https://community.checkpoint.com/t5/Cloud-Firewall/Log-the-real-IP-address-of-the-client-user-X-Forwarded-For-XFF/m-p/217739#M4861 <P><FONT size="4">In today’s web environment, many web servers utilize CDNs or application load balancers.</FONT></P> <P><FONT size="4"> It is beneficial to log the real IP address of the client user rather than the IP address of the CDN or load balancer server. </FONT></P> <P><FONT size="4">Fortunately, CDNs and load balancers send requests with the X-Forwarded-For (XFF) header, which includes the real IP of the client user. </FONT></P> <P><FONT size="4">We can use the value of the X-Forwarded-For header in our Check Point logs.</FONT></P> <P><FONT size="4">When a Check Point Gateway is positioned between a CDN or an application load balancer and your web servers, the gateway will log the private IP address of the load balancer as the source.</FONT></P> <P><FONT size="4"><span class="lia-inline-image-display-wrapper lia-image-align-left" image-alt="1.png" style="width: 925px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/26293i0CA000C6DD829AEF/image-size/large?v=v2&amp;px=999" role="button" title="1.png" alt="1.png" /></span></FONT></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><FONT size="4"><SPAN>In order to see the client user’s real IP on the Check Point logs, follow the below steps:</SPAN></FONT></P> <P><FONT size="4"><SPAN>1. On the Gateway object , enable the application control blade.</SPAN></FONT></P> <P><FONT size="4"><SPAN><span class="lia-inline-image-display-wrapper lia-image-align-left" image-alt="3.png" style="width: 470px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/26295iC42723EEC8BAF9FE/image-size/large?v=v2&amp;px=999" role="button" title="3.png" alt="3.png" /></span></SPAN></FONT></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><FONT size="4"><SPAN>2. On the policy , enable application control</SPAN></FONT></P> <P><FONT size="4"><SPAN><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="4.png" style="width: 265px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/26296iC7B684C066741932/image-size/large?v=v2&amp;px=999" role="button" title="4.png" alt="4.png" /></span></SPAN></FONT></P> <P><FONT size="4"><SPAN><span class="lia-inline-image-display-wrapper lia-image-align-left" image-alt="5.png" style="width: 954px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/26297i2E630AE9AAD79718/image-size/large?v=v2&amp;px=999" role="button" title="5.png" alt="5.png" /></span></SPAN></FONT></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-left" image-alt="6.png" style="width: 624px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/26298i36CA1E938FA98706/image-size/large?v=v2&amp;px=999" role="button" title="6.png" alt="6.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><FONT size="4"><SPAN>3. On the access rule , enable extended logging</SPAN></FONT></P> <P><FONT size="4"><SPAN><span class="lia-inline-image-display-wrapper lia-image-align-left" image-alt="8.png" style="width: 442px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/26299i54B7893515480E95/image-size/large?v=v2&amp;px=999" role="button" title="8.png" alt="8.png" /></span></SPAN></FONT></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><FONT size="4"><SPAN>4.&nbsp;</SPAN><SPAN>On the logs , add the field , Proxied Source IP</SPAN></FONT></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-left" image-alt="2.png" style="width: 832px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/26294i4CBC1EB281A52C89/image-size/large?v=v2&amp;px=999" role="button" title="2.png" alt="2.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><FONT size="4">*** If the session is encrypted , enable HTTPS Inspection on the Gateway and upload the Web Server SSL Private key to the GW,</FONT><FONT size="4">&nbsp; Step by Step Guide is <A href="https://community.checkpoint.com/t5/Security-Gateways/Tutorial-Video-Activating-Inbound-SSL-inspection/m-p/198123#M37044" target="_self">here</A></FONT></P> <P>&nbsp; &nbsp;&nbsp;</P> Mon, 17 Jun 2024 11:12:43 GMT Shay_Levin 2024-06-17T11:12:43Z https://community.checkpoint.com/t5/Cloud-Firewall/Log-the-real-IP-address-of-the-client-user-X-Forwarded-For-XFF/m-p/217739#M4861 <P><FONT size="4">In today’s web environment, many web servers utilize CDNs or application load balancers.