Showing results for 
Search instead for 
Did you mean: 
Level 7

Client IP and Destination IP in logs


Off late our security team is seeing some malicious traffic from few desktops to external IP's. Unfortunately we could see only proxy IP in the firewall logs. what is the best way to get client IP (desktop IP) in proxy logs and FW. Do i need to enable something in MWG so that FW can see client IP in FW? FYI, my MWG ver 7.2.6.



0 Kudos
2 Replies
Level 12

Re: Client IP and Destination IP in logs


there are possible ways.

  1. configure your FW to use X-Forwarded-For http header. This field contains original source IP of the client going via proxy.
  2. Access.log should already contains field "src_ip" with value of Client.IP
  3. You can extend Access.log with custom field of value URL.Destination.IP


McAfee Employee

Re: Client IP and Destination IP in logs

Hi together,

Just some additional information.

Regarding 1.: Please notice that source IP is sensitive information. Maybe you don't want the requests to go out of the company with this information in the header.

Normally, we have the "Remove Privacy Violating Header" rule set in the library. There, the VIA header is removed or set (own value to prevent proxy loops) and the X-Forwarded-For header is removed but this is your decision based on your requirements.

See here:

Regarding 3.:Yes, access log can be extended with the URL.Destination.IP address.

Please notice that you would need to add a user-defined column in CSR for example when pushing/pulling log files there.

This must be done since CSR does not know this header by default.

See here under "Table A-2 McAfee Web Gateway header formats": CSR 2.3.0 Product Guide (PD26977)

Please let us know if you have further questions.



0 Kudos