HTTP Header Insertion with Username and Domain

Overview

Palo Alto Networks firewalls can insert user identity information, such as the username and domain, into HTTP headers of outbound traffic. This feature enables downstream devices to enforce user-based policies without requiring direct access to the firewall's user mappings.

The process involves:

For HTTPS traffic, SSL decryption must be enabled to allow header insertion.

Configuration Steps

  1. Enable User-ID and configure group mapping on the firewall.
  2. Create or edit a URL Filtering profile:
    • Navigate to Objects > Security Profiles > URL Filtering.
    • Select or create a profile and configure the HTTP Header Insertion settings.
  3. Add an HTTP Header Insertion entry:
    • Select Dynamic Fields as the header type.
    • Add the domains where you want to insert headers. The firewall inserts the header only when a domain in this list matches the Host header of the HTTP request.
    • Add a new header or select X-Authenticated-User to edit it.
    • Select a header value format:
      • ($domain)\($user)
      • WinNT://($domain)/($user)
      • Or enter a custom format using the ($domain) and ($user) dynamic tokens (e.g., ($user)@($domain)).
    • (Optional) Select Log to enable logging for the header insertion.
  4. Apply the URL Filtering profile to the appropriate security policy rules.
  5. Commit your changes.

For detailed guidance, refer to the official documentation: Insert Username in HTTP Headers.

Sequence Diagrams

1. Header Insertion Process

sequenceDiagram
    participant User
    participant Firewall
    participant DownstreamDevice

    User->>Firewall: Send HTTP/HTTPS Request
    Firewall->>Firewall: Retrieve User Info (Username & Domain)
    Firewall->>Firewall: Encode Info in Base64
    Firewall->>Firewall: Insert Header into Request
    Firewall->>DownstreamDevice: Forward Modified Request
    

2. Downstream Device Processing

sequenceDiagram
    participant Firewall
    participant DownstreamDevice
    participant DestinationServer

    Firewall->>DownstreamDevice: Send Request with Header
    DownstreamDevice->>DownstreamDevice: Extract User Info from Header
    DownstreamDevice->>DownstreamDevice: Enforce User-Based Policy
    DownstreamDevice->>DestinationServer: Forward Request
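
The extraction step in the diagram above, as an added example (not Palo Alto Networks code and not part of the original page): it decodes the Base64 value of X-Authenticated-User and parses the three header value formats listed in the configuration steps. The function name, the trusted firewall address, and the rule of rejecting requests that carry more than one header value are assumptions of this example.

```python
import base64
import binascii
import re

# The three header value formats from the configuration steps above.
_FORMATS = (
    re.compile(r"WinNT://(?P<domain>[^/\\@]+)/(?P<user>[^/\\@]+)"),
    re.compile(r"(?P<domain>[^/\\@]+)\\(?P<user>[^/\\@]+)"),
    re.compile(r"(?P<user>[^/\\@]+)@(?P<domain>[^/\\@]+)"),
)

# Assumption: only this hop may assert identity (constructed documentation address).
TRUSTED_FIREWALLS = {"192.0.2.10"}


def parse_identity(peer_ip, header_values):
    """Return (domain, user), or None when the header must not be used for policy.

    header_values: every X-Authenticated-User value found in the request.
    """
    # A header arriving from any other peer is unauthenticated client input.
    if peer_ip not in TRUSTED_FIREWALLS:
        return None
    # Zero or several values is ambiguous; fail closed instead of picking one.
    if len(header_values) != 1:
        return None
    try:
        text = base64.b64decode(header_values[0], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    # Control characters have no place in a username and enable log injection.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in text):
        return None
    for pattern in _FORMATS:
        match = pattern.fullmatch(text)
        if match:
            return match.group("domain"), match.group("user")
    return None
```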
    
