Configuring XFF logging without a URL Filtering License



1. Create a Custom URL Category with * under ‘sites’ (Objects >> Custom Objects >> URL Category >> Add)

1.png


2. Create a URL Filtering Profile & set your Custom Category action to “alert” (Objects >> Security Profiles >> URL Filtering >> Add)

 2.png


Tick the box to log XFF on the ‘URL Filtering Settings’ tab…

 3.png


3. Create a syslog server profile & modify the custom log format settings for URL (Device >> Server Profiles >> Syslog >> Add)

4.png 5.png 6.png

4. Create a Log Forwarding Profile & point it at your syslog server (Objects >> Log Forwarding >> Add)

 7.png


Make sure your Log Type is ‘url’…

 8.png


5. Apply both the URL Filtering & Log Forwarding Profiles to your Security Policy rules (Policies >> Security)

 9.png


6. Commit your configuration, and observe this expected warning message

 9.png


7. To test, you can use a free Firefox extension called “Modify Header Value (HTTP Headers)” by Milen Monrov. Type ‘about:addons’, click on ‘More’ & scroll down. You will have an opportunity to set up a header insertion rule like I have…

 11.png


If I scroll to the right, you can see I am inserting a value of 1.1.1.1…

 12.png


8. Pick a cleartext site against which you can validate that the header insertion is working (I use http://www.xhaus.com/headers)

 13.png


9. Validate that the log data being sent by the firewall includes your expected values (ultimately this will match the string setting from step #3 above, which in my case is sip=$src,xff=$xff,dip=$dst,url=$misc). You can apply the Wireshark display filter 'syslog' to match only what we are after...

 14.png


NOTE: Your browser will likely be sending traffic in the background that does not fire the XFF extension tool (safe browsing, etc.). Do not be alarmed if this type of traffic does not display an XFF value.
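As an added example (not part of the original post or of any Palo Alto Networks tooling), here is a small Python parser for the custom URL log string from step 3, run over a few constructed syslog lines of the kind you would see in the Wireshark capture from step 9. The syslog prefix, the hostname fw01, the addresses and the URLs are all made up for the example. Because the XFF value is whatever the client or an upstream proxy put in the header (step 7 inserts it from the browser), the parser validates it as an IP address and counts lines where it is absent, which is the background traffic the NOTE above describes.

```python
import ipaddress
import re
from typing import Optional

# Matches the custom log format from step 3: sip=$src,xff=$xff,dip=$dst,url=$misc
# 'url' is the last field and is matched greedily, so a URL containing commas
# is not split apart by the comma-separated layout.
LOG_FORMAT = re.compile(
    r"sip=(?P<sip>[^,]*),xff=(?P<xff>[^,]*),dip=(?P<dip>[^,]*),url=(?P<url>.*)$"
)

# Constructed sample syslog lines (not captured from a real firewall).
SAMPLE_LINES = [
    "<14>Jan  5 10:00:01 fw01 sip=10.0.0.5,xff=1.1.1.1,dip=203.0.113.10,url=www.xhaus.com/headers",
    "<14>Jan  5 10:00:02 fw01 sip=10.0.0.5,xff=,dip=203.0.113.20,url=updates.example/safebrowsing",
    "<14>Jan  5 10:00:03 fw01 sip=10.0.0.7,xff=not-an-ip,dip=203.0.113.30,url=example.test/a,b",
    "<14>Jan  5 10:00:04 fw01 unrelated message without the custom fields",
]


def is_ip(value: str) -> bool:
    """True if value parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def parse_line(line: str) -> Optional[dict]:
    """Extract sip/xff/dip/url from one syslog line, or None if the
    custom format is not present (e.g. a non-URL log forwarded by mistake)."""
    match = LOG_FORMAT.search(line)
    if not match:
        return None
    record = match.groupdict()
    # XFF is client-supplied, so record whether it is even a well-formed address.
    record["xff_valid"] = is_ip(record["xff"])
    return record


def summarize(lines) -> dict:
    """Count parsed records, records carrying an XFF value, records without one
    (expected for background traffic) and records whose XFF is not an IP."""
    parsed = [r for r in (parse_line(line) for line in lines) if r is not None]
    return {
        "parsed": len(parsed),
        "with_xff": sum(1 for r in parsed if r["xff"]),
        "missing_xff": sum(1 for r in parsed if not r["xff"]),
        "invalid_xff": sum(1 for r in parsed if r["xff"] and not r["xff_valid"]),
    }


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(parse_line(line))
    print(summarize(SAMPLE_LINES))
```

The "invalid_xff" counter is the one worth alerting on in a SIEM: the firewall logs the header as received, so a value that is not an address tells you a client is sending a malformed or deliberately odd header rather than a proxy faithfully relaying an origin IP.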

2 REPLIES

Great article! Very useful.


One small note - on step 6 I believe you got the wrong screenshot. I guess you wanted to show the warning for the no valid URL filtering during commit?

To prevent additional information leakage of the IP address, you should enable this option (Device>Setup>Content-ID>X-Forwarded-For Headers):

Screenshot_20181230-215434_Chrome.jpg
