x-forwarded-for header parsing.

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

x-forwarded-for header parsing.

L3 Networker

With the command "set system setting ctd x-forwarded-for yes" the x-forwarded-for header is parsed to populate the source.user field in the logs.

However, which exact header is actually being parsed with this command?

Is it "x-forwarded-for"  ? ( according to the CLI guide)

Or is it "x-fwd-for" ? (according to the KB article)

or both ?

Can it be changed ?

How  ?

Thanks,

Bart

1 accepted solution

Accepted Solutions

L5 Sessionator

The HTTP header is "X-Forwarded-For" , as noted in the Admin and CLI guides.  If you provide me a link to the KB article in question, I can have it updated.  My guess is that someone shortened it to "x-fwd-for" because it's easier to type.  Smiley Wink

--Doris

View solution in original post

10 REPLIES 10

L3 Networker

anyone ?

Would be great if someone from PA could answer Smiley Happy

L5 Sessionator

The HTTP header is "X-Forwarded-For" , as noted in the Admin and CLI guides.  If you provide me a link to the KB article in question, I can have it updated.  My guess is that someone shortened it to "x-fwd-for" because it's easier to type.  Smiley Wink

--Doris

I guess its

Also, looking in the CLI guide there is both:

set deviceconfig setting ctd x-forwarded-for yes

set system setting ctd x-forwarded-for yes

Whats the difference of the above (perhaps it could be described in the KB aswell)?

There is no difference between the two commands - they do exactly the same thing.  We most likely will not remove the duplicate command since it may cause migration issues.

Thanks,

Doris

I still didn't manage to get this working in our lab infra :

admin@lab01(active)> show system setting ctd state

Notify user for APP block     : no

Alternative AHO               : no

Skip CTD                      : no

Parse x-forwarded-for         : yes

Strip x-fwd-for               : no

Bloom Filter                  : yes

HTTP Proxy Use Transaction    : yes

Enable Regex Statistics       : no

URL Category Query Timeout    : 5

Bypass when exceeds queue limit: yes

packets queued for packet capture: 5

whether to do packet capture after: yes

max. loop for packets processing: 1024

Not to Block HTTP Range request: yes

CTD ID                        : 1

CTD Allocator Usage           : 92%(44 MB)

AHO Allocator Usage           : 87%(97 MB)

Packet capture of a GET request:

GET http://www.microsoft.com/ HTTP/1.1

Host: www.microsoft.com

Pragma: no-cache

Cache-Control: no-cache

X-Forwarded-For: 10.255.224.130

Proxy-Connection: Keep-Alive

X-BlueCoat-Via: 36967894f0722148

I have also enabled user-id on the incoming zone.

That should be all to get thos working according to the DOC.

What else could be wrong ?

I think this only works with URL filtering log.

Are you trying to parse in traffic log?

Regards,

Yes indeed I was looking into the traffic logs. There is no url filtering on this box.

Can someone of PA confirm that this is only working url filtering logs ?

Thanks emr,

I found indeed the answer here : https://live.paloaltonetworks.com/docs/DOC-1528

Looks like you found what you're looking for, but just in case you need further validation, the X-Forwarded-For parsing feature is only applicable to the URL filtering logs.  If you do not have a URL filtering license, you can still use the allow/block list as well as the custom categories, so you can use those to generate logs and parse the X-Forwarded-For field as indicated above.

  • 1 accepted solution
  • 9743 Views
  • 10 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!