6.12 Ensure all HTTP Header Logging options are enabled - Referer

Information

Enable all options (User-Agent, Referer, and X-Forwarded-For) for HTTP header logging.

Rationale:

Logging HTTP header information provides additional information in the URL logs, which may be useful during forensic investigations. The User-Agent option logs which browser was used during the web session, which could provide insight to the vector used for malware retrieval. The Referer option logs the source webpage responsible for referring the user to the logged webpage. The X-Forwarded-For option is useful for preserving the user's source IP address, such as if a user traverses a proxy server prior to the firewall. Un-checking the Log container page only box produces substantially more information about web activity, with the expense of producing far more entries in the URL logs. If this option remains checked, a URL filter log entry showing details of a malicious file download may not exist.

Impact:

Not having an effective URL Filtering configuration can leave an organization open to legal action, internal HR issues, non-compliance with regulatory policies or productivity loss.

Solution

Navigate to Objects > Security Profiles > URL Filtering > URL Filtering Profile > URL Filtering Settings.
Set the following four settings:
a. Log container page only box is un-checked
b. Check the User-Agent box
c. Check the Referer box
d. Check the X-Forwarded-For box

Default Value:

Not Configured

See Also

https://workbench.cisecurity.org/files/3754