https://live.paloaltonetworks.com/t5/general-topics/x-forwarded-for-header-in-traffic-log-on-aws-vm/m-p/342893#M85888 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/16592">@Remo</a>&nbsp;Alb takes care of HTTP traffic.</P><P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>&nbsp; Yes I did commit.</P><P>&nbsp;</P><P>I have to look in to it further, it's strange url filtering log has xff info, but&nbsp; not in traffic log.</P><P>&nbsp;</P> Sun, 09 Aug 2020 11:26:56 GMT yhlee1 2020-08-09T11:26:56Z https://live.paloaltonetworks.com/t5/general-topics/x-forwarded-for-header-in-traffic-log-on-aws-vm/m-p/342638#M85853 <P>Hello,</P><P>&nbsp;</P><P>My FW is behind ALB, so I want to see original Src IP.</P><P>&nbsp;</P><P>I enabled "use x-forwarded-for header in user-id" setting and user-id on the zone.</P><P>But there is no info on source user column in traffic log.</P><P>&nbsp;</P><P>I can see the information in url filtering logs using, but I want to see that in traffic log too.</P><P>It seems to be possible when I look into manual.</P><P><A href="https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/policy/identify-users-connected-through-a-proxy-server/use-xff-values-for-policies-and-logging-source-users.html#idf6817a49-c97b-4a80-9684-0c1cf3d50d56" target="_blank">https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/policy/identify-users-connected-through-a-proxy-server/use-xff-values-for-policies-and-logging-source-users.html#idf6817a49-c97b-4a80-9684-0c1cf3d50d56</A></P><P>&nbsp;</P><P>Is it impossible on AWS?</P> Fri, 07 Aug 2020 06:52:30 GMT https://live.paloaltonetworks.com/t5/general-topics/x-forwarded-for-header-in-traffic-log-on-aws-vm/m-p/342638#M85853 yhlee1 2020-08-07T06:52:30Z https://live.paloaltonetworks.com/t5/general-topics/x-forwarded-for-header-in-traffic-log-on-aws-vm/m-p/342675#M85857 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/103730">@yhlee1</a>,</P> <P>As long as your ALB is set to include the XFF header in the request this should work perfectly fine as long as you've followed the proper configuration steps for each option, this being on AWS doesn't do anything to effect that functionality. Sounds like a dumb question, but are you sure you ran a commit after you made the changes?&nbsp;</P> Fri, 07 Aug 2020 12:58:36 GMT https://live.paloaltonetworks.com/t5/general-topics/x-forwarded-for-header-in-traffic-log-on-aws-vm/m-p/342675#M85857 BPry 2020-08-07T12:58:36Z https://live.paloaltonetworks.com/t5/general-topics/x-forwarded-for-header-in-traffic-log-on-aws-vm/m-p/342891#M85887 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/103730">@yhlee1</a>&nbsp;</P> <P>Maybe another stupid question, but what type of traffic (protocol) is coming from that loadbalancer to your firewall where you expect the xff header?</P> Sun, 09 Aug 2020 11:22:17 GMT https://live.paloaltonetworks.com/t5/general-topics/x-forwarded-for-header-in-traffic-log-on-aws-vm/m-p/342891#M85887 Remo 2020-08-09T11:22:17Z https://live.paloaltonetworks.com/t5/general-topics/x-forwarded-for-header-in-traffic-log-on-aws-vm/m-p/342893#M85888 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/16592">@Remo</a>&nbsp;Alb takes care of HTTP traffic.</P><P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>&nbsp; Yes I did commit.</P><P>&nbsp;</P><P>I have to look in to it further, it's strange url filtering log has xff info, but&nbsp; not in traffic log.</P><P>&nbsp;</P> Sun, 09 Aug 2020 11:26:56 GMT https://live.paloaltonetworks.com/t5/general-topics/x-forwarded-for-header-in-traffic-log-on-aws-vm/m-p/342893#M85888 yhlee1 2020-08-09T11:26:56Z https://live.paloaltonetworks.com/t5/general-topics/x-forwarded-for-header-in-traffic-log-on-aws-vm/m-p/342901#M85891 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/103730">@yhlee1</a>&nbsp;Are you already using PAN-OS 10? Is my assumption correct that you only see something in the xff header column but not in the source user column in url logs? If yes then this behaviour is expected. If the IP in xff header would match a username in the local user-ip-mapping table, then the username would be shown in traffic log.</P> <P>&nbsp;</P> <P>The question about PAN-OS 10 is because there a feature was added that would be helpful in your case:&nbsp;<A href="https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/policy/identify-users-connected-through-a-proxy-server/use-xff-values-for-ip-based-security-policy-and-logging.html#ida9a1d4bc-33e5-4ff5-9455-fe2800cb8ff0" target="_blank">https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/policy/identify-users-connected-through-a-proxy-server/use-xff-values-for-ip-based-security-policy-and-logging.html#ida9a1d4bc-33e5-4ff5-9455-fe2800cb8ff0</A></P> <P>(PAN-OS 10 was just released and might contain (critical) bugs. It is recommended to wait until a preferred release exist to use PAN-OS 10 in a production environment)</P> Sun, 09 Aug 2020 13:23:11 GMT https://live.paloaltonetworks.com/t5/general-topics/x-forwarded-for-header-in-traffic-log-on-aws-vm/m-p/342901#M85891 Remo 2020-08-09T13:23:11Z https://live.paloaltonetworks.com/t5/general-topics/x-forwarded-for-header-in-traffic-log-on-aws-vm/m-p/342951#M85898 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/16592">@Remo</a>&nbsp;No, I'm not using PanOS 10 yet.</P><P>&nbsp;</P><P>I can see XFF info in Source User field in URL logs, but not in Traffic logs.</P><P>&nbsp;</P><P>If what you said is right, I completely thought wrong. I thought XFF info will show only if user-id is unknown.</P><P>I'll do upgrade to 10 and see what is different.</P><P>Thanks for the answers!</P> Mon, 10 Aug 2020 02:09:59 GMT https://live.paloaltonetworks.com/t5/general-topics/x-forwarded-for-header-in-traffic-log-on-aws-vm/m-p/342951#M85898 yhlee1 2020-08-10T02:09:59Z