Additional XFF Logging for VM-Series firewall on GCP
The XFF (X-Forwarded-For) logging feature for Google Cloud Platform (GCP) provides enhanced visibility by introducing an X-Forwarded-For field specifically in Threat Logs. This new field captures up to two additional IP addresses from the XFF header and works alongside the existing X-Forwarded-For IP field, which continues to log the last IP address, allowing for a combined total of the last three IPs to be recorded. For VM-Series firewalls in GCP (including general, IPS, and IDS modes), this feature is enabled by default.
To provide enhanced visibility into the original client source IP in proxied environments, the VM-Series firewall can now log up to the last three IP addresses from the X-Forwarded-For (XFF) header. This enhancement addresses scenarios in Google Cloud Platform (GCP) where load balancers add multiple IPs to the XFF header, and the original client IP is not the last entry.

A new X-Forwarded-For field is populated in Threat Logs, displaying up to two additional IP addresses. The existing XFF IP field continues to log the last IP address in the header.
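The field split described above, as an added example that is not part of this page or of the VM-Series firewall code: it parses a constructed XFF header the way the two log fields do (last entry, plus up to two preceding entries), drops entries that are not IP literals, and goes one step further with a hypothetical `client_ip` helper that picks the original client given how many trailing entries were appended by load balancers you trust.

```python
import ipaddress
from typing import List, Optional, Tuple


def parse_xff(header: str) -> List[str]:
    """Split an X-Forwarded-For header into its entries, in header order.

    Entries that are not valid IPv4/IPv6 literals (e.g. "unknown") are dropped
    rather than logged, and surrounding whitespace is ignored.
    """
    ips: List[str] = []
    for raw in header.split(","):
        entry = raw.strip()
        if not entry:
            continue
        try:
            ips.append(str(ipaddress.ip_address(entry)))
        except ValueError:
            continue  # not an IP literal: skip it
    return ips


def last_three_xff(header: str) -> Tuple[Optional[str], List[str]]:
    """Mirror the two Threat Log fields: the existing XFF IP field holds the
    last entry; the new X-Forwarded-For field holds up to the two entries
    before it (returned in header order)."""
    ips = parse_xff(header)
    if not ips:
        return None, []
    return ips[-1], ips[-3:-1]


def client_ip(header: str, trusted_hops: int) -> Optional[str]:
    """Hypothetical helper: assume the last `trusted_hops` entries were
    appended by proxies you control (e.g. the GCP load balancer chain) and
    return the entry just before them as the original client. Entries further
    left were supplied by the client itself and are not verified."""
    ips = parse_xff(header)
    idx = len(ips) - 1 - trusted_hops
    return ips[idx] if 0 <= idx < len(ips) else None


# Constructed sample header: client, then two load-balancer hops appended.
SAMPLE_XFF = "198.51.100.7, 203.0.113.10, 10.0.0.5"
```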
This feature is disabled by default. To use it, you must first manually enable the feature's operational command. To also use the XFF IPs for security policy enforcement, you must manually enable Use X-Forwarded-For Header in the Content-ID settings, which requires a commit. For more information, see Configuring GCP Loadbalancer.