How to display X-Forwarded-For values in firewall logs
Created On 05/11/22 02:19 AM - Last Modified 09/11/24 23:05 PM
Objective
- To display "X-Forwarded-For" values in logs such as Traffic, Threat, Data-Filtering and URL Filtering.
- By default, 'Use X-Forwarded-For Header' is disabled and the firewall does not read the IP addresses from the X-Forwarded-For (XFF) header in client requests.
- To display the XFF header in logs, XFF values must first be used in the policy. Refer to Use XFF IP Address Values in Security Policy and Logging.
Environment
- Palo Alto NGFW Firewalls
- PAN-OS 9.1 or later
- X-Forwarded-For (XFF) header
Procedure
For Traffic, Threat, Data Filtering, or Wildfire Submissions:
- Select GUI: Device > Setup > Content-ID > X-Forwarded-For Headers.
- Select "Enabled for Security Policy" from the "Use X-Forwarded-For Header" drop-down.
- Commit the changes.
- Navigate to GUI: Monitoring > Logs > Traffic (or Threat, Data Filtering, or Wildfire Submissions).
- Click the arrow to the right of any column header, select Columns, and then select "X-Forwarded-For IP" to display the XFF IP in the log.
For URL Filtering logs:
- Select GUI: Device > Setup > Content-ID > X-Forwarded-For Headers.
- Select "Enabled for User-ID" from the "Use X-Forwarded-For Header" drop-down.
- Commit the changes.
- Navigate to GUI: Monitoring > Logs > URL Filtering.
- The XFF IP will appear in the "Source User" column if it is not resolved to a username.
Note: "Use X-Forwarded-For Header" cannot be enabled for security policy and for User-ID at the same time.
Additional Information
Display XFF Values in Logs
Use the IP Address in the XFF Header to Troubleshoot Events
The default setting of X-Forwarded-For Header is disabled.
GUI: Device > Setup > Content-ID > X-Forwarded-For Headers > Use X-Forwarded-For Header: Disabled.