08-06-2020 11:52 PM
Hello,
My FW is behind ALB, so I want to see original Src IP.
I enabled the "use x-forwarded-for header in user-id" setting and User-ID on the zone.
But there is no info in the source user column in the traffic log.
I can see the information in the URL filtering logs, but I want to see it in the traffic log too.
It seems to be possible when I look into the manual.
Is it impossible on AWS?
08-09-2020 06:23 AM
@yhlee1 Are you already using PAN-OS 10? Is my assumption correct that you only see something in the XFF header column but not in the source user column in the URL logs? If yes, then this behaviour is expected. If the IP in the XFF header matched a username in the local user-ip-mapping table, then the username would be shown in the traffic log.
The question about PAN-OS 10 is because a feature was added there that would be helpful in your case: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/policy/identify-users-connected-through-a...
(PAN-OS 10 was just released and might contain (critical) bugs. It is recommended to wait until a preferred release exists before using PAN-OS 10 in a production environment.)
08-07-2020 05:58 AM
As long as your ALB is set to include the XFF header in the request, this should work perfectly fine, as long as you've followed the proper configuration steps for each option; this being on AWS doesn't do anything to affect that functionality. Sounds like a dumb question, but are you sure you ran a commit after you made the changes?
08-09-2020 04:22 AM
Hi @yhlee1
Maybe another stupid question, but what type of traffic (protocol) is coming from that load balancer to your firewall where you expect the XFF header?
08-09-2020 07:09 PM
@Remo No, I'm not using PAN-OS 10 yet.
I can see XFF info in the Source User field in URL logs, but not in Traffic logs.
If what you said is right, I had it completely wrong. I thought XFF info would show only if the user-id is unknown.
I'll upgrade to 10 and see what is different.
Thanks for the answers!