
How to replace client-ip with XFF header in application firewall log?


Hi All,


There is a proxy server used in front of our NetScaler VPX. So the client IP in application firewall logs shows the proxy IP.

I wonder how to replace client-ip with X-Forwarded-For header in application firewall logs.


I've tried to use customized auditing message actions. It logs all web requests with X-Forwarded-For as well.

However, I only want to collect the application firewall logs with blocked events.

Is it possible to do this, or do I need an additional product feature?


Thanks for any suggestion or hints.


In the AppFw Engine Settings (global parameter), configure the Client Logging Header name with the name of the X-Forwarded-For header that your other device is inserting. That should affect the header used to extract the client IP for appfw logging purposes. https://docs.citrix.com/en-us/citrix-adc/current-release/application-firewall/configuring-global-settings/engine-settings.html


The regular app firewall profile LOG action logs violations only. You do not need to set the custom syslog action for regular appfw policies, or every policy hit is logged and not just the violations. I typically only use a custom log action on appfw policies being used to handle policy expressions like IP blacklisting by ipreputation or callouts, and not the ones that process full profiles.
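Added example, not NetScaler's code and not from this thread: a small Python model of what the Client IP Logging Header setting does to the address written into an AppFw log entry (on the CLI this is the `clientIPLoggingHeader` parameter of `set appfw settings`). The trusted-proxy check and the function name `client_ip_for_log` are this example's own assumptions, added because a header value is only trustworthy when the device in front of the VPX is the one setting it; all addresses are constructed.

```python
# Added example, not NetScaler code: models how a "Client IP Logging Header"
# changes the client address written to an application-firewall log entry.
# Names (client_ip_for_log, trusted_proxies) and the trust logic are this
# example's own assumptions; sample addresses are constructed (RFC 5737 ranges).
import ipaddress


def _valid_ip(value: str) -> bool:
    """True if value parses as an IPv4/IPv6 address (rejects junk in the header)."""
    try:
        ipaddress.ip_address(value.strip())
        return True
    except ValueError:
        return False


def client_ip_for_log(src_ip: str, headers: dict, logging_header, trusted_proxies) -> str:
    """Return the client address an AppFw log entry should carry.

    src_ip          -- TCP peer address seen by the appliance (the proxy, here)
    headers         -- request headers, any letter case
    logging_header  -- configured header name, or None for the default behaviour
    trusted_proxies -- set of proxy addresses allowed to supply that header
    """
    # Default behaviour: no header configured, log the TCP peer (the proxy IP).
    if not logging_header:
        return src_ip
    # Assumption of this example: only honour the header when the connection
    # really came from the proxy that inserts it; a client reaching the VPX
    # directly could otherwise choose the address that ends up in the log.
    if src_ip not in trusted_proxies:
        return src_ip
    value = {k.lower(): v for k, v in headers.items()}.get(logging_header.lower())
    if value is None:
        return src_ip
    # X-Forwarded-For may be a chain "client, hop1, hop2": each hop appends the
    # address that connected to it. Walk from the right, discard trusted hops,
    # and the first remaining address is the one the trusted proxy saw.
    for hop in reversed([h.strip() for h in value.split(",")]):
        if hop in trusted_proxies:
            continue
        return hop if _valid_ip(hop) else src_ip
    return src_ip


if __name__ == "__main__":
    proxies = {"10.0.0.5"}                       # constructed: the proxy in front of the VPX
    hdr = {"X-Forwarded-For": "203.0.113.7"}     # constructed client address
    print(client_ip_for_log("10.0.0.5", hdr, None, proxies))                # 10.0.0.5
    print(client_ip_for_log("10.0.0.5", hdr, "X-Forwarded-For", proxies))  # 203.0.113.7
```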


1 hour ago, Rhonda Rowland1709152125 said:

In the AppFw Engine Settings (global parameter), configure the Client Logging Header name with the name of the X-Forwarded-For header that your other device is inserting. That should affect the header used to extract the client IP for appfw logging purposes. https://docs.citrix.com/en-us/citrix-adc/current-release/application-firewall/configuring-global-settings/engine-settings.html

The regular app firewall profile LOG action logs violations only. You do not need to set the custom syslog action for regular appfw policies, or every policy hit is logged and not just the violations. I typically only use a custom log action on appfw policies being used to handle policy expressions like IP blacklisting by ipreputation or callouts, and not the ones that process full profiles.

Thanks Rhonda!

Configuring the client logging header works. I never noticed there was such an option to configure.

Also thanks for your practical suggestion on custom log actions.
