Palo Alto Networks Knowledgebase: Known Issue When Applying Strip X-Forwarded-For (XFF)
Created On 02/07/19 23:47 PM - Last Updated 02/07/19 23:47 PM
Palo Alto Networks has identified an issue in PAN-OS affecting the stripping of X-Forwarded-For (XFF) HTTP headers in outgoing HTTP requests.
When the "Strip X-Forwarded-For Header" feature is enabled, the XFF header may not be reliably stripped from certain outgoing HTTP request headers. This can result in complete or partial exposure of the contents of the XFF header field, typically an internal IP address. This issue is being addressed in the next PAN-OS 6.1 maintenance release (6.1.1) scheduled for release in mid-December. A fix for the issue is also being investigated for PAN-OS 6.0.

Until an update is available, customers concerned about this issue are advised to review their XFF header insertion configuration on proxies, load balancers, and other devices to determine if XFF insertion can be temporarily disabled or restricted to only apply to internal traffic.
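As an added example (not from the Palo Alto Networks article), the following Python check can be run over outbound HTTP requests captured on the far side of the firewall to confirm whether XFF stripping is actually taking effect. The sample requests are constructed, and the RFC 1918 ranges are assumed to be what counts as an internal address.

```python
import ipaddress
from typing import Dict, List

# Constructed sample of raw outbound HTTP requests as they would appear
# after leaving the firewall (not captured from a real device).
SAMPLE_REQUESTS = [
    "GET / HTTP/1.1\r\nHost: example.com\r\nX-Forwarded-For: 10.1.2.3\r\n\r\n",
    "GET /a HTTP/1.1\r\nHost: example.com\r\n"
    "x-forwarded-for: 203.0.113.7, 192.168.5.9\r\n\r\n",
    "GET /b HTTP/1.1\r\nHost: example.com\r\nUser-Agent: test\r\n\r\n",
]

# Assumption: RFC 1918 space is what the organisation considers internal.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Split a raw HTTP request into a lowercase-keyed header map."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:  # skip the request line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def leaked_internal_ips(raw: str) -> List[str]:
    """Return internal addresses exposed through X-Forwarded-For."""
    leaked: List[str] = []
    for value in parse_headers(raw).get("x-forwarded-for", []):
        for hop in value.split(","):  # XFF may list several hops
            hop = hop.strip()
            try:
                addr = ipaddress.ip_address(hop)
            except ValueError:
                continue  # not an IP literal, e.g. "unknown"
            if any(addr in net for net in INTERNAL_NETS):
                leaked.append(hop)
    return leaked


def audit(requests: List[str]) -> Dict[int, List[str]]:
    """Map request index to leaked internal addresses, offenders only."""
    findings: Dict[int, List[str]] = {}
    for idx, req in enumerate(requests):
        ips = leaked_internal_ips(req)
        if ips:
            findings[idx] = ips
    return findings


if __name__ == "__main__":
    for idx, ips in audit(SAMPLE_REQUESTS).items():
        print(f"request {idx}: XFF exposes internal address(es) {ips}")
```

Any non-empty result means the header survived stripping and the workaround above (disabling or restricting XFF insertion upstream) is still needed.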