IP Range and Subnet Support in Dynamic Address Groups
Dynamic address groups were previously limited
to tagging a single IP address for membership; if you registered an IP range
or subnet, only its first address was included in the dynamic address group.
You can now populate dynamic address group membership
based on IP address ranges or IP subnets. This allows you
to build and enforce policy based on changes in a specific range
of IP addresses or on a particular subnet. For example, in a VMware
NSX environment, if you run similar types of workloads on a dedicated
IP range or subnet, it may not be efficient to tag every workload
that joins the IP range. Now, you no longer need to tag each workload
to ensure security. Additionally, you can see source and destination
dynamic address groups in the firewall logs. This gives you additional
visibility in your traffic logs for auditing and troubleshooting.
And you can now take automated security actions on IP ranges and subnets,
such as quarantining infected devices.
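The following is an added example, not PAN-OS code, that models the behaviour described above: tag registrations can now cover a whole IP range or subnet, and a dynamic address group's match criteria are evaluated against every address the registration covers rather than only its first address. The tag names, match modes, quarantine tag and sample registrations are constructed for illustration.

```python
"""Added example (not PAN-OS code): dynamic address group membership evaluated
over registered IP ranges and subnets.

Tag names, the "and"/"or" match modes and the sample registrations below are
constructed for illustration; the tag-registration message format of any real
orchestrator is not modelled here."""
import ipaddress
from typing import Iterable, List, Set, Tuple


def expand(spec: str):
    """Turn 'a.b.c.d', 'a.b.c.d/nn' or 'start-end' into a list of IP networks."""
    if "-" in spec:
        start, end = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        if end < start:
            raise ValueError(f"range end precedes start: {spec}")
        # A range is covered by the minimal set of CIDR blocks spanning it.
        return list(ipaddress.summarize_address_range(start, end))
    return [ipaddress.ip_network(spec.strip(), strict=False)]


class TagRegistry:
    """IP-to-tag registrations, as an orchestrator (e.g. NSX) or an automated
    quarantine action would push them to the firewall."""

    def __init__(self) -> None:
        self._entries: List[Tuple[object, Set[str]]] = []

    def register(self, spec: str, tags: Iterable[str]) -> None:
        tagset = set(tags)
        for net in expand(spec):
            self._entries.append((net, tagset))

    def unregister(self, spec: str, tags: Iterable[str]) -> None:
        """Remove the given tags from registrations that cover exactly spec."""
        drop = set(tags)
        nets = set(expand(spec))
        kept = [(n, t - drop) if n in nets else (n, t) for n, t in self._entries]
        self._entries = [(n, t) for n, t in kept if t]

    def tags_for(self, ip: str) -> Set[str]:
        """Union of tags of every registration whose range/subnet contains ip."""
        addr = ipaddress.ip_address(ip)
        tags: Set[str] = set()
        for net, t in self._entries:
            if addr in net:  # False for mismatched IPv4/IPv6 versions
                tags |= t
        return tags


def in_dynamic_group(registry: TagRegistry, ip: str,
                     match_tags: Iterable[str], mode: str = "and") -> bool:
    """Evaluate a dynamic address group's match criteria for one address."""
    have = registry.tags_for(ip)
    want = set(match_tags)
    if mode == "and":
        return want <= have
    if mode == "or":
        return bool(want & have)
    raise ValueError(f"unknown match mode: {mode}")


def legacy_first_address_only(spec: str) -> str:
    """The earlier behaviour described in the text: only the first address of
    a registered range or subnet counted as a member."""
    return str(expand(spec)[0].network_address)


if __name__ == "__main__":
    reg = TagRegistry()
    reg.register("10.1.0.0/24", ["nsx-web"])                  # constructed subnet
    reg.register("10.1.1.10-10.1.1.20", ["nsx-web", "quarantine"])  # constructed range
    for host in ("10.1.0.77", "10.1.1.15", "10.1.1.21"):
        print(host, sorted(reg.tags_for(host)),
              "quarantined" if in_dynamic_group(reg, host, ["quarantine"]) else "allowed")
    print("legacy member of range:", legacy_first_address_only("10.1.1.10-10.1.1.20"))
```

Registering the range tags every host in it, so a group matching `quarantine` covers `10.1.1.15` without that host ever being tagged individually; `legacy_first_address_only` shows why `10.1.1.15` would previously have been missed.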
X-Forwarded-For HTTP Header Data Support
To help you enforce security policy on the
endpoint that originates a request when it sits behind an upstream
device, such as an explicit HTTP proxy server or load balancer,
the firewall can now use the source IP address carried in the X-Forwarded-For (XFF) field
of the HTTP header. Because any client can set this header, the value is only
meaningful when the firewall receives the traffic from an upstream device you control.
With the IP address of the original initiator
of the request, you can ensure that the correct security policy
rules are applied and use other features such as geoblocking, IP blocking,
and DoS protection. For example, if you want to block traffic originating
in North Korea, you create a policy rule based on North Korean IP addresses.
The firewall can identify those location-based IP addresses and enforce the rule
even if the traffic passes through an explicit HTTP proxy. Additionally,
the firewall now displays both the endpoint IP address and the upstream device
IP address in logs to aid troubleshooting and remediation.
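The following is an added example, not PAN-OS code, showing how the originating client address and the upstream device address described above can be recovered from an X-Forwarded-For header without trusting values a client could have inserted itself. The trusted-proxy list and the sample headers are constructed for illustration.

```python
"""Added example (not PAN-OS code): resolve the originating client IP and the
upstream proxy IP from X-Forwarded-For.

The chain is walked from the connection peer leftwards through the header;
trusted proxies are skipped and the first untrusted hop is the client. If the
peer itself is not a trusted proxy the header is ignored, because anything in
it was written by an untrusted party and would let a client choose the source
address that policy, geoblocking or DoS protection is applied to.

The trusted-proxy list and sample headers are constructed for illustration."""
import ipaddress
from typing import Iterable, List, Optional, Tuple


def parse_trusted(proxies: Iterable[str]) -> List[object]:
    """Trusted upstream devices as IP networks (single IPs become /32 or /128)."""
    return [ipaddress.ip_network(p, strict=False) for p in proxies]


def is_trusted(addr, trusted: List[object]) -> bool:
    return any(addr in net for net in trusted)


def resolve_client(peer_ip: str, xff: Optional[str],
                   trusted: List[object]) -> Tuple[str, Optional[str]]:
    """Return (client_ip, upstream_ip).

    upstream_ip is the trusted proxy nearest the client, i.e. the device that
    appended the client's address; it is None when no upstream device was
    involved or the chain could not be trusted."""
    peer = ipaddress.ip_address(peer_ip)
    if not is_trusted(peer, trusted):
        # Direct connection (or an unknown proxy): the header is untrustworthy.
        return str(peer), None
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    upstream = peer
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            # "unknown", host:port or junk: the chain cannot be trusted past
            # this point, so fall back to the nearest trusted proxy (the
            # pre-XFF behaviour: policy is applied to the proxy's address).
            return str(upstream), None
        if is_trusted(addr, trusted):
            upstream = addr
            continue
        return str(addr), str(upstream)
    # Every hop was a trusted proxy (e.g. a health check from the proxy tier).
    return str(upstream), None


if __name__ == "__main__":
    trusted = parse_trusted(["203.0.113.0/24"])  # constructed proxy tier
    samples = [  # (peer, X-Forwarded-For) pairs, constructed
        ("203.0.113.10", "198.51.100.7"),
        ("203.0.113.10", "192.0.2.1, 198.51.100.7"),   # 192.0.2.1 was client-supplied
        ("203.0.113.10", "198.51.100.7, 203.0.113.11"),
        ("198.51.100.7", "192.0.2.1"),                  # peer is not a proxy: spoof attempt
        ("203.0.113.10", "unknown"),
    ]
    for peer, xff in samples:
        client, upstream = resolve_client(peer, xff, trusted)
        print(f"peer={peer:14} xff={xff!r:32} client={client} upstream={upstream}")
```

Returning both addresses mirrors what the text says the logs now show: the endpoint address is what policy is applied to, and the upstream device address tells you which proxy or load balancer inserted it. In the second sample the left-most `192.0.2.1` is discarded because only the entry appended by a trusted proxy can be believed.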