How to Enable Support for the X-Forwarded-For HTTP Header
- Palo Alto Firewall
- PAN-OS 8.1, 9.0
- The X-Forwarded-For (XFF) HTTP header is used to identifying the originating IP address of a client connecting to a web server through an HTTP proxy or load balancer.
- This is a non-RFC-standard, which means there is no defined standard as to how the information needs to be presented in the header. Usually, this is the format being used :
X-Forwarded-For: client1, proxy1, proxy2
- The value is a comma+space separated list of IP addresses, the left-most being the farthest downstream client.
- Each successive proxy that passed the request adding the IP address where it received the request from.
- In this above example, the request passed proxy1, proxy2 and proxy3 (proxy3 appears as the source IP address of the request).
- By default, the X-Forwarded-For attribute will NOT be parsed in HTTP traffic. To enable parsing of this attribute, run the following command:
> configure # set deviceconfig setting ctd x-forwarded-for yes|no # commit # exit
- Or change it via the operational command (not-persistent)
> set system setting ctd x-forwarded-for yes|no
If the option is enabled, the source user of the machine is unknown and the HTTP header contains the X-Forwarded-For attribute. The leftmost IP address (i.e. the client IP address) is stored in the source user column of the URL log with the format: x-fwd-for: a.b.c.d
where a.b.c.d is the IPv4 address.
- The source user column is overloaded because it is assumed this attribute should only exist for traffic coming from a proxy server and the source user will not be known. If the source user is not "unknown", it will not be overwritten by this attribute.
- It is expected that all of the existing reports that use the source user values will continue to function and will display the x-fwd-for value if it is present. In addition, it should be possible to filter on this value in both the logs and custom reports.
- Only IPv4 address are supported. It will only work with URL filtering logs, and not with Threat or Traffic logs. Also, the information in the source user column cannot be used in a policy.
For PAN-OS 10.0 and above, refer to the documentation below: