09-05-2023 07:11 AM
Hi,
We are currently trying to solve an issue with User-ID mapping on an Exchange cluster.
This cluster is sitting behind an F5 WAF, and it is doing SNAT, therefore all requests are coming from the same IP (the IP of the WAF).
This causes the User-IP binding to nonstop update and not reflect the reality.
On F5 we have turned on the "X-Forwarded-For" header.
We have reconfigured IIS logs to show the "X-Forwarded-For" IP of the request and we can see it in the log, therefore header insertion is working.
However, as far as I know, the User-ID agent is using the Security log.
Is there any way to make this work, or do we need to use Syslog and Regexp to match it from the IIS logs?
Thank you in advance.
09-05-2023 02:37 PM
Hi,
Looking at the admin guide, this may be easy to do. Under Device > Setup > Content-ID there is an option for X-Forwarded-For headers; in this there is a drop-down to enable it for User-ID or for security policy, and then another option to strip this as the traffic passes. This would be the first place to look. I think it is fully covered in the User-ID section of the admin guide. This is on version 10.1 and above; you do not mention what version you are on, but as User-ID is fairly static in the methods to get User-ID data in, I presume that some older versions also support it.
Hope this helps.
09-06-2023 12:13 AM
Hi,
I have seen this part of the admin guide, and we have it "ON" for a different reason. However, the traffic flow is like this:
PA--------->F5>---------Exch Cluster
The header is added at the F5 and it does not traverse the PA after the header is added.
Currently running 11.0.2.
09-06-2023 08:02 AM
Oh I see, I had your traffic flow all wrong. Yes, I would imagine that, as the only device to see the X-Forwarded-For header is IIS and that is where you are pulling your User-ID from, you will need to use the regex to get it from IIS.
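The approach the thread settles on (pulling the user-to-IP mapping out of the IIS log instead of the Security log) is sketched here as an added example; it is not part of the original posts and not Palo Alto or F5 code. It assumes the custom IIS field is named `X-Forwarded-For` and that the F5 is the only proxy and appends the address it saw as the last entry, so anything to the left of it is client-supplied and is ignored.

```python
import ipaddress

# Constructed sample of an IIS W3C log with a custom X-Forwarded-For field.
# IIS writes spaces inside a field value as '+'. The field name is an assumption.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-username c-ip sc-status X-Forwarded-For
2023-09-05 07:11:02 10.0.0.20 POST /EWS/Exchange.asmx CORP\\alice 10.0.0.5 200 192.0.2.10
2023-09-05 07:11:03 10.0.0.20 GET /owa/ - 10.0.0.5 401 192.0.2.11
2023-09-05 07:11:04 10.0.0.20 POST /mapi/emsmdb bob@corp.example 10.0.0.5 200 203.0.113.9,+192.0.2.12
2023-09-05 07:11:05 10.0.0.20 GET /owa/ CORP\\carol 10.0.0.5 200 not-an-ip
2023-09-05 07:12:00 10.0.0.20 GET /owa/ CORP\\alice 10.0.0.5 200 192.0.2.30
"""

def client_ip(xff):
    """Return the address the trusted proxy appended (last entry), or None."""
    last = xff.replace("+", " ").split(",")[-1].strip()
    try:
        return str(ipaddress.ip_address(last))
    except ValueError:
        return None

def parse_mappings(log_text, xff_field="X-Forwarded-For"):
    """Yield (timestamp, user, ip) for authenticated requests with a valid XFF."""
    fields = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order is declared by the log itself
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        user = row.get("cs-username", "-")
        ip = client_ip(row.get(xff_field, "-"))
        if user == "-" or ip is None:
            continue  # anonymous request or unusable header: no mapping
        yield f"{row['date']} {row['time']}", user.lower(), ip

def latest_by_ip(log_text):
    """Collapse to the most recent user seen per client IP."""
    table = {}
    for ts, user, ip in parse_mappings(log_text):
        table[ip] = (user, ts)
    return table
```

Rows where `c-ip` is the WAF's SNAT address never feed the mapping; only the validated header value does, so the header is only as trustworthy as the guarantee that clients cannot reach IIS without passing through the F5.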