PA with proxy, user logging in traffic log

L2 Linker

PA with proxy, user logging in traffic log

Hi there,

we’re running the following setup on PAN-OS is 6.1:



User-ID Agent is collecting IP>User mapping.

We’re logging only Deny events in the traffic log.

We want to achieve the following:

When User A tries to open a website/app which is not allowed, we want to see in the traffic log the username and source IP address. The source IP is coming up with x-ff-header, but not the user; even if PA knows that User A has this specific IP address.

The reason is easy: We’re an almost Citrix-only shop, so IP logging only is not that helpful in this case. We could install the Citrix User-ID Agent, but at this stage even the username is not displayed when trying with a client-pc, so first things first.

A workaround that could work is the following: Enable logging for connection start (that shows the users) through proxy and check directly following entries for deny. Bu honestly, this might work for a handful user not for 700+ and that’s not very efficient.

I believe our setup is not that exotic, so we’re not the first customers who’re running into this. Maybe I just don’t see the right way… How did you solved this?

At this stage we’ve not purchased an URL-Filter license. We don’t want to oversee the users, just want to have an easy way to troubleshoot connection problems to websites; as with App-ID everything is blocked, what isn’t explicitly allowed this could become some hard times.

Thanks for helping!

L6 Presenter

Re: PA with proxy, user logging in traffic log

Hi Sven,

Please refer following document for more information.

Enabling support for the X-Forwarded-For HTTP header


Hardik Shah

L2 Linker

Re: PA with proxy, user logging in traffic log

Hi Hardik,

thanks for your answer. Unfortunately xff doesn't solve our problem at all.

We are able to map clientip to user, but that doesn't do the trick on the Citrix server; where 50 users share the same IP address. Also, with xff the User-ID Agent data is not used in the Traffic Log, which isn't really handy.

The following approach seems to be feasible for us:

Allowing the same websites/applications on the border from internal-lan to DMZ, as the proxy has, gives us the possibility to see who has tried to access a website. In this scenario the User-ID Agent does work, because the connection is established first by the Citrix server and after then handed over to the proxy.



Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!