Using XFF for Logs Only

Hello,

I have an application behind a WAF, without XFF the source IPs are always my WAF and for auditing reasons I need to get and log the real client IP addresses.

Traffic flow is like this:

Client -> WAN -> NAT -> DMZ -> App Server

My security policy only allows the communication from internal IP addresses, in this case the private IP address of the NAT to my app server.

Because this is for auditing only, I do not require any action over the IPs, I just need to have them available on my traffic logs.

By enabling XFF I start to get the real client IPs, but since my only two options are XFF for Security Policy and XFF for User-ID, I opted for Security Policy as I don't use User-ID. This causes the traffic to be blocked when it gets to my internal network, because the client IP is being pushed to the policy and, because it is not there, it gets blocked.

The end result I am aiming for is to have the client IP address populated in the XFF column without any action being taken on it: just log it and keep using my policies as they are.

Version is 10.2.3

I have a TAC case, but no progress is being made.

Has anyone faced a similar situation?

1 REPLY

L3 Networker

Hello,

XFF for Security Policy is the only way to do this for the traffic log, but as you said this would need a complete review of policies to allow for the XFF IP, which may not be possible.

XFF for User-ID does not log the XFF IP in the traffic log.

There is one more option: you can enable XFF logging via a URL Filtering profile. This performs no filtering actions, and you will see the XFF value in the URL Filtering logs:

Use the IP Address in the XFF Header to Troubleshoot Events (paloaltonetworks.com)

- DM

Sr. Technical Support Engineer, Strata
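Whichever log the XFF value ends up in (traffic log or URL Filtering log), the consumer of that log still has to decide which address in the header to treat as the client. X-Forwarded-For is set by whoever speaks HTTP to your WAF, so a client can pre-populate it; only the hop your own WAF appended is trustworthy. The following is an added example, not code from the post, from the reply or from PAN-OS: a small Python routine a log consumer (a SIEM parser, for instance) could apply to the logged XFF string. It assumes the WAF and NAT addresses 10.0.0.5 and 192.168.1.1 as the trusted proxies; both are constructed for illustration, as are the sample headers.

```python
"""Derive the client address to audit from a logged X-Forwarded-For value.

Added example (not from the LIVEcommunity post or PAN-OS). The proxy
addresses and sample headers below are constructed for illustration.
"""
import ipaddress
from typing import List, Optional

# Constructed for this example: our own WAF and NAT hop. Only XFF entries
# appended by these devices are trustworthy; anything further left was
# supplied by the client (or an unknown upstream) and can be spoofed.
TRUSTED_PROXIES = frozenset(
    ipaddress.ip_address(a) for a in ("10.0.0.5", "192.168.1.1")
)


def parse_xff(header: str) -> List[str]:
    """Split an XFF value into its hops, oldest (leftmost) first."""
    return [hop.strip() for hop in header.split(",") if hop.strip()]


def client_ip_for_audit(header: str, trusted=TRUSTED_PROXIES) -> Optional[str]:
    """Return the client address to record, or None if it cannot be trusted.

    Walk the chain from the right: the rightmost hop was appended by the
    proxy closest to us. Skip our own proxies and take the first address
    that is not ours; that is the peer our WAF actually talked to. Never
    keep walking past an address we do not own, because everything to its
    left is unverified client-supplied data.
    """
    for hop in reversed(parse_xff(header)):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            # Malformed hop ("unknown", a hostname, "1.2.3.4:443"): refuse
            # rather than fall back to a value the client could have planted.
            return None
        if addr in trusted:
            continue
        return str(addr)
    return None


def audit_record(packet_src: str, xff: str) -> dict:
    """Build the log entry: policy matched on packet_src, XFF is log-only."""
    return {
        "src_ip": packet_src,                   # what the security policy evaluated
        "client_ip": client_ip_for_audit(xff),  # recorded for auditing only
        "xff_raw": xff,                         # untouched header kept for forensics
    }


if __name__ == "__main__":
    # Constructed samples: a plain request; one where the client sent its
    # own XFF before the WAF appended the real address; a spoof-only attempt.
    for sample in ("203.0.113.7", "198.51.100.9, 203.0.113.7", "10.0.0.5"):
        print(audit_record("192.168.1.1", sample))
```

The policy decision and the audit value are deliberately kept apart: `src_ip` is the NAT's private address that the existing security policy already permits, and `client_ip` is derived from XFF purely for the record, which is the "log only" outcome the question asks for. If the header contains nothing you can vouch for, the routine returns None instead of guessing, so a spoofed header shows up in the audit trail as an unresolved client rather than as a fabricated address.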