How to block the real IPs from CDN?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

How to block the real IPs from CDN?

L1 Bithead

Is there any function that can makes the PA block the traffic of the real IP instead of CDN IPs?

We deployed the PA NGFW on the external side of our web server and enabled the Threat Prevention function. Because we are using the CDN, so from the web server, all the source IPs in the traffic are hosted by the CDN service provider.

So when the PA  NGFW blocks  the source IP addresses because of the attack behavior, is there any way to block the real IPs of the attackers nor the IPs hosted by the CDN provider?

Thanks!

6 REPLIES 6

L6 Presenter

Hi...Do you know if the CDN provider is passing the real IP address in any way to your web server such that the PA can see it?

Thanks for reply, rmonvon.

Yes, we have asked our CDN provider to pass the real IP addresses in the packet header.

Do you have any idea?Smiley Happy

Are they embedding the IP address in the TCP option 28 header or HTTP 'x-forwarded-for' header or another header? 

If they are using  the TCP option 28 header, I suggest you contact your local Palo Alto Nwks' SE and submit a feature request. 

If they are using the HTTP 'x-forwarded-for' header, the PA can log the header so you can correlate the logs to determine the real IP of the intruder.  From there, you can write a custom threat signature to match the real IP and block this new custom threat. This is a manual process though.

Thanks for your reply.

They are embedding the IP address in the HTTP 'x-forwarded-for' header.

Can the blocking function be automatical?

For example, if the attacker is launching a DOS attack, can PA only block or quarantine the real IP nor the CDN IP?

For example, if I enable syn flood prevetion, will the PA FW quarantine the real IPs or CDN IP? Thank you!

1.png

The default behavior of the PA will take action on the source IP address, and in this case this would be the CDN's IP address.   At this time, the PA cannot take action on the IP address in the HTTP 'x-forwarded-for' header.  Please contact your local Palo Alto Nwks' SE and submit a feature request.  You can turn on logging for HTTP 'x-forwarded-for' header:

Enabling support for the X-Forwarded-For HTTP header

  • 3862 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!