This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Alex_Shpilman
Collaborator
‎2019-03-28 12:06 AM

HTTP XFF username in Application Control logs

Hi Mates,

I have a use case where users are sitting behind a 3rd party proxy which then forwards the traffic to the internet through a security gateway.

Application Control, Identity Awareness and XFF detection enabled.

When I insert the proxied client IP into the HTTP XFF, the security gateway recognizes it and all works as expected, the XFF stripped off properly on the out.

But I'd like to see the source user in the Application Control instead of (or in addition) the original IP.

When I re-write the username into the HTTP XFF, the security gateway doesn't recognize it, I tried different combinations but no luck.

I was able to achieve this a few years back in R77.10 or R77.20 but can't remember what exactly I did back then...

Any ideas?

Thanks.

0 Kudos
5 Replies
Wolfgang
MVP Gold
MVP Gold
‎2019-03-28 01:14 AM

Alex,

you have to use IdentityAwarenessBlade and enable the XFF-support to match the XFF IPs to the real user names.

But this does not work for HTTPS connections, because I think the XFF-header is too encrypted and the firewall cannot read this. Except you're using HTTPS inspection.

XFF_IdentityAwareness.PNG

0 Kudos
Alex_Shpilman
Collaborator
‎2019-03-28 02:45 AM
In response to Wolfgang

I am adding HFF only to HTTP on the proxy.

When IP is added, the security gateway can recognize it as "proxies source ip" but not the authenticated username.

 

0 Kudos
Wolfgang
MVP Gold
MVP Gold
‎2019-03-28 07:37 AM
In response to Alex_Shpilman

Alex,

what are you saying?

With added XFF-header and IdentityAwareness configured like shown you are able to get the username.

This works in our environment.

Wolfgang

0 Kudos
Alex_Shpilman
Collaborator
‎2019-03-28 12:18 PM
In response to Wolfgang

Hi Wolfgang,

Do you use AD query or Identity Collector? 

In my case, the real IP is visible through XFF, and there is an identity record for that IP (in PDP) but not reflected in the logs.

Thanks.

0 Kudos
Wolfgang
MVP Gold
MVP Gold
‎2019-03-28 12:54 PM
In response to Alex_Shpilman

We are using Identity collector.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events