Problems with XFF cleaning

Showing results for 
Search instead for 
Did you mean: 

Problems with XFF cleaning

L2 Linker

Dear all,

we are getting more and more problems with the way PA handles the X-forwarded-for header.

It is very useful in getting the internal client IP in a proxy environment. OTOH, you need to clean it before it goes out so that you don't leak internal IP addresses.

This cleaning creates a problem.

PA only replaces the content of the header with blanks, so that it doesn't change the packet size.

With this approach we are getting more and more reports from users and external web site operators about us attacking them.

It looks like the empty XFF header triggers signatures on other IDS/IPS devices like:

"Apache HTTP Server X-Forwarded-For Denial-of-Service".

Is anybody else experiencing similar problems?




L6 Presenter

A really ugly workaround would be to place a transparent squid proxy between PA and Internet to clean out any unwanted headers as described in: How to use or configure High Anonymous Proxy squid 2.6 stable21 release

A better approach would be to use a http-proxy which has the capability of keeping the srcip of the client when forwarding the traffic. This way no x-forwarded-for header is added and there is no need for such.

I know the Farist Firewall (Färist Firewall — Tutus) has this capability but also newer versions of squid as described in (look at my post from ).

Regarding manipulating the http stream through PA, can this cleaning be applied for the full row where the "X-Forwarded-For" exists? Or would the IDS/IPSes start to complain that the http header suddently has a blank newline? If so - what about cleaning out including the \n in the end?

I dont know if the ASICs/FPGAs which PA uses has the capability of altering the headers this way. Things that might break can be http-length (but thats for the http payload isnt it so changing the http-header shouldnt affect the http-length?) and perhaps ip-lengths for each packet (or in case this occurs in a fragmented packet for some odd reason and such).

I guess the best option currently is, unless you can get a Farist or a Squid as http-proxy, to file this as a feature request and if possible update this thread when you get a reply on this topic from your SE.

L4 Transporter

Hello Andreas,

andreas.bischoff.cs schrieb:

It looks like the empty XFF header triggers signatures on other IDS/IPS devices like:

"Apache HTTP Server X-Forwarded-For Denial-of-Service".

Are you really sure this IPS event is related to how PA handles XFF ?

I see a lot of these IPS events on our customers IPS recently, and I doubt it's just because every company starts using PAN FW's stripping Proxy headers 🙂



True 🙂

It also seems to be related to multiple X-Forwarded-For headers in a single request:

National Vulnerability Database (NVD) National Vulnerability Database (CVE-2012-3526)

So either these IDS/IPSes are broken or the packets leaving your networks for Internet for some reason contains two (or more) X-Forwarded-For headers in the same request?

L2 Linker

there is also a bug in the way PA handles such traffic:

The first request with the blanked out XFF header gets denied by the destination IPS. PA then resends the packet, this time with the header present.

May be that this retransmission triggers the signature.

Could you get a pcap of this behaviour?

Sounds somewhat odd that 1) the IDS/IPS sends a NACK to block the traffic (instead of just RST or just silently drop the traffic) but also 2) that the PA on the resend sends the original packet instead of the modified one?

If the 2) is verified then you should file this as a bug to PA/your SE.

At the moment this is handled as a bug, not as a feature request.

No ETA for a fix yet.

A possible fix is  to replace the whole line with blanks to keep the packet size. This would add a bunch of blanks to the preceding line. Should still be RFC compliant, but you never know if this will break other sites.

I can't post a pcap, but here the analysis from one of the sites which failed:

After analyzing this issue I think we finally found the problem.

Our IDS System was dropping your HTTP packet due to a malformed XFF header. Judging from your pcap file the XFF header in the first GET is empty, while in the retransmission packets the XFF value is correctly filled with an IP address. This behavior forces our IDS to block this connection attempt as it could lead to a possible Denial of Service attack.

We filed a bug report but apparently this is the expected behavior.

Getting the original bug fixed by completely blanking out the XFF header should fix this issue too.

So what about the thing I wrote in to configure your current http-proxy to keep the srcip (instead of using X-Forwarded-For) and then do the SNAT in the PA?

Currently impossible with two layers of proxies and a firewall inbetween. Don't ask me why

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!