Focus

Enforce Policy on Endpoints and Users Behind an Upstream Device

Table of Contents

Filter

Expand All | Collapse All

Next-Generation Firewall Docs

Getting Started
Administration
Version
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
Networking
Version
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
AIOps
Incidents & Alerts
Release Notes
Version
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)

CLI Commands for Dynamic IP Addresses and Tags

Use XFF Values for Policy Based on Source Users

Enforce Policy on Endpoints and Users Behind an Upstream Device

If you have an upstream device, such as an explicit proxy server or load balance, deployed between the users on your network and the firewall, the firewall might see the upstream device IP address as the source IP address in HTTP/HTTPS traffic that the proxy forwards rather than the IP address of the client that requested the content. In many cases, the upstream device adds an X-Forwarded-For (XFF) header to HTTP requests that include the actual IPv4 or IPv6 address of the client that requested the content or from whom the request originated.

In such cases, you can configure the firewall to extract the IP address from the XFF field and map it to a user with User-ID or apply security policy based on the IP address.

Use X-Forwarded-For Header in User-ID—This enables you enforce user-based policy to safely enable access to web-based applications for your users behind a proxy server. In addition, if User-ID is able to map the XFF IP address to a username, the firewall displays that username as the Source user in Traffic, Threat, WildFire Submissions, and URL Filtering logs for visibility into the web activity of users behind the proxy.
Use X-Forwarded-For Header in Security Policy—This enables you to enforce security policy based on source IP address using the IP address in the XFF field of the HTTP header. Additionally, when policy is applied to traffic that includes an IP address in the XFF field, you can configure the Traffic, Threat, Data Filtering, and Wildfire Submission logs to assist in troubleshooting and remediation.

To ensure that attackers can’t read and exploit the XFF values in web request packets that exit the firewall to retrieve content from an external server, you can also configure the firewall to strip the XFF values from outgoing packets. Using the XFF IP address for User-ID or in policy and stripping the XFF value are not mutually exclusive: if you configure both, the firewall zeroes out XFF values only after using them in policy enforcement and logging.

You cannot configure the firewall to use the IP address in the XFF field in User-ID and security policy at the same time.

CLI Commands for Dynamic IP Addresses and Tags

Use XFF Values for Policy Based on Source Users

Next-Generation Firewall Docs

Enforce Policy on Endpoints and Users Behind an Upstream Device

Next-Generation Firewall Docs

Enforce Policy on Endpoints and Users Behind an Upstream Device

Activation & Onboarding

Next-Generation Firewalls

Cloud-Delivered Security Services

Network Security

Visibility & Monitoring

Best Practices

Experts Corner