We use F5 with its VIP interfaces in DMZ and is doing SSL offloading (presents a cert on the webserver's behalf allowing plain text traffic to be inspected). As in below example, external source(1.1.1.1) acesses 2.2.2.2(PA NATS to 10.10.10.10 of the F5 VIP). F5 then does SSL offload and SNAT for communication with server, but the source interface for this SNAT that it uses resides in INTERNAL network. F5 uses 172.16.16.16 as source to contact to 192.168.168.168.
With this setup when F5 (172.16.16.16) communicates with server it is in plain text and firewall is able to do inspection and drop traffic. But then for it F5 becomess the culprit while actually it is 2.2.2.2. There is no way to correlate both sides of communication and our management is not inclined towards using SSL decryption. F5 is able to insert external source IP(2.2.2.2) in to the header X-Forwarded-For. Can PA pull this information in logs. If this option "Use X-Forwarded-For Header in User-ID" is for what i am asking, I have it enabled on the firewall and all i see are our AD users and no external/internal IP in the source user field. And this webserver is heavily used from outside. Is there any other setting that i need to configure. I have it enabled on the URL profile also. Does that mean it shows results in URL logs only.
