topic Inline Cloud Analyze Event Threat missing XFF_IP in Next-Generation Firewall Discussions https://live.paloaltonetworks.com/t5/next-generation-firewall/inline-cloud-analyze-event-threat-missing-xff-ip/m-p/571623#M2357 <P>Hi, is there a reason why specific events (e.g.&nbsp;<SPAN>Inline Cloud Analyzed SQL Injection Traffic Detection)</SPAN> do not contain an XFF_IP entry?</P> <P>&nbsp;</P> <TABLE style="font-weight: 400;" width="540"> <TBODY> <TR> <TD> <P>Host</P> </TD> <TD> <P>abc</P> </TD> </TR> <TR> <TD> <P>Service</P> </TD> <TD> <P><STRONG>Events Threat</STRONG></P> </TD> </TR> <TR> <TD> <P>Event</P> </TD> <TD> <P>OK -&gt; CRIT</P> </TD> </TR> <TR> <TD> <P>IP</P> </TD> <TD> <P>10.y.z.w</P> </TD> </TR> <TR> <TD> <P>Date/Time</P> </TD> <TD> <P>2023-12-13 19:50:48</P> </TD> </TR> <TR> <TD> <P>Summary</P> </TD> <TD> <P>CRIT - 1 events (1 unacknowledged), worst state is CRIT (Last line: vulnerability:reset-both:high:1:2023/12/13 19:44:14:566653:src:10.x.y.z:dst:10.x.y.z:Inline Cloud Analyzed SQL Injection Traffic Detection(99950):<STRONG>xff_ip</STRONG><span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> </TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>Other threat alerts show these entries:</P> <TABLE style="font-weight: 400;" width="530px"> <TBODY> <TR> <TD width="84.2031px"> <P>Host</P> </TD> <TD width="444.797px"> <P><SPAN>abc</SPAN></P> </TD> </TR> <TR> <TD width="84.2031px"> <P>Service</P> </TD> <TD width="444.797px"> <P><STRONG>Events Threat</STRONG></P> </TD> </TR> <TR> <TD width="84.2031px"> <P>Event</P> </TD> <TD width="444.797px"> <P>OK -&gt; CRIT</P> </TD> </TR> <TR> <TD width="84.2031px"> <P>IP</P> </TD> <TD width="444.797px"> <P>10.y.z.x</P> </TD> </TR> <TR> <TD width="84.2031px"> <P>Date/Time</P> </TD> <TD width="444.797px"> <P>2023-12-19 13:04:20</P> </TD> </TR> <TR> <TD width="84.2031px"> <P>Summary</P> </TD> <TD width="444.797px"> <P><SPAN>CRIT - 1 events (1 unacknowledged), worst state is CRIT (Last line: vulnerability:reset-both:critical:1:2023/12/19 12:59:28:383117:src:10.x.y.z:dst:10.y.z.w:WordPress Backup Migration Plugin Remote Code Execution Vulnerability(94778):<STRONG>xff_ip:45.x.y.z</STRONG>)</SPAN></P> </TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>PAN-OS&nbsp;<SPAN>11.02&nbsp;</SPAN></P> Wed, 03 Jan 2024 16:04:35 GMT Alexander Schrader 2024-01-03T16:04:35Z Inline Cloud Analyze Event Threat missing XFF_IP https://live.paloaltonetworks.com/t5/next-generation-firewall/inline-cloud-analyze-event-threat-missing-xff-ip/m-p/571623#M2357 <P>Hi, is there a reason why specific events (e.g.&nbsp;<SPAN>Inline Cloud Analyzed SQL Injection Traffic Detection)</SPAN> do not contain an XFF_IP entry?</P> <P>&nbsp;</P> <TABLE style="font-weight: 400;" width="540"> <TBODY> <TR> <TD> <P>Host</P> </TD> <TD> <P>abc</P> </TD> </TR> <TR> <TD> <P>Service</P> </TD> <TD> <P><STRONG>Events Threat</STRONG></P> </TD> </TR> <TR> <TD> <P>Event</P> </TD> <TD> <P>OK -&gt; CRIT</P> </TD> </TR> <TR> <TD> <P>IP</P> </TD> <TD> <P>10.y.z.w</P> </TD> </TR> <TR> <TD> <P>Date/Time</P> </TD> <TD> <P>2023-12-13 19:50:48</P> </TD> </TR> <TR> <TD> <P>Summary</P> </TD> <TD> <P>CRIT - 1 events (1 unacknowledged), worst state is CRIT (Last line: vulnerability:reset-both:high:1:2023/12/13 19:44:14:566653:src:10.x.y.z:dst:10.x.y.z:Inline Cloud Analyzed SQL Injection Traffic Detection(99950):<STRONG>xff_ip</STRONG><span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> </TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>Other threat alerts show these entries:</P> <TABLE style="font-weight: 400;" width="530px"> <TBODY> <TR> <TD width="84.2031px"> <P>Host</P> </TD> <TD width="444.797px"> <P><SPAN>abc</SPAN></P> </TD> </TR> <TR> <TD width="84.2031px"> <P>Service</P> </TD> <TD width="444.797px"> <P><STRONG>Events Threat</STRONG></P> </TD> </TR> <TR> <TD width="84.2031px"> <P>Event</P> </TD> <TD width="444.797px"> <P>OK -&gt; CRIT</P> </TD> </TR> <TR> <TD width="84.2031px"> <P>IP</P> </TD> <TD width="444.797px"> <P>10.y.z.x</P> </TD> </TR> <TR> <TD width="84.2031px"> <P>Date/Time</P> </TD> <TD width="444.797px"> <P>2023-12-19 13:04:20</P> </TD> </TR> <TR> <TD width="84.2031px"> <P>Summary</P> </TD> <TD width="444.797px"> <P><SPAN>CRIT - 1 events (1 unacknowledged), worst state is CRIT (Last line: vulnerability:reset-both:critical:1:2023/12/19 12:59:28:383117:src:10.x.y.z:dst:10.y.z.w:WordPress Backup Migration Plugin Remote Code Execution Vulnerability(94778):<STRONG>xff_ip:45.x.y.z</STRONG>)</SPAN></P> </TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>PAN-OS&nbsp;<SPAN>11.02&nbsp;</SPAN></P> Wed, 03 Jan 2024 16:04:35 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/inline-cloud-analyze-event-threat-missing-xff-ip/m-p/571623#M2357 Alexander Schrader 2024-01-03T16:04:35Z