10-19-2018 05:23 AM
Hello,
I have many websites behind my Palo Alto.
In front of many of the websites (and therefore in front of the Palo Alto), I have a reverse proxy.
In the traffic logs I see the reverse proxy IP, not the real visitor IP.
I have enabled "Use X-Forwarded-For" and now I see the real IP in the X-Forwarded-For column in URL Filtering.
But is it possible to apply Security Profiles based on the IP in the X-Forwarded-For header?
Thanks
Manuel
10-19-2018 06:35 AM
No, the X-Forwarded-For field can't be utilized in security policies unless you first utilize X-Forwarded-For for User-ID; when using X-Forwarded-For you would need to have a User-ID mapping to that IP address to really get any benefit out of it from a security rulebase perspective. This may or may not be usable in your current situation, depending on whether the sites are internal or external.
I would reach out to your SE so that they can look and see if there is an existing Feature Request for this that he can add your vote to, and if not have him make one.
10-19-2018 07:03 AM
Hey @BPry @ManuelRighi
Actually, I believe you can use the XFF IP address in a security policy 😉
Device -> Setup -> Content-ID -> "X-Forwarded-For Headers"
"Use X-Forwarded-For Header in User-ID"
10-19-2018 07:20 AM
Right. As stated above, you can utilize the X-Forwarded-For header IP for user-ID mapping. This doesn't mean that you can utilize the X-Forwarded-For IP as a source IP when configuring policy or anything like that. It simply means that you could assign the XFF header IP to a user, and then use that user-id in policy, not the XFF IP. The source address that the firewall sees will continue to be the address actually sending the traffic.
10-20-2018 02:23 PM
I have never tried it, but if the firewall cannot assign a user to the XFF IP, it will add "x-fwd-for: IP-ADDRESS" in the source user field. It could be worth a try to use exactly that in the security policy as the source user, to create "source IP" based policies even with a reverse proxy in front of the Palo Alto firewall.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClViCAK
... or you place the reverse proxy also behind the Palo Alto firewall 😉
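The replies above make two points worth seeing in code: the firewall's real source address stays the reverse proxy, and the only place the visitor's address survives is the X-Forwarded-For value. Whatever consumes that value (a script over the URL filtering logs, a User-ID feed, or anything else that turns it into a "source IP" decision) has to treat it carefully, because X-Forwarded-For is a plain request header that a client can pre-populate. The example below is added here and is not code from the thread, from Palo Alto Networks, or from any PAN-OS feature; it goes slightly beyond the single-proxy case in the question by handling a chain of hops. The proxy address 10.0.0.5, the 192.0.2.0/24 "CDN" range, the rule table and the log rows are all constructed for illustration.

```python
"""Added example (not from the forum thread): extracting the real client
address from an X-Forwarded-For chain and applying source-IP style rules
to it, while refusing to honour values a client could have forged.

Assumptions (hypothetical, not from the thread): our reverse proxy is
10.0.0.5 and appends the address of the peer it accepted the connection
from; a CDN in 192.0.2.0/24 may sit in front of it and do the same.
Every entry to the left of those appended hops came from the client or
from hops we do not control and must not be trusted.
"""
import ipaddress
from typing import List, Optional, Tuple, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Hypothetical hops we control or trust to append honest XFF entries.
TRUSTED_HOPS = [
    ipaddress.ip_network("10.0.0.5/32"),   # our reverse proxy
    ipaddress.ip_network("192.0.2.0/24"),  # hypothetical CDN edge range
]

# Hypothetical "source IP" rules, first match wins, evaluated on the
# recovered client address rather than on the proxy address.
RULES = [
    (ipaddress.ip_network("203.0.113.0/24"), "allow"),
    (ipaddress.ip_network("198.51.100.0/24"), "deny"),
]


def _parse(addr: str) -> Optional[IPAddr]:
    """Return an address object, or None for garbage in the header."""
    addr = addr.strip()
    if addr.startswith("[") and addr.endswith("]"):  # bracketed IPv6
        addr = addr[1:-1]
    try:
        return ipaddress.ip_address(addr)
    except ValueError:
        return None


def _is_trusted(ip: IPAddr, trusted) -> bool:
    return any(ip in net for net in trusted)


def client_ip_from_xff(xff: str, trusted=TRUSTED_HOPS) -> Optional[str]:
    """Walk the chain from the right (the entry appended last, by the hop
    closest to us) towards the left and return the first address that is
    not one of our trusted hops. That is the peer the outermost trusted
    hop actually talked to. Taking the leftmost entry instead would let a
    client choose its own 'source IP' by sending an XFF header itself.
    Returns None (fail closed) if the chain is empty, contains junk, or
    consists only of trusted hops."""
    hops = [h for h in xff.split(",") if h.strip()]
    for raw in reversed(hops):
        ip = _parse(raw)
        if ip is None:
            return None  # cannot reason about a malformed chain
        if not _is_trusted(ip, trusted):
            return str(ip)
    return None


def resolve_client(src: str, xff: str, trusted=TRUSTED_HOPS) -> Optional[str]:
    """The address the firewall saw (src) is authoritative. Only when that
    address is one of our trusted hops does the XFF header mean anything;
    a direct connection carrying an XFF header is just client noise."""
    src_ip = ipaddress.ip_address(src)
    if not _is_trusted(src_ip, trusted):
        return str(src_ip)
    return client_ip_from_xff(xff, trusted)


def decide(client_ip: Optional[str], rules=RULES, default: str = "deny") -> str:
    """First-match lookup of the recovered client address in the rule table."""
    if client_ip is None:
        return default
    ip = ipaddress.ip_address(client_ip)
    for net, action in rules:
        if ip in net:
            return action
    return default


# Constructed rows mimicking the two log fields of interest:
# (source address seen by the firewall, X-Forwarded-For column).
SAMPLE_LOGS = [
    ("10.0.0.5", "203.0.113.7"),                # single proxy hop
    ("10.0.0.5", "198.51.100.23, 192.0.2.10"),  # CDN in front of our proxy
    ("10.0.0.5", "1.2.3.4, 203.0.113.7"),       # client tried to spoof 1.2.3.4
    ("10.0.0.5", "not-an-ip"),                  # junk header
    ("10.0.0.5", ""),                           # header absent
    ("203.0.113.9", "1.2.3.4"),                 # direct hit, XFF is not ours
]


def process_logs(rows=SAMPLE_LOGS) -> List[Tuple[str, Optional[str], str]]:
    """Return (firewall source, recovered client, action) per row."""
    return [(src, resolve_client(src, xff), decide(resolve_client(src, xff)))
            for src, xff in rows]


if __name__ == "__main__":
    for src, client, action in process_logs():
        print(f"src={src:<12} client={str(client):<16} action={action}")
```

The third sample row is the one to keep in mind: the client put 1.2.3.4 at the front of the header, but because the chain is walked from the proxy's end, the address the proxy appended (203.0.113.7) wins. The last row shows the other half of what was said above: when the connection did not come through the proxy, the firewall's own source address is used and the header is ignored entirely.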