adding x-forward-for client IP to HTTP header


L0 Member

Does the PA support the ability to populate the x-forward-for field?

8 REPLIES 8

Cyber Elite

Yes, this is supported with customers who have a PANW-DB URL license.

Objects --> Security Profiles --> URL --> URL Filtering Settings

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClViCAK

Please help out other users and “Accept as Solution” if a post helps solve your problem!

From what I read in the provided article, the Palo Alto needs to have a proxy device before it for the XFF to be used? I need the Palo Alto to create the HTTP x-forward-for (XFF) header, as the Palo Alto is the only proxy device and it is used as a Forwarding SSL outbound proxy for a small branch office. Is this possible?

Pretty sure that's not possible. The PA can use the XFF entry but can't insert it.

Why do you need the PA to insert XFF? 

As mentioned, the Palo Alto is also used as a forwarding web Proxy (SSL Outbound Inspection) for a small site. It also does NAT for the outbound traffic, and some servers in HQ want to see the original client IP address. For me it seems normal to be able to do this on a firewall that also acts as a forwarding web Proxy.

Do you have your browsers configured to use the proxy settings and point them at the PA? If so, I wasn't aware they could do this. 

As far as I know, the forward proxy is really meant as SSL decrypt when browsing. Traditional web proxy features like caching aren't available on the PA.

Is your HQ accessed over the internet or a private connection like a VPN tunnel?

The Palo Alto can be used as a transparent SSL proxy with SSL redirect captive portal https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClJYCA0. I don't get why there is no option to insert a header with the client IP address variable, similar to https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-new-features/user-id-features/include-username-i... . I hope that this will be added, as it is a simple option and in some cases needed. Thanks for your help.

L3 Networker

Sorry for this bump, but another use case is cloud deployments with active-active firewalls, which require a source-nat to keep the traffic symmetric. A variable like ($srcip) instead of ($user) would be helpful and eliminate the need for a proxy like the Azure AppGW in front of the FWs for this functionality.


- If it is broken, fix it. If it ain't broken, make it better.

L6 Presenter

Also, now in version 11 Palo Alto NGFW is going full explicit/transparent proxy mode, so being able to insert XFF, not only read it, seems like something Palo Alto needs to think about.

https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-new-features/networking-features/web-proxy
