Using XFF Headers with VM-Series on GCP

mmclimans — Thu, 11 Jan 2024 00:27:58 GMT

Organizations often use Google Cloud’s Application Load Balancer to distribute HTTP/HTTPS traffic to VM-Series firewalls deployed within Google Cloud.

Diagram 1

In this setup, the Application Load Balancer functions as a proxy, altering the client's source address before forwarding the request to the VM-Series for security inspection. This may present challenges for organizations defining security policies based on the client's address or requiring IP preservation for backend applications protected by the VM-Series.

Using XFF Headers with PAN-OS

Within PAN-OS, the firewalls can be configured to use the source address of an X-Forwarded-For (XFF) header to enforce security policy. When configured, the firewall applies policy based on the address that was most-recently added to the XFF field.

However, when using the Application Load Balancer, this approach alone will not work. This is because the load balancer appends two addresses to the XFF header, where the <load-balancer-ip> is the most-recent address within the header and the <client-ip> is the next-to-last address.

X-Forwarded-For: <client-ip>, <load-balancer-ip>

Solution

Within the backend service configuration of the Application Load Balancer, you can define custom headers to make the client address the most-recently added address to the XFF field. When used, the load balancer preserves the supplied value of the custom header before the <client-ip>, <load-balancer-ip> addresses.

X-Forwarded-For: <supplied-value>, <client-ip>, <load-balancer-ip>

To insert the client’s address as the supplied value, you can use the client_ip_address header variable. This variable contains the client’s IP address, and has the same value as the <client-ip> address. Once configured, the VM-Series can then use the client’s address to enforce policy.

Diagram 2

Steps to Implement

The steps below outline how to add the client_ip_address value as a custom header to an existing Application Load Balancer that uses the VM-Series as its backend service.

Adding Custom Request Header to Backend Service

1. In Google Cloud, go to Network Services → Load Balancing. Select your Application Load Balancer and click Edit.

2. Select Backend Configuration and click the edit icon next to the backend service.

Selecting backend

3. Under Advance Configurations → Custom Request Headers, click Add Header.

4. Set the header name to X-Forwarded-For and the header value to {client_ip_address}.

Adding customer header

5. Click Update to apply the changes.

Configure VM-Series for XFF Headers

1. On the VM-Series, go to Device → Setup → Content-ID → X-Forwarded-For Headers.

2. Set Use X-Forwarded-For Header to Enabled for Security Policy.

Enabling XFF for policy.

3. Commit the changes.

View Traffic Logs

Once the changes have been applied, you can view the value of the client_ip_address header within the firewall's traffic logs.

1. Simulate traffic flows through the Application Load Balancer to your application.

2. Go to Monitor → Traffic and add the X-Forwarded-For IP field to the log view.

Log viewer.

The traffic logs should now contain the client's IP address under the X-Forwarded-For IP column. This address can then be used as the source address within the VM-Series security policies.

Traffic logs

Re: Using XFF Headers with VM-Series on GCP

Mitesh_Nandu — Thu, 22 Aug 2024 09:16:58 GMT

Hi mmclimans,

We have applied the setting which you have mentioned in the article, still we are unable to see the X-Forwarded-For IP entry in traffic logs.

In our environment we have applied SSL certificate on External & Internal Application Load Balancers or in PA we are performing Inbound SSL Inspection.

How we can resolve the issue ?

article Using XFF Headers with VM-Series on GCP in General Articles