Identify Users Connected through a Proxy Server
If a proxy server is deployed between the users on your network and the firewall, the firewall might see the proxy server IP address, rather than the IP address of the client that requested the content, as the source IP address in the HTTP/HTTPS traffic that the proxy forwards. In many cases, the proxy server adds an X-Forwarded-For (XFF) header to traffic packets that includes the actual IPv4 or IPv6 address of the client that requested the content or from which the request originated. In such cases, you can configure the firewall to read the XFF header values and determine the IP address of the client that requested the content. The firewall matches the XFF IP addresses with usernames that your policy rules reference so that those rules can control access for the associated users and groups. The firewall also uses the XFF-derived usernames to populate the source user fields of logs so you can monitor user access to web services.
You can also configure the firewall to add XFF values to URL Filtering logs. In these logs, an XFF value can be the client IP address, client username (if available), the IP address of the last proxy server traversed in a proxy chain, or any string of up to 128 characters that the XFF header stores.
XFF user identification applies only to HTTP or HTTPS traffic, and only if the proxy server supports the XFF header. If the header has an invalid IP address, the firewall uses that IP address as a username for group mapping references in policies. If the XFF header has multiple IP addresses, the firewall uses the first entry from the left.
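The selection rule described above (leftmost entry wins; a value that is not a valid IP address is used as a username), modeled in Python as an added example for checking which identity a given header would yield. It is not Palo Alto Networks code: the mapping table, the sample headers and the function name resolve_source_user are constructed for illustration, and the handling of an empty header is an assumption the page does not cover.

```python
import ipaddress

# Constructed IP-to-user mappings standing in for User-ID data (hypothetical).
IP_USER_MAP = {"10.1.20.15": "corp\\alice", "2001:db8::25": "corp\\bob"}

def resolve_source_user(xff_header, ip_user_map=IP_USER_MAP):
    """Return the entry, its kind and the source user the documented rule yields."""
    entries = [e.strip() for e in xff_header.split(",") if e.strip()]
    if not entries:
        # Assumption: an empty header gives no identity (not stated on the page).
        return {"entry": None, "kind": "none", "source_user": None, "notes": []}
    first, notes = entries[0], []
    if len(entries) > 1:
        # Only the first entry from the left is used; later hops are ignored.
        notes.append(f"{len(entries) - 1} later entries ignored")
    try:
        ip = ipaddress.ip_address(first)  # accepts IPv4 and IPv6
    except ValueError:
        # Invalid IP address: the value itself is used as the username.
        notes.append("leftmost entry is not a valid IP; used as a username")
        return {"entry": first, "kind": "username",
                "source_user": first, "notes": notes}
    key = str(ip)  # normalized form, e.g. 2001:0db8::25 -> 2001:db8::25
    user = ip_user_map.get(key)
    if user is None:
        notes.append("no user mapping for this IP")
    return {"entry": key, "kind": "ip", "source_user": user, "notes": notes}

# Constructed sample headers covering each case described on the page.
SAMPLES = [
    "10.1.20.15",                # single client IP
    "10.1.20.15, 192.0.2.7",     # proxy chain: leftmost entry is used
    "2001:0db8::25, 10.9.9.9",   # IPv6 client
    "kiosk-7, 10.1.20.15",       # invalid IP in first position
    "10.1.20.99",                # valid IP without a mapping
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{header!r:32} -> {resolve_source_user(header)}")
```

Running it over header values taken from proxy logs shows where the first position holds something other than a mapped client IP before user-based rules depend on it.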
Use XFF Values for Policies and Logging Source Users
You can configure the firewall to use XFF values in user-based policies and in the source user fields of logs. To use XFF values in policies, you must also Enable User-ID.
Logging XFF values doesn’t populate the source IP address values of logs. When you view the logs, the source field displays the IP address of the proxy server if one is deployed between the user clients and the firewall. However, you can configure the firewall to Add XFF Values to URL Filtering Logs so that you can see user IP addresses in those logs.
To ensure that attackers can’t read and exploit the XFF values in web request packets that exit the firewall to retrieve content from an external server, you can also configure the firewall to strip the XFF values from outgoing packets.
These options are not mutually exclusive: if you configure both, the firewall zeroes out XFF values only after using them in policies and logs.
1. Enable the firewall to use XFF values in policies and in the source user fields of logs.
   a. Select Device > Setup > Content-ID and edit the X-Forwarded-For Headers settings.
   b. Select Use X-Forwarded-For Header in User-ID.
2. Remove XFF values from outgoing web requests.
   a. Select Strip X-Forwarded-For Header.
   b. Click OK and Commit.
3. Verify the firewall is populating the source user fields of logs.
   a. Select a log type that has a source user field (for example, Monitor > Logs > Traffic).
   b. Verify that the Source User column displays the usernames of users who access the web.
Add XFF Values to URL Filtering Logs
You can configure the firewall to add the XFF values from web requests to URL Filtering logs. The XFF values that the logs display can be client IP addresses, usernames if available, or any values of up to 128 characters that the XFF fields store.
This method of logging XFF values doesn’t add usernames to the source user fields in URL Filtering logs. To populate the source user fields, see Use XFF Values for Policies and Logging Source Users.
1. Configure a URL Filtering profile.
   a. Select Objects > Security Profiles > URL Filtering.
   b. Select an existing profile or Add a new profile and enter a descriptive Name. You can’t enable XFF logging in the default URL Filtering profile.
   c. In the Categories tab, Define how to control access to web content.
   d. Select the Settings tab and select X-Forwarded-For.
   e. Click OK to save the profile.
2. Attach the URL Filtering profile to a policy rule.
   a. Select Policies > Security and click the rule.
   b. Select the Actions tab, set the Profile Type to Profiles, and select the URL Filtering profile you just created.
   c. Click OK and Commit.
3. Verify the firewall is logging XFF values.
   a. Select Monitor > Logs > URL Filtering.
   b. Display the XFF values in one of the following ways:
      To display the XFF value for a single log: Click the icon for the log to display its details. The HTTP Headers section displays the X-Forwarded-For value.
      To display the XFF values for all logs: Open the drop-down in any column header, select Columns, and select X-Forwarded-For. The page then displays an X-Forwarded-For column.
