Cisco Firepower Management Center 4000

FireSIGHT System User Guide
 
Chapter 18      Working with Intrusion Events
  Viewing Intrusion Events
same area of the network analysis policy, you can also specify up to six custom client IP headers, as 
well as set the priority order in which the system selects the value for the Original Client IP event 
field. See 
 for more information.
This field is enabled by default.
XFF Header Priority
When Extract Original Client IP Address is enabled, specifies the order in which the system
processes original client IP HTTP headers. If, on your monitored network, you expect to encounter
original client IP headers other than X-Forwarded-For (XFF) or True-Client-IP, you can click Add to
add up to six additional Client IP header names to the priority list. Note that if multiple XFF headers
appear in an HTTP request, the value for the Original Client IP event field is taken from the header
with the highest priority. You can use the up and down arrow icons beside any header type to adjust
its priority.
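The priority selection described under XFF Header Priority can be reproduced offline when checking an event against a captured request. The sketch below is an added illustration, not Cisco code. The starting order of the two built-in headers, the handling of comma-separated values, and the names `build_priority`, `original_client_ip` and `X-Real-Client` are assumptions.

```python
import ipaddress

# Assumed starting order: the page names both headers but not their default order.
BUILTIN_HEADERS = ["X-Forwarded-For", "True-Client-IP"]
MAX_CUSTOM_HEADERS = 6  # the page allows up to six additional header names


def build_priority(custom=(), order=None):
    """Return the header priority list, enforcing the six-custom-header limit."""
    if len(custom) > MAX_CUSTOM_HEADERS:
        raise ValueError("at most six custom client IP headers are allowed")
    names = BUILTIN_HEADERS + list(custom)
    if order is not None:
        if sorted(n.lower() for n in order) != sorted(n.lower() for n in names):
            raise ValueError("order must rearrange exactly the configured headers")
        names = list(order)
    return names


def first_valid_ip(value):
    """Assumption: the value may be a comma-separated chain; use the first valid address."""
    for token in value.split(","):
        try:
            return str(ipaddress.ip_address(token.strip()))
        except ValueError:
            continue
    return None


def original_client_ip(headers, priority):
    """headers: (name, value) pairs from one request, duplicates allowed.
    The highest-priority header present wins; ip is None if its value is unusable."""
    for wanted in priority:
        for name, value in headers:
            if name.lower() == wanted.lower():  # header names are case-insensitive
                return wanted, first_valid_ip(value)
    return None, None


# Constructed sample request headers (documentation address ranges only).
SAMPLE = [
    ("Host", "intranet.example"),
    ("True-Client-IP", "198.51.100.7"),
    ("x-forwarded-for", "203.0.113.10, 192.0.2.1"),
    ("X-Real-Client", "192.0.2.44"),
]

if __name__ == "__main__":
    print(original_client_ip(SAMPLE, build_priority()))
```

Any client or intermediary can set these headers, so treat the selected value as a claim to corroborate against proxy or load-balancer logs, not as a verified source address.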
Source Port / ICMP Type
The port number on the sending host. For ICMP traffic, where there is no port number, the system 
displays the ICMP type.
Destination Port / ICMP Code
The port number for the host receiving the traffic. For ICMP traffic, where there is no port number, 
the system displays the ICMP code.
VLAN ID
The innermost VLAN ID associated with the packet that triggered the intrusion event.
MPLS Label
The Multiprotocol Label Switching label associated with the packet that triggered this intrusion 
event.
This field is disabled by default.
Message
The explanatory text for the event. For rule-based intrusion events, the event message is pulled from 
the rule. For decoder- and preprocessor-based events, the event message is hard coded.
Classification
The classification to which the rule that generated the event belongs. See the 
 table 
for a list of rule classification names and numbers.
Generator
The component that generated the event. See the 
 table for a list of intrusion event 
generator IDs.
Source User
The User ID for any known user logged in to the source host.
Destination User
The User ID for any known user logged in to the destination host.