HTTP Header - Logging NTLM Username

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

HTTP Header - Logging NTLM Username

L2 Linker

My PA firewall inspects traffic between my users and proxy server. The proxy server provides NTLM authentication. Is there a way of logging the NTLM authenticated username within the http headers?

6 REPLIES 6

L7 Applicator

Hello Ascit,

I am not clear, what you want to achieve. HTTP header is not having a field for user. Could you please explain your requirement here in details.

Check out this discussion thread:

Re: Captive portal, manage authenticated users

Thanks

HULK, in this instance the PA is not acting as the proxy it sound like.  The PA is in between the proxy and the user and is able to inspect that traffic.

ascit, I believe that the NTLM portion of the traffic is not within the HTTP header but in a separate NTLM header in the packet.  I don't know if the PA would recognize the traffic separately once it ID's the traffic as HTTP.

Correct, I'm hoping to some how log the NTLM User name field:

ntlm.png

Hi Ascit

The firewall can not log this specific entry as a straight forward log option.

It can however be inspected to trigger a custom app or custom threat.

Through captive portal the firewall can also provide ntlm user authentication or could be configured to receive syslog from the proxy containing user information

Video Link : 1317

How to Configure Captive Portal

How to Locate the Predefined Syslog Filters in PAN-OS

hope this helps

Tom

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

L4 Transporter

Hi ascit,

if you just want to identify the user coming from proxy, then there is a way to find out who it is.

Therefor the x-forwarded-for field has to be enabled on proxy and PA.

On PA:

xff.JPG

to find out which ip-adress it is look into the URL-log:

Unbenannt.JPG

to get filled the URL-log you need the URL-license. Maybe this result is not what you need but that is what is possible right now.

Regards,

Klaus

L4 Transporter

Hi ascit,

if you just want to identify the user coming from proxy, then there is a way to find out who it is.

Therefor the x-forwarded-for field has to be enabled on proxy and PA.

On PA:

xff.JPG

to find out which ip-adress it is look into the URL-log:

Unbenannt.JPG

to get filled the URL-log you need the URL-license. Maybe this result is not what you need but that is what is possible right now.

Regards,

Klaus

  • 3350 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!