https://live.paloaltonetworks.com/t5/next-generation-firewall/not-able-to-log-xff-actual-client-ip-in-paloalto-logs-even-when/m-p/1253286#M6883 <P>I've got the same issue. Been doing test and with decrypt ON, I cant see XFF header. Without decrypt, works OK.</P> <P>&nbsp;</P> <P>Dont know what the issue can be <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P> Wed, 29 Apr 2026 14:35:51 GMT ricardomo 2026-04-29T14:35:51Z https://live.paloaltonetworks.com/t5/next-generation-firewall/not-able-to-log-xff-actual-client-ip-in-paloalto-logs-even-when/m-p/1242643#M6487 <P>Issue Summary – XFF Not Logged on Palo Alto (Even With Decryption ON)</P><P>&nbsp;</P><P>We are running a flow where AWS ALB inserts X-Forwarded-For (XFF) and the Palo Alto firewall performs SSL decryption + re-encryption:</P><P>&nbsp;</P><P>Flow:</P><P>Client --&gt; Internet --&gt; AWS ALB (HTTPS) (Palo's are registered as TG IP) --&gt; Palo Alto FW (SSL Decrypt) --&gt; Server</P><P>&nbsp;</P><P>What works</P><UL><LI>ALB is configured to append XFF.</LI><LI>Server (Nginx) correctly logs the XFF header.</LI><LI>SSL decryption on Palo Alto is working → Traffic log shows “Decrypted: yes”.</LI><LI>Application is identified as web-browsing (so HTTP parsing should work).</LI><LI>Firewall-stage PCAP for HTTP/80 clearly shows X-Forwarded-For header.</LI></UL><P>&nbsp;</P><P>What doesn’t work</P><UL><LI>For HTTPS/443 traffic, even though decryption succeeds, XFF does NOT appear in:</LI><LI>Traffic logs (X-Forwarded-For column is empty)</LI><LI>Firewall-stage decrypted PCAP (XFF is missing for decrypted 443 sessions)</LI></UL><P>&nbsp;</P><P>What we tested</P><OL><LI>Confirmed ALB → Palo traffic on port 443 is decrypted (Decrypted: yes).</LI><LI>Verified that HTTP/80 decrypted traffic shows XFF in PCAP.</LI><LI>Verified that HTTPS/443 decrypted traffic does NOT show XFF in PCAP.</LI><LI>Confirmed Global Content-ID setting:</LI></OL><UL><LI>“Use X-Forwarded-For Header: Enabled for Security Policy.”</LI></UL><OL><LI>Verified security rule logging is enabled and URL filtering profile applied.</LI><LI>Confirmed no packet capture setting is blocking XFF logging.</LI></OL><P>&nbsp;</P><P>Observed Behavior</P><UL><LI>XFF header is present on HTTP/80 after Palo decrypt → Visible in PCAP.</LI><LI>XFF header is missing on HTTPS/443 after Palo decrypt → Not visible in PCAP.</LI><LI>Therefore: Firewall cannot log XFF because the header never arrives on the decrypted HTTPS session.</LI></UL> Wed, 26 Nov 2025 08:46:30 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/not-able-to-log-xff-actual-client-ip-in-paloalto-logs-even-when/m-p/1242643#M6487 tn001140351 2025-11-26T08:46:30Z https://live.paloaltonetworks.com/t5/next-generation-firewall/not-able-to-log-xff-actual-client-ip-in-paloalto-logs-even-when/m-p/1242735#M6489 <P>Do we have any solution for this issue?</P> Thu, 27 Nov 2025 14:56:02 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/not-able-to-log-xff-actual-client-ip-in-paloalto-logs-even-when/m-p/1242735#M6489 tn001140351 2025-11-27T14:56:02Z https://live.paloaltonetworks.com/t5/next-generation-firewall/not-able-to-log-xff-actual-client-ip-in-paloalto-logs-even-when/m-p/1253286#M6883 <P>I've got the same issue. Been doing test and with decrypt ON, I cant see XFF header. Without decrypt, works OK.</P> <P>&nbsp;</P> <P>Dont know what the issue can be <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P> Wed, 29 Apr 2026 14:35:51 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/not-able-to-log-xff-actual-client-ip-in-paloalto-logs-even-when/m-p/1253286#M6883 ricardomo 2026-04-29T14:35:51Z