08-21-2019 02:42 PM
Does the PA support the ability to populate the X-Forwarded-For field?
08-21-2019 05:04 PM
Yes, this is supported with customers who have a PANW-DB URL license.
Objects --> Security Profiles --> URL --> URL Filtering Settings
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClViCAK
03-14-2021 05:47 AM - edited 03-14-2021 05:48 AM
From what I read in the provided article, the Palo Alto needs to have a proxy device before it for the XFF to be used? I need the Palo Alto to create the HTTP X-Forwarded-For (XFF) header, as the Palo Alto is the only proxy device and it is used as a Forwarding SSL outbound proxy for a small branch office. Is this possible?
03-15-2021 03:04 PM
Pretty sure that's not possible. The PA can use the XFF entry but can't insert it.
Why do you need the PA to insert XFF?
03-17-2021 12:48 AM
As mentioned the Palo Alto is also used as a forwarding web Proxy (SSL Outbound Inspection) for a small site. It also does NAT for the outbound traffic and some servers in HQ want to see the original client IP address. For me it seems normal to be able to do this on a firewall that also acts as a forwarding web Proxy.
03-17-2021 10:31 AM
Do you have your browsers configured to use the proxy settings and point them at the PA? If so, I wasn't aware they could do this.
As far as I know, the forward proxy is really meant as SSL decrypt when browsing. Traditional web proxy features like caching aren't available on the PA.
Is your HQ accessed over the internet or a private connection like a VPN tunnel?
03-20-2021 06:58 AM
The Palo Alto can be used as a transparent SSL proxy with SSL redirect captive portal https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClJYCA0 . I don't get why there is no option to insert a header with the client IP address variable, similar to https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-new-features/user-id-features/include-username-i... . I hope that this will be added, as it is a simple option and in some cases needed. Thanks for your help.
11-21-2022 01:53 AM
Sorry for this bump, but another use case is cloud deployments with active-active firewalls, which require a source NAT to keep the traffic symmetric. A variable like ($srcip) instead of ($user) would be helpful and eliminate the need for a proxy like the Azure AppGW in front of the FWs for this functionality.
11-22-2022 05:13 AM
Also, now in version 11 the Palo Alto NGFW is going full explicit/transparent proxy mode, so being able to insert XFF, not only read it, seems like something Palo Alto needs to think about.
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-new-features/networking-features/web-proxy
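For the use case raised in this thread (servers behind a source-NAT firewall that want the original client IP), the following is an added example, not part of the original posts and not Palo Alto code, of how a receiving server can consume X-Forwarded-For without trusting client-supplied values. It assumes some device in the path appends the header; the function names and the addresses (documentation ranges) are constructed for illustration.

```python
import ipaddress

# Constructed value: the firewall/proxy source-NAT address as seen by the HQ server.
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.10/32")]

def _parse_ip(token):
    """Return an ip_address for one XFF element, or None if it is malformed."""
    token = token.strip().strip('"')
    if token.startswith("["):            # bracketed IPv6, optionally with :port
        token = token[1:].split("]", 1)[0]
    elif token.count(":") == 1:          # IPv4 with :port
        token = token.split(":", 1)[0]
    try:
        return ipaddress.ip_address(token)
    except ValueError:
        return None

def _is_trusted(ip, trusted):
    return any(ip in net for net in trusted)

def original_client_ip(peer_ip, xff_header, trusted=TRUSTED_PROXIES):
    """Resolve the client address for a request received from peer_ip.

    The header is honoured only when the TCP peer is a trusted proxy. It is then
    walked right to left, and the first hop that is not a trusted proxy wins.
    Entries to the left of that hop were supplied by the client and are ignored.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not xff_header or not _is_trusted(peer, trusted):
        return str(peer)                 # direct connection: header is untrusted
    candidate = peer
    for token in reversed(xff_header.split(",")):
        ip = _parse_ip(token)
        if ip is None:
            break                        # malformed hop: keep the last good value
        candidate = ip
        if not _is_trusted(ip, trusted):
            break
    return str(candidate)
```

Logging both the TCP peer and the resolved address keeps the NAT address available for correlation with firewall session logs.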