Does anyone have any ideas if it's possible to pass through XFF headers to the SA for the purpose of logging the originating client address? What do others do around this? Match up LB logs with the SA logs?
The X-Forwarded-For entry should be used automatically:
From p.829 (Chapter 31: Logging and Monitoring) of the 7.1 Admin Guide:
"When a Juniper Networks DX appliance or similar load balancer is deployed in front of
the SA Series Appliance in proxy mode, the real client IP address can be preserved in a
DX custom HTTP header and passed to the SA Series Appliance. This real client IP address
can be recorded within the SA Series Appliance's logs when a user logs into the SA (or
a user roams), allowing you to audit and report on the username/real source IP pair using
the SA Series Appliance logs.
The remainder of this topic refers to Juniper Networks' DX appliance. See your load
balancer's documentation for information on sending an "X-Forwarded-For" log header.
The real source IP address is retrieved from the DX custom header when a user logs in
and is placed into the session record. The real source IP address is used in place of the
DX IP address in the event, user, admin, and sensors log if it is present in the context data.
Otherwise, the source IP address in the context data is used."
This feature was not deprecated; it just wasn't working as expected and was not documented in newer releases.
At least in version 9.1R7, this feature is working again; check PRS-382777.
In the new documentation, it is not documented how this works, but take care, because as in release 7.4, the client IP is only shown in 3 message IDs and does not substitute the sourceip variable.
The new AUT24326 should have the text:
Primary authentication successful for <user>/<auth server> from <LB IP> forwarded for <client IP>
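One way to use that AUT24326 text for the correlation the original question asks about, as an added example that is not from this thread or from Juniper: parse the message, pull out the LB address and the forwarded client address, and only trust the forwarded value when the immediate peer is one of your known load balancers (a client that reaches the SA directly could otherwise supply its own X-Forwarded-For). The log-line prefix, the trusted LB address and the sample lines are constructed assumptions; only the AUT24326 message text comes from the post above.

```python
import ipaddress
import re

# Message text as given in the thread; the "forwarded for" part is optional so
# that lines from releases that do not add it still parse.
AUT24326_RE = re.compile(
    r"AUT24326: Primary authentication successful for "
    r"(?P<user>[^/\s]+)/(?P<auth_server>.+?) from (?P<lb_ip>\S+)"
    r"(?: forwarded for (?P<client_ip>\S+))?"
)

# Constructed: the only addresses allowed to assert a forwarded client IP.
TRUSTED_LB = {ipaddress.ip_address("10.0.0.5")}

# Constructed sample lines; the prefix before "AUT24326" is assumed, not a real SA format.
SAMPLE_LINES = [
    "2021-03-01 10:00:01 ive AUT24326: Primary authentication successful for "
    "alice/LDAP Server from 10.0.0.5 forwarded for 203.0.113.7",
    # Peer is not a trusted LB, so its forwarded claim must not be honoured.
    "2021-03-01 10:00:02 ive AUT24326: Primary authentication successful for "
    "bob/LDAP Server from 192.0.2.9 forwarded for 198.51.100.1",
    # Older-style line without the forwarded suffix.
    "2021-03-01 10:00:03 ive AUT24326: Primary authentication successful for "
    "carol/LDAP Server from 10.0.0.5",
    "2021-03-01 10:00:04 ive AUT24327: Primary authentication failed for dave/LDAP Server",
]


def parse_auth_event(line):
    """Return the AUT24326 fields as a dict, or None if the line is not that event."""
    m = AUT24326_RE.search(line)
    return m.groupdict() if m else None


def _valid_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def effective_source(event, trusted=TRUSTED_LB):
    """Address to record as the user's real source.

    The forwarded address is used only when the immediate peer is a trusted LB
    and the value is a well-formed IP; otherwise fall back to the peer address.
    """
    lb_ip = event["lb_ip"]
    client_ip = event.get("client_ip")
    if client_ip and _valid_ip(lb_ip) and ipaddress.ip_address(lb_ip) in trusted \
            and _valid_ip(client_ip):
        return client_ip
    return lb_ip


def user_sources(lines):
    """Map each successfully authenticated user to the source address to audit."""
    result = {}
    for line in lines:
        event = parse_auth_event(line)
        if event:
            result[event["user"]] = effective_source(event)
    return result


if __name__ == "__main__":
    for user, src in user_sources(SAMPLE_LINES).items():
        print(f"{user}: {src}")
```

Run against the constructed lines this reports alice from 203.0.113.7 (trusted LB, forwarded address honoured), bob from 192.0.2.9 (untrusted peer, forwarded claim ignored) and carol from 10.0.0.5 (no forwarded address present); the failed-authentication line is skipped because it is a different message ID.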