Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
368
Views
0
Helpful
1
Replies

WSA proxy log ip/port internal client and ip/port proxy's external

jketterer
Level 1
Level 1

‎12-22-2022 10:11 AM

Would like to log both internal client's ip/port and the proxy server's external ip/port for each session. I have the internal ip/port data logged using a log subscription of the "access" type. Is there a log field that would have the proxy server's ip/port for each session? We have SNORT alerts looking at the proxy server's upstream traffic before it is routed to the internet and the alerts have the ip/port of the proxy server session. We need the external ip/port assignments that the proxy server makes in order to match up the SNORT alerts with an internal network IP.

Thanks!

Labels:
0 Helpful
1 Reply 1

Milos_Jovanovic
VIP Alumni
VIP Alumni

‎12-22-2022 11:03 PM

Hi @jketterer,

I'm not sure that it is possible to embed WSA's IP in the log. You can find logging options for WSA here. I don't see the option you want here.

What crosses my mind that you could use X-Forwarded-For field for this purpose. WSA can embed additional header in each packet, which can be later analyzed and processed by Firepower, which should provide you exactly the functionality you need. For how to configure XFF on WSA, please see this post. For investigation on Firepower, please see this link.

Kind regards,

Milos

0 Helpful
Customers Also Viewed These Support Documents