We use cookies on our website to ensure we provide you with the best experience on our website. By using our website, you agree to the use of cookies for analytics and personalized content.This website uses cookies. More Information
It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda Web Application Firewall

How do I log the actual client IP on IIS7/IIS7.5 when it is hosted behind the Barracuda Web Application Firewall?

  • Type: Knowledgebase
  • Date changed: 7 months ago

Solution #00005875


Scope:

This solution applies to the Barracuda Web Application Firewal, all firmware versions.

Answer:
The Barracuda Web Application Firewall, when configured in proxy mode, will by default use its LAN/WAN IP Address to talk to the back-end server, and therefore the back-end server will not see the actual client IP coming from clients.

In order to log the actual client IP in IIS7/7.5, please proceed with the following steps:
  1. We can install the "Advanced Logging" extension for IIS 7.5 (from Microsoft) to log the client ip in IIS 7.5.
  2. After installing advanced logging, restart the IIS manager. Now select the server root and then "Advanced Logging".
    • Note: You can select the individual site for enabling and configuring advanced logging options at the site level instead of at the server level.
  3. Select the default log definition (or create a new one) and enable "Advanced Logging" and "Client Logging" from the right pane.
  4. Click on "Edit Logging Fields".
    • The default Client IP field uses the TCP client IP address to log the IP address in the log files.
    • You can delete it and create a custom field by clicking on "Add Field".
  5. Define the new logging fields and save it.
  6. Back on the Advanced Logging page, double-click the log definition and edit the field you created.
  7. Type in the log header name and enable the "required" option. Save the changes.
  8. Now, toggle advanced logging by disabling and enabling it in the right pane.
  9. Access the web site and then click on "View Log Files" to view the actual source ip in the log file.
Sample:
#Software: IIS Advanced Logging Module
#Version: 1.0
#Start-Date: 2011-12-15 14:50:56.261
#Fields: date time cs-uri-stem cs-uri-query s-contentpath sc-status s-computername cs(Referer) sc-win32-status sc-bytes cs-bytes X-Forwarded-For
2011-12-15 14:50:55.949 / - "C:\inetpub\wwwroot" 401 "CAS2" - -2147024891 1554 556 "10.11.29.138"

Link to this page:

https://campus.barracuda.com/solution/50160000000IgmkAAC