Use XFF IP Address Values in Security Policy and Logging

You can configure the firewall to use the IP address in the X-Forwarded-For (XFF) field of the HTTP header to enforce security policy. If the packet passes through a single proxy server before reaching the firewall, the XFF field contains the IP address of the originating endpoint, and the firewall can use that IP address to enforce security policy. However, if the packet passes through multiple upstream devices, the firewall uses the most recently added IP address to enforce policy and for other features that rely on IP information.
[Figure: x-forwarded-for-diagram.png]

Use XFF Values in Policy

Complete the following procedure to use the client IP address in the XFF header when enforcing security policy.
In Microsoft Azure, by default, an application gateway inserts the original source IP address and port in the XFF header. To use XFF headers in policy on your firewall, you must configure the application gateway to omit the port from the XFF header. For more information, see Azure documentation.
  1. Log in to your firewall.
  2. Select Device > Setup > Content-ID > X-Forwarded-For Headers.
  3. Click the edit icon.
  4. Select Enabled for Security Policy from the Use X-Forwarded-For Header drop-down.
     You cannot enable Use X-Forwarded-For Header for security policy and User-ID at the same time.
     [Figure: enabled-xff-for-security-policy.png]
  5. (Optional) Select Strip X-Forwarded-For Header. Selecting this option removes the XFF header before the firewall forwards the request. This option does not disable the use of XFF headers; the firewall still uses the XFF header for policy enforcement and logging.
  6. Click OK.
  7. Commit your changes.
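The hop-selection rule described at the top of this page (the firewall uses the most recently added XFF address when several upstream devices have appended to the header), the Azure note about omitting the port, and the optional Strip X-Forwarded-For Header setting are illustrated below in a small added example. It is not firewall code and not part of the original page; the function names, the sample header values and the header dictionary are constructed for the example.

```python
import ipaddress
from typing import Optional

def parse_xff(header_value: str) -> list:
    """Split an X-Forwarded-For value into its hop list, left (oldest) to right (newest).
    Each proxy appends the address it saw, so the right-most entry was added last."""
    return [part.strip() for part in header_value.split(",") if part.strip()]

def client_ip_from_xff(header_value: str) -> Optional[str]:
    """Return the most recently added XFF address, or None if it is not a plain IP.

    With a single proxy the header holds one entry (the originating client);
    with several proxies the right-most entry is the one added last, which is
    the value the page says the firewall uses. Earlier, client-supplied entries
    are not consulted, because anything to the left of the last trusted hop
    could have been set by the client itself.
    """
    hops = parse_xff(header_value)
    if not hops:
        return None
    candidate = hops[-1]
    try:
        # A value such as "203.0.113.10:51234" (IP plus port, as an Azure
        # application gateway inserts by default) is rejected here; that is
        # why the page requires the gateway to omit the port.
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return None

def forward_headers(headers: dict, strip_xff: bool) -> dict:
    """Model the Strip X-Forwarded-For Header option: the header is consulted for
    policy first (see client_ip_from_xff), then optionally removed before the
    request is forwarded. Header names are matched case-insensitively."""
    if not strip_xff:
        return dict(headers)
    return {k: v for k, v in headers.items() if k.lower() != "x-forwarded-for"}

if __name__ == "__main__":
    # Constructed sample values (documentation ranges, not real clients).
    examples = [
        "203.0.113.10",                        # single proxy: one entry
        "203.0.113.10, 198.51.100.7",          # two proxies: newest is right-most
        "spoofed-value, 198.51.100.7",         # client-set junk on the left is ignored
        "203.0.113.10:51234",                  # Azure default with port: not usable
        "2001:db8::1",                         # IPv6 works the same way
    ]
    for value in examples:
        print(f"{value!r:40} -> {client_ip_from_xff(value)}")
    request = {"Host": "app.example", "X-Forwarded-For": "203.0.113.10"}
    print(forward_headers(request, strip_xff=True))
```

Running the script prints the selected address for each constructed header and shows the forwarded header set with X-Forwarded-For removed when stripping is enabled.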

Display XFF Values in Logs

In addition to using the XFF header in security policy, you can view the XFF IP address in various logs, reports, and the Application Command Center (ACC) to aid in monitoring and troubleshooting. You can add the X-Forwarded-For column in Traffic, Threat, Data Filtering, and WildFire Submissions logs.
To view the XFF IP address in your logs, complete the following steps.
  1. Log in to your firewall.
  2. Select Monitoring > Logs.
  3. Select Traffic, Threat, Data Filtering, or WildFire Submissions.
  4. Click the arrow to the right of any column header and select Columns.
  5. Select X-Forwarded-For IP to display the XFF IP in your log.
     [Figure: xff-column-threat-log.png]

Display XFF Values in Reports

Predefined reports generated by the firewall do not contain XFF values. To view XFF IP addresses in reports, use the built-in report templates that include XFF information.
  1. Log in to your firewall.
  2. Select Monitor > Manage Custom Reports > Add.
  3. Click Load Template.
  4. Enter XFF into the search bar and click the search button to locate the built-in XFF report templates.
     [Figure: x-forwarded-for-report-templates.png]
  5. Click Load.
  6. Configure your custom report Time Frame, Sort By, and Group By to display the XFF information in the manner best suited to your needs.
  7. (Optional) Click Run Now to generate your report on demand instead of, or in addition to, a Scheduled Time.
