x-forwarded-for header in traffic log on AWS VM

L2 Linker

Hello,

My FW is behind an ALB, so I want to see the original source IP.

I enabled the "use x-forwarded-for header in user-id" setting and User-ID on the zone.

But there is no info in the source user column of the traffic log.

I can see the information in the URL filtering logs, but I want to see that in the traffic log too.

It seems to be possible when I look into the manual.

https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/policy/identify-users-connected-through-a-...

Is it impossible on AWS?


Accepted Solutions
Cyber Elite

@yhlee1 Are you already using PAN-OS 10? Is my assumption correct that you only see something in the XFF header column but not in the source user column in URL logs? If yes, then this behaviour is expected. If the IP in the XFF header matched a username in the local user-IP mapping table, then the username would be shown in the traffic log.

The question about PAN-OS 10 is because a feature was added there that would be helpful in your case: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/policy/identify-users-connected-through-a...

(PAN-OS 10 was just released and might contain (critical) bugs. It is recommended to wait until a preferred release exists before using PAN-OS 10 in a production environment.)

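A small model of the behaviour @vsys_remo describes, added here as an illustration rather than Palo Alto code: the client address is taken from the XFF header (only the entry appended by the trusted ALB, since a client can write anything into the header it sends itself) and the Source User is filled only when that address has an entry in the user-IP mapping. The mapping entries and the single trusted proxy hop are assumed values, not something from the thread.

```python
import ipaddress
from typing import Dict, Optional

# Constructed stand-in for the firewall's local user-IP mapping table
# (the entries are invented for this illustration).
USER_IP_MAPPING: Dict[str, str] = {
    "10.20.30.40": "corp\\alice",
    "10.20.30.41": "corp\\bob",
}


def client_ip_from_xff(xff: str, trusted_proxies: int = 1) -> Optional[str]:
    """Pick the client address out of an X-Forwarded-For value.

    Each proxy appends the address it accepted the connection from, so only
    the rightmost `trusted_proxies` entries were written by proxies we control
    (one for a single ALB in front of the firewall). Anything to the left was
    supplied by the client itself and may be forged, so it is never used.
    """
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    if trusted_proxies < 1 or len(hops) < trusted_proxies:
        return None
    candidate = hops[-trusted_proxies]
    try:
        ipaddress.ip_address(candidate)  # reject garbage such as "unknown"
    except ValueError:
        return None
    return candidate


def source_user_for_log(xff: Optional[str],
                        mapping: Dict[str, str] = USER_IP_MAPPING,
                        trusted_proxies: int = 1) -> Optional[str]:
    """Model of the answer above: the XFF address only becomes a Source User
    when it matches an entry in the user-IP mapping; otherwise the column
    stays empty even though the XFF column itself is populated."""
    if not xff:
        return None
    ip = client_ip_from_xff(xff, trusted_proxies)
    return mapping.get(ip) if ip else None


if __name__ == "__main__":
    for header in ("10.20.30.40", "203.0.113.7", "10.20.30.40, 203.0.113.7"):
        print(f"XFF={header!r:32} source user={source_user_for_log(header)}")
```

The third sample header shows why the leftmost entry is ignored: a client could prepend a mapped internal address, but the ALB-appended address is the one that is looked up.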


All Replies
Cyber Elite

@yhlee1,

As long as your ALB is set to include the XFF header in the request, this should work perfectly fine, provided you've followed the proper configuration steps for each option; being on AWS doesn't do anything to affect that functionality. Sounds like a dumb question, but are you sure you ran a commit after you made the changes?

Cyber Elite

Hi @yhlee1 

Maybe another stupid question, but what type of traffic (protocol) is coming from that load balancer to your firewall where you expect the XFF header?

L2 Linker

@vsys_remo The ALB takes care of HTTP traffic.

@BPry Yes, I did commit.

I have to look into it further; it's strange that the URL filtering log has XFF info, but the traffic log does not.


L2 Linker

@vsys_remo No, I'm not using PAN-OS 10 yet.

I can see XFF info in the Source User field in URL logs, but not in Traffic logs.

If what you said is right, I had it completely wrong. I thought XFF info would show only if the User-ID is unknown.

I'll upgrade to 10 and see what is different.

Thanks for the answers!
