Be aware if you do x-forward-via header you will "publish" your
internal IP-addresses on the internet as the header will not be removed by Palo Alto.
That is as far as I know a new feature in 4.0.
There is a much better way to do this!
Let Blue Coat do "send-client-ip" and you will see the original source from the client.
You can enable this function in management console (my guess is proxy and general) or in the VPM and forward layer.
I recommend to use two dedicated L3 interfaces on the Palo Alto for this and put these in its own routing table, just to make 100% sure you do not get any asymmetric routing. So hope you have one "spare" public IP you can use for this.
Make sure you have this also in the local policy of the Blue Coat.
You probably do not need an routing table in Blue Coat either except the default gateway.
Be aware that Blue Coat will do return-to-sender by default, meaning that it will reply to internal macaddress where the packet came from.
So there should be no need for a routing table.
Best regards Staffan, Radpoint Sweden.
You mentioned the App-ID will work, do you mean we can see which application (e.g. facebook) was using but the source IP is still the proxy server in traffic log?
How about the user-based QOS, it doesn't work with x-Forwared-for neither, right?
In PAN-OS 4.0.x/4.1.x, is the same limitation exist?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!