Enforce Policy on Endpoints and Users Behind an Upstream
Device
Where Can I Use This?
What Do I Need?
NGFW (PAN-OS & Panorama Managed)
Prisma Access (Managed by Panorama)
Check for any license or role requirements for the products you're using.
If you have an upstream device, such as an explicit
proxy server or load balance, deployed between the users on your
network and the firewall, the firewall might see the upstream device
IP address as the source IP address in HTTP/HTTPS traffic that the proxy
forwards rather than the IP address of the client that requested
the content. In many cases, the upstream device adds an X-Forwarded-For
(XFF) header to HTTP requests that include the actual IPv4 or IPv6
address of the client that requested the content or from whom the
request originated.
In such cases, you can configure the firewall to extract the
IP address from the XFF field and map it to a user with User-ID
or apply Security policy based on the IP address.
Use X-Forwarded-For Header in User-ID—This enables
you enforce user-based policy to safely enable access to web-based
applications for your users behind a proxy server. In addition,
if User-ID is able to map the XFF IP address to a username, the
firewall displays that username as the Source user in Traffic, Threat,
WildFire Submissions, and URL Filtering logs for visibility into
the web activity of users behind the proxy.
Use X-Forwarded-For Header in Security Policy—This
enables you to enforce Security policy based on source IP address using
the IP address in the XFF field of the HTTP header. Additionally,
when policy is applied to traffic that includes an IP address in
the XFF field, you can configure the Traffic, Threat, Data Filtering,
and Wildfire Submission logs to assist in troubleshooting and remediation.
To ensure that attackers can’t read and exploit the XFF values
in web request packets that exit the firewall to retrieve content from
an external server, you can also configure the firewall to strip
the XFF values from outgoing packets. Using the XFF IP address for
User-ID or in policy and stripping the XFF value are not mutually
exclusive: if you configure both, the firewall zeroes out XFF values
only after using them in policy enforcement and logging.
You cannot configure the firewall to use the IP address
in the XFF field in User-ID and Security policy at the same time.