https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/xff-ip-address-not-seen-in-traffic-logs/m-p/590104#M2190 <P>It turns out this works but only displays the XFF IP in denied traffic, not allowed.</P> <P>There is also a fix in 11.1.3 for this, so this should start showing the XFF IP in allowed traffic also. Bug ID PAN-233463.</P> Fri, 21 Jun 2024 18:31:42 GMT Keith_S 2024-06-21T18:31:42Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/xff-ip-address-not-seen-in-traffic-logs/m-p/589935#M2189 <P>I am trying to get the PA firewall to display and use the the x-forwarded-for (XFF) header in incoming web browsing traffic.</P> <P>&nbsp;</P> <P>I must be missing something.</P> <P>&nbsp;</P> <P>We have an Azure application gateway which is inserting the client_ip in the header, and stripping the port, as instructed:</P> <P><A href="https://docs.paloaltonetworks.com/network-security/security-policy/administration/identify-users-connected-through-a-proxy-server/use-xff-values-for-ip-based-security-policy-and-logging" target="_blank">Use XFF IP Address Values in Security Policy and Logging (paloaltonetworks.com)</A></P> <P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClIVCA0" target="_blank">How to Enable Support for the X-Forwarded-For HTTP Header - Knowledge Base - Palo Alto Networks</A></P> <P><A href="https://azure.microsoft.com/en-us/blog/rewrite-http-headers-with-azure-application-gateway/" target="_blank">Rewrite HTTP headers with Azure Application Gateway | Microsoft Azure Blog</A></P> <P>&nbsp;</P> <P>Behind the Azure AG is a VM300 (4x vCPU firewall) which should be showing the XFF client IP in the traffic logs.</P> <P>I enabled the XFF for client IP, tried both thru the WebUI and at the CLI.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Keith_S_0-1718832288886.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/60425i5FE4765F7A7C383E/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="Keith_S_0-1718832288886.png" alt="Keith_S_0-1718832288886.png" /></span></P> <P>I have SSL decryption working and I'm testing on ports 80 and 443 anyway.</P> <P>I have the XFF column in the log displayed, but it's never populated.</P> <P>I have a URL filtering license and checked the XFF box on the url profile.</P> <P>&nbsp;</P> <P>The status is that the XFF IP is shown on some entries in the URL logs.</P> <P>The XFF IP is never shown in the traffic logs.</P> <P>&nbsp;</P> <P>Some questions:</P> <P>I examined packet captures with Wireshark and found that the XFF IP is in some packets, but not in every incoming packet. Is that normal?</P> <P>What am I missing?</P> <P>Thanks.</P> Wed, 19 Jun 2024 21:32:57 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/xff-ip-address-not-seen-in-traffic-logs/m-p/589935#M2189 Keith_S 2024-06-19T21:32:57Z https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/xff-ip-address-not-seen-in-traffic-logs/m-p/590104#M2190 <P>It turns out this works but only displays the XFF IP in denied traffic, not allowed.</P> <P>There is also a fix in 11.1.3 for this, so this should start showing the XFF IP in allowed traffic also. Bug ID PAN-233463.</P> Fri, 21 Jun 2024 18:31:42 GMT https://live.paloaltonetworks.com/t5/vm-series-in-the-public-cloud/xff-ip-address-not-seen-in-traffic-logs/m-p/590104#M2190 Keith_S 2024-06-21T18:31:42Z