does PA supports xForward ?

Showing results for 
Search instead for 
Did you mean: 

does PA supports xForward ?

L3 Networker


am wondering if PA can supports xforward as i need to install PA behind a bluecoat were the users request reaches 1st bluecoat then PA, so is there a way for pa to detect the ip addresses or usernames.



Accepted Solutions

Yes, App-ID will work - but you will not see users or the X-Forward-For information in the traffic logs - only the URL logs

View solution in original post


L4 Transporter

Hi There,

If you enable x-forward-for on the proxy, then the PA-Appliance will see the original source.  However, this will only be seen in the URL logs and cannot currently be tied to User-ID.



what about app-id would it work ? assuming my proxy doing url filter and pa application ana data filter ?

Yes, App-ID will work - but you will not see users or the X-Forward-For information in the traffic logs - only the URL logs

Hi all!

Be aware if you do x-forward-via header you will "publish" your

internal IP-addresses on the internet as the header will not be removed by Palo Alto.

That is as far as I know a new feature in 4.0.

There is a much better way to do this!

Let Blue Coat do "send-client-ip" and you will see the original source from the client.

You can enable this function in management console (my guess is proxy and general) or in the VPM and forward layer.

I recommend to use two dedicated L3 interfaces on the Palo Alto for this and put these in its own routing table, just to make 100% sure you do not get any asymmetric routing. So hope you have one "spare" public IP you can use for this.

Make sure you have this also in the local policy of the Blue Coat.


You probably do not need an routing table in Blue Coat either except the default gateway.

Be aware that Blue Coat will do return-to-sender by default, meaning that it will reply to internal macaddress where the packet came from.

So there should be no need for a routing table.

Best regards Staffan, Radpoint Sweden.

Hi James,

You mentioned the App-ID will work, do you mean we can see which application (e.g. facebook) was using but the source IP is still the proxy server in traffic log?
How about the user-based QOS, it doesn't work with x-Forwared-for neither, right?

In PAN-OS 4.0.x/4.1.x, is the same limitation exist?


Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!