PAN-VM x-forwarded-for feature question in GCP cloud


L1 Bithead

Hello.
I have built a simple sandwich structure test environment on GCP Cloud.

 

    ALB

   ↙ ↘

FW1 FW2

   ↘ ↙

    NLB

   ↙ ↘

SV1 SV2

 

However, in the PAN traffic log, XFF IP is only the IP of the upper ALB.

GCP's official documentation confirmed that the XFF header contains both the client IP and the LB IP.

I actually did a packet capture from the PAN, both IPs are in the XFF header.

 

Below is a capture of only the XFF part of the captured packet.

(By capturing the packet, both the real client IP and the ALB IP can be checked.)

ttak87_0-1627279983422.png

Below is the XFF IP seen by the PAN.
Only the IP of the ALB that is checked in packet capture is recorded in the log.

ttak87_1-1627280162423.png

The detailed log only checks the IP of the ALB.

ttak87_2-1627280344002.png

 

The point is, if the XFF IP is simply an ALB IP in the PAN traffic log, then the XFF function doesn't seem to have any meaning.

Is there any way to see in the log the client IP and not the ALB IP?
Or am I doing something wrong?

 

Please help me...

Regards,

 

1 accepted solution

Accepted Solutions

L1 Bithead

Hi @ttak87,

 

There are a couple of options around XFF in PAN-OS:

 

  1. If the requirement is to enforce security on the XFF IP, the option you are currently using is the right one. However, with this PAN-OS feature, the policy enforcement and the corresponding logs will apply only to the last IP in the XFF list. In GCP, the ALB inserts the source IP of the packet received followed by the ALB's IP. So the last IP in this case always happens to be the ALB IP. So, unfortunately, in GCP's ALB case this feature is limited in its application.
  2. If the requirement is only to log the original client IP (and not policy enforcement), then another option is to use the attached PAN-OS feature. With this feature, though, the 'first' IP address in the XFF list is logged in the URL filtering logs. If the packet traverses multiple proxies on the path, there could be multiple IP addresses (comma separated) in the XFF header, and this feature will use the first IP address in the list to add to the URL filtering log.

Hope this helps.
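
The first-versus-last selection described in this reply, as an added example that is not part of the original post and is not PAN-OS code. All addresses are constructed documentation-range samples, and `client_behind_trusted` with its trusted-proxy list is a hypothetical helper that goes beyond the reply to show the general right-to-left selection, which also copes with a client that sends its own XFF value.

```python
import ipaddress

def parse_xff(header):
    """Split an X-Forwarded-For value into validated IP strings, in order."""
    hops = []
    for part in header.split(","):
        part = part.strip()
        try:
            hops.append(str(ipaddress.ip_address(part)))
        except ValueError:
            continue  # empty or non-IP tokens (e.g. "unknown") are skipped
    return hops

def last_ip(header):
    """Last entry: what option 1 (policy enforcement) uses, per the reply."""
    hops = parse_xff(header)
    return hops[-1] if hops else None

def first_ip(header):
    """First entry: what option 2 (URL filtering log) records, per the reply."""
    hops = parse_xff(header)
    return hops[0] if hops else None

def client_behind_trusted(header, trusted_proxies):
    """Hypothetical helper: walk right to left and return the first address
    that is not one of the proxies we operate (here, the ALB)."""
    nets = [ipaddress.ip_network(n) for n in trusted_proxies]
    for hop in reversed(parse_xff(header)):
        addr = ipaddress.ip_address(hop)
        if not any(addr in net for net in nets):
            return hop
    return None

# Constructed sample values (documentation ranges, not from the thread).
ALB = "203.0.113.10"
CLIENT = "198.51.100.7"
NORMAL = f"{CLIENT}, {ALB}"                 # ALB appends client IP, then its own
PRESET = f"192.0.2.99, {CLIENT}, {ALB}"     # request already carried an XFF value

if __name__ == "__main__":
    for name, hdr in (("normal", NORMAL), ("preset", PRESET)):
        print(name, "| last:", last_ip(hdr), "| first:", first_ip(hdr),
              "| behind ALB:", client_behind_trusted(hdr, [ALB]))
```

In the second sample the first entry is whatever the request already carried, so a log built from the first address is only as reliable as the header the client sent.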


9 REPLIES 9

Cyber Elite

Hi @ttak87 

You need to configure settings on the firewall to enable these logs. It's not enabled by default on Palo Alto.

Kindly refer to the article below.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClIVCA0 

 

Hope it helps!

 

M

Hi, @SutareMayur 

Thanks for your reply.

However, I have already set the settings you taught me.

ttak87_0-1627349294632.png

I want to check the Client IP and not the ALB IP in the log.

Hi @ttak87 

Could you please share the PA output of the CLI command below:

 

show system setting ctd state | match x-

M

Hi, @SutareMayur 

This is the result of the requested command.

ttak87_0-1627434618757.png

 

Additionally, I looked at Palo Alto's document, and it seems that only the LB's IP is checked for the XFF IP in the proxy type LB.

If so, I think that GCP is limited in practically using XFF when using ALB.
Am I right?

 

https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/policy/identify-users-connected-through-a...

ttak87_1-1627434995797.png

ttak87_2-1627435085876.png

 

 

L2 Linker

The issue is that the firewall is using the last IP in the list and not the first.  Please open a TAC case to push the fix through to engineering.

L1 Bithead


I understood the content.
I will be able to explain it well to customers.

 

Thanks everyone for the replies. 🙂

L2 Linker

We enabled it for User-ID, but we are still not receiving the client's real IP address.

 
