How to identify users connecting through proxy and restrict access through security policy
Symptom
Environment
- PAN-OS Firewall
Resolution
Setup:
Proxy server (192.168.30.103) ---- PA Firewall ----- Internet
Configure security policies on the firewall in the order shown below (Allow DNS, then Allow Handshake, then XFF):
Details:
Allow DNS - Required to allow DNS queries before actual connection
Allow Handshake - Required to allow the TCP 3-way handshake, because the XFF header is carried in the HTTP GET request, which follows the 3-way handshake. Hence the user mapping can only be determined after the initial handshake. The following traffic logs show the initial 3-way handshake:
Note: This policy has a URL filtering profile applied so that it allows only the initial 3-way handshake and no web browsing. After the 3-way handshake, further action is determined by the user-specific policies:
XFF - Required for restricting user-based access. The application can be narrowed to web-browsing specifically (since XFF is carried in HTTP) or combined with other user-based policies as required. A URL filtering profile could also be applied for further restrictions on the traffic.
After the HTTP GET packets arrive at the firewall from the proxy server, the firewall looks up the IP from the XFF header in the ip-user-mapping table and applies policy based on the resulting source user.
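To make the sequence concrete, here is an added Python model of that policy walk (illustrative code written for this article, not PAN-OS code): it parses the X-Forwarded-For header of a GET request as the proxy forwards it, looks the address up in a constructed ip-user-mapping table, and reports which of the three rules matches at each stage, including the case from the notes below where no mapping exists for the XFF address. The proxy address is the one from the setup above; the client addresses, usernames and per-user rules are constructed, and treating the leftmost XFF address as the original client is an assumption to confirm against your proxy's header format.

```python
# Added, illustrative model of the policy walk described in the article
# (not PAN-OS code): the firewall sees only the proxy's IP during DNS and
# the TCP handshake, and can consult the ip-user-mapping table only once
# the HTTP GET carrying the X-Forwarded-For (XFF) header arrives.
from typing import Optional

PROXY_IP = "192.168.30.103"  # proxy address from the article's setup

# Constructed ip-user-mapping table: what User-ID has learned about the
# clients sitting behind the proxy (sample values, not real mappings).
IP_USER_MAPPING = {
    "10.0.0.21": "acme\\alice",
    "10.0.0.22": "acme\\bob",
}

# Constructed user-based rules standing in for the article's "XFF" policies.
USER_POLICY = {
    "acme\\alice": "allow",  # alice may browse
    "acme\\bob": "deny",     # bob is restricted
}


def parse_xff(raw_request: bytes) -> Optional[str]:
    """Return the client IP named in the X-Forwarded-For header of an HTTP
    request, or None if the header is absent or empty.  When a proxy chain
    appends several addresses, the leftmost one is taken as the original
    client (assumption; confirm against your proxy's header format)."""
    head, _, _ = raw_request.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:      # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"x-forwarded-for":
            first = value.decode("ascii", "replace").split(",")[0].strip()
            return first or None
    return None


def evaluate(stage: str, src_ip: str, dst_port: int, payload: bytes = b"") -> dict:
    """Walk the three rules in the article's order (Allow DNS, Allow
    Handshake, XFF) and report the matching rule, the Source User the
    traffic log would show, and the resulting action."""
    if src_ip != PROXY_IP:
        return {"rule": None, "source_user": None, "action": "deny"}
    if stage == "dns" and dst_port == 53:
        return {"rule": "Allow DNS", "source_user": None, "action": "allow"}
    if stage == "handshake":
        # No HTTP payload yet, so the only source the firewall knows is the proxy.
        return {"rule": "Allow Handshake", "source_user": None, "action": "allow"}
    if stage == "http":
        client_ip = parse_xff(payload)
        user = IP_USER_MAPPING.get(client_ip) if client_ip else None
        if user is None:
            # No mapping (or no XFF): Source User stays blank, the user-based
            # rules never match, and the session stays on Allow Handshake,
            # whose URL filtering profile blocks actual web browsing.
            return {"rule": "Allow Handshake", "source_user": None,
                    "action": "block (URL filtering profile)"}
        return {"rule": "XFF", "source_user": user,
                "action": USER_POLICY.get(user, "deny")}
    return {"rule": None, "source_user": None, "action": "deny"}


# Constructed sample requests as the proxy would forward them.
GET_ALICE = (b"GET / HTTP/1.1\r\nHost: example.com\r\n"
             b"X-Forwarded-For: 10.0.0.21, 192.168.30.103\r\n\r\n")
GET_BOB = b"GET / HTTP/1.1\r\nHost: example.com\r\nX-Forwarded-For: 10.0.0.22\r\n\r\n"
GET_UNMAPPED = b"GET / HTTP/1.1\r\nHost: example.com\r\nX-Forwarded-For: 10.0.0.99\r\n\r\n"
GET_NO_XFF = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"


def run_demo() -> list:
    """Replay one browsing session stage by stage and collect the verdicts."""
    return [
        evaluate("dns", PROXY_IP, 53),
        evaluate("handshake", PROXY_IP, 80),
        evaluate("http", PROXY_IP, 80, GET_ALICE),
        evaluate("http", PROXY_IP, 80, GET_BOB),
        evaluate("http", PROXY_IP, 80, GET_UNMAPPED),
        evaluate("http", PROXY_IP, 80, GET_NO_XFF),
    ]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

Running the script prints one verdict per stage: the DNS and handshake stages carry no Source User, alice's GET shifts the session onto the XFF rule and is allowed, bob's GET is denied by his user rule, and the unmapped and header-less GETs stay on the handshake rule with a blank Source User, which is exactly the blank-user log entry the notes warn about.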
GET Packet:
User Mapping:
Policy Shift:
Additional notes:
- For HTTPS, the complete SSL handshake needs to be allowed (as in Allow Handshake, but without URL filtering), and SSL decryption must be enabled so that the firewall can read the XFF header and check the user mapping
- If there is no user mapping for the IP in the XFF header, Source User will be blank in the traffic logs and user-based policies will not take effect
- If you enable XFF for User-ID, URL filtering logs will show the username in Source User instead of the XFF IP. For how to enable XFF in URL filtering logs, refer to the separate article on that topic
- XFF can be enabled for URL filtering logs even if there is no URL filtering license. For more details, refer to the separate article on that topic