Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted
Contributor

HTTP XFF username in Application Control logs

Hi Mates,

I have a use case where users are sitting behind a 3rd party proxy which then forwards the traffic to the internet through a security gateway.

Application Control, Identity Awareness and XFF detection enabled.

When I insert the proxied client IP into the HTTP XFF, the security gateway recognizes it and all works as expected, the XFF stripped off properly on the out.

But I'd like to see the source user in the Application Control instead of (or in addition) the original IP.

When I re-write the username into the HTTP XFF, the security gateway doesn't recognize it, I tried different combinations but no luck.

I was able to achieve this a few years back in R77.10 or R77.20 but can't remember what exactly I did back then...

Any ideas?

Thanks.

0 Kudos
5 Replies
Highlighted
Leader
Leader

Alex,

you have to use IdentityAwarenessBlade and enable the XFF-support to match the XFF IPs to the real user names.

But this does not work for HTTPS connections, because I think the XFF-header is too encrypted and the firewall cannot read this. Except you're using HTTPS inspection.

XFF_IdentityAwareness.PNG

0 Kudos
Highlighted
Contributor

I am adding HFF only to HTTP on the proxy.

When IP is added, the security gateway can recognize it as "proxies source ip" but not the authenticated username.

 

0 Kudos
Highlighted
Leader
Leader

Alex,

what are you saying?

With added XFF-header and IdentityAwareness configured like shown you are able to get the username.

This works in our environment.

Wolfgang

0 Kudos
Highlighted
Contributor

Hi Wolfgang,

Do you use AD query or Identity Collector? 

In my case, the real IP is visible through XFF, and there is an identity record for that IP (in PDP) but not reflected in the logs.

Thanks.

0 Kudos
Highlighted
Leader
Leader

We are using Identity collector.

0 Kudos