Palo Alto behind ReverseProxy, how block real IP ?

L0 Member

Hello,

I have many websites behind my Palo Alto.

In front of many of the websites (and then the Palo Alto), I have a reverse proxy.

In the traffic logs I see the reverse proxy IP, not the real visitor IP.

I have enabled "Use X-Forwarded-For" and now I see the real IP in the X-Forwarded-For column in URL Filtering.

But is it possible to apply Security Profiles based on the IP in the X-Forwarded-For header?

Thanks

Manuel

L7 Applicator

Re: Palo Alto behind ReverseProxy, how block real IP ?

@ManuelRighi,

No, the X-Forwarded-For field can't be utilized in security policies unless you first utilize X-Forwarded-For for User-ID; when using X-Forwarded-For you would need to have a User-ID mapping to that IP address to really get any benefit out of it from a security rulebase perspective. This may or may not be usable in your current situation, depending on whether the sites are internal or external.

I would reach out to your SE so that they can look and see if there is an existing Feature Request for this that he can add your vote to, and if not have him make one. 

L5 Sessionator

Re: Palo Alto behind ReverseProxy, how block real IP ?

Hey @BPry @ManuelRighi

Actually, I believe you can use the XFF IP address in a security policy ;)

Device -> Setup -> Content-ID -> "X-Forwarded-For Headers"

"Use X-Forwarded-For Header in User-ID"

https://www.paloaltonetworks.com/documentation/translated/70/newfeaturesguide/user-id-features/user-...

L7 Applicator

Re: Palo Alto behind ReverseProxy, how block real IP ?

@LukeBullimore,

Right. As stated above, you can utilize the X-Forwarded-For header IP for User-ID mapping. This doesn't mean that you can utilize the X-Forwarded-For IP as a source IP when configuring policy or anything like that. It simply means that you could assign the XFF header IP to a user, and then use that User-ID in policy, not the XFF IP. The source address that the firewall sees will continue to be the address actually sending the traffic.

L7 Applicator

Re: Palo Alto behind ReverseProxy, how block real IP ?

I have never tried it, but if the firewall cannot assign a user to the XFF IP it will add "x-fwd-for: IP-ADDRESS" in the Source User field. It could be worth a try to use exactly that in the security policy as the source user, to create "source IP" based policies even with a reverse proxy in front of the Palo Alto firewall.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClViCAK

... or you place the reverse proxy also behind the Palo Alto firewall ;)
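The thread above turns on one fact: a device behind the reverse proxy only ever sees the proxy as the packet source, and the real visitor address survives solely in the X-Forwarded-For header, which the firewall can at best turn into a User-ID entry or an "x-fwd-for: IP-ADDRESS" source-user label. The following is an added example, not Palo Alto code and not code from any poster, showing how the real client address is derived from that header and then matched against an address-based policy. The trusted proxy subnet (10.0.0.0/24), the policy rules, and every address in it are constructed for illustration; the design choice of only believing the header when the direct peer is one of your own proxies is the standard defensive rule, since any other sender can put whatever it likes into that header.

```python
import ipaddress

# Constructed sample data (not from the thread): the subnet the reverse proxies
# live in, and a small address-based policy evaluated in first-match order.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]
POLICY = [
    {"name": "deny-abusive-client", "source": ipaddress.ip_network("203.0.113.0/24"), "action": "deny"},
    {"name": "allow-web", "source": ipaddress.ip_network("0.0.0.0/0"), "action": "allow"},
]


def _trusted(ip, trusted) -> bool:
    """True when ip falls inside one of the trusted proxy networks."""
    return any(ip in net for net in trusted)


def client_ip_from_xff(xff: str, peer_ip: str, trusted=TRUSTED_PROXIES) -> str:
    """Return the best estimate of the real client address.

    peer_ip is the address that actually sent the packets (what the firewall
    logs as source). X-Forwarded-For is a comma-separated chain
    "client, proxy1, proxy2, ...": each proxy appends the address it received
    the connection from. Walking the chain from the right and skipping our own
    trusted proxies yields the first address we did not write ourselves.
    The header is only consulted when peer_ip is a trusted proxy; anyone else
    could have filled it with arbitrary values.
    """
    try:
        peer = ipaddress.ip_address(peer_ip)
    except ValueError:
        return peer_ip  # unparseable peer: nothing better to offer
    if not _trusted(peer, trusted):
        return str(peer)  # direct client; the header is not trustworthy
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: stop walking, fall back to the proxy address
        if not _trusted(ip, trusted):
            return str(ip)
    return str(peer)  # empty chain, or only our own proxies in it


def source_user_label(client_ip: str) -> str:
    """The "x-fwd-for: IP-ADDRESS" style label the post above reports the
    firewall writes to the Source User field when no user maps to the XFF IP."""
    return f"x-fwd-for: {client_ip}"


def evaluate_policy(xff: str, peer_ip: str, policy=POLICY) -> str:
    """First-match evaluation of the constructed policy against the derived client IP."""
    try:
        client = ipaddress.ip_address(client_ip_from_xff(xff, peer_ip))
    except ValueError:
        return "deny"  # could not establish a client address at all
    for rule in policy:
        if client in rule["source"]:
            return rule["action"]
    return "deny"  # implicit default deny when nothing matches


if __name__ == "__main__":
    # Constructed requests: (X-Forwarded-For header, peer address seen on the wire)
    samples = [
        ("198.51.100.7", "10.0.0.5"),            # one proxy hop, clean client
        ("203.0.113.9, 10.0.0.8", "10.0.0.5"),   # two proxy hops, listed client
        ("203.0.113.9", "192.0.2.1"),            # header from an untrusted peer: ignored
        ("", "10.0.0.5"),                        # proxy forgot to set the header
    ]
    for xff, peer in samples:
        real = client_ip_from_xff(xff, peer)
        print(f"peer={peer:<12} xff={xff!r:<26} -> {source_user_label(real):<24} {evaluate_policy(xff, peer)}")
```

The point the replies make is visible in the output: the peer address is always the proxy, so an address-based rule can only act on the derived value, and the derived value is only as good as the proxy chain you trust.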
