Palo Alto behind ReverseProxy, how block real IP ?


L0 Member

Hello,

I have many websites behind my Palo Alto.

In front of many of the websites (and then the Palo Alto), I have a reverse proxy.

In the traffic logs I see the reverse proxy IP, not the real visitor IP.

I have enabled "Use X-Forwarded-For" and now I see the real IP in the X-Forwarded-For column in URL Filtering.

But is it possible to apply Security Profiles based on the IP of the X-Forwarded-For header?

Thanks

Manuel


Cyber Elite

@ManuelRighi,

No, the X-Forwarded-For field can't be utilized in security policies unless you first utilize X-Forwarded-For for User-ID; when using X-Forwarded-For you would need to have a User-ID mapping to that IP address to really get any benefit out of it from a security rulebase perspective. This may or may not be usable in your current situation, depending on whether the sites are internal or external.

I would reach out to your SE so that they can look and see if there is an existing Feature Request for this that he can add your vote to, and if not have him make one. 

Hey @BPry @ManuelRighi

Actually, I believe you can use the XFF IP address in a security policy 😉

Device -> Setup -> Content-ID -> "X-Forwarded-For Headers"

"Use X-Forwarded-For Header in User-ID"

https://www.paloaltonetworks.com/documentation/translated/70/newfeaturesguide/user-id-features/user-...

@LukeBullimore,

Right. As stated above, you can utilize the X-Forwarded-For header IP for user-ID mapping. This doesn't mean that you can utilize the X-Forwarded-For IP as a source IP when configuring policy or anything like that. It simply means that you could assign the XFF header IP to a user, and then use that user-id in policy, not the XFF IP. The source address that the firewall sees will continue to be the address actually sending the traffic. 

 

L7 Applicator

I have never tried it, but if the firewall cannot assign a user to the XFF IP, it will add "x-fwd-for: IP-ADDRESS" in the source user field. It could be worth a try to use exactly that in the security policy as the source user, to create "source IP" based policies even with a reverse proxy in front of the Palo Alto firewall.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClViCAK

 

... or you place the reverse proxy also behind the paloalto firewall 😉
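Whichever of the approaches above is used, any rule keyed on the X-Forwarded-For address is only as trustworthy as the hop that appended it: the browser (or an attacker) can send its own X-Forwarded-For header, and a proxy that appends rather than replaces will pass that forged value through as the leftmost entry. The chain-walking logic a practitioner would want in front of such a rule, as an added Python example that is not from the thread and does not reproduce what PAN-OS itself does with the header. The trusted proxy range 10.0.0.0/24 and all sample addresses are constructed for the example.

```python
import ipaddress
from typing import List, Optional

# Constructed: the reverse proxies that are allowed to sit in front of the
# firewall. Only hops in these ranges are believed when walking the chain.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def parse_xff(header: str) -> List[str]:
    """Split an X-Forwarded-For value into its hop list, client-side first."""
    return [h.strip() for h in header.split(",") if h.strip()]


def is_trusted_proxy(ip: str) -> bool:
    """True if ip parses and lies inside one of our proxy ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_PROXIES)


def naive_client_ip(peer_ip: str, xff: Optional[str]) -> str:
    """The leftmost-entry approach: trusts whatever the client put first."""
    hops = parse_xff(xff or "")
    return hops[0] if hops else peer_ip


def real_client_ip(peer_ip: str, xff: Optional[str]) -> str:
    """
    Walk the chain from the right (the hop nearest us) and stop at the first
    address that is not one of our proxies. That entry is the one a trusted
    proxy appended from its own TCP peer; everything to its left arrived in
    the client's request and can be forged.
    """
    if not is_trusted_proxy(peer_ip):
        # Connection did not come through a trusted proxy: the peer itself is
        # the client and any XFF header it sent is attacker-controlled.
        return peer_ip
    for hop in reversed(parse_xff(xff or "")):
        if is_trusted_proxy(hop):
            continue  # an inner proxy of ours; keep walking left
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return peer_ip  # malformed entry: refuse to key policy on it
        return hop
    # Chain was empty or consisted only of our proxies.
    return peer_ip


def demo() -> dict:
    # Constructed scenario: client 203.0.113.7 sends a forged header
    # "X-Forwarded-For: 192.0.2.1"; proxy 10.0.0.5 appends the real peer.
    forged_chain = "192.0.2.1, 203.0.113.7"
    return {
        "naive": naive_client_ip("10.0.0.5", forged_chain),   # spoofed value
        "walked": real_client_ip("10.0.0.5", forged_chain),   # real client
        # Direct connection bypassing the proxy, with a forged header.
        "bypass": real_client_ip("198.51.100.9", "203.0.113.7"),
    }


if __name__ == "__main__":
    for name, ip in demo().items():
        print(f"{name}: {ip}")
```

If the proxy replaces the header instead of appending to it, the chain has exactly one entry and both functions agree; the walk only matters when the proxy forwards whatever the client sent. The same applies to the "x-fwd-for: IP-ADDRESS" source-user string mentioned above: it is only as good as the value the proxy put in the header.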
