wouldn't be a way to map the external addresses to user names in that scenario.&lt;/P&gt;</description>
      <pubDate>Tue, 05 Jun 2018 20:59:26 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/x-forwarded-for-not-showing-results/m-p/216724#M62754</guid>
      <dc:creator>gwesson</dc:creator>
      <dc:date>2018-06-05T20:59:26Z</dc:date>
    </item>
    <item>
      <title>Re: X-forwarded-for not showing results</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/x-forwarded-for-not-showing-results/m-p/216727#M62755</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/28203"&gt;@gwesson&lt;/a&gt;,&lt;/P&gt;&lt;P&gt;I'm not sure that really fixes the issue though, does it? The logs will still record the F5 as the source address for outside sources and you wouldn't map outside sources to user-id.&amp;nbsp;&lt;/P&gt;</description>
      <pubDate>Tue, 05 Jun 2018 20:48:17 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/x-forwarded-for-not-showing-results/m-p/216727#M62755</guid>
      <dc:creator>BPry</dc:creator>
      <dc:date>2018-06-05T20:48:17Z</dc:date>
    </item>
    <item>
      <title>Re: X-forwarded-for not showing results</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/x-forwarded-for-not-showing-results/m-p/217067#M62813</link>
      <description>&lt;P&gt;I had it enabled; addresses are now showing under the XFF column in URL filtering logs, and the source address is still the F5. I also had alerting disabled on a few URL categories, which was not showing the results.&lt;/P&gt;</description>
      <pubDate>Thu, 07 Jun 2018 19:24:33 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/x-forwarded-for-not-showing-results/m-p/217067#M62813</guid>
      <dc:creator>raji_toor</dc:creator>
      <dc:date>2018-06-07T19:24:33Z</dc:date>
    </item>
  </channel>
</rss>

