X-forwarder header does not work when vulnerability profile action changed to block ip

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

X-forwarder header does not work when vulnerability profile action changed to block ip

L1 Bithead

ISSUE REPORTED: unable to block x-forwarder ip when the action is set to block ip in the vulnerability profile
------------------------------------------------------------------------------------------------------------------------

Discussion,observation, Troubleshooting:
------------------------------------------------------------------------------------------
++++ We have users accessing joomla website from wan and your proxy server is placed in dmz and application server is placed in lan

++++Traffic flow:

wan-------->dmz-------->lan

++++ we have 3 rules RULE 1. wan to dmz (Indian cx)

Rule 2. dmz to wan (Indian cx) url filtering profile (x forwarder enabled)+vulnerability profile(action= deny)

RULE 3. dmz to wan (non Indian cx with exceptions) url filtering profile (x forwarder enabled)+vulnerability profile(action= deny)------------want to change action to block-ip

In RULE 2 we would like action to be deny as we are not facing any threat attack from this traffic

In RULE 3 we want to block certain source IP's based on vulnerability signature therefore we want to set the vulnerability profile action as (Block -IP) based on X forwarder IP(Gives actual source IP). But currently when we change action to Block-IP we are able to block Proxy Ip and not the actual source IP. IN X-forwarder column we are getting right source IP but we are not able to block it.

When we set action as deny we are able to deny the source IP without issue but our requirement is to block the actual source IP and put it in blacklist. Right now when we use action=block ip it is blacklisting proxy ip.

In addition I am attaching few screenshots of security policy configured and also the screenshot of traffic logs when the action is set to block ip and ip that is sent to black list.

1 REPLY 1

L2 Linker

Would it be possible to assign a user-id statically to the IP address you wish to block and use that user/IP mapping in the security policy to block the user and IP?

Douglas Elliott
Security Implementation Engineer
delliott@sayers.com
  • 1392 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!