https://live.paloaltonetworks.com/t5/general-topics/xff-value-1-1-1-1-when-quot-strip-x-forwarded-for-header-quot/m-p/312807#M80846 <P>Hello,</P><P>&nbsp;</P><P>Looking for some help if possible?</P><P>&nbsp;</P><P>Trying to set up XFF (PA-3250, 8.1.12), I have tried to set it up following this tutorial:</P><P><A href="https://live.paloaltonetworks.com/t5/General-Topics/Configuring-XFF-logging-without-a-URL-Filtering-License/td-p/239987" target="_blank">https://live.paloaltonetworks.com/t5/General-Topics/Configuring-XFF-logging-without-a-URL-Filtering-License/td-p/239987</A></P><P>&nbsp;</P><P>The only part I have not configured is pushing the URL logs to the syslog server.</P><P>The problem is, when "Strip X-Forwarded-For Header" is enabled the URL Filtering monitor displays the XFF value as 1.1.1.1.&nbsp; I temporarily disabled this feature and the internal client was displayed as expected, however, we would want to strip it and not make this information public.&nbsp; As soon as I enabled the strip feature again the value changed back to 1.1.1.1.&nbsp; I would have expected the XFF value to be displayed as the internal address and then as it leaves the firewall this information will be stripped from the HTTP header?</P><P>&nbsp;</P><P>The clients go through a proxy server (Smoothwall), then to the FW and out.&nbsp; We do not have access to the proxy but have been assured this has been set up correctly.</P><P>&nbsp;</P><P>Is there something I am missing in the set up?</P><P>&nbsp;</P><P>Any help would be greatly appreciated!</P><P>&nbsp;</P><P>Thanks.</P> Tue, 25 Feb 2020 16:02:18 GMT Andrew.Scott 2020-02-25T16:02:18Z https://live.paloaltonetworks.com/t5/general-topics/xff-value-1-1-1-1-when-quot-strip-x-forwarded-for-header-quot/m-p/312807#M80846 <P>Hello,</P><P>&nbsp;</P><P>Looking for some help if possible?</P><P>&nbsp;</P><P>Trying to set up XFF (PA-3250, 8.1.12), I have tried to set it up following this tutorial:</P><P><A href="https://live.paloaltonetworks.com/t5/General-Topics/Configuring-XFF-logging-without-a-URL-Filtering-License/td-p/239987" target="_blank">https://live.paloaltonetworks.com/t5/General-Topics/Configuring-XFF-logging-without-a-URL-Filtering-License/td-p/239987</A></P><P>&nbsp;</P><P>The only part I have not configured is pushing the URL logs to the syslog server.</P><P>The problem is, when "Strip X-Forwarded-For Header" is enabled the URL Filtering monitor displays the XFF value as 1.1.1.1.&nbsp; I temporarily disabled this feature and the internal client was displayed as expected, however, we would want to strip it and not make this information public.&nbsp; As soon as I enabled the strip feature again the value changed back to 1.1.1.1.&nbsp; I would have expected the XFF value to be displayed as the internal address and then as it leaves the firewall this information will be stripped from the HTTP header?</P><P>&nbsp;</P><P>The clients go through a proxy server (Smoothwall), then to the FW and out.&nbsp; We do not have access to the proxy but have been assured this has been set up correctly.</P><P>&nbsp;</P><P>Is there something I am missing in the set up?</P><P>&nbsp;</P><P>Any help would be greatly appreciated!</P><P>&nbsp;</P><P>Thanks.</P> Tue, 25 Feb 2020 16:02:18 GMT https://live.paloaltonetworks.com/t5/general-topics/xff-value-1-1-1-1-when-quot-strip-x-forwarded-for-header-quot/m-p/312807#M80846 Andrew.Scott 2020-02-25T16:02:18Z https://live.paloaltonetworks.com/t5/general-topics/xff-value-1-1-1-1-when-quot-strip-x-forwarded-for-header-quot/m-p/313999#M81024 <P>I have the same result.</P><P>&nbsp;</P><P>If you enable "Use X-Forwarded-For Header in User-ID", you can see the real XFF IP under the source user column of the logs. &nbsp;Palo Alto should have showed the real XFF IP in the XFF field and silently stripped it on the way out.&nbsp;</P> Mon, 02 Mar 2020 20:14:45 GMT https://live.paloaltonetworks.com/t5/general-topics/xff-value-1-1-1-1-when-quot-strip-x-forwarded-for-header-quot/m-p/313999#M81024 KevinChan31 2020-03-02T20:14:45Z