X-Forwarded-For is the HTTP header field that preserves the IP address of the user who requested the web page. It allows the user's IP address to be identified when there is a proxy server on the network and all requests would otherwise appear to originate from the proxy server’s IP address.
This feature is used to see the client IP address. When web traffic comes through a proxy server, the URL filtering logs show the proxy server's IP address as the source IP address. Once this feature is enabled, the client IP address is shown in the URL filtering logs (x-forwarded-for column).
Details
This feature must be enabled on the proxy server and on the Palo Alto Networks firewall. The proxy server adds the “x-forwarded-for” field to the GET request from the client and writes the client IP address into it. When the firewall receives the GET request, it looks for the “x-forwarded-for” field to read the client IP address and populates it in the URL filtering log.
Example configuration
Create a proxy server with IP address 192.168.171.100.
Configure the TRUST PC as 192.168.163.100 with the proxy configured in the IE browser.
Enable X-FORWARDED-FOR on the firewall under the URL filtering profile used in a security policy.
Example flow
Initiate web traffic for the website www.icicibank.com from the client with IP address 192.168.163.100.
The traffic reaches the proxy server 192.168.171.100.
The proxy server adds the field “X-FORWARDED-FOR” to the GET request from the client.
When the GET request reaches the firewall, the firewall checks the “X-FORWARDED-FOR” field and populates it in the URL filtering logs. In the log snapshot, the client IP address is displayed as 192.168.163.100 under the “x-forwarded-for” column along with the source IP address 192.168.171.100 (Proxy Server).
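The flow above, as an added Python sketch that is not Palo Alto Networks code and does not reproduce the firewall's implementation: one function plays the proxy adding the field, the other builds a log record with the two columns the article describes. The function names, record keys, and the simplified sample request are assumptions; the example also goes beyond the single-proxy case by appending to an existing field and reading the leftmost entry, which is the usual convention for the original client.

```python
import ipaddress

CLIENT_IP = "192.168.163.100"   # TRUST PC from the article
PROXY_IP = "192.168.171.100"    # proxy server from the article
# Constructed, simplified GET request as sent by the client
CLIENT_REQUEST = b"GET / HTTP/1.1\r\nHost: www.icicibank.com\r\n\r\n"

def proxy_forward(raw_request: bytes, client_ip: str) -> bytes:
    """Proxy side (hypothetical helper): add or extend X-Forwarded-For."""
    head, _, body = raw_request.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    for i, line in enumerate(lines[1:], start=1):
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"x-forwarded-for":
            # A proxy earlier in the chain already set the field: append to it
            lines[i] = b"X-Forwarded-For: " + value.strip() + b", " + client_ip.encode()
            break
    else:
        lines.append(b"X-Forwarded-For: " + client_ip.encode())
    return b"\r\n".join(lines) + b"\r\n\r\n" + body

def firewall_log(raw_request: bytes, source_ip: str) -> dict:
    """Firewall side (hypothetical helper): build a URL-filtering-style record."""
    head = raw_request.partition(b"\r\n\r\n")[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), value.strip())  # names are case-insensitive
    # Leftmost entry is the original client when several proxies appended
    first = headers.get("x-forwarded-for", "").split(",")[0].strip()
    try:
        xff = str(ipaddress.ip_address(first))
    except ValueError:
        xff = None  # field absent or not an IP address: leave the column empty
    _method, path, _version = request_line.split(" ", 2)
    return {"source": source_ip, "x-forwarded-for": xff,
            "url": headers.get("host", "") + path}

if __name__ == "__main__":
    forwarded = proxy_forward(CLIENT_REQUEST, CLIENT_IP)
    print(firewall_log(forwarded, PROXY_IP))
```

The source column still holds the proxy address because that is the peer the firewall sees on the connection; only the x-forwarded-for column comes from the header.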