HTTP Header - Logging NTLM Username

L2 Linker

My PA firewall inspects traffic between my users and the proxy server. The proxy server provides NTLM authentication. Is there a way of logging the NTLM authenticated username within the HTTP headers?

L7 Applicator

Hello Ascit,

I am not clear what you want to achieve. The HTTP header does not have a field for the user. Could you please explain your requirement here in detail?

Check out this discussion thread:

Re: Captive portal, manage authenticated users

Thanks

L4 Transporter

HULK, in this instance the PA is not acting as the proxy, it sounds like. The PA is in between the proxy and the user and is able to inspect that traffic.

ascit, I believe that the NTLM portion of the traffic is not within the HTTP header but in a separate NTLM header in the packet. I don't know if the PA would recognize the traffic separately once it ID's the traffic as HTTP.

L2 Linker

Correct, I'm hoping to somehow log the NTLM User name field:

ntlm.png
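
Added example (not part of the original thread and not Palo Alto Networks code): the user name asked about here travels in the NTLM AUTHENTICATE (Type 3) message, which the client base64-encodes into the `Proxy-Authorization: NTLM ...` request header sent to the proxy. The Python below decodes such a header value for logging; `ntlm_identity`, `read_field` and `build_sample` are hypothetical names, the sample token is constructed, and `cp437` as the OEM fallback code page is an assumption.

```python
import base64
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"
NEGOTIATE_UNICODE = 0x00000001  # NTLMSSP_NEGOTIATE_UNICODE: strings are UTF-16LE

def read_field(msg, pos):
    """Follow the (len, maxlen, offset) descriptor at pos to the bytes it names."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("field points outside the message")
    return msg[offset:offset + length]

def ntlm_identity(header_value):
    """Return (domain, user, workstation) from an NTLM Type 3 token, else None."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not token:
        return None
    try:
        msg = base64.b64decode(token.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(msg) < 64 or not msg.startswith(NTLMSSP_SIG):
        return None
    if struct.unpack_from("<I", msg, 8)[0] != 3:
        return None  # Type 1 (negotiate) and Type 2 (challenge) carry no user name
    flags = struct.unpack_from("<I", msg, 60)[0]
    codec = "utf-16-le" if flags & NEGOTIATE_UNICODE else "cp437"  # OEM page assumed
    try:
        # Domain, user and workstation descriptors sit at offsets 28, 36 and 44
        return tuple(read_field(msg, p).decode(codec, "replace") for p in (28, 36, 44))
    except ValueError:
        return None

def build_sample(domain, user, workstation):
    """Constructed Type 3 message with empty responses (not a real capture)."""
    fields, payload, offset = b"", b"", 64
    for text in ("", "", domain, user, workstation, ""):  # LM, NT, dom, user, host, key
        data = text.encode("utf-16-le")
        fields += struct.pack("<HHI", len(data), len(data), offset)
        payload += data
        offset += len(data)
    msg = NTLMSSP_SIG + struct.pack("<I", 3) + fields
    return "NTLM " + base64.b64encode(msg + struct.pack("<I", 1) + payload).decode()

if __name__ == "__main__":
    print(ntlm_identity(build_sample("CORP", "jdoe", "WS01")))
```

Only the third message of the handshake yields a result; the negotiate and challenge messages return `None`, as do non-NTLM schemes and malformed tokens.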

L7 Applicator

Hi Ascit

The firewall cannot log this specific entry as a straightforward log option.

It can however be inspected to trigger a custom app or custom threat.

Through captive portal the firewall can also provide NTLM user authentication, or could be configured to receive syslog from the proxy containing user information.

How to Configure Captive Portal

How to Locate the Predefined Syslog Filters in PAN-OS

Hope this helps

Tom

reaper - PANgurus.com
Find my book at https://www.amazon.com/dp/1789956374
L4 Transporter

Hi ascit,

If you just want to identify the user coming from the proxy, then there is a way to find out who it is.

Therefore, the x-forwarded-for field has to be enabled on the proxy and the PA.

On PA:

xff.JPG

To find out which IP address it is, look into the URL log:

Unbenannt.JPG

To get the URL log filled, you need the URL license. Maybe this result is not what you need, but that is what is possible right now.

Regards,

Klaus
