x-forwarded-for header parsing.

L3 Networker

With the command "set system setting ctd x-forwarded-for yes" the x-forwarded-for header is parsed to populate the source.user field in the logs.

However, which exact header is actually being parsed with this command?

Is it "x-forwarded-for"? (according to the CLI guide)

Or is it "x-fwd-for"? (according to the KB article)

Or both?

Can it be changed?

How?

Thanks,

Bart


Accepted Solutions

L5 Sessionator

The HTTP header is "X-Forwarded-For", as noted in the Admin and CLI guides. If you provide me a link to the KB article in question, I can have it updated. My guess is that someone shortened it to "x-fwd-for" because it's easier to type.

--Doris

All Replies

L3 Networker

Anyone?

L6 Presenter

Would be great if someone from PA could answer.

L6 Presenter

I guess its

Also, looking in the CLI guide, there are both:

set deviceconfig setting ctd x-forwarded-for yes

set system setting ctd x-forwarded-for yes

What's the difference between the above (perhaps it could be described in the KB as well)?

L5 Sessionator

There is no difference between the two commands; they do exactly the same thing. We most likely will not remove the duplicate command since it may cause migration issues.

Thanks,

Doris

L3 Networker

I still didn't manage to get this working in our lab infra:

admin@lab01(active)> show system setting ctd state
Notify user for APP block     : no
Alternative AHO               : no
Skip CTD                      : no
Parse x-forwarded-for         : yes
Strip x-fwd-for               : no
Bloom Filter                  : yes
HTTP Proxy Use Transaction    : yes
Enable Regex Statistics       : no
URL Category Query Timeout    : 5
Bypass when exceeds queue limit: yes
packets queued for packet capture: 5
whether to do packet capture after: yes
max. loop for packets processing: 1024
Not to Block HTTP Range request: yes
CTD ID                        : 1
CTD Allocator Usage           : 92%(44 MB)
AHO Allocator Usage           : 87%(97 MB)

Packet capture of a GET request:

GET http://www.microsoft.com/ HTTP/1.1
Host: www.microsoft.com
Pragma: no-cache
Cache-Control: no-cache
X-Forwarded-For: 10.255.224.130
Proxy-Connection: Keep-Alive
X-BlueCoat-Via: 36967894f0722148

I have also enabled user-id on the incoming zone.

That should be all to get this working according to the DOC.

What else could be wrong?
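The capture above shows the header the firewall is asked to parse. As an added illustration, not PAN-OS code and not from anyone in this thread, the following Python parses such a request, matches the header name case-insensitively (so "x-forwarded-for" matches while "x-fwd-for" would not), and honours the forwarded client address only when the request arrived from a known proxy, since any sender can write this header. The trusted-proxy set, the second hop in the sample and the behaviour attributed to the strip option are assumptions.

```python
import re
from typing import Dict, Optional, Set

# Constructed sample modelled on the GET request captured in the post above, with a
# second hop added to show the comma-separated chain that several proxies produce.
# 192.0.2.10 is a documentation address standing in for an upstream proxy.
SAMPLE_REQUEST = (
    "GET http://www.microsoft.com/ HTTP/1.1\r\n"
    "Host: www.microsoft.com\r\n"
    "Pragma: no-cache\r\n"
    "Cache-Control: no-cache\r\n"
    "X-Forwarded-For: 10.255.224.130, 192.0.2.10\r\n"
    "Proxy-Connection: Keep-Alive\r\n"
    "X-BlueCoat-Via: 36967894f0722148\r\n"
    "\r\n"
)

def parse_headers(raw: str) -> Dict[str, str]:
    """Return headers keyed by lower-cased name: HTTP header names are case-insensitive,
    so "x-forwarded-for" and "X-Forwarded-For" match, but "x-fwd-for" would not."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def forwarded_client(headers: Dict[str, str], peer_ip: str,
                     trusted_proxies: Set[str]) -> Optional[str]:
    """Choose the client address to log from X-Forwarded-For.
    The header is set by whoever sends the request, so it is honoured only when the
    TCP peer is a known proxy. The chain is read right to left past trusted proxies;
    the first other address is the client. None means "log the TCP source instead"."""
    if peer_ip not in trusted_proxies:
        return None
    xff = headers.get("x-forwarded-for")
    if xff is None:
        return None
    for hop in reversed([h.strip() for h in xff.split(",")]):
        if hop and hop not in trusted_proxies:
            return hop
    return None

def strip_xff(raw: str) -> str:
    """Drop the header before forwarding, the behaviour the 'Strip x-fwd-for' line in
    the ctd state output above names (assumption: the option does only that)."""
    return re.sub(r"(?im)^x-forwarded-for:[^\r\n]*\r\n", "", raw)
```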

L4 Transporter

I think this only works with URL filtering log.

Are you trying to parse in traffic log?

Regards,

L3 Networker

Yes indeed, I was looking into the traffic logs. There is no URL filtering on this box.

Can someone from PA confirm that this only works for URL filtering logs?

L3 Networker

Thanks emr,

I indeed found the answer here: https://live.paloaltonetworks.com/docs/DOC-1528
