If you have a proxy server deployed between the users on your
network and the firewall, the firewall might see the proxy server
IP address as the source IP address in the HTTP/HTTPS traffic that
the proxy forwards, rather than the IP address of the client that
requested the content. In many cases, the proxy server adds to the
forwarded traffic an X-Forwarded-For (XFF) header that includes the
actual IPv4 or IPv6 address of the client that requested the content
or from which the request originated. In such cases, you can
configure the firewall to read the XFF header values and determine
the IP address of the client that requested the content. The
firewall matches the XFF IP addresses with usernames that your
policy rules reference so that those rules can control access for
the associated users and groups. The firewall also uses the
XFF-derived usernames to populate the source user fields of logs so
you can monitor user access to web services.

You can also configure the firewall to add XFF values to URL
Filtering logs. In these logs, an XFF value can be the client IP
address, client username (if available), the IP address of the last
proxy server traversed in a proxy chain, or any string of up to 128
characters that the XFF header stores.

XFF user identification applies only to HTTP or HTTPS traffic,
and only if the proxy server supports the XFF header. If the header
has an invalid IP address, the firewall uses that IP address as
a username for group mapping references in policies. If the XFF
header has multiple IP addresses, the firewall uses the first entry
from the left.
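
The selection rules described above (first entry from the left, an invalid IP address handled as a username, strings of up to 128 characters in logs), as an added Python sketch that is not the firewall vendor's code: it audits constructed proxy log records for XFF values that would resolve to something other than a single client IP. The function names, the sample records, and strict parsing with Python's ipaddress module are assumptions.

```python
import ipaddress

MAX_LOGGED_XFF = 128  # string length the text gives for XFF values in URL Filtering logs


def classify_xff(header_value):
    """Model the stated rules: take the first entry from the left; a valid
    IPv4/IPv6 address is a client IP, anything else is handled as a username."""
    entries = [e.strip() for e in header_value.split(",")]
    first = entries[0]
    try:
        # Assumption: strict parsing, so ports or brackets count as invalid.
        kind, value = "ip", str(ipaddress.ip_address(first))
    except ValueError:
        kind, value = "username", first
    flags = []
    if len(entries) > 1:
        flags.append("multiple-entries")
    if kind == "username":
        flags.append("non-ip-first-entry")
    if len(header_value) > MAX_LOGGED_XFF:
        flags.append("longer-than-128")
    return kind, value, flags


def audit(records):
    """Return (source_ip, kind, value, flags) for every record that has a flag."""
    findings = []
    for src, header in records:
        kind, value, flags = classify_xff(header)
        if flags:
            findings.append((src, kind, value, flags))
    return findings


# Constructed sample: (proxy source IP seen by the firewall, XFF header value)
SAMPLE = [
    ("10.0.0.5", "192.0.2.10"),
    ("10.0.0.5", "198.51.100.7, 192.0.2.10"),
    ("10.0.0.5", "2001:db8::1"),
    ("10.0.0.5", "admin, 192.0.2.10"),
    ("10.0.0.5", "192.0.2.999"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Flagged records are the ones to review, because the user that policy rules and logs attribute the request to is derived from that leftmost value.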