
user-manage xff-parse

Function

The user-manage xff-parse command enables the function of parsing the X-Forwarded-For fields in HTTP packets.

The undo user-manage xff-parse command disables the function.

Format

user-manage xff-parse proxy-ip ip-address

undo user-manage xff-parse

Parameters

Parameter            Description                                         Value
proxy-ip ip-address  Specifies the IP address of the HTTP proxy server.  The value is in dotted decimal notation.

Views

System view

Default Level

2: Configuration level

Usage Guidelines

When a user accesses the Internet through an HTTP proxy server, the source IP address of the user's packets becomes the IP address of the proxy server, so the FW cannot implement user-based security control. To solve this problem, enable parsing of the X-Forwarded-For field: the FW then parses the X-Forwarded-For field in the HTTP packet header to obtain the real IP address of the user and implements user-based security control.

For user-based security control through X-Forwarded-For parsing to work, the user must already be online on the FW, so that the FW can find the user name corresponding to the real IP address of the user and then search for that user's matching policy. If the user is not online, the FW blocks the packet. X-Forwarded-For parsing is therefore used together with SSO: the FW has obtained the identity of the user before the user's HTTP traffic reaches it.

When an administrator logs in to the device's web management interface, the device parses the X-Forwarded-For field in HTTP packets by default; that behavior is not controlled by this command.

The FW parses only HTTP packets (port 80) sent from the proxy server with the specified IP address. For other packets, or for packets without an X-Forwarded-For field, the FW cannot obtain the real IP address of the user. In this case the FW treats the source IP address of the received packet, which is the IP address of the proxy server, as the source and matches the packet against policies.

When the FW identifies a user after receiving a packet, it only adds the user name as the user identity; the source IP address of the packet remains the IP address of the proxy server. Therefore, configure the security policy that references users before the security policy that references the proxy server IP address. Otherwise, traffic matches the security policy that references the proxy server IP address and never reaches the security policy that references users.

The FW can parse only one level of proxy server. If proxy servers of multiple levels are deployed, the FW cannot obtain the real IP addresses of users.
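The rules above (port 80 only, only from the configured proxy address, user must be online, policy order matters, one proxy level only) as an added model in Python. This is not Huawei's code; the packets, online-user table and policies are constructed here, and treating a multi-address X-Forwarded-For value as "not recoverable" is a modeling assumption for the one-level limit.

```python
# Added example, not Huawei's code: a model of the xff-parse rules described above.
from dataclasses import dataclass, field
from typing import Optional

PROXY_IP = "10.1.1.1"                      # user-manage xff-parse proxy-ip 10.1.1.1
ONLINE_USERS = {"192.168.1.20": "alice"}   # constructed: real IP -> user name learned via SSO

@dataclass
class Packet:
    src_ip: str          # address the FW sees; after proxying this is the proxy's address
    dst_port: int
    headers: dict = field(default_factory=dict)

def real_user_ip(pkt: Packet, proxy_ip: str = PROXY_IP) -> Optional[str]:
    """Return the user IP recovered from X-Forwarded-For, or None if not recoverable.

    Parsing applies only to HTTP on port 80 coming from the configured proxy address.
    Modeling assumption: a multi-level proxy chain shows up as more than one address
    in the header and is treated as not recoverable (the FW parses one level only).
    """
    if pkt.src_ip != proxy_ip or pkt.dst_port != 80:
        return None
    hops = [h.strip() for h in pkt.headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    return hops[0] if len(hops) == 1 else None

def match_policy(pkt: Packet, policies: list, proxy_ip: str = PROXY_IP,
                 online: dict = ONLINE_USERS) -> str:
    """Return the name of the first matching policy, 'blocked', or 'default-deny'.

    Each policy matches on either 'user' or 'source_ip'. The packet's source IP
    stays the proxy IP; a recovered identity only adds the user name.
    """
    user = None
    user_ip = real_user_ip(pkt, proxy_ip)
    if user_ip is not None:
        user = online.get(user_ip)
        if user is None:
            return "blocked"              # real IP recovered, but the user is not online
    for pol in policies:
        if pol.get("user") is not None and pol["user"] == user:
            return pol["name"]
        if pol.get("source_ip") == pkt.src_ip:
            return pol["name"]
    return "default-deny"

# Constructed policies: user-based rule first (the order the guidelines require),
# then the rule that references the proxy server IP address.
POLICIES_USER_FIRST = [{"name": "allow-alice", "user": "alice"},
                       {"name": "proxy-any", "source_ip": PROXY_IP}]
POLICIES_PROXY_FIRST = list(reversed(POLICIES_USER_FIRST))
```

With the proxy-IP rule listed first, the user-based rule is never hit even though the user was identified, which is the misordering the guidelines warn about.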

Example

# Enable the function of parsing the X-Forwarded-For field and set the proxy server IP address to 10.1.1.1.

<sysname> system-view
[sysname] user-manage xff-parse proxy-ip 10.1.1.1
Copyright © Huawei Technologies Co., Ltd.