Issue Summary – XFF Not Logged on Palo Alto (Even With Decryption ON)
We are running a flow where AWS ALB inserts X-Forwarded-For (XFF) and the Palo Alto firewall performs SSL decryption + re-encryption:
Flow:
Client --> Internet --> AWS ALB (HTTPS) (Palos are registered as the TG IP) --> Palo Alto FW (SSL Decrypt) --> Server
What works
- ALB is configured to append XFF.
- Server (Nginx) correctly logs the XFF header.
- SSL decryption on Palo Alto is working → Traffic log shows “Decrypted: yes”.
- Application is identified as web-browsing (so HTTP parsing should work).
- Firewall-stage PCAP for HTTP/80 clearly shows X-Forwarded-For header.
What doesn’t work
- For HTTPS/443 traffic, even though decryption succeeds, XFF does NOT appear in:
  - Traffic logs (X-Forwarded-For column is empty)
  - Firewall-stage decrypted PCAP (XFF is missing for decrypted 443 sessions)
What we tested
- Confirmed ALB → Palo traffic on port 443 is decrypted (Decrypted: yes).
- Verified that HTTP/80 decrypted traffic shows XFF in PCAP.
- Verified that HTTPS/443 decrypted traffic does NOT show XFF in PCAP.
- Confirmed Global Content-ID setting:
  - “Use X-Forwarded-For Header: Enabled for Security Policy.”
- Verified security rule logging is enabled and URL filtering profile applied.
- Confirmed no packet capture setting is blocking XFF logging.
Observed Behavior
- XFF header is present on HTTP/80 after Palo decrypt → Visible in PCAP.
- XFF header is missing on HTTPS/443 after Palo decrypt → Not visible in PCAP.
- Therefore: Firewall cannot log XFF because the header never arrives on the decrypted HTTPS session.
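To make the PCAP comparison in the post repeatable, here is an added example (not Palo Alto, AWS or the poster's code) that takes HTTP request payloads already extracted from a firewall-stage capture, parses the headers with case-insensitive names, and reports per destination port how many requests carried X-Forwarded-For and how many did not. It assumes the decrypted 443 payloads are supplied as cleartext bytes; the `Capture` type, the `xff_report` helper and the sample payloads are constructed for this example and mirror the post's observation (XFF on 80, none on decrypted 443).

```python
"""Check which captured HTTP requests carry an X-Forwarded-For header, per port.

Added example: not Palo Alto, AWS or the poster's code. It assumes the request
payloads were already pulled out of a firewall-stage PCAP (for a decrypted
session, the cleartext HTTP request) and are handed in as raw bytes. The sample
captures at the bottom are constructed to mirror the post's observation.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Capture:
    dst_port: int       # server-side port of the session (80 or 443)
    decrypted: bool     # True when the firewall decrypted the session
    payload: bytes      # the HTTP request as seen after decryption


def parse_request_headers(payload: bytes) -> Tuple[str, Dict[str, str]]:
    """Return (request line, headers). Header names are lower-cased because
    HTTP header names are case-insensitive (X-Forwarded-For vs x-forwarded-for)."""
    head, _, _body = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("latin-1")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(b":")
        if not sep:
            continue  # tolerate a malformed line instead of failing the whole report
        key = name.strip().decode("latin-1").lower()
        val = value.strip().decode("latin-1")
        # repeated headers are joined with a comma, as RFC 7230 allows
        headers[key] = f"{headers[key]}, {val}" if key in headers else val
    return request_line, headers


def original_client(xff_value: str) -> Optional[str]:
    """ALB appends the connecting client's IP, so the left-most hop is the
    original client; any later hops are proxies added further downstream."""
    hops = [h.strip() for h in xff_value.split(",") if h.strip()]
    return hops[0] if hops else None


def xff_report(captures: List[Capture]) -> Dict[int, Dict[str, int]]:
    """Per destination port: how many requests carried XFF and how many did not.
    443 sessions that were not decrypted are skipped; there is nothing to parse."""
    report: Dict[int, Dict[str, int]] = {}
    for cap in captures:
        if cap.dst_port == 443 and not cap.decrypted:
            continue
        _, headers = parse_request_headers(cap.payload)
        bucket = report.setdefault(cap.dst_port, {"with_xff": 0, "without_xff": 0})
        bucket["with_xff" if "x-forwarded-for" in headers else "without_xff"] += 1
    return report


# Constructed sample payloads (not from the post's PCAP); 203.0.113.0/24 and
# 198.51.100.0/24 are documentation address ranges.
SAMPLE_CAPTURES = [
    Capture(80, False, b"GET /health HTTP/1.1\r\nHost: app.example\r\n"
                       b"X-Forwarded-For: 203.0.113.7, 198.51.100.20\r\n\r\n"),
    Capture(80, False, b"GET / HTTP/1.1\r\nHost: app.example\r\n"
                       b"x-forwarded-for: 203.0.113.9\r\n\r\n"),
    Capture(443, True, b"GET /login HTTP/1.1\r\nHost: app.example\r\n"
                       b"User-Agent: test\r\n\r\n"),
    Capture(443, True, b"POST /api HTTP/1.1\r\nHost: app.example\r\n"
                       b"Content-Length: 0\r\n\r\n"),
]

if __name__ == "__main__":
    for port, counts in sorted(xff_report(SAMPLE_CAPTURES).items()):
        print(f"port {port}: {counts}")
    _, hdrs = parse_request_headers(SAMPLE_CAPTURES[0].payload)
    print("original client:", original_client(hdrs["x-forwarded-for"]))
```

Feeding real payloads (for example the reassembled request bytes of each decrypted 443 session) into `xff_report` gives the same 80-vs-443 split the post describes from eyeballing the PCAP, and a non-zero `with_xff` count on 443 would show the header is in fact arriving and the gap is on the logging side instead.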