I have an MX100 with two WAN connections. Is there any way to add an XFF HTTP request header to outgoing traffic? We've had a number of instances of Wikipedia vandalism from within our campus network (students experimenting, mostly) and Wikipedia attributes these edits to our shared public IP addresses. Using the XFF header is one way Wikipedia recommends dealing with this. I haven't found a way to configure the MX100 to append this header. Any ideas?
I would configure a syslog server and record all the flows. Then when an incident happens examine who was talking to Wikipedia at the time.
If you are not using authenticated WiFi, consider changing to it. Hopefully, users will do less dumb things if they know they are being tracked by their login. Also, the login name will be written out to syslog to make it easier to identify who is doing it.
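An added example (not part of the original posts, and not Meraki code) of the correlation step suggested in the answer above: filtering recorded flow records for destinations of interest around the time of an incident. The log line layout, the sample lines, the function names and the 203.0.113.0/24 destination range are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumed flow-record layout (verify against your own appliance's syslog output):
#   <epoch.seconds> <device> flows src=<ip> dst=<ip> mac=<mac> protocol=<p> sport=<n> dport=<n> ...
LINE_RE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?)\s+\S+\s+flows\s+(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_flow(line):
    """Return a dict for a flow record, or None for any other or garbled line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = dict(KV_RE.findall(m.group("rest")))
    if "src" not in rec or "dst" not in rec:
        return None
    try:
        rec["dst_ip"] = ipaddress.ip_address(rec["dst"])
    except ValueError:
        return None
    rec["ts"] = float(m.group("ts"))
    return rec

def clients_near_incident(lines, dest_networks, incident_ts, window_s=300):
    """Count flows per internal (src, mac) to dest_networks within +/- window_s."""
    nets = [ipaddress.ip_network(n) for n in dest_networks]
    hits = {}
    for line in lines:
        rec = parse_flow(line)
        if rec is None or abs(rec["ts"] - incident_ts) > window_s:
            continue
        if any(rec["dst_ip"] in net for net in nets):
            key = (rec["src"], rec.get("mac", "unknown"))
            hits[key] = hits.get(key, 0) + 1
    return sorted(hits.items())

# Constructed sample lines. 203.0.113.0/24 is a documentation range standing in
# for the destination site's published address ranges.
SAMPLE = [
    "1700000000.10 MX100 flows src=10.1.20.15 dst=203.0.113.10 mac=AA:BB:CC:00:00:01 protocol=tcp sport=51000 dport=443 pattern: allow all",
    "1700000030.55 MX100 flows src=10.1.20.15 dst=203.0.113.10 mac=AA:BB:CC:00:00:01 protocol=tcp sport=51002 dport=443 pattern: allow all",
    "1700000045.00 MX100 flows src=10.1.30.77 dst=198.51.100.5 mac=AA:BB:CC:00:00:02 protocol=tcp sport=40000 dport=443 pattern: allow all",
    "1700000050.20 MX100 flows src=10.1.40.9 dst=203.0.113.22 mac=AA:BB:CC:00:00:03 protocol=tcp sport=42000 dport=443 pattern: allow all",
    "1700003600.00 MX100 flows src=10.1.50.3 dst=203.0.113.10 mac=AA:BB:CC:00:00:04 protocol=tcp sport=43000 dport=443 pattern: allow all",
    "garbled line without the expected fields",
]

if __name__ == "__main__":
    for (src, mac), count in clients_near_incident(SAMPLE, ["203.0.113.0/24"], 1700000060):
        print(f"{src} {mac} flows={count}")
```

Use the edit timestamp converted to epoch seconds (UTC) as `incident_ts`, and keep the window wide enough to absorb clock differences between the log server and the remote site.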
Thanks for these recommendations! I had dabbled with syslog (Kiwi) quite a while ago, but didn't have time to dive into it and was a bit overwhelmed at the volume of data it generated. Do you use syslog-ng as described in the article you linked to, or do you use another syslog server on Ubuntu?