https://live.paloaltonetworks.com/t5/general-topics/configuring-xff-logging-without-a-url-filtering-license/m-p/244632#M69795 <P>To prevent additional information leakage of the IP address, you should enable this option (Device&gt;Setup&gt;Content-ID&gt;X-Forwarder-for Headers):</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot_20181230-215434_Chrome.jpg" style="width: 523px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/18129iF77C564C117C9811/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Screenshot_20181230-215434_Chrome.jpg" alt="Screenshot_20181230-215434_Chrome.jpg" /></span></P> Sun, 30 Dec 2018 20:57:41 GMT Remo 2018-12-30T20:57:41Z https://live.paloaltonetworks.com/t5/general-topics/configuring-xff-logging-without-a-url-filtering-license/m-p/239987#M68745 <P><STRONG>1.</STRONG> Create a Custom URL Category with * under ‘sites’ (Objects &gt;&gt; Custom Objects &gt;&gt; URL Category &gt;&gt; Add)</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="1.png" style="width: 729px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/17814i1425ED25A966EB3C/image-size/large?v=v2&amp;px=999" role="button" title="1.png" alt="1.png" /></span></P> <P>&nbsp;</P> <P><SPAN style="font-size: 12.88px;"><STRONG>2.</STRONG> Create a URL Filtering Profile &amp; set your Custom Category action to “alert” (Objects &gt;&gt; Security Profiles &gt;&gt; URL Filtering &gt;&gt; Add)</SPAN></P> <P>&nbsp;<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2.png" style="width: 725px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/17815iE5F7E6D252A54EA6/image-size/large?v=v2&amp;px=999" role="button" title="2.png" alt="2.png" /></span></P> <P>&nbsp;</P> <P>Tick the box to log XFF on the ‘URL Filtering Settings’ tab…</P> <P>&nbsp;<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="3.png" style="width: 727px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/17816i5BF26B2E83B5B664/image-size/large?v=v2&amp;px=999" role="button" title="3.png" alt="3.png" /></span></P> <P>&nbsp;</P> <P><STRONG>3.</STRONG> Create a syslog server profile &amp; modify the custom log format settings for URL (Device &gt;&gt; Server Profiles &gt;&gt; Syslog &gt;&gt; Add)</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="4.png" style="width: 739px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/17817iCF8B1A96FA8A3225/image-size/large?v=v2&amp;px=999" role="button" title="4.png" alt="4.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="5.png" style="width: 735px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/17818i2BD2CF790B371CC7/image-size/large?v=v2&amp;px=999" role="button" title="5.png" alt="5.png" /></span><IMG class="lia-image-display" src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/17819iD04D6291913F0A94/image-size/large?v=1.0&amp;px=-1" border="0" width="733" height="511" data-lia-image-count="6" title="6.png" alt="6.png" /></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><STRONG>4.</STRONG> Create a Log Forwarding Profile &amp; point it at your syslog server (Objects &gt;&gt; Log Forwarding &gt;&gt; Add)</P> <P>&nbsp;<I class="lia-fa lia-fa-pencil lia-image-edit-icon"></I><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="7.png" style="width: 736px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/17820iA9924A41FB47D3D0/image-size/large?v=v2&amp;px=999" role="button" title="7.png" alt="7.png" /></span></P> <P>&nbsp;</P> <P>Make sure your Log Type is ‘url’…</P> <P>&nbsp;<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="8.png" style="width: 730px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/17821i048BAE2E7CCD0DE5/image-size/large?v=v2&amp;px=999" role="button" title="8.png" alt="8.png" /></span></P> <P>&nbsp;</P> <P><STRONG>5.</STRONG> Apply both the URL Filtering &amp; Log Forwarding Profiles to your Security Policy rules (Policies &gt;&gt; Security)</P> <P>&nbsp;<IMG class="lia-image-display" src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/17822i99D48CE77DB609B9/image-size/large?v=1.0&amp;px=-1" border="0" width="732" height="485" data-lia-image-count="9" title="9.png" alt="9.png" /></P> <P>&nbsp;</P> <P><STRONG>6.