2 Replies Latest reply on Aug 22, 2017 1:55 AM by mkutrieba

    Client IP and Destination IP in logs

    chvgms

      Hi,

       

      Of late, our security team has been seeing some malicious traffic from a few desktops to external IPs. Unfortunately, we could see only the proxy IP in the firewall logs. What is the best way to get the client IP (desktop IP) in the proxy logs and the FW? Do I need to enable something in MWG so that the FW can see the client IP? FYI, my MWG version is 7.2.6.

       

      Thanks,

      Sridhar

        • 1. Re: Client IP and Destination IP in logs
          lubomir.cerny

          Hi.

          There are several possible ways.

          1. Configure your FW to use the X-Forwarded-For HTTP header. This field contains the original source IP of the client going via the proxy.
          2. Access.log should already contain the field "src_ip" with the value of Client.IP.
          3. You can extend Access.log with a custom field with the value of URL.Destination.IP.

           

          See Best Practices: Customizing Logs and Log File Management

          • 2. Re: Client IP and Destination IP in logs
            mkutrieba

            Hi together,

             

            Just some additional information.

            Regarding 1.: Please note that the source IP is sensitive information. Maybe you don't want the requests to go out of the company with this information in the header.

            Normally, we have the "Remove Privacy Violating Header" rule set in the library. There, the VIA header is removed or set (own value to prevent proxy loops) and the X-Forwarded-For header is removed, but this is your decision based on your requirements.

            See here: Support Doc: X-Forwarded-For and VIA Headers

             

            Regarding 3.: Yes, the access log can be extended with the URL.Destination.IP address.

            Please note that you would need to add a user-defined column in CSR, for example, when pushing/pulling log files there.

            This must be done since CSR does not know this header by default.

            See here under "Table A-2 McAfee Web Gateway header formats": CSR 2.3.0 Product Guide (PD26977)

             

            Please let us know if you have further questions.

             

            Regards,

            Marcel
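
The lookup this thread is after (the firewall shows only the proxy IP, while the access log carries "src_ip" and can be extended with URL.Destination.IP), sketched as an added example that is not part of the original posts or of the product. Assumptions: the log has a "#" header naming its columns, the user-defined column is called `dst_ip` (a hypothetical name), and the sample lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample log. Layout is an assumption: "src_ip" holds Client.IP and
# the hypothetical last column "dst_ip" is filled from URL.Destination.IP.
SAMPLE_LOG = '''\
#time_stamp "auth_user" src_ip status_code "req_line" dst_ip
[21/Aug/2017:10:01:12 +0200] "alice" 10.1.20.15 200 "GET http://example.test/a HTTP/1.1" 203.0.113.7
[21/Aug/2017:10:01:40 +0200] "" 10.1.20.44 200 "CONNECT files.example.test:443 HTTP/1.1" 198.51.100.23
[21/Aug/2017:10:02:03 +0200] "bob" 10.1.20.15 403 "GET http://bad.example.test/x HTTP/1.1" 198.51.100.23
truncated line "unterminated
[21/Aug/2017:10:02:30 +0200] "carol" 10.1.20.90 200 "GET http://example.test/b HTTP/1.1" -
'''

# A field is a [bracketed timestamp], a "quoted string" or a bare token.
TOKEN = re.compile(r'\[[^\]]*\]|"[^"]*"|\S+')


def tokens(line):
    return [t.strip('"') for t in TOKEN.findall(line)]


def clients_for_destinations(log_text, flagged_ips, src_col="src_ip", dst_col="dst_ip"):
    """Map each firewall-flagged destination IP to the client IPs that requested it.

    Returns (mapping, skipped), where skipped counts lines that did not match
    the header's column count (truncated or malformed entries).
    """
    columns, hits, skipped = None, defaultdict(set), 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            columns = tokens(line[1:])
            missing = {src_col, dst_col} - set(columns)
            if missing:
                raise ValueError(f"log header lacks column(s): {sorted(missing)}")
            continue
        fields = tokens(line)
        if columns is None or len(fields) != len(columns):
            skipped += 1
            continue
        row = dict(zip(columns, fields))
        if row[dst_col] in flagged_ips:
            hits[row[dst_col]].add(row[src_col])
    return {ip: sorted(clients) for ip, clients in hits.items()}, skipped


if __name__ == "__main__":
    print(clients_for_destinations(SAMPLE_LOG, {"198.51.100.23"}))
```

The ValueError on a missing column is deliberate: a log without the destination field should be reported as such, not read as "no client contacted that address".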