https://live.paloaltonetworks.com/t5/next-generation-firewall/policy-match-either-xff-or-layer-3-ips/m-p/569965#M2273 <P>We have load balancers proxying traffic back through a pair of PA5250s and recently started extracting X-forwarded-for data to match in our traffic policies. Is it possible to have rules that match EITHER the XFF IP or the load balancers' proxied IPs at the same time?</P> <P>&nbsp;</P> <P>That is to say, if the load balancer's source is 10.10.10.1 but the XFF source is extracted as 10.11.11.1, can a policy be set up to match 10.10.10.1 with the "Use X-Forwarded-For Header" setting enabled for security policies without specifically allowing 10.11.11.1? We are currently using a general zone policy to match on all our load balancer interfaces, but would it be possible to narrow the match only a specific layer 3 source and specific XFF IPs?</P> Thu, 14 Dec 2023 21:17:15 GMT TonyKoontz 2023-12-14T21:17:15Z https://live.paloaltonetworks.com/t5/next-generation-firewall/policy-match-either-xff-or-layer-3-ips/m-p/569965#M2273 <P>We have load balancers proxying traffic back through a pair of PA5250s and recently started extracting X-forwarded-for data to match in our traffic policies. Is it possible to have rules that match EITHER the XFF IP or the load balancers' proxied IPs at the same time?</P> <P>&nbsp;</P> <P>That is to say, if the load balancer's source is 10.10.10.1 but the XFF source is extracted as 10.11.11.1, can a policy be set up to match 10.10.10.1 with the "Use X-Forwarded-For Header" setting enabled for security policies without specifically allowing 10.11.11.1? We are currently using a general zone policy to match on all our load balancer interfaces, but would it be possible to narrow the match only a specific layer 3 source and specific XFF IPs?</P> Thu, 14 Dec 2023 21:17:15 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/policy-match-either-xff-or-layer-3-ips/m-p/569965#M2273 TonyKoontz 2023-12-14T21:17:15Z