XFF Logging for GCP
The XFF (X-Forwarded-For) logging feature for Google Cloud Platform (GCP) adds an X-Forwarded-For field to Threat Logs. The new field captures up to two additional IP addresses from the XFF header and works alongside the existing X-Forwarded-For IP field, which continues to log the last IP address in the header, so the last three IPs of the header are recorded in total. The feature is designed for firewalls deployed behind GCP load balancers, which otherwise see and log only the load balancer's IP rather than the original client's IP.
This feature is disabled by default (except on VM-Series firewalls in GCP-IPS mode, where the logging part is enabled by default; see below). To use it, you must enable both an operational command for logging and a configuration command for policy enforcement. The configuration command requires a commit.

Prerequisites

  • Threat Prevention license
  • PAN-OS version 11.1 and above

Important Considerations

The XFF feature is controlled by two separate commands:
  • XFF Logging (Operational Command): This command enables the firewall to extract and populate the X-Forwarded-For field in threat logs.
    • CLI Command: set system setting ctd additional-xff-logging <enable|disable>
    • Commit Required: No.
  • XFF for Policy (Configuration Command): This command allows the firewall to use the extracted XFF IPs for Security Policy enforcement.
    • CLI Command: set deviceconfig setting ctd x-forwarded-for-client-ip 2
    • UI Path: Go to Devices > Content-ID and select Use X-Forwarded-For Header.
    • Commit Required: Yes.

Configuration steps for GCP IPS Mode

For VM-Series firewalls in GCP-IPS mode, the primary goal is logging, and XFF Logging is enabled by default.
The XFF Logging operational command is already enabled in this mode, and the new log field is populated automatically. If it has been disabled, re-enable it by running the following operational command (no commit required):
set system setting ctd additional-xff-logging enable
(Optional) Bootstrap: if you are bootstrapping a new firewall for GCP-IPS mode, include the parameter IPS=true. The XFF Logging setting is enabled by default in this mode.
(Optional) If you also want to use the extracted XFF IPs in Security Policy, enable the Content-ID X-Forwarded-For option with the following configuration command and commit:
set deviceconfig setting ctd x-forwarded-for-client-ip 2
The following configuration snippet shows a Syslog Server Profile on GCP-IPS with the XFF fields ($xff and $xff_ip) added to the threat log format:
syslog_server_profile {
  format {
    traffic "{'src': '$src', 'dst': '$dst', 'sport': '$sport', 'dport': '$dport', 'proto': '$proto', 'type': '$type', 'app': '$app', 'natsrc': '$natsrc', 'natdst': '$natdst', 'vpc_id': '$vpc_id', 'security_key': '$security_key', 'endpoint_id': '$endpoint_id'}";
    threat "{'threat_id': '$threatid', 'type': '$subtype', 'alert_severity': '$severity', 'alert_time': '$time_received', 'source_ip_address': '$src', 'destination_ip_address': '$dst', 'source_port': '$sport', 'destination_port': '$dport', 'ip_protocol': '$proto', 'direction': '$direction', 'session_id': '$sessionid', 'repeat_count': '$repeatcnt', 'application': '$app', 'uri_or_filename': '$misc', 'xff': '$xff', 'xff_ip': '$xff_ip'}";
  }
}
To verify, open the Panorama Monitor tab and go to Logs > Threat; the threat entries now include the new XFF fields. On the syslog server, confirm that the xff and xff_ip values appear in the forwarded threat messages, which shows that the fields were extracted and sent as part of the threat log.
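As an added example (not part of the original page and not Palo Alto Networks code), the following Python script parses threat-log messages emitted in the dict-style format above, rebuilds the X-Forwarded-For hop chain from the xff and xff_ip fields, and picks out the client address by discarding the hops that belong to a trusted proxy. It assumes that the xff field carries its up-to-two addresses as a comma-separated string, that the syslog transport prefixes the payload with a standard header, and that the trusted proxy ranges are the operator's own load-balancer addresses; the sample lines, session IDs and address ranges are constructed.

```python
"""Reconstruct the X-Forwarded-For chain from PAN-OS threat-log syslog messages
and identify the client behind a GCP load balancer.

Added example, not Palo Alto Networks code. Assumptions the page does not
confirm: the xff field lists its up-to-two addresses comma-separated, and each
syslog message carries a "<PRI>timestamp host " prefix before the dict payload.
"""
import ast
import ipaddress

# Constructed trusted-proxy ranges: the addresses your load balancer uses when
# it appends itself to the header. Only hops added by these proxies are trusted.
TRUSTED_PROXIES = ["192.0.2.0/24"]

# Constructed sample messages in the shape the threat format string above emits.
# All three share the same fixed fields; only session_id and the XFF fields differ.
_FIXED = (
    "'threat_id': '12345', 'type': 'vulnerability', 'alert_severity': 'high', "
    "'alert_time': '2024/01/10 12:00:01', 'source_ip_address': '192.0.2.10', "
    "'destination_ip_address': '10.20.0.5', 'source_port': '41222', "
    "'destination_port': '80', 'ip_protocol': 'tcp', 'direction': 'client-to-server', "
    "'repeat_count': '1', 'application': 'web-browsing', 'uri_or_filename': '/login.php', "
)
SAMPLE_LINES = [
    # Three-hop header: client-supplied value, real client, load balancer.
    ("<14>Jan 10 12:00:01 fw-gcp-ips {" + _FIXED + "'session_id': '1001', "
     "'xff': '203.0.113.25,198.51.100.7', 'xff_ip': '192.0.2.10'}"),
    # Header with exactly two entries: real client, load balancer.
    ("<14>Jan 10 12:00:02 fw-gcp-ips {" + _FIXED + "'session_id': '1002', "
     "'xff': '198.51.100.9', 'xff_ip': '192.0.2.10'}"),
    # No X-Forwarded-For header at all: both fields empty.
    ("<14>Jan 10 12:00:03 fw-gcp-ips {" + _FIXED + "'session_id': '1003', "
     "'xff': '', 'xff_ip': ''}"),
]


def parse_threat_event(line: str) -> dict:
    """Return the dict payload of one syslog line (everything from the first '{').

    The format string quotes values with single quotes and no escaping, so the
    payload is a Python literal; ast.literal_eval parses it without executing
    anything. A value containing a quote (e.g. a crafted URI) breaks the literal,
    so callers should treat ValueError/SyntaxError as a bad record.
    """
    payload = ast.literal_eval(line[line.index("{"):])
    if not isinstance(payload, dict):
        raise ValueError("threat payload is not a dict")
    return payload


def xff_chain(event: dict) -> list:
    """Rebuild the logged hops, oldest on the left, last on the right.

    xff holds up to two addresses that precede the last one; xff_ip holds the
    last address in the header (the hop appended by the load balancer).
    """
    hops = [h.strip() for h in event.get("xff", "").split(",") if h.strip()]
    last = event.get("xff_ip", "").strip()
    if last:
        hops.append(last)
    return hops


def client_ip(event: dict, trusted_proxies=TRUSTED_PROXIES) -> str:
    """Pick the client: walk the chain from the right, skipping hops that sit in
    a trusted proxy network; the first hop outside them was written by a proxy
    we trust and is the client. Anything further left came from the client and
    may be spoofed. With no usable XFF data, fall back to the connection source.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_proxies]
    for hop in reversed(xff_chain(event)):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            continue  # not an address: garbage injected into the header, skip
        if not any(addr in net for net in nets):
            return str(addr)
    return event["source_ip_address"]


def summarize(lines, trusted_proxies=TRUSTED_PROXIES) -> dict:
    """Map session_id -> (hop chain, chosen client) for a batch of syslog lines."""
    result = {}
    for line in lines:
        event = parse_threat_event(line)
        result[event["session_id"]] = (xff_chain(event), client_ip(event, trusted_proxies))
    return result


if __name__ == "__main__":
    for sid, (chain, client) in summarize(SAMPLE_LINES).items():
        print(f"session {sid}: chain={chain} client={client}")
```

The chain is walked from the right because each proxy appends to X-Forwarded-For: only the rightmost entries, written by proxies you control or trust, are reliable, and the leftmost value in the first sample (203.0.113.25) is whatever the client chose to send. Because the threat format string above does not escape quotes, a URI or filename containing a single quote produces an unparsable record; parse defensively and treat such records as suspicious rather than dropping them silently.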

Configuration steps for General/Marketplace GCP VM-Series (Logging and Policy)

For VM-Series deployments where you need to both log the additional XFF IPs and use them for Security Policy enforcement, enable both settings manually.
  1. Enable XFF Logging. Run the following operational command (no commit required):
    set system setting ctd additional-xff-logging enable
  2. Enable XFF for Policy. In the VM-Series web interface, go to Devices > Content-ID and, in the Content-ID settings section, select Use X-Forwarded-For Header. Alternatively, run the following configuration command:
    set deviceconfig setting ctd x-forwarded-for-client-ip 2
  3. Commit your changes.
  4. Verify the configuration:
    show system setting ctd state
    Confirm that the output shows XFF logging enabled and the security policy X-Forwarded-For setting set to 2.

Verification

You can verify the configuration and view the logs.
  1. Verify Configuration (CLI): Run the following command to verify the settings:
    show system setting ctd state
    Confirm that the output shows XFF logging enabled and the security policy X-Forwarded-For setting set to 2.
  2. View Logs (UI): Once configured, you can view the populated X-Forwarded-For and XFF IP fields in the Monitor > Logs > Threat log viewer. You can also configure a Syslog Server Profile to forward these logs.