XXF and building Security Policy

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.
Palo Alto Networks Approved
Palo Alto Networks Approved
Community Expert Verified
Community Expert Verified

XXF and building Security Policy

L0 Member

Hi all, 

 

I would like to know how I would go about creating security policies based of the XFF headers please, any help would be appreciated.  

 

I have read the documentation and I have to enable the XFF header 

 

  • Select ->Device ->Setup ->Content-ID and edit the X-Forwarded-For Headers settings.

I need some help after that, so from my understanding this will populate the XFF header, can this be used within the security policy directly?  I dont see any option to use XXF as the source IP address under the security policy. 

 

I'm a little unsure of how to use the XFF header to build out a security policy to allow / deny traffic from the true customer source IP address rather than the proxy server address which is sit in between 

 

https://docs.paloaltonetworks.com/network-security/security-policy/administration/identify-users-con...

 

Kind regards 

 

 

 

 

 

3 REPLIES 3

L4 Transporter

Hello @sxk654 - if I understand correctly, you want to use the X-Forwarded-For header, populated by another device, in your ruleset.  Is that correct?

 

In that case you probably don't want to populate the XFF header, because doing so will add the NGFW's IP address to the XFF header.  That is more useful for subsequent downstream devices. 

 

If my assessment of your need is correct, and assuming that your proxy "correctly" fills X-Forwarded-For and you're running PAN-OS 10.x or above, the steps required are as follows.  Please note that X-Forwarded-For will only be visible for a subset of your traffic, specifically HTTP and (if you have appropriate decryption policies) HTTPS traffic.

  1. Go to Objects -> Security Profiles -> URL Filtering and enable, configure, or add an appropriate URL Filtering profile.
  2. Select URL Filtering Settings and enable X-Forwarded-For.
  3. Click OK.
  4. Attach the relevant policy edited in the first 3 steps to a security policy rule: select the rule in Policies -> Security.
  5. Select Actions, set Profiles in Profile Type, and select the URL Filtering profile described above.
  6. Click OK, then commit your configuration.
Iain Robertson
Senior Customer Success Engineer, NGFW, Palo Alto Networks

L0 Member

Hi & thanks for the detailed reply 

 

Correct, the design at the moment is customer src IP -> Proxy -> Palo 

& yes, I'm not interested in passing the Palo IP into the headers for the downstream device but want to build out a security policy to allow traffic from the true customer IP. 

At the moment, while looking at the logs, I dont see any actual customer IPs, all source IP belong to the proxy IP addresses subnet, as expected. 

From what you are saying, I will need to enable URL Filtering Settings and enable X-Forwarded-For and then assign this to the security policy.  

Then edit the security policy and add in the customer's true source IP subnet / IP to the source addess section of the secuirty rule? 

 

Enabling the URL X-Forwarded-For, will then this populate the Monitor tab field with ' X-Fordwarded-For IP ' ?

So that I can see what the true IP is? Also, do you know how to filter the traffic logs to show traffic from a certain customer ? similar to ( addr.src in '1.1.1.1' ) I can't seem to work out the filter for it, something like ( x-forwarded in '2.2.2.2' )

 

Thanks for your help. 

 

Hello @sxk654 - please refer to this document within the user manual; it describes how to collect XFF details and how to use this information in logging. 

Iain Robertson
Senior Customer Success Engineer, NGFW, Palo Alto Networks
  • 231 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!