cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Reverse Proxy and X-forwarded-for

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Reply
MerrickNetworkEngineers
MerrickNetworkEngineers
L1 Bithead
‎10-30-2017 03:15 PM
‎10-30-2017 03:15 PM

Reverse Proxy and X-forwarded-for

We use a load balancer to terminate SSL connections coming into our publicly accessible web servers from the Internet.  The same load balancers are used as a reverse proxy.  Because this produces a blind-spot for us, we have configured the load balancer to insert the real Internet IP into the XFF entry of the resulting inbound HTTP packet (we don't re-encrypt the packet after the load balancer has decrypted it).  I can't find a way to generate a report that shows the XFF entries within packets coming into the firewall from the load balancer.

 

All documentation I can find is for outbound traffic going over a proxy server (not reverse-proxy).  Can the firewall retrieve the XFF entries from packets coming from a reverse-proxy sourced from the Internet?  If so, how can I generate a report that shows this information?

 

Thanks!

0 Likes
Reply
reaper
Community Manager
Community Manager
‎10-31-2017 01:14 AM
‎10-31-2017 01:14 AM

Re: Reverse Proxy and X-forwarded-for

Hi

 

have you enabled x-forward for? How to Enable Support for the X-Forwarded-For HTTP Header

 

reaper@myNGFW> configure 
Entering configuration mode
[edit]                                                                          
reaper@myNGFW# set deviceconfig setting ctd x-forwarded-for 
  no    no 
  yes   yes

Help the community: Like helpful comments and mark solutions
Reaper out
Reply
reaper
Community Manager
Community Manager
‎10-31-2017 08:04 AM
‎10-31-2017 08:04 AM

Re: Reverse Proxy and X-forwarded-for

Hi @MerrickNetworkEngineers

 

I deleted your comments in the KB article as those would not make sense from a conversational standpoint

 

If you have enabled the x-forward for headers, then we move on to the next step: have you enabled user-id in the zone where the load balancers sit?

user identification zone


Help the community: Like helpful comments and mark solutions
Reaper out
0 Likes
Reply
MerrickNetworkEngineers
MerrickNetworkEngineers
L1 Bithead
‎10-31-2017 08:19 AM
‎10-31-2017 08:19 AM

Re: Reverse Proxy and X-forwarded-for

Yes.  User-ID is enabled for the zone the LB is in.

0 Likes
Reply
MerrickNetworkEngineers
MerrickNetworkEngineers
L1 Bithead
‎10-31-2017 08:37 AM
‎10-31-2017 08:37 AM

Re: Reverse Proxy and X-forwarded-for

An item of note in the document you refer to is that it appears that XFF entries in the Source User field is only support with URL filtering.  I'm not doing any URL filtering for inbound reverse-proxied connections.  There is not reason I can think of to do URL filtering on an inbound connection through a reverse-proxy.

0 Likes
Reply
Highlighted
reaper
Community Manager
Community Manager
‎10-31-2017 08:56 AM
‎10-31-2017 08:56 AM

Re: Reverse Proxy and X-forwarded-for

Ah, that would explain why it's not working working as expected

 

XFF plugs in in the URL filtering layer on the firewall, if you haven't got URL filtering enabled the headers will be ignored

 

XFF Headers


Help the community: Like helpful comments and mark solutions
Reaper out
0 Likes
Reply
lagop
lagop
L1 Bithead
‎09-19-2019 11:27 AM
‎09-19-2019 11:27 AM

Re: Reverse Proxy and X-forwarded-for

Try creating a custom URL Filtering with your sites or * and apply it to a URL Filtering Profile which is then attached to your rule(s) processing inbound traffic. This can be done without the need for our PAN-DB URL Filtering subscription. This post has some useful steps that may be helpful. Although the true source IP will be added to the Source User field in your URL logs, they can also be leveraged when looking at other logs through 'Related Logs' feature.  Good luck and please post if it works or not.

0 Likes
Reply
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!

Latest Blogs
Latest Posts
Privacy Policy Terms of Use
Copyright 2007 - 2019 - Palo Alto Networks