XFF Headers

If you have a proxy server deployed between the users on your network and the firewall, the firewall might see the proxy server IP address as the source IP address in HTTP/HTTPS traffic that the proxy forwards rather than the IP address of the client that requested the content. In many cases, the proxy server adds an X-Forwarded-For (XFF) header to traffic packets that includes the actual IPv4 or IPv6 address of the client that requested the content or from whom the request originated. In such cases, you can configure the firewall to extract the end user IP address from the XFF so that User-ID can map the IP address to a username. This enables you to Use XFF Values for Policies and Logging Source Users so that you can enforce user-based policy to safely enable access to web-based for your users behind a proxy server.

Related Documentation