Use XFF IP Address Values in Policy
Table of Contents
Expand all | Collapse all
-
- Cloud NGFW for Azure
- Cloud NGFW Components
- Cloud NGFW for Azure Supported Regions
- Cloud NGFW for Azure Limits and Quotas
- Cloud NGFW for Azure Pricing
- Cloud NGFW for Azure Free Trial
- Cloud NGFW Credit Distribution and Management
- Start with Cloud NGFW for Azure
- Manage Cloud NGFW Roles for Azure Users
- Integrate Single Sign-on
- Monitor Cloud NGFW Health
- Create a Support Case
- Register Your Cloud NGFW Tenant with a Palo Alto Networks Support Account
- Cloud NGFW for Azure Certifications
- Cloud NGFW For Azure Privacy and Data Protection
-
- About Rulestacks and Rules on Cloud NGFW for Azure
- Create a Rulestack on Cloud NGFW for Azure
- Cloud NGFW for Azure Security Rule Objects
- Create a Prefix List on Cloud NGFW for Azure
- Create an FQDN List for Cloud NGFW on Azure
- Add a Certificate to Cloud NGFW for Azure
- Create Security Rules on Cloud NGFW for Azure
- Cloud NGFW for Azure Security Services
- Enable DNS Security on Cloud NGFW for Azure
- Set Up Outbound Decryption on Cloud NGFW for Azure
- Set Up Inbound Decryption on Cloud NGFW for Azure
-
- Panorama Integration
- Panorama Integration Prerequisites
- Link the Cloud NGFW to Palo Alto Networks Management
- Use Panorama for Cloud NGFW Policy Management
- Enable User-ID on the Cloud NGFW for Azure
- Configure Service Routes for On-Prem Services
- Use XFF IP Address Values in Policy
- View Cloud NGFW Logs and Activity in Panorama
- Strata Cloud Manager Policy Management
-
- Configure Logging for Cloud NGFW on Azure
- Cloud NGFW for Azure Traffic Log Fields
- Cloud NGFW for Azure Threat Log Fields
- Cloud NGFW for Azure Decryption Log Fields
- Enable Log Settings
- Disable Log Settings
- Enable Activity Logging on Cloud NGFW for Azure
- Multiple Logging Destinations on Cloud NGFW for Azure
- View the Logs
- View Audit Logs on a Firewall Resource
- View Audit Logs on Resource Groups
- What's New
- Cloud NGFW for Azure Known Issues
- Cloud NGFW for Azure Addressed Issues
Use XFF IP Address Values in Policy
Learn how to use X-Forwarded-For header values in policy.
If you have an upstream device, such as a load balancer, deployed between the users
on your network and you Cloud NGFW instance, the Cloud NGFW might see the upstream
device IP address as the source IP address in HTTP/HTTPS traffic that the proxy
forwards rather than the IP address of the client that requested the content. In
many cases, the upstream device adds an X-Forwarded-For (XFF) header to HTTP
requests that include the actual IPv4 or IPv6 address of the client that requested
the content or from whom the request originated.
In Microsoft Azure, by default, an application gateway inserts the original source IP
address and port in the XFF header. To use XFF headers in policy on your firewall,
you must configure the application gateway to omit the port from the XFF header. See
Azure documentation to learn how to
configure your application gateway.
This feature is supported on Panorama-managed Cloud NGFW for
Azure only.
When configuring security policy rules on Panorama, you can enable Cloud NGFW to use
the source IP address in an XFF HTTP header field to enforce security policy. When a
packet passes through a single proxy server before reaching the firewall, the XFF
field contains the IP address of the originating endpoint. However, if the packet
passes through multiple upstream devices, the firewall uses the most recently added
IP address to enforce policy or use other features that rely on IP information.
- Log in to Panorama.Select your Cloud NGFW for Azure cloud device group.Select DeviceSetupContent IDX-Forwarded-For Headers.Click the edit icon.Select Enabled for Security Policy from the Use X-Forwarded-For Header drop-down.You cannot enable Use X-Forwarded-For Header for security policy and User-ID at the same time.Optional Select Strip X-Forwarded-For Header to remove the XFF field from outgoing HTTP requests.Selecting this option does not disable the use of XFF headers in policy. The Cloud NGFW for Azure strips the XFF field from client requests after using it to enforce policy.Click OK.Commit your changes.