topic Re: adding x-forward-for client IP to HTTP header in General Topics

adding x-forward-for client IP to HTTP header

skidoohead — Wed, 21 Aug 2019 21:42:50 GMT

Does the PA support the ability to populate the x-forward-for field?

Re: adding x-forward-for client IP to HTTP header

S.Cantwell — Thu, 22 Aug 2019 00:04:00 GMT

Yes, this is supported with customers who have a PANW-DB URL license.

Objects --> Security Profiles --> URL --> URL Filtering Settings

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClViCAK

Re: adding x-forward-for client IP to HTTP header

nikoolayy1 — Sun, 14 Mar 2021 12:48:35 GMT

From what I read in the provided article the Palo Alto needs to have a proxy device before it for the XFF to be used ? I need the Palo Alto create HTTP x-forward-for (XFF) header as the Palo Alto is only proxy device and it is used as a Forwarding SSL outbound proxy for a small branch office. Is this possible?

Re: adding x-forward-for client IP to HTTP header

rmfalconer — Mon, 15 Mar 2021 22:04:11 GMT

Pretty sure that's not possible. The PA can use the XFF entry but can't insert it.

Why do you need the PA to insert XFF?

Re: adding x-forward-for client IP to HTTP header

nikoolayy1 — Wed, 17 Mar 2021 07:48:14 GMT

As mentioned the Palo Alto is also used as a forwarding web Proxy (SSL Outbound Inspection) for a small site. It also does NAT for the outbound traffic and some servers in HQ want to see the original client IP address. For me it seems normal to be able to do this on a firewall that also acts as a forwarding web Proxy.

Re: adding x-forward-for client IP to HTTP header

rmfalconer — Wed, 17 Mar 2021 17:31:45 GMT

Do you have your browsers configured to use the proxy settings and point them at the PA? If so, I wasn't aware they could do this.

As far as I know, the forward proxy is really meant as SSL decrypt when browsing. Traditional web proxy features like caching aren't available on the PA.

Is your HQ accessed over the internet or a private connection like a VPN tunnel?

Re: adding x-forward-for client IP to HTTP header

nikoolayy1 — Sat, 20 Mar 2021 13:58:44 GMT

The palo alto can be used as transperant ssl proxy with ssl redirect captive portal https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClJYCA0 . I don't get why there is no option to instert a header with the client IP address variable, similar to https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-new-features/user-id-features/include-username-in-http-header-insertion-entries.html , I hope that this will be added as it is a simple option and in some cases needed. Thanks for your help.

Re: adding x-forward-for client IP to HTTP header

robmaas — Mon, 21 Nov 2022 09:53:42 GMT

Sorry for this bump, but another use-case are cloud deployments with active-active firewalls, which require a source-nat to keep the traffic symmetric. A variable like ($srcip) instead of ($user) would be helpful and eliminate the need of a proxy like the Azure AppGW in front of the FWs for this functionality.

Re: adding x-forward-for client IP to HTTP header

nikoolayy1 — Tue, 22 Nov 2022 13:13:46 GMT

Also now in version 11 Palo Alto NGFW is going full explicit/transparent proxy mode, so being able to insert XFF not only read it seems like something Palo Alto needs to think about.

https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-new-features/networking-features/web-proxy