WSA Policy configuration based on XFF field

Hello,

 

We have 3 WSAs which we are planning to put behind a Load Balancer. We will be using explicit proxy mode and our policies will be source subnet based / user based. Since our LB does SNAT when passing the requests to the WSA, we are unable to see the actual client IP and write granular policies. When we checked with the LB admin, they asked if they enable XFF from their side, can the WSA extract the client IP from the XFF field and use it in its policies? In summary, does the WSA support extracting the client IP from XFF and using it in the identity policy? If not, I believe the only option is to change the WSA's default gateway to the load balancer's interface IP. Kindly advise.

4 Replies

Make sure you are on 14.0.2 or later.
They added X-Authenticated header consumption in 14.0.


Release notes here:
https://www.cisco.com/c/en/us/td/docs/security/wsa/wsa_14-0/release-notes-for-wsa-14-0.html#Cisco_Concept.dita_191143b9-5fe9-41d6-a4b8-a77be748fbc7

See “Configuring Global Authentication Settings” and “Classifying Users and Client Software” sections in the user guide.

https://www.cisco.com/c/en/us/td/docs/security/wsa/wsa_14-0/User-Guide/b_WSA_UserGuide_14_0.html


Hi,

 

Actually my question was about the XFF (X-Forwarded-For) header, not about the XAU header.

 

Thanks

Shabeeb

 

 

https://www.cisco.com/c/en/us/td/docs/security/wsa/wsa_14-0/User-Guide/b_WSA_UserGuide_14_0/b_WSA_UserGuide_11_7_chapter_0100.html#con_1214212

Work through this set of instructions, look for "Use Received Headers"
under "Step 4. Complete the advanced web proxy settings as required."





amojarra
Cisco Employee

In the user guide: User Guide for AsyncOS 14.0 for Cisco Web Security Appliances - GD (General Deployment)

 

Configuring Web Proxy Settings (page 61)

 

Allows a Web proxy deployed as an upstream proxy to identify clients using X-Forwarded-For headers sent by downstream proxies. The Web Proxy will not accept the IP address in an X-Forwarded-For header from a source that is not included in this list.
If enabled, requires the IP address of a downstream proxy or load balancer (you cannot enter subnets or host names).

 

Also, as Ken mentioned, you might have some concerns regarding client authentication.

 

Also, you can capture packets on the WSA's interface to see the structure of the data arriving at its interface; you might need to configure the downstream proxy to add some data in the header.

 

+++++++++++++++++++++++++++++++++++++++++++++++++++

++++   If you find this answer helpful, please rate it as such  ++++

+++++++++++++++++++++++++++++++++++++++++++++++++++


Regards,
Amirhossein Mojarrad
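The user-guide behaviour quoted above (the proxy honours an X-Forwarded-For value only when the request arrives from a downstream proxy or load balancer listed by exact IP address) is the security-relevant point in this thread: anyone can put an X-Forwarded-For header on a request, so it is only evidence when it comes from a device you configured to add it. The Python below is an added example that models that rule together with the source-subnet policy lookup the original poster describes; it is not WSA code and not from anyone in this thread. The trusted addresses, policy table and sample requests are constructed, and the walk over multi-hop X-Forwarded-For values goes beyond the single load balancer hop the question describes.

```python
import ipaddress
from typing import Dict, List, Set, Tuple

# Constructed example values: the downstream load balancer addresses the proxy
# is told to trust. The WSA setting takes exact IP addresses only (no subnets,
# no host names), so this is a set of address strings, not networks.
TRUSTED_DOWNSTREAM: Set[str] = {"10.0.0.5", "10.0.0.6"}

# Constructed source-subnet policy table, most specific first, matching the
# poster's "source subnet based" policies behind a SNATing load balancer.
POLICIES: List[tuple] = [
    (ipaddress.ip_network("192.168.10.0/24"), "finance-restricted"),
    (ipaddress.ip_network("192.168.0.0/16"), "corp-default"),
]


def parse_xff(header_value: str) -> List[str]:
    """Split an X-Forwarded-For value into hops, left (original client) to right (last proxy)."""
    return [hop.strip() for hop in header_value.split(",") if hop.strip()]


def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def effective_client_ip(peer_ip: str, headers: Dict[str, str],
                        trusted: Set[str] = TRUSTED_DOWNSTREAM) -> str:
    """Address the proxy should use for policy matching.

    An untrusted TCP peer gets no say: X-Forwarded-For is ignored and the peer
    address is used, because any client can send that header. For a trusted
    peer, the chain is walked from the right, skipping hops that are themselves
    trusted proxies; the first address that is not one of ours is the client
    as seen by the outermost trusted device. A malformed hop falls back to the
    peer address rather than to a value the sender chose.
    """
    if peer_ip not in trusted:
        return peer_ip
    lowered = {name.lower(): value for name, value in headers.items()}
    xff = lowered.get("x-forwarded-for")
    if not xff:
        return peer_ip
    for hop in reversed(parse_xff(xff)):
        if hop in trusted:
            continue
        return hop if _is_ip(hop) else peer_ip
    return peer_ip  # every hop was one of our own proxies


def match_policy(ip: str, policies=POLICIES) -> str:
    """First policy whose subnet contains ip; 'global' when none matches."""
    addr = ipaddress.ip_address(ip)
    for network, name in policies:
        if addr in network:
            return name
    return "global"


def decide(peer_ip: str, headers: Dict[str, str]) -> Tuple[str, str]:
    """Return (client address used for policy, policy chosen)."""
    client = effective_client_ip(peer_ip, headers)
    return client, match_policy(client)


if __name__ == "__main__":
    # Constructed requests as they would arrive on the proxy interface.
    samples = [
        ("10.0.0.5", {"X-Forwarded-For": "192.168.10.44"}),            # via trusted LB
        ("10.0.0.5", {"X-Forwarded-For": "192.168.10.44, 10.0.0.6"}),  # two trusted hops
        ("203.0.113.9", {"X-Forwarded-For": "192.168.10.44"}),         # header from untrusted peer
        ("10.0.0.5", {"X-Forwarded-For": "not-an-address"}),           # malformed hop
        ("10.0.0.5", {}),                                              # LB sent no header
    ]
    for peer, hdrs in samples:
        client, policy = decide(peer, hdrs)
        xff = hdrs.get("X-Forwarded-For", "-")
        print(f"peer={peer:<12} xff={xff:<28} -> client={client:<14} policy={policy}")
```

The third sample is the case the trusted-source list exists for: a request whose TCP peer is not the load balancer carries an X-Forwarded-For header naming a finance subnet address, and the proxy matches it against the peer address instead, so it lands in the default policy. A packet capture on the proxy interface, as suggested above, is the quickest way to confirm which hops actually appear in the header before building policies on it.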