topic X-forwarder header does not work when vulnerability profile action changed to block ip in Next-Generation Firewall Discussions https://live.paloaltonetworks.com/t5/next-generation-firewall/x-forwarder-header-does-not-work-when-vulnerability-profile/m-p/540312#M1184 <P>ISSUE REPORTED: unable to block x-forwarder ip when the action is set to block ip in the vulnerability profile<BR />------------------------------------------------------------------------------------------------------------------------<BR /><BR />Discussion,observation, Troubleshooting:<BR />------------------------------------------------------------------------------------------<BR />++++ We have users accessing joomla website from wan and your proxy server is placed in dmz and application server is placed in lan<BR /><BR />++++Traffic flow:<BR /><BR />wan--------&gt;dmz--------&gt;lan<BR /><BR />++++ we have 3 rules RULE 1. wan to dmz (Indian cx)<BR /><BR />Rule 2. dmz to wan (Indian cx) url filtering profile (x forwarder enabled)+vulnerability profile(action= deny)<BR /><BR />RULE 3. dmz to wan (non Indian cx with exceptions) url filtering profile (x forwarder enabled)+vulnerability profile(action= deny)------------want to change action to block-ip<BR /><BR />In RULE 2 we would like action to be deny as we are not facing any threat attack from this traffic<BR /><BR />In RULE 3 we want to block certain source IP's based on vulnerability signature therefore we want to set the vulnerability profile action as (Block -IP) based on X forwarder IP(Gives actual source IP). But currently when we change action to Block-IP we are able to block Proxy Ip and not the actual source IP. IN X-forwarder column we are getting right source IP but we are not able to block it.<BR /><BR />When we set action as deny we are able to deny the source IP without issue but our requirement is to block the actual source IP and put it in blacklist. Right now when we use action=block ip it is blacklisting proxy ip.<BR /><BR />In addition I am attaching few screenshots of security policy configured and also the screenshot of traffic logs when the action is set to block ip and ip that is sent to black list.</P> Thu, 27 Apr 2023 10:21:48 GMT Poojadesai 2023-04-27T10:21:48Z X-forwarder header does not work when vulnerability profile action changed to block ip https://live.paloaltonetworks.com/t5/next-generation-firewall/x-forwarder-header-does-not-work-when-vulnerability-profile/m-p/540312#M1184 <P>ISSUE REPORTED: unable to block x-forwarder ip when the action is set to block ip in the vulnerability profile<BR />------------------------------------------------------------------------------------------------------------------------<BR /><BR />Discussion,observation, Troubleshooting:<BR />------------------------------------------------------------------------------------------<BR />++++ We have users accessing joomla website from wan and your proxy server is placed in dmz and application server is placed in lan<BR /><BR />++++Traffic flow:<BR /><BR />wan--------&gt;dmz--------&gt;lan<BR /><BR />++++ we have 3 rules RULE 1. wan to dmz (Indian cx)<BR /><BR />Rule 2. dmz to wan (Indian cx) url filtering profile (x forwarder enabled)+vulnerability profile(action= deny)<BR /><BR />RULE 3. dmz to wan (non Indian cx with exceptions) url filtering profile (x forwarder enabled)+vulnerability profile(action= deny)------------want to change action to block-ip<BR /><BR />In RULE 2 we would like action to be deny as we are not facing any threat attack from this traffic<BR /><BR />In RULE 3 we want to block certain source IP's based on vulnerability signature therefore we want to set the vulnerability profile action as (Block -IP) based on X forwarder IP(Gives actual source IP). But currently when we change action to Block-IP we are able to block Proxy Ip and not the actual source IP. IN X-forwarder column we are getting right source IP but we are not able to block it.<BR /><BR />When we set action as deny we are able to deny the source IP without issue but our requirement is to block the actual source IP and put it in blacklist. Right now when we use action=block ip it is blacklisting proxy ip.<BR /><BR />In addition I am attaching few screenshots of security policy configured and also the screenshot of traffic logs when the action is set to block ip and ip that is sent to black list.</P> Thu, 27 Apr 2023 10:21:48 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/x-forwarder-header-does-not-work-when-vulnerability-profile/m-p/540312#M1184 Poojadesai 2023-04-27T10:21:48Z Re: X-forwarder header does not work when vulnerability profile action changed to block ip https://live.paloaltonetworks.com/t5/next-generation-firewall/x-forwarder-header-does-not-work-when-vulnerability-profile/m-p/540320#M1185 <P>Would it be possible to assign a user-id statically to the IP address you wish to block and use that user/IP mapping in the security policy to block the user and IP?</P> Thu, 27 Apr 2023 12:07:52 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/x-forwarder-header-does-not-work-when-vulnerability-profile/m-p/540320#M1185 delliott_6784 2023-04-27T12:07:52Z