07-21-2017 01:35 AM
Hello,
I built the sandwich type with external ELB & internal ELB.
As you know, external ELB shifts original client IP to X-Forwarded-For.
I enabled 'Use X-Forwarded-For Header in User-ID and I looked XFF IP in user-id of URL Filtering logs.
But PA has not shown XFF IP in traffic logs.
I would like to block XFF IP using user-ID.
If anyone knew it, Please let me know it.
Thanks,
KC Lee
08-26-2017 03:10 PM
Hi KC Lee,
One of our TMEs has a working prototype that uses Lambda to map IPs learned from XFF to a User-ID group that can then be blocked by policy. It isn't ready to be published as a template yet but if you'd like a preview, please reach out to your sales team to schedule a demo.
HTH,
Warby
01-25-2018 04:17 PM
The XFF to User-ID solution has been published on GitHub: https://github.com/PaloAltoNetworks/XFF-to-User-ID-mapping
04-18-2018 01:11 PM
The solution provided deployes the XFF solution into an new VPC and Palo Alto instance. Is there any cloudformation template that is available to be deployed into an existing VPC and Palo Alto?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
