Is it possible for PaloAlto to read the client IP address or User name from HTTP header (when using proxy server)?

L4 Transporter

Hi All,

In our network scenario we have the Bluecoat proxy before PaloAlto. As all the users are authenticated to the proxy (in which we have user-based policies), we are able to see only the proxy IP address in logs, and because of this we are not able to do user identification and control the traffic based on user.

But in our proxy we have the option to forward the client IP and user name along with the HTTP header. Is it possible for PaloAlto to read this information from the HTTP header? Using this information, is it possible to define user-based policies and see the original client IP in logs (instead of the proxy IP) along with the associated user name?

Regards,

Gururaj

1 accepted solution

Accepted Solutions

L4 Transporter

Enable the x-forwarded-for option on the PAN device, so the firewall can examine the HTTP headers for the X-Forwarded-for header which a proxy uses to store the original client IP address.

You can then verify the URL-filtering logs to see if the real client IP is showing up in the Src field.

You may also enable the Strip-x-forwarded-for option: The firewall zeros out the header value before forwarding the request, and the forwarded packets do not contain internal source IP information.

xstrip.PNG

Hope that helps!

Aditi
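
The behaviour described in the accepted answer, as an added Python sketch that is not part of the original post and is not PAN-OS code: the X-Forwarded-For value is honoured only when the request arrives from the known proxy, the resolved address is looked up in an IP-to-user table, and the header is blanked before forwarding. The proxy address `10.0.0.5`, the function names and the assumption that the proxy appends the client address as the last entry are hypothetical; the `192.168.29.118` to `gururaj` mapping is the one mentioned in the thread.

```python
import ipaddress

# Constructed sample values: the proxy address is hypothetical; the IP-to-user
# mapping mirrors the one mentioned in the thread (192.168.29.118 -> gururaj).
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}
IP_USER_MAP = {"192.168.29.118": "gururaj"}


def client_from_xff(peer_ip, headers):
    """Return (client_ip, user) for a request received from peer_ip.

    The X-Forwarded-For value is honoured only when the TCP peer is a trusted
    proxy; from any other sender the header is client-controlled and ignored.
    """
    peer = ipaddress.ip_address(peer_ip)
    xff = next((v for k, v in headers.items()
                if k.lower() == "x-forwarded-for"), None)
    client = peer
    if xff and peer in TRUSTED_PROXIES:
        # Assumption: the trusted proxy appends the address it saw, so the
        # rightmost entry is the only one it vouches for; earlier entries
        # were supplied by the client and may be forged.
        candidate = xff.split(",")[-1].strip()
        try:
            client = ipaddress.ip_address(candidate)
        except ValueError:
            pass  # malformed value: fall back to the peer address
    return str(client), IP_USER_MAP.get(str(client))


def strip_xff(headers):
    """Copy of headers with X-Forwarded-For blanked before forwarding, so
    internal source addresses do not leave the network. Blanking the value is
    this sketch's simplification of the header being zeroed out."""
    return {k: ("" if k.lower() == "x-forwarded-for" else v)
            for k, v in headers.items()}
```
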

5 REPLIES

L4 Transporter

Hi Gururaj,

The x-forwarded-for header (xff) should be enabled on your proxy (the proxy will pass the IP address of the client to PaloAlto), and PaloAlto should have an LDAP connection to an AD server on which the user-agent (from PaloAlto) is installed. Each client that connects to the AD leaves a record in the log of the AD server. The user-agent will send this information to PaloAlto, and PA compares this with the xff header.

This works in a Microsoft environment. There is also an agent-less solution, but I don't know much about that. Hope this helps.

Regards Klaus

L4 Transporter

Thanks Aditi/Klaus

It worked, but only in the URL filtering log is it showing the x-forwarded IP (the snapshot below shows the same). Is it possible to get the same information for traffic, threats and data filtering logs?

In the username field it is showing the X-forwarded IP, not the user name, but in the User-ID agent the IP 192.168.29.118 is mapped to the name "gururaj". I have configured LDAP in PaloAlto.


x.JPG

Regards,

Gururaj

Hello Gururaj,

Per the Admin guide, we see that it is right now supported for URL filtering logs only. If this is needed for other log DBs, we can go for a feature request.

Thanks

L5 Sessionator

The following docs explain how to enable it and how it works.

https://live.paloaltonetworks.com/docs/DOC-1128

https://live.paloaltonetworks.com/docs/DOC-4882

Hope this helps.
Thanks

Numan
