If you have a proxy server deployed between the users on your network and the firewall, the
firewall might see the proxy server IP address as the source IP address in HTTP/HTTPS
traffic that the proxy forwards rather than the IP address of the client that requested
the content. In many cases, the proxy server adds an X-Forwarded-For (XFF) header to
traffic packets that includes the actual IPv4 or IPv6 address of the client that
requested the content or from whom the request originated. In such cases, you can
configure the firewall to extract the end user IP address from the XFF so that User-ID
can map the IP address to a username. This enables you to
use XFF values for policies and logging source
users.so that you can enforce user-based policy to safely enable access to
web-based for your users behind a proxy server.