General Articles
LIVEcommunity's General Articles area is home to how-to resources, technical documentation, and discussions with Accepted Solutions that turn into articles related to all Palo Alto Networks products.
Organizations often use Google Cloud's Application Load Balancer to distribute HTTP/HTTPS traffic to VM-Series firewalls deployed within Google Cloud.

[Diagram 1]

In this setup, the Application Load Balancer functions as a proxy, altering the client's source address before forwarding the request to the VM-Series for security inspection. This may present challenges for organizations defining security policies based on the client's address or requiring IP preservation for backend applications protected by the VM-Series.

Using XFF Headers with PAN-OS

Within PAN-OS, the firewalls can be configured to use the source address of an X-Forwarded-For (XFF) header to enforce security policy. When configured, the firewall applies policy based on the address that was most recently added to the XFF field.

However, when using the Application Load Balancer, this approach alone will not work. This is because the load balancer appends two addresses to the XFF header, where the <load-balancer-ip> is the most recent address within the header and the <client-ip> is the next-to-last address.

    X-Forwarded-For: <client-ip>, <load-balancer-ip>

Solution

Within the backend service configuration of the Application Load Balancer, you can define custom headers to make the client address the most recently added address in the XFF field. When used, the load balancer preserves the supplied value of the custom header before the <client-ip>, <load-balancer-ip> addresses.

    X-Forwarded-For: <supplied-value>, <client-ip>, <load-balancer-ip>

To insert the client's address as the supplied value, you can use the client_ip_address header variable. This variable contains the client's IP address and has the same value as the <client-ip> address. Once configured, the VM-Series can then use the client's address to enforce policy.
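The header layouts above, as an added Python example that is not part of the LIVEcommunity article and not code from Palo Alto Networks or Google. The function names simulate_alb, most_recent_entry and client_from_xff are hypothetical, and every address is constructed from the RFC 5737 documentation ranges. The block models the <client-ip>, <load-balancer-ip> layout the article describes, shows why reading only the most recently added entry returns the load balancer's own address, and contrasts that with a trusted-proxy walk that returns the client address even when the client sent its own X-Forwarded-For value ahead of the proxy's entries. It goes slightly beyond the article by handling a spoofed and a malformed entry.

```python
"""Model of X-Forwarded-For handling behind a proxying load balancer.

Added example, not from the LIVEcommunity article. All addresses are
constructed from RFC 5737 documentation ranges; helper names are
hypothetical and do not describe PAN-OS internals.
"""
import ipaddress

# Constructed assumption: the address range the load balancer uses when it
# writes its own entry into XFF. A real deployment would use the ranges
# documented for its load balancer, not TEST-NET-1.
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.0/24")]


def simulate_alb(incoming_xff, client_ip, lb_ip):
    """Build the XFF value the article describes: any value the client
    supplied is preserved, then <client-ip>, <load-balancer-ip> follow."""
    parts = [incoming_xff.strip()] if incoming_xff else []
    parts += [client_ip, lb_ip]
    return ", ".join(parts)


def parse_xff(header):
    """Split a comma-separated XFF value into trimmed, non-empty entries."""
    return [t.strip() for t in header.split(",") if t.strip()]


def most_recent_entry(header):
    """The naive rule: take the entry most recently added, i.e. the last one.
    Behind the load balancer this is the load balancer's own address."""
    entries = parse_xff(header)
    return entries[-1] if entries else None


def client_from_xff(header, trusted_proxies):
    """Walk the entries from the right, skipping addresses that belong to a
    trusted proxy, and return the first address that does not. Entries to
    the left of the proxies are client-controlled, so the walk stops at the
    first non-proxy value; a token that is not an IP address is rejected."""
    for token in reversed(parse_xff(header)):
        try:
            addr = ipaddress.ip_address(token)
        except ValueError:
            return None  # not an address: nothing trustworthy to enforce on
        if not any(addr in net for net in trusted_proxies):
            return str(addr)
    return None  # only proxies in the chain; the client is unknown


if __name__ == "__main__":
    client, lb = "198.51.100.7", "192.0.2.10"
    for supplied in (None, "203.0.113.9"):
        xff = simulate_alb(supplied, client, lb)
        print(f"X-Forwarded-For: {xff}")
        print(f"  most recently added entry -> {most_recent_entry(xff)}")
        print(f"  trusted-proxy walk        -> {client_from_xff(xff, TRUSTED_PROXIES)}")
```

The trusted-proxy walk is a general technique for reading XFF behind a known proxy, not the selection rule PAN-OS applies; the article's approach instead has the load balancer write client_ip_address into the header so that the entry the firewall reads is one the load balancer itself produced. Either way, the value is only as trustworthy as the proxy that wrote it, which is why the VM-Series should receive this traffic only through the load balancer.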
[Diagram 2]

Steps to Implement

The steps below outline how to add the client_ip_address value as a custom header to an existing Application Load Balancer that uses the VM-Series as its backend service.

Adding Custom Request Header to Backend Service

1. In Google Cloud, go to Network Services → Load Balancing. Select your Application Load Balancer and click Edit.
2. Select Backend Configuration and click the edit icon next to the backend service.
   [Selecting backend]
3. Under Advanced Configurations → Custom Request Headers, click Add Header.
4. Set the header name to X-Forwarded-For and the header value to {client_ip_address}.
   [Adding custom header]
5. Click Update to apply the changes.

Configure VM-Series for XFF Headers

1. On the VM-Series, go to Device → Setup → Content-ID → X-Forwarded-For Headers.
2. Set Use X-Forwarded-For Header to Enabled for Security Policy.
   [Enabling XFF for policy]
3. Commit the changes.

View Traffic Logs

Once the changes have been applied, you can view the value of the client_ip_address header within the firewall's traffic logs.

1. Simulate traffic flows through the Application Load Balancer to your application.
2. Go to Monitor → Traffic and add the X-Forwarded-For IP field to the log view.
   [Log viewer]

The traffic logs should now contain the client's IP address under the X-Forwarded-For IP column. This address can then be used as the source address within the VM-Series security policies.

[Traffic logs]