This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Practical XFF usecase

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Practical XFF usecase

raji_toor
L4 Transporter

‎11-21-2022 02:03 PM

XFF for user-ID - Displays IP as 'x-fwd-for: x.x.x.x' format

  • Seems to me just an investigation help feature
  • maybe can even block a particular IP/s if used in security policy as a source user, haven't tested this.

 

XFF for Security Policy - Gives ability to block or allow based on IP in XFF.

  • XFF IP's can be allowed/blocked used in security policy as source IP/Subnet.
  • Although this is useful, it can be routing/administration nightmare. As an example, server in DMZ proxies traffic to a server in Database zone. Normally this would be allowed as source traffic is always the proxy, but with this feature ON, traffic is seen as coming external/internal client IP's, which may be routed differently and associated with different Zones. So the policy needs to allow those IPs/subnets which would normally be not expected on as source for DMZ zone.
  • This may be quite helpful though in simplifying our Azure architecture, which just has 2 zones, and use AGW in front instead of a Load Balancer.

 

Am I correct in understanding this.

0 Likes Likes
2 REPLIES 2

dmifsud
L3 Networker

‎11-21-2022 03:37 PM

XFF for User-ID means you can filter traffic using users/groups in your security policy when the users are behind a proxy. User-ID rules usually don't work with a proxy, since the proxy IP doesn't have an IP to user mapping, but the real IP in the XFF header does (if User-ID is configured to do so).

 

XFF for Security Policy doesn't change anything with routing/zones, the session will still match the same zone-pair as before, and the source address will still be the proxy IP so will follow the same return route. The difference is that security rules are enforced based on the XFF IP instead of the source address, if one is parsed.

 

Sr. Technical Support Engineer, Strata
0 Likes Likes

raji_toor
L4 Transporter
In response to dmifsud

‎11-22-2022 07:17 AM

@dmifsud wrote:

XFF for User-ID means you can filter traffic using users/groups in your security policy when the users are behind a proxy. User-ID rules usually don't work with a proxy, since the proxy IP doesn't have an IP to user mapping, but the real IP in the XFF header does (if User-ID is configured to do so).

So, If I had to allow/block a certain proxied subnets, as an example for 10.0.0.0/24. I would have to add 255 entries with user-id as x-fwd-for: 10.0.0.1 upto to 255 in the user-id field..like this?? 

raji_toor_0-1669130246908.png

 

0 Likes Likes
  • 1483 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks