X-Forwarded-For on Threats logs


L0 Member

What does the article below mean?


https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/policy/identify-users-connected-through-a... 

 

For non-URL Filtering logs, XFF IP logging is supported only when packet capture is not enabled.
-->> Does it mean that the XFF IP is visible only when packet capture is not enabled in the other log settings?

 

The X-Forwarded-For IP column does not display a value if the firewall detects a threat that requires a reset action (reset-client, reset-server, or reset-both) and the last inspected packet does not contain the XFF header.

-->> Does this mean that threat logs other than reset are shown?

 

1 REPLY

L3 Networker

For non-URL Filtering logs, XFF IP logging is supported only when packet capture is not enabled.
-->> Does it mean that the XFF IP is visible only when packet capture is not enabled in the other log settings? --- Yes

 

The X-Forwarded-For IP column does not display a value if the firewall detects a threat that requires a reset action (reset-client, reset-server, or reset-both) and the last inspected packet does not contain the XFF header.

-->> This means that once the firewall detects any threat with action "reset", the decoder will stop decoding further packets. If the XFF field does not reside in the last packet, we have no way to parse it. However, if the XFF field already resides in the last packet, then you are still able to see it. That's why for the reset action there still might be a chance to see the value in the X-Forwarded-For IP column.
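
A simplified model of the behaviour described in the reply above, added here as an example (it is not code from the thread or from PAN-OS). The function names, the packet splits and the sample requests are constructed for illustration, and the handling of non-reset actions is an assumption.

```python
import re

# Simplified model of the behaviour described in the reply; not PAN-OS code.
RESET_ACTIONS = {"reset-client", "reset-server", "reset-both"}
XFF_RE = re.compile(rb"^X-Forwarded-For:[ \t]*([^\r\n]+)", re.I | re.M)


def xff_in(packet: bytes):
    """Return the first X-Forwarded-For value in one packet payload, or None."""
    m = XFF_RE.search(packet)
    return m.group(1).decode("ascii", "replace").strip() if m else None


def logged_xff(packets, threat_index, action):
    """Value the model puts in the X-Forwarded-For IP column ("" = blank).

    packets      -- payloads of one HTTP request, in arrival order
    threat_index -- index of the packet in which the threat is detected
    action       -- action applied to the threat
    """
    if action in RESET_ACTIONS:
        # Decoding stops at the packet that triggered the reset, so only
        # that last inspected packet can supply the header.
        return xff_in(packets[threat_index]) or ""
    # Assumption: for other actions decoding continues, so the header is
    # found wherever it sits in the request.
    for p in packets:
        value = xff_in(p)
        if value:
            return value
    return ""


# Constructed sample traffic (203.0.113.7 is a documentation address).
ONE_PACKET = [b"GET /a?q=SIGNATURE HTTP/1.1\r\nHost: example.test\r\n"
              b"X-Forwarded-For: 203.0.113.7\r\n\r\n"]
SPLIT = [b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
         b"X-Forwarded-For: 203.0.113.7\r\nContent-Length: 9\r\n\r\n",
         b"SIGNATURE"]

if __name__ == "__main__":
    for name, pkts, idx, action in [
        ("header and threat in same packet, reset-both", ONE_PACKET, 0, "reset-both"),
        ("header in packet 0, threat in packet 1, reset-both", SPLIT, 1, "reset-both"),
        ("header in packet 0, threat in packet 1, alert", SPLIT, 1, "alert"),
    ]:
        print(f"{name}: {logged_xff(pkts, idx, action)!r}")
```

When reviewing threat logs, a blank X-Forwarded-For IP on a reset entry therefore does not by itself mean the request arrived without the header.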
