This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

How to block the real IPs from CDN?

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

How to block the real IPs from CDN?

SteveY
L1 Bithead

‎01-25-2014 08:55 PM

Is there any function that can makes the PA block the traffic of the real IP instead of CDN IPs?

We deployed the PA NGFW on the external side of our web server and enabled the Threat Prevention function. Because we are using the CDN, so from the web server, all the source IPs in the traffic are hosted by the CDN service provider.

So when the PA  NGFW blocks  the source IP addresses because of the attack behavior, is there any way to block the real IPs of the attackers nor the IPs hosted by the CDN provider?

Thanks!

1 person had this problem.
0 Likes Likes
6 REPLIES 6

rmonvon
L6 Presenter

‎01-27-2014 07:34 AM

Hi...Do you know if the CDN provider is passing the real IP address in any way to your web server such that the PA can see it?

0 Likes Likes

SteveY
L1 Bithead
In response to rmonvon

‎01-27-2014 07:55 AM

Thanks for reply, rmonvon.

Yes, we have asked our CDN provider to pass the real IP addresses in the packet header.

Do you have any idea?Smiley Happy

0 Likes Likes

rmonvon
L6 Presenter
In response to SteveY

‎01-27-2014 08:44 AM

Are they embedding the IP address in the TCP option 28 header or HTTP 'x-forwarded-for' header or another header? 

If they are using  the TCP option 28 header, I suggest you contact your local Palo Alto Nwks' SE and submit a feature request. 

If they are using the HTTP 'x-forwarded-for' header, the PA can log the header so you can correlate the logs to determine the real IP of the intruder.  From there, you can write a custom threat signature to match the real IP and block this new custom threat. This is a manual process though.

0 Likes Likes

SteveY
L1 Bithead
In response to rmonvon

‎01-27-2014 09:43 AM

Thanks for your reply.

They are embedding the IP address in the HTTP 'x-forwarded-for' header.

Can the blocking function be automatical?

For example, if the attacker is launching a DOS attack, can PA only block or quarantine the real IP nor the CDN IP?

0 Likes Likes

SteveY
L1 Bithead
In response to rmonvon

‎01-27-2014 09:58 AM

For example, if I enable syn flood prevetion, will the PA FW quarantine the real IPs or CDN IP? Thank you!

1.png

0 Likes Likes

rmonvon
L6 Presenter
In response to SteveY

‎01-27-2014 10:17 AM

The default behavior of the PA will take action on the source IP address, and in this case this would be the CDN's IP address.   At this time, the PA cannot take action on the IP address in the HTTP 'x-forwarded-for' header.  Please contact your local Palo Alto Nwks' SE and submit a feature request.  You can turn on logging for HTTP 'x-forwarded-for' header:

Enabling support for the X-Forwarded-For HTTP header

0 Likes Likes
  • 4653 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks