This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

HTTP Header - Logging NTLM Username

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

HTTP Header - Logging NTLM Username

ASCIT
L2 Linker

‎01-29-2015 09:23 PM

My PA firewall inspects traffic between my users and proxy server. The proxy server provides NTLM authentication. Is there a way of logging the NTLM authenticated username within the http headers?

0 Likes Likes
6 REPLIES 6

HULK
L7 Applicator

‎01-29-2015 11:30 PM

Hello Ascit,

I am not clear, what you want to achieve. HTTP header is not having a field for user. Could you please explain your requirement here in details.

Check out this discussion thread:

Re: Captive portal, manage authenticated users

Thanks

0 Likes Likes

Dz3015
L4 Transporter
In response to HULK

‎01-30-2015 06:06 AM

HULK, in this instance the PA is not acting as the proxy it sound like.  The PA is in between the proxy and the user and is able to inspect that traffic.

ascit, I believe that the NTLM portion of the traffic is not within the HTTP header but in a separate NTLM header in the packet.  I don't know if the PA would recognize the traffic separately once it ID's the traffic as HTTP.

0 Likes Likes

ASCIT
L2 Linker
In response to Dz3015

‎02-01-2015 09:51 PM

Correct, I'm hoping to some how log the NTLM User name field:

ntlm.png

0 Likes Likes

reaper
Cyber Elite
Cyber Elite
In response to ASCIT

‎02-01-2015 11:29 PM

Hi Ascit

The firewall can not log this specific entry as a straight forward log option.

It can however be inspected to trigger a custom app or custom threat.

Through captive portal the firewall can also provide ntlm user authentication or could be configured to receive syslog from the proxy containing user information

Video Link : 1317

How to Configure Captive Portal

How to Locate the Predefined Syslog Filters in PAN-OS

hope this helps

Tom

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
0 Likes Likes

kdd
L4 Transporter
In response to reaper

‎06-19-2015 01:52 AM

Hi ascit,

if you just want to identify the user coming from proxy, then there is a way to find out who it is.

Therefor the x-forwarded-for field has to be enabled on proxy and PA.

On PA:

xff.JPG

to find out which ip-adress it is look into the URL-log:

Unbenannt.JPG

to get filled the URL-log you need the URL-license. Maybe this result is not what you need but that is what is possible right now.

Regards,

Klaus

0 Likes Likes

kdd
L4 Transporter

‎06-19-2015 03:16 AM

Hi ascit,

if you just want to identify the user coming from proxy, then there is a way to find out who it is.

Therefor the x-forwarded-for field has to be enabled on proxy and PA.

On PA:

xff.JPG

to find out which ip-adress it is look into the URL-log:

Unbenannt.JPG

to get filled the URL-log you need the URL-license. Maybe this result is not what you need but that is what is possible right now.

Regards,

Klaus

0 Likes Likes
  • 3905 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks