Using XFF Headers with VM-Series on GCP

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.
L3 Networker
No ratings

Organizations often use Google Cloud’s Application Load Balancer to distribute HTTP/HTTPS traffic to VM-Series firewalls deployed within Google Cloud.


Diagram 1Diagram 1

In this setup, the Application Load Balancer functions as a proxy, altering the client's source address before forwarding the request to the VM-Series for security inspection. This may present challenges for organizations defining security policies based on the client's address or requiring IP preservation for backend applications protected by the VM-Series.


Using XFF Headers with PAN-OS

Within PAN-OS, the firewalls can be configured to use the source address of an X-Forwarded-For (XFF) header to enforce security policy.  When configured, the firewall applies policy based on the address that was most-recently added to the XFF field.


However, when using the Application Load Balancer, this approach alone will not work.  This is because the load balancer appends two addresses to the XFF header, where the <load-balancer-ip> is the most-recent address within the header and the <client-ip> is the next-to-last address.



X-Forwarded-For: <client-ip>, <load-balancer-ip>




Within the backend service configuration of the Application Load Balancer, you can define custom headers to make the client address the most-recently added address to the XFF field. When used, the load balancer preserves the supplied value of the custom header before the <client-ip>, <load-balancer-ip> addresses.  



X-Forwarded-For: <supplied-value>, <client-ip>, <load-balancer-ip>



To insert the client’s address as the supplied value, you can use the client_ip_address header variable.  This variable contains the client’s IP address, and has the same value as the <client-ip> address.  Once configured, the VM-Series can then use the client’s address to enforce policy.


Diagram 2Diagram 2


Steps to Implement

The steps below outline how to add the client_ip_address value as a custom header to an existing Application Load Balancer that uses the VM-Series as its backend service.


Adding Custom Request Header to Backend Service

1. In Google Cloud, go to Network Services → Load Balancing.  Select your Application Load Balancer and click Edit.


2. Select Backend Configuration and click the edit icon next to the backend service. 

Selecting backendSelecting backend


3. Under Advance Configurations → Custom Request Headers, click Add Header


4. Set the header name to X-Forwarded-For and the header value to {client_ip_address}.

Adding customer headerAdding customer header


5. Click Update to apply the changes. 



Configure VM-Series for XFF Headers

1. On the VM-Series, go to Device → Setup → Content-ID → X-Forwarded-For Headers.


2. Set Use X-Forwarded-For Header to Enabled for Security Policy.

Enabling XFF for policy.Enabling XFF for policy.


3. Commit the changes.


View Traffic Logs

Once the changes have been applied, you can view the value of the client_ip_address header within the firewall's traffic logs. 


1. Simulate traffic flows through the Application Load Balancer to your application. 


2. Go to Monitor → Traffic and add the X-Forwarded-For IP field to the log view.

Log viewer.Log viewer.


The traffic logs should now contain the client's IP address under the X-Forwarded-For IP column.  This address can then be used as the source address within the VM-Series security policies. 


Traffic logsTraffic logs

Rate this article:
Register or Sign-in
Article Dashboard
Version history
Last Updated:
‎01-10-2024 04:27 PM
Updated by: