XFF Value 1.1.1.1 when "Strip X-Forwarded-For Header" enabled

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

XFF Value 1.1.1.1 when "Strip X-Forwarded-For Header" enabled

L0 Member

Hello,

 

Looking for some help if possible?

 

Trying to set up XFF (PA-3250, 8.1.12), I have tried to set it up following this tutorial:

https://live.paloaltonetworks.com/t5/General-Topics/Configuring-XFF-logging-without-a-URL-Filtering-...

 

The only part I have not configured is pushing the URL logs to the syslog server.

The problem is, when "Strip X-Forwarded-For Header" is enabled the URL Filtering monitor displays the XFF value as 1.1.1.1.  I temporarily disabled this feature and the internal client was displayed as expected, however, we would want to strip it and not make this information public.  As soon as I enabled the strip feature again the value changed back to 1.1.1.1.  I would have expected the XFF value to be displayed as the internal address and then as it leaves the firewall this information will be stripped from the HTTP header?

 

The clients go through a proxy server (Smoothwall), then to the FW and out.  We do not have access to the proxy but have been assured this has been set up correctly.

 

Is there something I am missing in the set up?

 

Any help would be greatly appreciated!

 

Thanks.

1 REPLY 1

L0 Member

I have the same result.

 

If you enable "Use X-Forwarded-For Header in User-ID", you can see the real XFF IP under the source user column of the logs.  Palo Alto should have showed the real XFF IP in the XFF field and silently stripped it on the way out. 

  • 4216 Views
  • 1 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!