https://live.paloaltonetworks.com/t5/general-topics/x-forwarded-for-xff-operation-query/m-p/567188#M114584 <P>Hello,</P> <P>We are evaluating the implementation of X-Forwarded-For (XFF) functionality for logs.</P> <P><A href="https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/policy/identify-users-connected-through-a-proxy-server/use-xff-values-for-ip-based-security-policy-and-logging" target="_blank">https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/policy/identify-users-connected-through-a-proxy-server/use-xff-values-for-ip-based-security-policy-and-logging </A></P> <P>However, this functionality was activated and affected the traffic, denying traffic that should be allowed and that contained the XFF header.</P> <P>In case the feature is enabled, if the traffic contains the XFF header, - How is the traffic policy evaluated, and is the source IPv4 address no longer taken into account and replaced in the evaluation by the IPv4 address of the XFF header? - Is there any mechanism to verify the authenticity of who wrote the XFF header?&nbsp;</P> <P>&nbsp;</P> <P>Thanks so much</P> Mon, 27 Nov 2023 12:13:05 GMT Alpalo 2023-11-27T12:13:05Z https://live.paloaltonetworks.com/t5/general-topics/x-forwarded-for-xff-operation-query/m-p/567188#M114584 <P>Hello,</P> <P>We are evaluating the implementation of X-Forwarded-For (XFF) functionality for logs.</P> <P><A href="https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/policy/identify-users-connected-through-a-proxy-server/use-xff-values-for-ip-based-security-policy-and-logging" target="_blank">https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/policy/identify-users-connected-through-a-proxy-server/use-xff-values-for-ip-based-security-policy-and-logging </A></P> <P>However, this functionality was activated and affected the traffic, denying traffic that should be allowed and that contained the XFF header.</P> <P>In case the feature is enabled, if the traffic contains the XFF header, - How is the traffic policy evaluated, and is the source IPv4 address no longer taken into account and replaced in the evaluation by the IPv4 address of the XFF header? - Is there any mechanism to verify the authenticity of who wrote the XFF header?&nbsp;</P> <P>&nbsp;</P> <P>Thanks so much</P> Mon, 27 Nov 2023 12:13:05 GMT https://live.paloaltonetworks.com/t5/general-topics/x-forwarded-for-xff-operation-query/m-p/567188#M114584 Alpalo 2023-11-27T12:13:05Z https://live.paloaltonetworks.com/t5/general-topics/x-forwarded-for-xff-operation-query/m-p/567220#M114589 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/192671">@Alpalo</a> ,</P> <P>&nbsp;</P> <P>As described here - <A href="https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-new-features/policy-features/xff-header-support-for-security-policy" target="_blank">https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-new-features/policy-features/xff-header-support-for-security-policy</A></P> <P>Since 10.0 PAN will use XFF source IP to enforce security policy. <BR /><BR />Q: How is the traffic policy evaluated, and is the source IPv4 address no longer taken into account and replaced in the evaluation by the IPv4 address of the XFF header?<BR />A: Correct. Security policy will evaluated based on the source IP from the XFF and not the source IP from the network packet header.</P> <P>&nbsp;</P> <P>Q: Is there any mechanism to verify the authenticity of who wrote the XFF header?&nbsp;</P> <P>A: I don't there is a way. Due to the nature of the HTTP headers, you can slap there anything you want, the same way you can forged the user agent.</P> Mon, 27 Nov 2023 14:26:12 GMT https://live.paloaltonetworks.com/t5/general-topics/x-forwarded-for-xff-operation-query/m-p/567220#M114589 aleksandar.astardzhiev 2023-11-27T14:26:12Z