</FONT></P> <P><FONT size="4"> It is beneficial to log the real IP address of the client user rather than the IP address of the CDN or load balancer server. </FONT></P> <P><FONT size="4">Fortunately, CDNs and load balancers send requests with the X-Forwarded-For (XFF) header, which includes the real IP of the client user. </FONT></P> <P><FONT size="4">We can use the value of the X-Forwarded-For header in our Check Point logs.</FONT></P> <P><FONT size="4">When a Check Point Gateway is positioned between a CDN or an application load balancer and your web servers, the gateway will log the private IP address of the load balancer as the source.</FONT></P> <P><FONT size="4"><span class="lia-inline-image-display-wrapper lia-image-align-left" image-alt="1.png" style="width: 925px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/26293i0CA000C6DD829AEF/image-size/large?v=v2&amp;px=999" role="button" title="1.png" alt="1.png" /></span></FONT></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><FONT size="4"><SPAN>In order to see the client user’s real IP on the Check Point logs, follow the below steps:</SPAN></FONT></P> <P><FONT size="4"><SPAN>1. On the Gateway object , enable the application control blade.</SPAN></FONT></P> <P><FONT size="4"><SPAN><span class="lia-inline-image-display-wrapper lia-image-align-left" image-alt="3.png" style="width: 470px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/26295iC42723EEC8BAF9FE/image-size/large?v=v2&amp;px=999" role="button" title="3.png" alt="3.png" /></span></SPAN></FONT></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><FONT size="4"><SPAN>2. On the policy , enable application control</SPAN></FONT></P> <P><FONT size="4"><SPAN><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="4.png" style="width: 265px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/26296iC7B684C066741932/image-size/large?v=v2&amp;px=999" role="button" title="4.png" alt="4.png" /></span></SPAN></FONT></P> <P><FONT size="4"><SPAN><span class="lia-inline-image-display-wrapper lia-image-align-left" image-alt="5.png" style="width: 954px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/26297i2E630AE9AAD79718/image-size/large?v=v2&amp;px=999" role="button" title="5.png" alt="5.png" /></span></SPAN></FONT></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-left" image-alt="6.png" style="width: 624px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/26298i36CA1E938FA98706/image-size/large?v=v2&amp;px=999" role="button" title="6.png" alt="6.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><FONT size="4"><SPAN>3. On the access rule , enable extended logging</SPAN></FONT></P> <P><FONT size="4"><SPAN><span class="lia-inline-image-display-wrapper lia-image-align-left" image-alt="8.png" style="width: 442px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/26299i54B7893515480E95/image-size/large?v=v2&amp;px=999" role="button" title="8.png" alt="8.png" /></span></SPAN></FONT></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><FONT size="4"><SPAN>4.&nbsp;</SPAN><SPAN>On the logs , add the field , Proxied Source IP</SPAN></FONT></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-left" image-alt="2.png" style="width: 832px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/26294i4CBC1EB281A52C89/image-size/large?v=v2&amp;px=999" role="button" title="2.png" alt="2.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><FONT size="4">*** If the session is encrypted , enable HTTPS Inspection on the Gateway and upload the Web Server SSL Private key to the GW,</FONT><FONT size="4">&nbsp; Step by Step Guide is <A href="https://community.checkpoint.com/t5/Security-Gateways/Tutorial-Video-Activating-Inbound-SSL-inspection/m-p/198123#M37044" target="_self">here</A></FONT></P> <P>&nbsp; &nbsp;&nbsp;</P> Mon, 17 Jun 2024 11:12:43 GMT https://community.checkpoint.com/t5/Cloud-Firewall/Log-the-real-IP-address-of-the-client-user-X-Forwarded-For-XFF/m-p/217739#M4861 Shay_Levin 2024-06-17T11:12:43Z