How to Capture IP Address with XFF Header Enabled
If the traffic is coming to the firewall (e.g firewall sits between the load balancer and webserver), enabling the XFF feature on the Palo Alto Networks device will show the ip address in the username column of the URL log.
To enable XFF:
# set deviceconfig setting ctd x-forwarded-for yes|no
Or, it can be changed from operational command (not-persistent):
# set ctd x-forwarded-for yes|no