</STRONG> Commit your configuration, and observe this expected warning message</P> <P>&nbsp;<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="9.png" style="width: 732px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/17822i99D48CE77DB609B9/image-size/large?v=v2&amp;px=999" role="button" title="9.png" alt="9.png" /></span></P> <P>&nbsp;</P> <P><STRONG>7.</STRONG> To test, you can use a free extension to Firefox called “Modify Header Value (HTTP Headers) by Milen Monrov. Type ‘about:addons’, click on ‘More’ &amp; scroll down.<SPAN>&nbsp; </SPAN>You will have an opportunity to setup a header insertion rule like I have…</P> <P>&nbsp;<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="11.png" style="width: 711px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/17829i2C490603E880AC7B/image-size/large?v=v2&amp;px=999" role="button" title="11.png" alt="11.png" /></span></P> <P>&nbsp;</P> <P>If I scroll to the right, you can see I am inserting a value of 1.1.1.1…</P> <P>&nbsp;<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="12.png" style="width: 734px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/17828i9492453FF58339CE/image-size/large?v=v2&amp;px=999" role="button" title="12.png" alt="12.png" /></span></P> <P>&nbsp;</P> <P><STRONG>8.</STRONG> Pick a cleartext site against which you can validate that the header insertion is working (I use <A href="http://www.xhaus.com/headers" target="_blank">http://www.xhaus.com/headers</A>)</P> <P>&nbsp;<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="13.png" style="width: 737px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/17827i8EEC9D7F8B274247/image-size/large?v=v2&amp;px=999" role="button" title="13.png" alt="13.png" /></span></P> <P>&nbsp;</P> <P><STRONG>9.</STRONG> Validate that the log data being sent by the firewall includes your expected values (ultimately this will match the string setting from step #3 above, which in my case is sip=$src,xff=$xff,dip=$dst,url=$misc). &nbsp;you can apply the wireshark display filter 'syslog' to match only what we are after...</P> <P>&nbsp;<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="14.png" style="width: 738px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/17826i58CD0608D5950693/image-size/large?v=v2&amp;px=999" role="button" title="14.png" alt="14.png" /></span></P> <P>&nbsp;</P> <P><STRONG>NOTE:</STRONG> Your browser will likely be sending traffic in the background that does not fire the XFF extension tool (safe browsing, etc.). Do not be alarmed if this type of traffic&nbsp;does not display an XFF value.</P> Thu, 06 Dec 2018 08:59:21 GMT https://live.paloaltonetworks.com/t5/general-topics/configuring-xff-logging-without-a-url-filtering-license/m-p/239987#M68745 BrianTaggart 2018-12-06T08:59:21Z https://live.paloaltonetworks.com/t5/general-topics/configuring-xff-logging-without-a-url-filtering-license/m-p/242809#M69435 <P>Great artical! Very useful.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>One small note - on step 6 I believe you got the wrong screenshot. I guess you wanted to should the warning for the no valid URL filtering during commit?</P> Tue, 11 Dec 2018 07:29:38 GMT https://live.paloaltonetworks.com/t5/general-topics/configuring-xff-logging-without-a-url-filtering-license/m-p/242809#M69435 aleksandar.astardzhiev 2018-12-11T07:29:38Z https://live.paloaltonetworks.com/t5/general-topics/configuring-xff-logging-without-a-url-filtering-license/m-p/244632#M69795 <P>To prevent additional information leakage of the IP address, you should enable this option (Device&gt;Setup&gt;Content-ID&gt;X-Forwarder-for Headers):</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot_20181230-215434_Chrome.jpg" style="width: 523px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/18129iF77C564C117C9811/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="Screenshot_20181230-215434_Chrome.jpg" alt="Screenshot_20181230-215434_Chrome.jpg" /></span></P> Sun, 30 Dec 2018 20:57:41 GMT https://live.paloaltonetworks.com/t5/general-topics/configuring-xff-logging-without-a-url-filtering-license/m-p/244632#M69795 Remo 2018-12-30T20:57:41Z