https://community.checkpoint.com/t5/General-Topics/HTTP-XFF-username-in-Application-Control-logs/m-p/48983#M9598 <P>I am adding HFF only to HTTP on the proxy.</P><P>When IP is added, the security gateway can recognize it as "proxies source ip" but not the authenticated username.</P><P>&nbsp;</P> Thu, 28 Mar 2019 09:45:52 GMT Alex_Shpilman 2019-03-28T09:45:52Z https://community.checkpoint.com/t5/General-Topics/HTTP-XFF-username-in-Application-Control-logs/m-p/48955#M9589 <P>Hi Mates,</P><P>I have a use case where users are sitting behind a 3rd party proxy which then forwards the traffic to the internet through a security gateway.</P><P>Application Control, Identity Awareness and XFF detection enabled.</P><P>When I insert the proxied client IP into the HTTP XFF, the security gateway recognizes it and all works as expected, the XFF stripped off properly on the out.</P><P>But I'd like to see the source user in the Application Control instead of (or in addition) the original IP.</P><P>When I re-write the username into the HTTP XFF, the security gateway doesn't recognize it, I tried different combinations but no luck.</P><P>I was able to achieve this a few years back in R77.10 or R77.20 but can't remember what exactly I did back then...</P><P>Any ideas?</P><P>Thanks.</P> Thu, 28 Mar 2019 07:08:00 GMT https://community.checkpoint.com/t5/General-Topics/HTTP-XFF-username-in-Application-Control-logs/m-p/48955#M9589 Alex_Shpilman 2019-03-28T07:08:00Z https://community.checkpoint.com/t5/General-Topics/HTTP-XFF-username-in-Application-Control-logs/m-p/48968#M9592 <P>Alex,</P><P>you have to use IdentityAwarenessBlade and enable the XFF-support to match the XFF IPs to the real user names.</P><P>But this does not work for HTTPS connections, because I think the XFF-header is too encrypted and the firewall cannot read this. Except you're using HTTPS inspection.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-left" image-alt="XFF_IdentityAwareness.PNG" style="width: 636px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/504iB92F95417A45BF73/image-size/large?v=v2&amp;px=999" role="button" title="XFF_IdentityAwareness.PNG" alt="XFF_IdentityAwareness.PNG" /></span></P> Thu, 28 Mar 2019 08:30:06 GMT https://community.checkpoint.com/t5/General-Topics/HTTP-XFF-username-in-Application-Control-logs/m-p/48968#M9592 Wolfgang 2019-03-28T08:30:06Z https://community.checkpoint.com/t5/General-Topics/HTTP-XFF-username-in-Application-Control-logs/m-p/48983#M9598 <P>I am adding HFF only to HTTP on the proxy.</P><P>When IP is added, the security gateway can recognize it as "proxies source ip" but not the authenticated username.</P><P>&nbsp;</P> Thu, 28 Mar 2019 09:45:52 GMT https://community.checkpoint.com/t5/General-Topics/HTTP-XFF-username-in-Application-Control-logs/m-p/48983#M9598 Alex_Shpilman 2019-03-28T09:45:52Z https://community.checkpoint.com/t5/General-Topics/HTTP-XFF-username-in-Application-Control-logs/m-p/49044#M9610 <P>Alex,</P><P>what are you saying?</P><P>With added XFF-header and IdentityAwareness configured like shown you are able to get the username.</P><P>This works in our environment.</P><P>Wolfgang</P> Thu, 28 Mar 2019 14:37:43 GMT https://community.checkpoint.com/t5/General-Topics/HTTP-XFF-username-in-Application-Control-logs/m-p/49044#M9610 Wolfgang 2019-03-28T14:37:43Z https://community.checkpoint.com/t5/General-Topics/HTTP-XFF-username-in-Application-Control-logs/m-p/49083#M9613 <P>Hi&nbsp;<SPAN>Wolfgang,</SPAN></P><P>Do you use AD query or Identity Collector?&nbsp;</P><P>In my case, the real IP is visible through XFF, and there is an identity record for that IP (in PDP) but not reflected in the logs.</P><P>Thanks.</P> Thu, 28 Mar 2019 19:18:19 GMT https://community.checkpoint.com/t5/General-Topics/HTTP-XFF-username-in-Application-Control-logs/m-p/49083#M9613 Alex_Shpilman 2019-03-28T19:18:19Z https://community.checkpoint.com/t5/General-Topics/HTTP-XFF-username-in-Application-Control-logs/m-p/49089#M9615 <P>We are using Identity collector.</P> Thu, 28 Mar 2019 19:54:59 GMT https://community.checkpoint.com/t5/General-Topics/HTTP-XFF-username-in-Application-Control-logs/m-p/49089#M9615 Wolfgang 2019-03-28T19:54:59Z