If you have a proxy server deployed between the users
on your network and the firewall, the firewall might see the proxy
server IP address as the source IP address in HTTP/HTTPS traffic
that the proxy forwards rather than the IP address of the client
that requested the content. In many cases, the proxy server adds
an X-Forwarded-For (XFF) header to traffic packets that includes
the actual IPv4 or IPv6 address of the client that requested the
content or from whom the request originated. In such cases, you
can configure the firewall to extract the end user IP address from
the XFF so that User-ID can map the IP address to a username. This
enables you to
Use
XFF Values for Policies and Logging Source Users so that
you can enforce user-based policy to safely enable access to web-based
for your users behind a proxy server.