>
    Strata Copilot
    Enforce Policy on Endpoints and Users Behind an Upstream Device
    Focus
    Download PDF
    Focus
    1. Home
    2. Network Security
    3. Network Security: Security Policy
    4. Enforce Policy on Endpoints and Users Behind an Upstream Device
    Download PDF
    Network Security

    Enforce Policy on Endpoints and Users Behind an Upstream Device

    Table of Contents

    Enforce Policy on Endpoints and Users Behind an Upstream Device

    Where Can I Use This?What Do I Need?
    • NGFW (PAN-OS & Panorama Managed)
    • Prisma Access (Managed by Panorama)
    Check for any license or role requirements for the products you're using.
    If you have an upstream device, such as an explicit proxy server or load balance, deployed between the users on your network and the firewall, the firewall might see the upstream device IP address as the source IP address in HTTP/HTTPS traffic that the proxy forwards rather than the IP address of the client that requested the content. In many cases, the upstream device adds an X-Forwarded-For (XFF) header to HTTP requests that include the actual IPv4 or IPv6 address of the client that requested the content or from whom the request originated.
    In such cases, you can configure the firewall to extract the IP address from the XFF field and map it to a user with User-ID or apply Security policy based on the IP address.
    • Use X-Forwarded-For Header in User-ID—This enables you enforce user-based policy to safely enable access to web-based applications for your users behind a proxy server. In addition, if User-ID is able to map the XFF IP address to a username, the firewall displays that username as the Source user in Traffic, Threat, WildFire Submissions, and URL Filtering logs for visibility into the web activity of users behind the proxy.
    • Use X-Forwarded-For Header in Security Policy—This enables you to enforce Security policy based on source IP address using the IP address in the XFF field of the HTTP header. Additionally, when policy is applied to traffic that includes an IP address in the XFF field, you can configure the Traffic, Threat, Data Filtering, and Wildfire Submission logs to assist in troubleshooting and remediation.
    To ensure that attackers can’t read and exploit the XFF values in web request packets that exit the firewall to retrieve content from an external server, you can also configure the firewall to strip the XFF values from outgoing packets. Using the XFF IP address for User-ID or in policy and stripping the XFF value are not mutually exclusive: if you configure both, the firewall zeroes out XFF values only after using them in policy enforcement and logging.
    You cannot configure the firewall to use the IP address in the XFF field in User-ID and Security policy at the same time.

    © 2026 Palo Alto Networks, Inc. All rights reserved.