Identifying users behind Web Isolation Gateways
Article ID: 232695

Products

Web Isolation

Issue/Introduction

Identifying users behind Web Isolation Gateways

Resolution

With Web Isolation, the following users are involved:

  • Authenticated and unauthenticated users: These are the end users behind the web requests. They can be seen in the "Activity Logs". When an issue reported by a specific user does not seem to appear in the Activity Logs, the cause is that the user was not authenticated: a log entry for the request exists, but it carries no username because the matched rule did not require authentication.
    • The activity log displays the username only if a specific Access Role or “All authenticated users” was specified in the matched rule’s User field (see section 4.2.7 "Defining Policy Rules" in the Admin Guide linked at the end of this article). If the User field is empty, the activity log reports “Unauthenticated”. For more information, see section 4.2.6 "Match Criteria Flow". It is recommended to try the following:
      • If you know the source IP, try finding the log by source IP.
      • If other logs exist for the same user, take their source IP and find logs with this source IP that do not include the user’s name.
      • If you know the specific time that the issue occurred, try filtering by it.
  • Internal users: When no external user directory exists, such as Active Directory or a SAML server, you can use the Symantec Threat Isolation User Directory. This User Directory is pushed to all Threat Isolation Gateways, thus avoiding the need for an additional authentication server. It is commonly used in demos, where no organizational user directory exists. To create "internal users", navigate to User Management > Internal Users > New User. For step-by-step guidance on creating internal users and user groups, refer to section 4.5.1 of the Admin Guide.
  • Management Users: If multiple users will be logging in to the Management console, you must create a Management User object for each of these users. If your organization uses a RADIUS server or a SAML Identity Provider, you can create RADIUS Identity Provider or SAML Identity Provider objects instead (see section 4.7.2 "Identity Providers"). In either case, the system will use the “super admin” created in the First Time Wizard when the Management Gateway was defined. (By default, this user is named "admin". For added security it is recommended to specify a different username in the First Time Wizard or afterwards. For more information, see section 3.5.7 "Defining the Management Gateway".) For step-by-step guidance on creating management users and management roles, refer to sections 4.7.1 and 4.7.3 of the Admin Guide. Management users can be seen in the management audit logs. Audit log records are maintained for all actions performed in the Symantec Threat Isolation Management UI. The logs can be forwarded using log forwarding (see section 6.4 "Log Forwarding").
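The three look-up steps for an “Unauthenticated” activity-log entry (by source IP, by the IPs seen with the user’s name, and by time) can be applied to an exported log in one pass. The script below is an added example, not part of this article or the product; the log line layout and the "Unauthenticated" field value are constructed sample data, not the product’s real log schema.

```python
from datetime import datetime, timedelta

# Constructed sample activity-log export (timestamp, source IP, user, URL).
# Field layout is an assumption for this example; adapt parse_log() to the real export.
SAMPLE_LOG = [
    "2020-09-01T10:00:05Z 10.1.2.3 jdoe https://intranet.example/a",
    "2020-09-01T10:01:10Z 10.1.2.3 Unauthenticated https://news.example/b",
    "2020-09-01T10:02:00Z 10.1.2.9 Unauthenticated https://news.example/c",
    "2020-09-01T10:03:30Z 10.1.2.3 Unauthenticated https://cdn.example/d",
    "2020-09-01T11:30:00Z 10.1.2.3 asmith https://intranet.example/e",
]
UNAUTHENTICATED = "Unauthenticated"   # value the activity log shows when no user was required


def parse_time(text):
    """Parse the ISO-8601 timestamp used in the constructed sample lines."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def parse_log(lines):
    """Split each line into a record dict; whitespace-separated, URL last."""
    records = []
    for line in lines:
        ts, ip, user, url = line.split(maxsplit=3)
        records.append({"ts": parse_time(ts), "ip": ip, "user": user, "url": url})
    return records


def ips_for_user(records, username):
    """Step 2: source IPs that appear in entries carrying this user's name."""
    return sorted({r["ip"] for r in records if r["user"] == username})


def unauthenticated_from_ip(records, ip, around=None, window_minutes=15):
    """Steps 1 and 3: 'Unauthenticated' entries from one source IP,
    optionally limited to a window around the time the user reported."""
    hits = [r for r in records if r["ip"] == ip and r["user"] == UNAUTHENTICATED]
    if around is not None:
        limit = timedelta(minutes=window_minutes)
        hits = [r for r in hits if abs(r["ts"] - around) <= limit]
    return sorted(hits, key=lambda r: r["ts"])


def candidate_entries(records, username, around=None, window_minutes=15):
    """Combine the steps: unauthenticated entries from every IP the user was seen on.
    An IP is only a hint (DHCP reuse, NAT), so the time window matters."""
    out = []
    for ip in ips_for_user(records, username):
        out.extend(unauthenticated_from_ip(records, ip, around, window_minutes))
    return out
```

In the sample data, 10.1.2.3 is later used by a different user, which is why the time filter is needed before attributing an unauthenticated entry to jdoe.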

To view the management audit log:

  • Log in to the Management machine through SSH.
  • Run the following command: tail -F /var/log/fireglass_management_audit.log | grep $LOG_STATUS$

For creating new next hop Proxy/Server Settings, refer to section 4.12 of the Admin Guide linked at the end of this article.

Note:

The Threat Isolation Gateway adds the X-Forwarded-For (XFF) header, which contains the originating IP address on whose behalf the request was forwarded, to the outgoing request. The next hop proxy/server removes the XFF header from the request before forwarding it to the Internet.

The Threat Isolation Gateway adds the X-Authenticated-User (XAU) header, which contains the authenticated username, to the outgoing request. The next hop proxy/server removes the XAU header from the request before forwarding it to the Internet.

X-Forwarded-For (XFF) header – Contains the originating IP address on whose behalf the request was forwarded. The downstream proxy adds the XFF header to the request before forwarding it to the Threat Isolation Proxy.

X-Authenticated-User (XAU) header – Signifies that the downstream proxy has authenticated the end user who originated the request. The downstream proxy adds the XAU header to the request before forwarding it to the Threat Isolation Proxy.

X-Authenticated-Group (XAG) header – Signifies that the downstream proxy has authenticated the group that originated the request. The downstream proxy adds the XAG header to the request before forwarding it to the Threat Isolation Proxy.

Admin Guide: https://techdocs.broadcom.com/content/dam/broadcom/techdocs/symantec-security-software/web-and-network-security/web-isolation/generated-pdfs/STIP-AdminGuide-v1.14-24AUG20-RELEASED.pdf