Not able to log XFF (Actual Client IP) in PaloAlto Logs even when we enable XFF and URL filtering profile in Palo's



Issue Summary – XFF Not Logged on Palo Alto (Even With Decryption ON)


We are running a flow where AWS ALB inserts X-Forwarded-For (XFF) and the Palo Alto firewall performs SSL decryption + re-encryption:


Flow:

Client --> Internet --> AWS ALB (HTTPS) (Palo's are registered as TG IP) --> Palo Alto FW (SSL Decrypt) --> Server


What works

  • ALB is configured to append XFF.
  • Server (Nginx) correctly logs the XFF header.
  • SSL decryption on Palo Alto is working → Traffic log shows “Decrypted: yes”.
  • Application is identified as web-browsing (so HTTP parsing should work).
  • Firewall-stage PCAP for HTTP/80 clearly shows X-Forwarded-For header.


What doesn’t work

  • For HTTPS/443 traffic, even though decryption succeeds, XFF does NOT appear in:
      ◦ Traffic logs (X-Forwarded-For column is empty)
      ◦ Firewall-stage decrypted PCAP (XFF is missing for decrypted 443 sessions)

What we tested

  1. Confirmed ALB → Palo traffic on port 443 is decrypted (Decrypted: yes).
  2. Verified that HTTP/80 decrypted traffic shows XFF in PCAP.
  3. Verified that HTTPS/443 decrypted traffic does NOT show XFF in PCAP.
  4. Confirmed Global Content-ID setting:
      ◦ “Use X-Forwarded-For Header: Enabled for Security Policy.”
  5. Verified security rule logging is enabled and URL filtering profile applied.
  6. Confirmed no packet capture setting is blocking XFF logging.

Observed Behavior

  • XFF header is present on HTTP/80 after Palo decrypt → Visible in PCAP.
  • XFF header is missing on HTTPS/443 after Palo decrypt → Not visible in PCAP.
  • Therefore: Firewall cannot log XFF because the header never arrives on the decrypted HTTPS session.
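A quick way to confirm the symptom described above across a whole traffic-log export, as an added example that is not part of the original post. The column names and the sample rows are constructed for this example and are an assumption, not the PAN-OS CSV export layout; map them to the header of a real export before running it.

```python
"""Added diagnostic (not from the original post): flag decrypted web sessions whose
X-Forwarded-For field is empty, and count the gaps per destination port.
Column names (session_id, src, dst, dport, app, decrypted, xff) are an assumption
for this example, not the exact PAN-OS traffic-log export layout."""
import csv
import io
from collections import Counter

# Constructed sample mirroring the post: XFF present on cleartext HTTP/80,
# missing on a decrypted HTTPS/443 web-browsing session, and sessions where
# no XFF is expected at all (non-HTTP app, or not decrypted).
SAMPLE_LOG = """\
session_id,src,dst,dport,app,decrypted,xff
1001,10.0.1.20,10.0.2.30,80,web-browsing,no,203.0.113.10
1002,10.0.1.20,10.0.2.30,443,ssl,yes,
1003,10.0.1.21,10.0.2.30,443,web-browsing,yes,
1004,10.0.1.22,10.0.2.30,443,ssl,no,
1005,10.0.1.23,10.0.2.30,22,ssh,no,
"""


def xff_expected(row):
    """XFF can only be logged when the firewall actually parses HTTP: cleartext
    web-browsing on port 80, or a decrypted session identified as web-browsing."""
    is_web = row["app"] == "web-browsing"
    return is_web and (row["dport"] == "80" or row["decrypted"] == "yes")


def find_missing_xff(csv_text):
    """Return the rows where XFF should have been logged but the field is empty."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [r for r in rows if xff_expected(r) and not r["xff"].strip()]


def missing_by_port(csv_text):
    """Count XFF gaps per destination port. Gaps concentrated on 443 with none on
    80 point at the decryption path rather than at the ALB or the Content-ID setting."""
    return Counter(r["dport"] for r in find_missing_xff(csv_text))


if __name__ == "__main__":
    for r in find_missing_xff(SAMPLE_LOG):
        print(f"session {r['session_id']}: dport={r['dport']} decrypted={r['decrypted']} xff missing")
    print(dict(missing_by_port(SAMPLE_LOG)))
```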