Cloud NGFW for Azure
    : Use XFF IP Address Values in Policy
    Focus
    Download PDF
    Focus
    1. Home
    2. Azure
    3. Cloud NGFW for Azure
    4. Panorama Policy Management
    5. Use XFF IP Address Values in Policy
    Download PDF

    Cloud NGFW for Azure

    Use XFF IP Address Values in Policy

    Table of Contents

    Use XFF IP Address Values in Policy

    Learn how to use X-Forwarded-For header values in policy.
    If you have an upstream device, such as a load balancer, deployed between the users on your network and you Cloud NGFW instance, the Cloud NGFW might see the upstream device IP address as the source IP address in HTTP/HTTPS traffic that the proxy forwards rather than the IP address of the client that requested the content. In many cases, the upstream device adds an X-Forwarded-For (XFF) header to HTTP requests that include the actual IPv4 or IPv6 address of the client that requested the content or from whom the request originated.
    In Microsoft Azure, by default, an application gateway inserts the original source IP address and port in the XFF header. To use XFF headers in policy on your firewall, you must configure the application gateway to omit the port from the XFF header. See
    Azure documentation
     to learn how to configure your application gateway.
    This feature is supported on Panorama-managed Cloud NGFW for Azure only.
    When configuring security policy rules on Panorama, you can enable Cloud NGFW to use the source IP address in an XFF HTTP header field to enforce security policy. When a packet passes through a single proxy server before reaching the firewall, the XFF field contains the IP address of the originating endpoint. However, if the packet passes through multiple upstream devices, the firewall uses the most recently added IP address to enforce policy or use other features that rely on IP information.
    1. Log in to Panorama.
    2. Select your Cloud NGFW for Azure cloud device group.
    3. Select
      Device
      Setup
      Content ID
      X-Forwarded-For Headers
      .
    4. Click the edit icon.
    5. Select
      Enabled for Security Policy
       from the
      Use X-Forwarded-For Header
       drop-down.
      You cannot enable
      Use X-Forwarded-For Header
       for security policy and User-ID at the same time.
    6. Optional
       Select
      Strip X-Forwarded-For Header
       to remove the XFF field from outgoing HTTP requests.
      Selecting this option does not disable the use of XFF headers in policy. The Cloud NGFW for Azure strips the XFF field from client requests after using it to enforce policy.
    7. Click
      OK
      .
    8. Commit
       your changes.

    Recommended For You

    © 2024 Palo Alto Networks, Inc. All rights reserved.