Enabling the Strip X-Forwarded-For Feature Blocks Communications to Certain Websites
Issue
Some websites block incoming communications from host computers when the Strip-X-Forwarded-For feature is enabled on the Palo Alto Networks firewall.
For example:
Cause
The Strip X-Forwarded-For option (Device > Setup > Content-ID) removes the client IP address from the X-Forwarded-For header of the GET request before the request is sent out to the web site, so that the client address is not disclosed. Sites protected by an IDS/IPS can treat the resulting empty header value as invalid; when that happens, the remote site drops the GET request.
Here is a sample text export of the GET packet showing the X-Forwarded-For field blanked out on transmit by the Palo Alto Networks firewall:
Host: www.publix.com\r\n
Via: 1.1 linux2.pantac3.org:3128 (squid/2.7.STABLE7)\r\n
X-Forwarded-For: \r\n <<<----
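The following is an added example, not code from Palo Alto Networks or from the article. It reconstructs the situation in the capture above: a request leaves a proxy with a client address in X-Forwarded-For, the firewall keeps the header line but empties its value, and the receiving side must decide what to do with a present-but-empty header. The "strict" checker models the remote IDS/IPS behaviour the article describes (any present X-Forwarded-For must carry an address list, so an empty one is rejected); the "lenient" checker shows the receiver-side handling that accepts such requests by treating an empty value like a missing header. Hostnames, addresses and the strict/lenient policies are assumptions made for the example.

```python
"""Added example (not Palo Alto Networks code): how a request looks once the
firewall blanks the X-Forwarded-For value, and how a receiving IDS/IPS or web
server can tell apart "header absent", "header present but empty" and
"header carrying a valid client address list". Hostnames and addresses are
constructed for the example."""
import ipaddress
from typing import List, Tuple

Header = Tuple[str, str]

# Constructed request as a proxy (e.g. Squid) would send it upstream, before
# the firewall touches it.
ORIGINAL_REQUEST = (
    "GET / HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "Via: 1.1 proxy.example.org:3128 (squid/2.7.STABLE7)\r\n"
    "X-Forwarded-For: 192.0.2.10\r\n"
    "\r\n"
)


def parse_head(raw: str) -> Tuple[str, List[Header]]:
    """Split an HTTP/1.1 request head into the request line and header pairs.
    Header names are lower-cased; values are stripped of surrounding whitespace."""
    head, _, _body = raw.partition("\r\n\r\n")
    request_line, *lines = head.split("\r\n")
    headers: List[Header] = []
    for line in lines:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        headers.append((name.strip().lower(), value.strip()))
    return request_line, headers


def strip_xff_value(raw: str) -> str:
    """Reproduce the firewall behaviour seen in the capture: the X-Forwarded-For
    line is kept but its value is emptied (the header itself is NOT removed)."""
    out = []
    for line in raw.split("\r\n"):
        name, sep, _value = line.partition(":")
        if sep and name.strip().lower() == "x-forwarded-for":
            line = f"{name}: "
        out.append(line)
    return "\r\n".join(out)


def classify_xff(headers: List[Header]) -> str:
    """'absent'  -> no X-Forwarded-For header at all
       'empty'   -> header present, value empty (what the firewall produces)
       'valid'   -> every comma-separated element is an IP address
       'invalid' -> header present but some element is not an IP address"""
    values = [v for n, v in headers if n == "x-forwarded-for"]
    if not values:
        return "absent"
    joined = ",".join(values).strip()
    if not joined:
        return "empty"
    try:
        for item in joined.split(","):
            ipaddress.ip_address(item.strip())
    except ValueError:
        return "invalid"
    return "valid"


def strict_accepts(raw: str) -> bool:
    """Assumed over-strict receiver policy: a present X-Forwarded-For must carry
    an address list. This is the policy that drops the firewall's request."""
    return classify_xff(parse_head(raw)[1]) in ("absent", "valid")


def lenient_accepts(raw: str) -> bool:
    """Assumed receiver policy that tolerates the stripped header: an empty
    value means "client address unknown", the same as a missing header, and
    only a malformed value is rejected."""
    return classify_xff(parse_head(raw)[1]) != "invalid"


if __name__ == "__main__":
    stripped = strip_xff_value(ORIGINAL_REQUEST)
    print(stripped.replace("\r\n", "\\r\\n\n"))
    print("strict :", strict_accepts(stripped))    # False: request dropped
    print("lenient:", lenient_accepts(stripped))   # True: request served
```

Running the block prints the stripped request in the same form as the capture above (an `X-Forwarded-For: ` line with nothing after the colon) and shows that the identical request is dropped under the strict policy and served under the lenient one; the difference between the two policies is only how the `empty` classification is treated.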
Resolution
This feature is working as designed. Contact the affected websites so that their IDS/IPS devices can be configured to accept communications from these host computers.
owner: kadak