Looking for some help if possible?
Trying to set up XFF (PA-3250, 8.1.12), I have tried to set it up following this tutorial:
The only part I have not configured is pushing the URL logs to the syslog server.
The problem is, when "Strip X-Forwarded-For Header" is enabled the URL Filtering monitor displays the XFF value as 220.127.116.11. I temporarily disabled this feature and the internal client was displayed as expected, however, we would want to strip it and not make this information public. As soon as I enabled the strip feature again the value changed back to 18.104.22.168. I would have expected the XFF value to be displayed as the internal address and then as it leaves the firewall this information will be stripped from the HTTP header?
The clients go through a proxy server (Smoothwall), then to the FW and out. We do not have access to the proxy but have been assured this has been set up correctly.
Is there something I am missing in the set up?
Any help would be greatly appreciated!
I have the same result.
If you enable "Use X-Forwarded-For Header in User-ID", you can see the real XFF IP under the source user column of the logs. Palo Alto should have showed the real XFF IP in the XFF field and silently stripped it on the way out.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!