This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

X-forwarder header does not work when vulnerability profile action changed to block ip

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

X-forwarder header does not work when vulnerability profile action changed to block ip

Poojadesai
L1 Bithead

‎04-27-2023 03:21 AM

ISSUE REPORTED: unable to block x-forwarder ip when the action is set to block ip in the vulnerability profile
------------------------------------------------------------------------------------------------------------------------

Discussion,observation, Troubleshooting:
------------------------------------------------------------------------------------------
++++ We have users accessing joomla website from wan and your proxy server is placed in dmz and application server is placed in lan

++++Traffic flow:

wan-------->dmz-------->lan

++++ we have 3 rules RULE 1. wan to dmz (Indian cx)

Rule 2. dmz to wan (Indian cx) url filtering profile (x forwarder enabled)+vulnerability profile(action= deny)

RULE 3. dmz to wan (non Indian cx with exceptions) url filtering profile (x forwarder enabled)+vulnerability profile(action= deny)------------want to change action to block-ip

In RULE 2 we would like action to be deny as we are not facing any threat attack from this traffic

In RULE 3 we want to block certain source IP's based on vulnerability signature therefore we want to set the vulnerability profile action as (Block -IP) based on X forwarder IP(Gives actual source IP). But currently when we change action to Block-IP we are able to block Proxy Ip and not the actual source IP. IN X-forwarder column we are getting right source IP but we are not able to block it.

When we set action as deny we are able to deny the source IP without issue but our requirement is to block the actual source IP and put it in blacklist. Right now when we use action=block ip it is blacklisting proxy ip.

In addition I am attaching few screenshots of security policy configured and also the screenshot of traffic logs when the action is set to block ip and ip that is sent to black list.

Preview file
28 KB
Preview file
35 KB
Preview file
169 KB
Preview file
119 KB
0 Likes Likes
1 REPLY 1

delliott_6784
L2 Linker

‎04-27-2023 05:07 AM

Would it be possible to assign a user-id statically to the IP address you wish to block and use that user/IP mapping in the security policy to block the user and IP?

Douglas Elliott
Security Implementation Engineer
delliott@sayers.com
0 Likes Likes
  • 1620 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks