topic Re: XXF and building Security Policy in Next-Generation Firewall Discussions

XXF and building Security Policy

sxk654 — Wed, 07 Feb 2024 12:10:22 GMT

Hi all,

I would like to know how I would go about creating security policies based of the XFF headers please, any help would be appreciated.

I have read the documentation and I have to enable the XFF header

Select ->Device ->Setup ->Content-ID and edit the X-Forwarded-For Headers settings.

I need some help after that, so from my understanding this will populate the XFF header, can this be used within the security policy directly? I dont see any option to use XXF as the source IP address under the security policy.

I'm a little unsure of how to use the XFF header to build out a security policy to allow / deny traffic from the true customer source IP address rather than the proxy server address which is sit in between

https://docs.paloaltonetworks.com/network-security/security-policy/administration/identify-users-connected-through-a-proxy-server/add-xff-values-to-url-filtering-logs

Kind regards

Re: XXF and building Security Policy

iarobertson — Wed, 07 Feb 2024 21:43:03 GMT

Hello @sxk654 - if I understand correctly, you want to use the X-Forwarded-For header, populated by another device, in your ruleset. Is that correct?

In that case you probably don't want to populate the XFF header, because doing so will add the NGFW's IP address to the XFF header. That is more useful for subsequent downstream devices.

If my assessment of your need is correct, and assuming that your proxy "correctly" fills X-Forwarded-For and you're running PAN-OS 10.x or above, the steps required are as follows. Please note that X-Forwarded-For will only be visible for a subset of your traffic, specifically HTTP and (if you have appropriate decryption policies) HTTPS traffic.

Go to Objects -> Security Profiles -> URL Filtering and enable, configure, or add an appropriate URL Filtering profile.
Select URL Filtering Settings and enable X-Forwarded-For.
Click OK.
Attach the relevant policy edited in the first 3 steps to a security policy rule: select the rule in Policies -> Security.
Select Actions, set Profiles in Profile Type, and select the URL Filtering profile described above.
Click OK, then commit your configuration.

Re: XXF and building Security Policy

sxk654 — Thu, 08 Feb 2024 13:30:10 GMT

Hi & thanks for the detailed reply

Correct, the design at the moment is customer src IP -> Proxy -> Palo

& yes, I'm not interested in passing the Palo IP into the headers for the downstream device but want to build out a security policy to allow traffic from the true customer IP.

At the moment, while looking at the logs, I dont see any actual customer IPs, all source IP belong to the proxy IP addresses subnet, as expected.

From what you are saying, I will need to enable URL Filtering Settings and enable X-Forwarded-For and then assign this to the security policy.

Then edit the security policy and add in the customer's true source IP subnet / IP to the source addess section of the secuirty rule?

Enabling the URL X-Forwarded-For, will then this populate the Monitor tab field with ' X-Fordwarded-For IP ' ?

So that I can see what the true IP is? Also, do you know how to filter the traffic logs to show traffic from a certain customer ? similar to ( addr.src in '1.1.1.1' ) I can't seem to work out the filter for it, something like ( x-forwarded in '2.2.2.2' )

Thanks for your help.

Re: XXF and building Security Policy

iarobertson — Fri, 09 Feb 2024 00:47:27 GMT

Hello @sxk654 - please refer to this document within the user manual; it describes how to collect XFF details and how to use this information in logging.