Practical XFF usecase

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Practical XFF usecase

L4 Transporter

XFF for user-ID - Displays IP as 'x-fwd-for: x.x.x.x' format

  • Seems to me just an investigation help feature
  • maybe can even block a particular IP/s if used in security policy as a source user, haven't tested this.

 

XFF for Security Policy - Gives ability to block or allow based on IP in XFF.

  • XFF IP's can be allowed/blocked used in security policy as source IP/Subnet.
  • Although this is useful, it can be routing/administration nightmare. As an example, server in DMZ proxies traffic to a server in Database zone. Normally this would be allowed as source traffic is always the proxy, but with this feature ON, traffic is seen as coming external/internal client IP's, which may be routed differently and associated with different Zones. So the policy needs to allow those IPs/subnets which would normally be not expected on as source for DMZ zone.
  • This may be quite helpful though in simplifying our Azure architecture, which just has 2 zones, and use AGW in front instead of a Load Balancer.

 

Am I correct in understanding this.

2 REPLIES 2

L3 Networker

XFF for User-ID means you can filter traffic using users/groups in your security policy when the users are behind a proxy. User-ID rules usually don't work with a proxy, since the proxy IP doesn't have an IP to user mapping, but the real IP in the XFF header does (if User-ID is configured to do so).

 

XFF for Security Policy doesn't change anything with routing/zones, the session will still match the same zone-pair as before, and the source address will still be the proxy IP so will follow the same return route. The difference is that security rules are enforced based on the XFF IP instead of the source address, if one is parsed.

 

Sr. Technical Support Engineer, Strata


@dmifsud wrote:

XFF for User-ID means you can filter traffic using users/groups in your security policy when the users are behind a proxy. User-ID rules usually don't work with a proxy, since the proxy IP doesn't have an IP to user mapping, but the real IP in the XFF header does (if User-ID is configured to do so).


So, If I had to allow/block a certain proxied subnets, as an example for 10.0.0.0/24. I would have to add 255 entries with user-id as x-fwd-for: 10.0.0.1 upto to 255 in the user-id field..like this?? 

raji_toor_0-1669130246908.png

 

  • 1480 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!