Configuring XFF logging without a URL Filtering License

L0 Member


1. Create a Custom URL Category with * under ‘sites’ (Objects >> Custom Objects >> URL Category >> Add)

1.png

 

2. Create a URL Filtering Profile & set your Custom Category action to “alert” (Objects >> Security Profiles >> URL Filtering >> Add)

 2.png

 

Tick the box to log XFF on the ‘URL Filtering Settings’ tab…

 3.png

 

3. Create a syslog server profile & modify the custom log format settings for URL (Device >> Server Profiles >> Syslog >> Add)

4.png 5.png 6.png

 

 

4. Create a Log Forwarding Profile & point it at your syslog server (Objects >> Log Forwarding >> Add)

 7.png

 

Make sure your Log Type is ‘url’…

 8.png

 

5. Apply both the URL Filtering & Log Forwarding Profiles to your Security Policy rules (Policies >> Security)

 9.png

 

6. Commit your configuration, and observe this expected warning message

 9.png

 

7. To test, you can use a free extension to Firefox called “Modify Header Value (HTTP Headers)” by Milen Monrov. Type ‘about:addons’, click on ‘More’ & scroll down. You will have an opportunity to set up a header insertion rule like I have…

 11.png

 

If I scroll to the right, you can see I am inserting a value of 1.1.1.1…

 12.png

 

8. Pick a cleartext site against which you can validate that the header insertion is working (I use http://www.xhaus.com/headers)

 13.png

 

9. Validate that the log data being sent by the firewall includes your expected values (ultimately this will match the string setting from step #3 above, which in my case is sip=$src,xff=$xff,dip=$dst,url=$misc). You can apply the Wireshark display filter 'syslog' to match only what we are after...

 14.png

 

NOTE: Your browser will likely be sending traffic in the background that does not fire the XFF extension tool (safe browsing, etc.). Do not be alarmed if this type of traffic does not display an XFF value.
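A way to check the step 9 output offline, added here as an example and not part of the original post: it parses lines in the custom format from step 3 (sip=$src,xff=$xff,dip=$dst,url=$misc), including the empty-XFF case from the NOTE. The sample lines, their syslog header and the name `parse_url_log` are constructed for illustration, and a multi-address XFF value is an assumption about what the field may contain.

```python
import ipaddress
import re

# Custom format from step 3: sip=$src,xff=$xff,dip=$dst,url=$misc
# Anchoring on the ",dip=" and ",url=" keys instead of splitting on commas
# keeps a comma-separated XFF chain or a URL containing commas intact.
RECORD = re.compile(
    r"sip=(?P<sip>[^,]*),xff=(?P<xff>.*?),dip=(?P<dip>[^,]*),url=(?P<url>.*)$"
)

def parse_url_log(line):
    """Return the fields of one syslog line, or None if the format is absent."""
    m = RECORD.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    hops, invalid = [], []
    for part in (p.strip() for p in rec["xff"].split(",")):
        if not part:
            continue  # empty XFF: traffic that carried no header (see NOTE)
        try:
            hops.append(str(ipaddress.ip_address(part)))
        except ValueError:
            invalid.append(part)  # header is client-supplied; keep junk for review
    rec["xff_hops"] = hops
    rec["xff_invalid"] = invalid
    return rec

# Constructed sample lines (header and addresses are illustrative only).
SAMPLES = [
    "<14>Dec 30 21:54:34 fw01 sip=192.168.1.10,xff=1.1.1.1,dip=203.0.113.5,url=www.xhaus.com/headers",
    "<14>Dec 30 21:54:35 fw01 sip=192.168.1.10,xff=,dip=203.0.113.9,url=example.net/update",
    "<14>Dec 30 21:54:36 fw01 sip=192.168.1.10,xff=1.1.1.1, 10.0.0.7,dip=203.0.113.5,url=example.com/a?ids=1,2,3",
    "<14>Dec 30 21:54:37 fw01 sip=192.168.1.10,xff=unknown,dip=203.0.113.5,url=example.com/",
]

if __name__ == "__main__":
    for line in SAMPLES:
        rec = parse_url_log(line)
        print(rec["sip"], rec["xff_hops"], rec["xff_invalid"], rec["url"])
```

Because the XFF value is whatever the client sent (step 7 inserts 1.1.1.1 by hand), treat `xff_hops` as a hint for correlation rather than a verified source address.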

L4 Transporter

Re: Configuring XFF logging without a URL Filtering License

Great article! Very useful.

One small note - on step 6 I believe you got the wrong screenshot. I guess you wanted to show the warning for the no valid URL filtering during commit?

L7 Applicator

Re: Configuring XFF logging without a URL Filtering License

To prevent additional information leakage of the IP address, you should enable this option (Device > Setup > Content-ID > X-Forwarded-For Headers):

Screenshot_20181230-215434_Chrome.jpg
