HTTP traffic not matching the expected security policy rule when using X-Forwarded-For (XFF) headers
Created On 02/02/22 10:03 AM - Last Modified 12/07/22 20:21 PM
Symptom
- HTTP traffic is not matching the expected security policy rule.
- The global counter "ctd_x_fwd_sec_pol" increments every time the firewall parses an XFF header for a security policy lookup, so a rising value confirms that XFF-based policy matching is in use. Running the command repeatedly shows the counter climbing:

    > show counter global | match ctd_x_fwd_sec_pol

    Global counters:
    name                                   value     rate
    -------------------------------------------------------------------------------
    ctd_x_fwd_sec_pol                       1864        0
    ---
    ctd_x_fwd_sec_pol                       2070        0
    ---
    ctd_x_fwd_sec_pol                       2100        0
Environment
- Palo Alto Firewall
- PAN-OS 10.0 and above
- XFF IP Address Values in Security Policy and Logging
Cause
The firewall uses the IP address in the X-Forwarded-For (XFF) field of the HTTP header to enforce security policies. If the packet passes through a single proxy server before reaching the firewall, the XFF field contains only the IP address of the originating endpoint, and the firewall can use that IP address to enforce a security policy. However, if the packet passes through multiple upstream devices, each device appends the address it received the request from, and the firewall uses the most recently added IP address (the right-most entry in the comma-separated list, i.e. the address seen by the last proxy before the firewall) to enforce policies or to drive other features that rely on IP information. A rule written for the originating client's address therefore does not match, because the address being evaluated is that of an intermediate proxy. Note also that the XFF header is client-supplied input: unless the first trusted proxy overwrites or strips it, an endpoint can insert arbitrary addresses into it.
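The following is an added illustration, not PAN-OS code or anything from the original article: it models the behaviour described above by splitting a chained XFF header into its entries, picking the most recently added (right-most) one the way the firewall does, and checking it against a hypothetical rule written for the client subnet. The header values and the rule subnet are constructed for the example.

```python
# Added illustration of how a chained X-Forwarded-For header is interpreted.
# Not PAN-OS code: it models the behaviour the KB article describes, where the
# firewall evaluates the most recently added (right-most) XFF entry when the
# request has traversed several upstream proxies.
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed sample headers (not captured from a real firewall).
SINGLE_PROXY_XFF = "10.1.1.25"                              # one proxy: client only
MULTI_PROXY_XFF = "10.1.1.25, 192.168.50.7, 172.16.0.3"     # client, proxy A, proxy B


def parse_xff(header: str) -> List[str]:
    """Split an XFF header into IP entries, left (oldest) to right (newest).

    Each proxy appends the address it saw the request arrive from, so the
    left-most entry is what the first proxy saw and the right-most entry is
    what the last proxy before the firewall saw. Malformed entries are dropped
    rather than trusted, since the header is client-controlled input.
    """
    entries: List[str] = []
    for part in header.split(","):
        part = part.strip()
        try:
            entries.append(str(ip_address(part)))
        except ValueError:
            continue  # e.g. "unknown" or garbage injected by the client
    return entries


def firewall_source_ip(header: str) -> Optional[str]:
    """Address the firewall uses for policy lookup: the most recently added entry."""
    entries = parse_xff(header)
    return entries[-1] if entries else None


def originating_client_ip(header: str) -> Optional[str]:
    """Left-most entry: what the first proxy saw, and what a rule author usually expects."""
    entries = parse_xff(header)
    return entries[0] if entries else None


def rule_matches(rule_source: str, header: str) -> bool:
    """Does a rule written for rule_source match the IP the firewall actually evaluates?"""
    src = firewall_source_ip(header)
    return src is not None and ip_address(src) in ip_network(rule_source, strict=False)


if __name__ == "__main__":
    rule = "10.1.1.0/24"  # hypothetical rule written for the client subnet
    for hdr in (SINGLE_PROXY_XFF, MULTI_PROXY_XFF):
        print(f"XFF={hdr!r}")
        print(f"  firewall evaluates : {firewall_source_ip(hdr)}")
        print(f"  originating client : {originating_client_ip(hdr)}")
        print(f"  rule {rule} matches : {rule_matches(rule, hdr)}")
```

With a single proxy both functions return the client address and the rule matches; with two proxies the firewall evaluates 172.16.0.3 (proxy B) instead of 10.1.1.25, and the rule written for 10.1.1.0/24 does not match, which is exactly the symptom the article describes.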
Resolution
- The first option is to modify the security policy rule so that it matches the source IP actually carried in the X-Forwarded-For header of the traffic the firewall receives:
- Go to the Monitor > Traffic tab
- Display the X-Forwarded-For IP column to find the source IP address from the X-Forwarded-For header.
- Modify the configuration of the security policy rule with the X-Forwarded-For source IP.
- The second option is to disable use of the X-Forwarded-For header in security policy evaluation, so that the rule is matched against the source IP of the packet itself (the address of the proxy in front of the firewall) rather than the XFF value:
- Go to the Device > Setup > Content-ID > X-Forwarded-For Headers tab and click the edit icon.
- Select "Use X-Forwarded-For Header: Disabled".
Additional Information
Use XFF IP Address Values in Security Policy and Logging