XFF for User-ID means you can filter traffic using users/groups in your security policy when the users are behind a proxy. User-ID rules usually don't work with a proxy, since the proxy IP doesn't have an IP-to-user mapping, but the real IP in the XFF header does (if User-ID is configured to do so).
XFF for Security Policy doesn't change anything with routing/zones; the session will still match the same zone pair as before, and the source address will still be the proxy IP, so it will follow the same return route. The difference is that security rules are enforced based on the XFF IP instead of the source address, if one is parsed.