Can PA block IP address in X-Forwarded-For?


L1 Bithead



I built the sandwich type with an external ELB and an internal ELB.

As you know, the external ELB shifts the original client IP to X-Forwarded-For.

I enabled 'Use X-Forwarded-For Header in User-ID' and I saw the XFF IP in the user-id of the URL Filtering logs.

But PA has not shown the XFF IP in traffic logs.

I would like to block the XFF IP using User-ID.

If anyone knows, please let me know.



KC Lee


Palo Alto Networks Guru

Hi KC Lee,


One of our TMEs has a working prototype that uses Lambda to map IPs learned from XFF to a User-ID group that can then be blocked by policy.  It isn't ready to be published as a template yet but if you'd like a preview, please reach out to your sales team to schedule a demo.




Palo Alto Networks Guru

The XFF to User-ID solution has been published on GitHub:


The solution provided deploys the XFF solution into a new VPC and Palo Alto instance. Is there any CloudFormation template that is available to be deployed into an existing VPC and Palo Alto?
