https://live.paloaltonetworks.com/t5/general-topics/palo-alto-behind-reverseproxy-how-block-real-ip/m-p/236354#M67737 <P>I have never tried it but if the firewall cannot assign a user to the xff IP it will add "x-fwd-for: IP-ADDRESS" in the source user field. Could be worth a try to use exactly that in the security policy as source user to create "source IP" based policies even with a reverse proxy in front of the paloalto firewall.</P><P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClViCAK" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClViCAK</A></P><P>&nbsp;</P><P>... or you place the reverse proxy also behind the paloalto firewall <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Sat, 20 Oct 2018 21:23:10 GMT Remo 2018-10-20T21:23:10Z https://live.paloaltonetworks.com/t5/general-topics/palo-alto-behind-reverseproxy-how-block-real-ip/m-p/236146#M67692 <P>Hello,</P><P>I have many website behind my Palo Alto.</P><P>In front of many websites (and then Palo Alto), I have Reverse Proxy.</P><P>Into traffic logs I see Reverse proxy IP, not the real visitor IP.</P><P>&nbsp;</P><P>I have enabled "Use X-Forwarded-For" and now I see Real IP into colum X-Forwarded-For in Url Filtering.</P><P>&nbsp;</P><P>But, it's possible to apply Security Profiles based on the IP of the x-forwarded-for header?</P><P>&nbsp;</P><P>&nbsp;</P><P>Thanks</P><P>Manuel</P> Fri, 19 Oct 2018 12:23:23 GMT https://live.paloaltonetworks.com/t5/general-topics/palo-alto-behind-reverseproxy-how-block-real-ip/m-p/236146#M67692 ManuelRighi 2018-10-19T12:23:23Z https://live.paloaltonetworks.com/t5/general-topics/palo-alto-behind-reverseproxy-how-block-real-ip/m-p/236172#M67695 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/85716">@ManuelRighi</a>,</P><P>No, the X-Forwarded-For field can't be utilized in security policies unless you first utilize X-Forwarded-For for User-ID; when using X-Forwarded-For you would need to have a user-id mapping to that IP address to really get any benefit out of it from a security rulebase perspective. This may or may not be usable in your current situation, dending on if the sites are internal or external.&nbsp;</P><P>I would reach out to your SE so that they can look and see if there is an existing Feature Request for this that he can add your vote to, and if not have him make one.&nbsp;</P> Fri, 19 Oct 2018 13:35:54 GMT https://live.paloaltonetworks.com/t5/general-topics/palo-alto-behind-reverseproxy-how-block-real-ip/m-p/236172#M67695 BPry 2018-10-19T13:35:54Z https://live.paloaltonetworks.com/t5/general-topics/palo-alto-behind-reverseproxy-how-block-real-ip/m-p/236186#M67698 <P>Hey&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/85716">@ManuelRighi</a></P><P>&nbsp;</P><P>Actually, I believe you can use the XFF IP address in a security policy <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P><P>&nbsp;</P><P>Device -&gt; Setup -&gt; Content-ID -&gt; "X-Forwarded-For Headers"</P><P>&nbsp;</P><P>"<SPAN>Use X-Forwarded-For Header in User-ID"</SPAN></P><P>&nbsp;</P><P><SPAN><A href="https://www.paloaltonetworks.com/documentation/translated/70/newfeaturesguide/user-id-features/user-attribution-based-on-x-forwarded-for-headers" target="_blank">https://www.paloaltonetworks.com/documentation/translated/70/newfeaturesguide/user-id-features/user-attribution-based-on-x-forwarded-for-headers</A></SPAN></P> Fri, 19 Oct 2018 14:03:01 GMT https://live.paloaltonetworks.com/t5/general-topics/palo-alto-behind-reverseproxy-how-block-real-ip/m-p/236186#M67698 LukeBullimore 2018-10-19T14:03:01Z https://live.paloaltonetworks.com/t5/general-topics/palo-alto-behind-reverseproxy-how-block-real-ip/m-p/236195#M67700 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/52796">@LukeBullimore</a>,</P><P>Right. As stated above, you can utilize the X-Forwarded-For header IP for user-ID mapping. This doesn't mean that you can utilize the X-Forwarded-For IP as a source IP when configuring policy or anything like that. It simply means that you could assign the XFF header IP to a user, and then use that user-id in policy, not the XFF IP. The source address that the firewall sees will continue to be the address actually sending the traffic.&nbsp;</P><P>&nbsp;</P> Fri, 19 Oct 2018 14:20:54 GMT https://live.paloaltonetworks.com/t5/general-topics/palo-alto-behind-reverseproxy-how-block-real-ip/m-p/236195#M67700 BPry 2018-10-19T14:20:54Z https://live.paloaltonetworks.com/t5/general-topics/palo-alto-behind-reverseproxy-how-block-real-ip/m-p/236354#M67737 <P>I have never tried it but if the firewall cannot assign a user to the xff IP it will add "x-fwd-for: IP-ADDRESS" in the source user field. Could be worth a try to use exactly that in the security policy as source user to create "source IP" based policies even with a reverse proxy in front of the paloalto firewall.</P><P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClViCAK" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClViCAK</A></P><P>&nbsp;</P><P>... or you place the reverse proxy also behind the paloalto firewall <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Sat, 20 Oct 2018 21:23:10 GMT https://live.paloaltonetworks.com/t5/general-topics/palo-alto-behind-reverseproxy-how-block-real-ip/m-p/236354#M67737 Remo 2018-10-20T21:23:10Z