12-14-2023 01:17 PM
We have load balancers proxying traffic back through a pair of PA5250s and recently started extracting X-forwarded-for data to match in our traffic policies. Is it possible to have rules that match EITHER the XFF IP or the load balancers' proxied IPs at the same time?
That is to say, if the load balancer's source is 10.10.10.1 but the XFF source is extracted as 10.11.11.1, can a policy be set up to match 10.10.10.1 with the "Use X-Forwarded-For Header" setting enabled for security policies without specifically allowing 10.11.11.1? We are currently using a general zone policy to match on all our load balancer interfaces, but would it be possible to narrow the match only a specific layer 3 source and specific XFF IPs?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
