- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
06-19-2024 02:32 PM
I am trying to get the PA firewall to display and use the the x-forwarded-for (XFF) header in incoming web browsing traffic.
I must be missing something.
We have an Azure application gateway which is inserting the client_ip in the header, and stripping the port, as instructed:
Use XFF IP Address Values in Security Policy and Logging (paloaltonetworks.com)
How to Enable Support for the X-Forwarded-For HTTP Header - Knowledge Base - Palo Alto Networks
Rewrite HTTP headers with Azure Application Gateway | Microsoft Azure Blog
Behind the Azure AG is a VM300 (4x vCPU firewall) which should be showing the XFF client IP in the traffic logs.
I enabled the XFF for client IP, tried both thru the WebUI and at the CLI.
I have SSL decryption working and I'm testing on ports 80 and 443 anyway.
I have the XFF column in the log displayed, but it's never populated.
I have a URL filtering license and checked the XFF box on the url profile.
The status is that the XFF IP is shown on some entries in the URL logs.
The XFF IP is never shown in the traffic logs.
Some questions:
I examined packet captures with Wireshark and found that the XFF IP is in some packets, but not in every incoming packet. Is that normal?
What am I missing?
Thanks.
06-21-2024 11:31 AM
It turns out this works but only displays the XFF IP in denied traffic, not allowed.
There is also a fix in 11.1.3 for this, so this should start showing the XFF IP in allowed traffic also. Bug ID PAN-233463.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!