This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Is it possible for PaloAlto to read the client IP address or User name from HTTP header (when using proxy server)?

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Is it possible for PaloAlto to read the client IP address or User name from HTTP header (when using proxy server)?

Go to solution
Gururaj
L4 Transporter

‎10-10-2013 05:08 AM

Hi All,

In our network scenario we have the Bluecoat proxy before PaloAlto, as all the users are authenticated to proxy ( in which we have user based policies) we are able to see only proxy IP address in logs and because of this we are not able to do user identification and control the traffic based on user.

But in our proxy we have the option to forward client IP and user name along with the HTTP header. Is it possible for PaloAlto to read these information from HTTP header? using this information is it possible to define user based policies and see the original client IP in logs (instead of proxy IP) along with the associated user name?

Regards,

Gururaj

0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
apasupulati
L4 Transporter

‎10-10-2013 10:17 AM

Enable the x-forwarded-for option on the PAN device, so the firewall can examine the HTTP headers for the X-Forwarded-for header which a proxy uses to store the original client IP address.

You can then verify the URL-filtering logs to see if the real client IP is showing up in the Src field.

You may also enable the Strip-x-forwarded-for option: The firewall zeros out the header value before forwarding the request, and the forwarded packets do not contain internal source IP information.

xstrip.PNG

Hope that helps!

Aditi

View solution in original post

0 Likes Likes
5 REPLIES 5

Go to solution
kdd
L4 Transporter

‎10-10-2013 06:46 AM

Hi Gururaj,

the x-forwarded-for header (xff) should be enabled on your proxy ( proxy will pass the ip-address of the client to PaloAlto) and PaloAlto should have a LDAP-connection to a AD-Server where the the user-agent (from PaloAlto) is installed on. Each client who will connect to the AD is leaving a record in the log of the AD-Server. the user-agent will send this information to PaloAlto and PA compares this with the xff-header.

This works in  a Mircosoft enviroment. There ist also an agent-less solution but i don't know much about that. Hope this helps.

Regards Klaus

0 Likes Likes

Go to solution
apasupulati
L4 Transporter

‎10-10-2013 10:17 AM

Enable the x-forwarded-for option on the PAN device, so the firewall can examine the HTTP headers for the X-Forwarded-for header which a proxy uses to store the original client IP address.

You can then verify the URL-filtering logs to see if the real client IP is showing up in the Src field.

You may also enable the Strip-x-forwarded-for option: The firewall zeros out the header value before forwarding the request, and the forwarded packets do not contain internal source IP information.

xstrip.PNG

Hope that helps!

Aditi

0 Likes Likes

Go to solution
Gururaj
L4 Transporter

‎10-16-2013 04:51 AM

Thanks Aditi/Klaus

Its worked, but only in the url filtering log it is showing x-forwarded IP ( below snap shows the same). Is it possible to get the same information for traffic, threats and datafiltering logs?

In the username field it is showing X-forwarded IP not user name, but In the user id agent 192.168.29.118 ip has mapped to name "gururaj". I have configured LDAP in PaloAlto.


x.JPG

Regards,

Gururaj

0 Likes Likes

Go to solution
Phoenix
L4 Transporter
In response to Gururaj

‎10-16-2013 07:55 AM

Hello Gururaj,

Per the Admin guide, we see that it is right now supported for URL filtering logs only. If this is needed for other log db we can go for feature request.

Thanks

0 Likes Likes

Go to solution
mbutt
L5 Sessionator

‎10-16-2013 06:46 PM

Following docs explains how to enable it and how it works.

https://live.paloaltonetworks.com/docs/DOC-1128

https://live.paloaltonetworks.com/docs/DOC-4882

.

Hope this helps.
Thanks

Numan

  • 1 accepted solution
  • 5821 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks