How to test XFF for Security Policy feature?
Created On 11/17/22 15:18 PM - Last Modified 11/27/24 21:17 PM
Objective
XFF for Security Policy lets the firewall evaluate Security Policy against the client IP carried in the X-Forwarded-For (XFF) header instead of the source IP of the packet. This feature was introduced in PAN-OS 10.0.
This knowledge article explains XFF for Security Policy:
- What is XFF?
- How is XFF used?
- Which configuration is required to enable XFF for a security rule?
- How to configure a security rule that matches on the XFF IP
- How to see the XFF information in the Traffic log and URL Filtering log
- HTTPS Sessions
Environment
- PAN-OS 10.0 or later
- X-Forwarded-For (XFF)
Procedure
- What is XFF?
X-Forwarded-For is an HTTP request header that discloses information about the client that initiated the request, typically its IP address. A proxy or load balancer adds it when it forwards the request on the client's behalf.
- How is XFF used?
Web servers, firewalls and similar devices can read it to determine the original client IP, because the source IP of the packets they see is that of the proxy. The header is written by whoever forwards the request, so it is only meaningful where it is known to be set by a trusted proxy; as the curl test below shows, any client can put an arbitrary value in it.
- Which configuration is required to enable XFF for security rule?
XFF logging is enabled in the URL Filtering profile under HTTP Header Logging (X-Forwarded-For). The predefined 'default' URL Filtering profile cannot be edited, so clone it and enable the option in the clone; this article uses a clone named default-1. The profile only controls logging: enforcing Security Policy on the XFF IP is switched on firewall-wide under Device > Setup > Content-ID, where the X-Forwarded-For header option must be set to Enabled for Security Policy.
- How do we configure a Security rule that matches on the XFF IP?
- How do we see the XFF information in the Traffic log and URL Filtering log?
# curl -H "X-Forwarded-For: 10.1.1.1" http://portquiz.net
The request now carries an XFF IP of 10.1.1.1, so the session matches the rule XFF_IP_Rule rather than the rule for the real source IP.
The Traffic log shows x-fwd-for: 10.1.1.1 in the 'X-Forwarded-For IP' column.
The URL Filtering log shows x-fwd-for: 10.1.1.1 as 'Source User'. A URL Filtering log entry is only written when the URL category action logs (Block, Continue or Alert), not for Allow, so the XFF value appears there only for such traffic.
If there is no XFF header, the session matches the rule SRC_IP_Rule on the real source IP, as usual.
- HTTPS Sessions
If I send an HTTPS request with an XFF IP of 10.1.1.1:
# curl -k --header "X-Forwarded-For: 10.1.1.1" https://portquiz.takao-tech.com
the header is inside the TLS-encrypted payload, so the firewall can only read it when the session is decrypted (for example with SSL Forward Proxy). Without decryption the session matches SRC_IP_Rule on the real source IP, and the Traffic log shows no X-Forwarded-For IP.
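The decision the article walks through (XFF header present and visible to the firewall: match on the XFF IP; no header, an unusable header, or a header hidden inside undecrypted TLS: match on the real source IP) as an added Python example. This is not PAN-OS code and does not reproduce the firewall's implementation; the rule source networks, the lab client address 192.0.2.10, the sample sessions and the choice of the first XFF entry when a proxy chain has left several addresses in the header are all assumptions.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Session:
    """One HTTP(S) session as the firewall sees it (constructed sample data)."""
    src_ip: str                                   # real source IP of the packets
    tls: bool = False                             # HTTPS session?
    decrypted: bool = False                       # is the firewall decrypting it (SSL Forward Proxy)?
    headers: dict = field(default_factory=dict)   # HTTP request headers inside the session


@dataclass
class Rule:
    """Minimal stand-in for a Security Policy rule: a name plus a source match."""
    name: str
    source: str                                   # "any" or an IP/CIDR


def parse_xff(value):
    """Split an X-Forwarded-For value into the valid IPs it carries, left to right.
    Each proxy hop may append its own entry, so the header can hold several
    addresses; tokens that are not IPs ('unknown', garbage) are dropped."""
    ips = []
    for tok in value.split(","):
        tok = tok.strip()
        try:
            ips.append(str(ipaddress.ip_address(tok)))
        except ValueError:
            continue
    return ips


def visible_headers(sess):
    """Headers the firewall can actually inspect. XFF travels inside the TLS
    payload, so an HTTPS session exposes no headers unless it is decrypted."""
    if sess.tls and not sess.decrypted:
        return {}
    return {k.lower(): v for k, v in sess.headers.items()}


def policy_address(sess, xff_for_policy=True):
    """Address the Security Policy is evaluated against.
    Assumption: with several IPs in the header the first (client-most) one is
    used; the article does not say how PAN-OS picks one."""
    xff = visible_headers(sess).get("x-forwarded-for")
    if xff_for_policy and xff:
        ips = parse_xff(xff)
        if ips:
            return ips[0]
    return sess.src_ip        # no usable XFF: fall back to the real source IP


def match_rule(sess, rules, xff_for_policy=True):
    """Return the name of the first rule whose source matches, or None."""
    addr = ipaddress.ip_address(policy_address(sess, xff_for_policy))
    for rule in rules:
        if rule.source == "any" or addr in ipaddress.ip_network(rule.source, strict=False):
            return rule.name
    return None


# Rules named as in the article; the source networks are assumptions.
RULES = [
    Rule("XFF_IP_Rule", "10.1.1.1/32"),     # matches the client claimed in the XFF header
    Rule("SRC_IP_Rule", "192.0.2.0/24"),    # matches the lab client by its real source IP
]

# Constructed sessions mirroring the curl tests (192.0.2.10 is an assumed lab client).
SESSIONS = {
    "http_xff":             Session("192.0.2.10", headers={"X-Forwarded-For": "10.1.1.1"}),
    "http_no_xff":          Session("192.0.2.10"),
    "https_xff_no_decrypt": Session("192.0.2.10", tls=True, headers={"X-Forwarded-For": "10.1.1.1"}),
    "https_xff_decrypted":  Session("192.0.2.10", tls=True, decrypted=True,
                                    headers={"X-Forwarded-For": "10.1.1.1"}),
    "http_xff_chain":       Session("192.0.2.10", headers={"X-Forwarded-For": "10.1.1.1, 203.0.113.9"}),
    "http_xff_garbage":     Session("192.0.2.10", headers={"X-Forwarded-For": "not-an-ip"}),
}


def evaluate_all(xff_for_policy=True):
    """Map each sample session to the rule it would hit."""
    return {name: match_rule(sess, RULES, xff_for_policy) for name, sess in SESSIONS.items()}


if __name__ == "__main__":
    for name, hit in evaluate_all().items():
        print(f"{name:22} -> {hit}")
```

Running the script prints which rule each sample session lands on: the two cleartext HTTP cases reproduce the XFF_IP_Rule / SRC_IP_Rule split from the article, the undecrypted HTTPS case falls back to SRC_IP_Rule even though the request carried the header, and the garbage-header case shows why the fallback to the real source IP matters. Passing xff_for_policy=False models the feature being disabled, where every session matches on its real source IP.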