Custom vulnerability signature based on X-Forwarded-For values



We are using a PA-3020 and need to set up some additional custom rules which will ignore false positives coming from a legit external scanner to our webservers. The web traffic is hitting the load balancer, so all traffic is showing as sourced to the load balancer's IP. We were able to create the following custom rule.


We are seeing most of the events triggered by the scanner being caught by the custom rule. However, some of the events are still bypassing the rule and triggering lots of alerts. This is a sample of an event triggering the custom rule:


And this is a sample of another event bypassing the rule:


The X-Forwarded-For value is being correctly translated in both packets, so I am not sure if there are some limitations in the custom rule or if I am just missing some other configurations. Any advice would be appreciated. Thank you.


