Decryption policy configuration is not working when traffic is sent through proxy server which adds XFF header

Created On 02/04/20 02:57 AM - Last Modified 02/05/25 21:07 PM


Symptom


  • Decryption is enabled on the firewall.
  • A valid decryption certificate is installed on the client.
  • The proxy adds an X-Forwarded-For (XFF) header to the request, and XFF-based user identification is enabled on the firewall.
  • Traffic reaches the firewall but is not decrypted.


Environment


Palo Alto Networks firewall configured for Decryption as per the article below, using the client's actual source address as the match condition in the Decryption policy:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEZCA0

X-Forwarded-For (XFF) is enabled as per the article below:
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/user-id/user-id-concepts/user-mapping/xff-headers


Cause


  • The decryption rule uses the client's actual source IP address rather than the proxy's address as its source match condition, but the traffic reaches the firewall with the proxy's address as the source, so the rule never matches and the session cannot be decrypted based on the actual client IP.
  • The firewall learns the XFF value (the actual source IP address of the client) only by inspecting the HTTP header sent by the proxy.
  • For the firewall to see the HTTP header, that session must be decrypted first.
  • Hence, the XFF value cannot be used as a match condition in the Decryption policy, because at the point where the decryption decision is made the firewall does not know it yet.


Resolution


Use the source IP address of the proxy in your decryption rule instead of the actual source IP address of the client.
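The decision order described above, as an added illustration that is not from the article or from PAN-OS itself: the decryption rule is matched on the packet's source address before any HTTP header is readable, so a rule keyed on the client's address never fires and the XFF value is never learned, while a rule keyed on the proxy's address matches, the session is decrypted, and only then does the XFF header become visible. The addresses, host name and request are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample values (RFC 5737 documentation ranges), not from the article.
CLIENT_IP = "192.0.2.10"    # real client sitting behind the proxy
PROXY_IP = "198.51.100.5"   # explicit proxy that inserts the XFF header


@dataclass
class Session:
    """What the firewall can see at each stage of a proxied TLS session."""
    src_ip: str               # IP header: always the proxy's address on this path
    sni: str                  # TLS ClientHello, visible before decryption
    tls_payload: bytes        # HTTP request; modelled as unreadable until decrypted
    decrypted: bool = False
    xff: Optional[str] = None  # filled in only once the HTTP header is inspected


def decryption_rule_matches(rule_src_cidr: str, session: Session) -> bool:
    """Decryption policy matches on the packet source address only; the XFF
    value cannot be consulted here because the HTTP header is still encrypted."""
    return ipaddress.ip_address(session.src_ip) in ipaddress.ip_network(rule_src_cidr)


def process(rule_src_cidr: str, session: Session) -> Session:
    """Apply one decryption rule, then (only if decrypted) parse the HTTP header."""
    if decryption_rule_matches(rule_src_cidr, session):
        session.decrypted = True
        # Only now can the HTTP header be read and the XFF value learned.
        for line in session.tls_payload.decode().split("\r\n"):
            if line.lower().startswith("x-forwarded-for:"):
                # First address in the list is the original client.
                session.xff = line.split(":", 1)[1].strip().split(",")[0].strip()
    return session


def new_session() -> Session:
    """Constructed proxied request: source is the proxy, client only in XFF."""
    http = (b"GET / HTTP/1.1\r\nHost: example.com\r\n"
            b"X-Forwarded-For: " + CLIENT_IP.encode() + b"\r\n\r\n")
    return Session(src_ip=PROXY_IP, sni="example.com", tls_payload=http)


if __name__ == "__main__":
    broken = process(CLIENT_IP + "/32", new_session())  # rule keyed on client IP
    fixed = process(PROXY_IP + "/32", new_session())    # rule keyed on proxy IP
    print("client-IP rule:", broken.decrypted, broken.xff)  # False None
    print("proxy-IP rule: ", fixed.decrypted, fixed.xff)    # True 192.0.2.10
```

Once the session is decrypted, the XFF value becomes available to later stages such as User-ID and Security policy, which is what the linked article on identifying users behind a proxy relies on.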

Additional Information


How to identify users connecting through a proxy and restrict their access with Security Policy:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CletCAC

