Organizations often use Google Cloud’s Application Load Balancer to distribute HTTP/HTTPS traffic to VM-Series firewalls deployed within Google Cloud.
In this setup, the Application Load Balancer functions as a proxy, altering the client's source address before forwarding the request to the VM-Series for security inspection. This may present challenges for organizations defining security policies based on the client's address or requiring IP preservation for backend applications protected by the VM-Series.
Within PAN-OS, the firewalls can be configured to use the source address of an X-Forwarded-For (XFF) header to enforce security policy. When configured, the firewall applies policy based on the address that was most recently added to the XFF field.
However, when using the Application Load Balancer, this approach alone will not work. This is because the load balancer appends two addresses to the XFF header, where the <load-balancer-ip> is the most recent address within the header and the <client-ip> is the next-to-last address:
X-Forwarded-For: <client-ip>, <load-balancer-ip>
Within the backend service configuration of the Application Load Balancer, you can define custom headers to make the client address the most recently added address in the XFF field. When used, the load balancer preserves the supplied value of the custom header before the <client-ip>, <load-balancer-ip> addresses:
X-Forwarded-For: <supplied-value>, <client-ip>, <load-balancer-ip>
To insert the client's address as the supplied value, you can use the client_ip_address header variable. This variable contains the client's IP address and has the same value as the <client-ip> address. Once configured, the VM-Series can then use the client's address to enforce policy.
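As an added example (not code from the original article, and not PAN-OS or Google Cloud code), the small Python model below builds the two header layouts described above from constructed sample addresses and shows which entry a consumer obtains if it reads the last entry of the chain versus the first. It also goes one step beyond the article with a general XFF check a practitioner would want: walking the chain from the right and skipping every hop that falls in an assumed trusted-proxy range, so that any value a client placed at the front of the chain is never mistaken for the real source. The addresses, the trusted range, and the selection rules are assumptions for illustration only.

```python
"""Model of the X-Forwarded-For (XFF) chains described in the article.

Added example. The addresses and the trusted proxy range below are constructed
placeholders (documentation ranges), and the selection rules are an abstract
model of a header consumer, not PAN-OS or Google Cloud internals.
"""
import ipaddress
from typing import List, Optional

# Constructed sample addresses, not values from the article.
CLIENT_IP = "203.0.113.10"
LOAD_BALANCER_IP = "198.51.100.7"
# Assumed: the proxy range an operator would register as trusted.
TRUSTED_PROXIES = [ipaddress.ip_network("198.51.100.0/24")]


def parse_xff(header_value: str) -> List[str]:
    """Split an XFF header into its comma-separated hops, oldest entry first."""
    return [hop.strip() for hop in header_value.split(",") if hop.strip()]


def xff_default(client_ip: str, lb_ip: str) -> str:
    """Chain the load balancer produces with no custom request header:
    <client-ip>, <load-balancer-ip> (the article's first layout)."""
    return f"{client_ip}, {lb_ip}"


def xff_with_custom_header(client_ip: str, lb_ip: str, supplied_value: str) -> str:
    """Chain with a custom X-Forwarded-For request header on the backend
    service: the supplied value is kept ahead of the two proxy-added
    addresses (the article's second layout). With {client_ip_address} as
    the header value, supplied_value equals client_ip."""
    return f"{supplied_value}, {client_ip}, {lb_ip}"


def last_entry(header_value: str) -> str:
    """What a consumer sees when it reads the last-appended address."""
    return parse_xff(header_value)[-1]


def first_entry(header_value: str) -> str:
    """What a consumer sees when it reads the first address in the chain."""
    return parse_xff(header_value)[0]


def rightmost_untrusted(header_value: str, trusted=TRUSTED_PROXIES) -> Optional[str]:
    """Walk the chain from the right, skipping hops inside trusted proxy
    networks, and return the first remaining address. Returns None when the
    chain is empty, every hop is a trusted proxy, or a hop is not a valid IP
    (a caller should then fall back to the TCP source address)."""
    for hop in reversed(parse_xff(header_value)):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed entry: do not trust anything to its left
        if any(addr in net for net in trusted):
            continue  # our own proxy: keep walking left
        return hop
    return None


if __name__ == "__main__":
    chains = {
        "default": xff_default(CLIENT_IP, LOAD_BALANCER_IP),
        "custom header": xff_with_custom_header(CLIENT_IP, LOAD_BALANCER_IP, CLIENT_IP),
    }
    for label, chain in chains.items():
        print(f"{label:14} {chain}")
        print(f"  first entry:        {first_entry(chain)}")
        print(f"  last entry:         {last_entry(chain)}")
        print(f"  rightmost untrusted: {rightmost_untrusted(chain)}")
```

Running the script prints both chains and, for each, the address obtained by each rule. The trusted-proxy walk returns the same client address for both layouts, and it still returns it when a client prepends an arbitrary value to the chain, because only hops to the right of the trusted proxies are skipped.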
The steps below outline how to add the client_ip_address value as a custom header to an existing Application Load Balancer that uses the VM-Series as its backend service.
1. In Google Cloud, go to Network Services → Load Balancing. Select your Application Load Balancer and click Edit.
2. Select Backend Configuration and click the edit icon next to the backend service.
3. Under Advanced Configurations → Custom Request Headers, click Add Header.
4. Set the header name to X-Forwarded-For and the header value to {client_ip_address}.
5. Click Update to apply the changes.
1. On the VM-Series, go to Device → Setup → Content-ID → X-Forwarded-For Headers.
2. Set Use X-Forwarded-For Header to Enabled for Security Policy.
3. Commit the changes.
Once the changes have been applied, you can view the value of the client_ip_address header within the firewall's traffic logs.
1. Simulate traffic flows through the Application Load Balancer to your application.
2. Go to Monitor → Traffic and add the X-Forwarded-For IP field to the log view.
The traffic logs should now contain the client's IP address under the X-Forwarded-For IP column. This address can then be used as the source address within the VM-Series security policies.
Hi mmclimans,
We have applied the setting you mentioned in the article, but we are still unable to see the X-Forwarded-For IP entry in the traffic logs.
In our environment we have applied an SSL certificate on the External & Internal Application Load Balancers, or in PA we are performing Inbound SSL Inspection.
How can we resolve the issue?