The ingress traffic to your applications might pass
through AWS load balancers or proxy servers before it reaches the
NGFW. Because these devices intercept traffic between the source
and destination, the NGFW sees the IP address of the load balancer
or proxy server instead of the IP address of the source. These devices
add an X-Forwarded-For (XFF) header to HTTP requests that carries the
actual IPv4 or IPv6 address of the client accessing your application.
Traffic to your applications might pass through more than one
proxy server before it reaches the NGFW. The XFF request header
might contain multiple IP addresses that are separated by commas.
NGFW always uses the most recently added address in the XFF header
to enforce policy.
When configuring your rulestack,
you can enable Cloud NGFW to use the source IP address in an XFF
HTTP header field to enforce security policy.
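The selection rule described above (the most recently added, that is the rightmost, XFF entry is used for policy, and anything else falls back to the connection peer) as an added Python example; it is not Cloud NGFW code, and the header values, the peer address and the function names are constructed for illustration.

```python
import ipaddress
from typing import Optional

# Constructed sample values for illustration, not taken from the page.
XFF_HEADER = "X-Forwarded-For"


def xff_addresses(header_value: str) -> list[str]:
    """Split an XFF header value into its individual entries.

    Each proxy appends the address it received the request from, so the
    entries run oldest (possibly supplied by the client itself) to newest
    (appended by the last load balancer or proxy before the firewall).
    """
    return [entry.strip() for entry in header_value.split(",") if entry.strip()]


def policy_source_ip(header_value: Optional[str], peer_ip: str) -> str:
    """Return the address that security policy should be evaluated against.

    The most recently added (rightmost) XFF entry wins because it was
    written by the trusted device closest to the firewall. If the header is
    missing or its last entry is not a valid IPv4/IPv6 address, fall back to
    the connection peer, which is the load balancer or proxy address.
    """
    if not header_value:
        return peer_ip
    entries = xff_addresses(header_value)
    if not entries:
        return peer_ip
    candidate = entries[-1]
    try:
        # ipaddress normalises both IPv4 and IPv6 literals.
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        # Malformed entry: do not build policy decisions on it.
        return peer_ip


if __name__ == "__main__":
    # Two proxies in the path: the client-facing proxy wrote 203.0.113.7,
    # the load balancer in front of the firewall wrote 198.51.100.23.
    print(policy_source_ip("203.0.113.7, 198.51.100.23", "10.0.1.5"))
```

Earlier entries in the list can be set by the client before the request ever reaches a proxy, so a rule that keys on the leftmost address is easy to bypass; the rightmost entry is the one to match on.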