
User ID mapping from Exchange logs behind F5 loadbalancer


L0 Member

Hi,

 

We are currently trying to solve an issue with User ID mapping on an Exchange cluster.

This cluster is sitting behind an F5 WAF, and it is doing SNAT, therefore all requests are coming from the same IP (the IP of the WAF).

This causes the User-IP binding to update nonstop and not reflect reality.

 

On F5 we have turned on the "X-Forwarded-For" header. 

We have reconfigured IIS logs to show the "X-Forwarded-For" IP of the request and we can see it in the log, therefore header insertion is working. 

 

However, as far as I know, the User ID agent is using the Security log.

 

Is there any way to make this work, or do we need to use Syslog and Regexp to match it from IIS logs?

 

Thank you in advance. 

 

 

 

3 REPLIES

L4 Transporter

Hi 

 

Looking at the admin guide, this may be easy to do. Under Device > Setup > Content-ID there is an option for X-Forwarded-For headers; in this there is a drop-down to enable it for User-ID or for security policy, and then another option to strip this as the traffic passes. This would be the first place to look; I think it is fully covered in the User-ID section of the admin guide. This is on version 10.1 and above. You do not mention what version you are on, but as User-ID is fairly static in the methods to get User-ID data in, I presume that some older versions also support it.

 

Hope this helps.

 

 

PCCSA PCNSA PCNSE PCSAE
Mode44 LTD Palo Alto Consultants

L0 Member

Hi,

 

I have seen this part of the admin guide, and we have it "ON" for a different reason. However, the traffic flow is like this:

 

PA ---------> F5 ---------> Exch Cluster

The header is added at the F5 and it does not traverse the PA after the header is added.

 

Currently running 11.0.2.

L4 Transporter

Oh I see, I had your traffic flow all wrong. Yes, I would imagine that, as the only device to see the X-Forwarded-For header is IIS and that is where you are pulling your User-ID from, you will need to use the regex to get it from IIS.

PCCSA PCNSA PCNSE PCSAE
Mode44 LTD Palo Alto Consultants
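
The IIS-log approach this thread settles on, as an added example that is not part of any post above: a parser that reads W3C-format IIS log lines, takes the client address from the forwarded-for column only when the request arrived from the WAF's SNAT address, and emits one flat line per mapping that a single regex can match. The custom field name `X-Forwarded-For`, the SNAT address `10.0.0.5`, the sample log lines and the output line format are all constructed assumptions.

```python
import ipaddress

# Assumptions for this example: the WAF SNAT address, the name given to the
# custom IIS log field, and every log line below (constructed sample data).
WAF_SNAT_IPS = {"10.0.0.5"}
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem s-port cs-username c-ip sc-status X-Forwarded-For
2024-01-10 08:00:01 10.0.1.20 POST /EWS/Exchange.asmx 443 CONTOSO\alice 10.0.0.5 200 192.168.10.21
2024-01-10 08:00:02 10.0.1.20 GET /owa/ 443 - 10.0.0.5 401 192.168.10.22
2024-01-10 08:00:03 10.0.1.20 POST /mapi/emsmdb 443 CONTOSO\bob 10.0.0.5 200 1.2.3.4,+192.168.10.23
2024-01-10 08:00:04 10.0.1.20 GET /owa/ 443 CONTOSO\eve 10.0.9.9 200 192.168.10.99
2024-01-10 08:00:05 10.0.1.20 GET /owa/ 443 CONTOSO\carol 10.0.0.5 200 not-an-ip
"""

def user_ip_mappings(log_text, trusted_proxies=WAF_SNAT_IPS, xff_field="X-Forwarded-For"):
    """Return (username, client_ip) pairs from W3C-format IIS log text."""
    fields, out = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split(" ")))
        user = row.get("cs-username", "-")
        peer = row.get("c-ip")
        xff = row.get(xff_field, "-")
        # Skip unauthenticated requests, and requests that did not arrive via
        # the WAF: their forwarded-for value is whatever the client sent.
        if user == "-" or xff == "-" or peer not in trusted_proxies:
            continue
        # IIS writes spaces as "+". The last entry is the one appended by the
        # nearest proxy (assumed here to be the F5); earlier ones are untrusted.
        candidate = xff.replace("+", "").split(",")[-1]
        try:
            out.append((user, str(ipaddress.ip_address(candidate))))
        except ValueError:
            continue  # malformed value, never map it
    return out

def to_syslog_lines(mappings):
    """Flatten mappings into a constructed 'user=... ip=...' line format."""
    return [f"exchange-login user={u} ip={ip}" for u, ip in mappings]

if __name__ == "__main__":
    print("\n".join(to_syslog_lines(user_ip_mappings(SAMPLE_LOG))))
```

Restricting the mapping to rows whose `c-ip` is the WAF address matters because any host that can reach IIS directly can set the header to an arbitrary value.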