X-FORWARDED-FOR Feature in PAN-OS 6.1 and later.

X-FORWARDED-FOR Feature in PAN-OS 6.1 and later.

41302
Created On 09/25/18 19:20 PM - Last Modified 02/07/19 23:34 PM


Symptom
 
 


Environment
 
 


Cause
 
 


Resolution

Overview

X-Forwarded-For is the header field option that preserves the IP address of the user who requested the web page. It allows the identification of the IP address of the user particularly if there is a proxy server on the network, where all requests might seem to originate from the proxy server’s IP address.

 

This feature is used when to see the client IP address. When the web traffic is coming via a proxy server, the source IP address of the proxy server under URL filtering logs is seen. Once this feature is enabled the client IP address can be seen under URL filtering logs ( x-forwarded-for column).

 

Details

This feature must be enabled on a proxy server and on the Palo Alto Networks firewall. The proxy server will add “x-forwarded-for” in the GET request from the client and client IP address to this field. When the firewall receives the GET request, it will look for the “x-forwarded-for” field to check client IP address and populate it under URL filtering log.

 

Example configuration

  1. Create a proxy server with IP address 192.168.171.100.
  2. Enable X-FORWARDED-FOR on the proxy server.
    The default gateway is the firewall inside interface (TRUST) – 192.168.163.1/16
    IPv4 Address. . . . . . . . . . . : 192.168.171.100
    Subnet Mask . . . . . . . . . . . : 255.255.0.0
    Default Gateway . . . . . . . . . : 192.168.163.1
  3. TRUST PC as 192.168.163.100 with proxy configured in IE browser.
  4. Enable X-FORWARDED-FOR on the firewall under URL filtering profile used in a security policy.

 

Example flow

  1. Initiate web traffic for the website www.icicibank.com from the client with IP address 192.168.163.100.
  2. The traffic reached proxy server 192.168.171.100
  3. Proxy server will add the field “X-FORWARDED-FOR” in the GET request from the client.
  4. When the GET request reached firewall, the firewall will check the “X-FORWARDED-FOR” field and populate the same under URL filtering logs.


    In the above log snapshot, the client IP address is displayed as 192.168.163.100 under the “x-forwarded-for” column along with source IP address as 192.168.171.100 (Proxy Server).

 

owner: rsingh

 


Additional Information
 
 


Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClViCAK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language