Unable to view X-Forwarded-For IP in traffic monitor logs

Unable to view X-Forwarded-For IP in traffic monitor logs

4941
Created On 01/16/23 01:40 AM - Last Modified 04/17/25 21:26 PM


Symptom


  • Under GUI: Monitor > Traffic Logs > Column "X-Forwarded-For IP" is showing blank
  • X-Forwarded-For IP is received by firewall and it is verified by the receive stage packet capture
  • There is also a port number associated with the XFF IP
Screenshot 2023-01-17 at 9.43.05 AM.png
 
 

Environment


  • Palo Alto VM firewall hosted in AWS
  • Client port preservation is enabled in AWS

Cause


  • Retrieving the IP address does not work when the input string contains a port number in XFF field.
  • It also does not work when the input string is an IPv6 address in the HTTP header (in the form [ipv6 address]).

Resolution


  1. Disable client port preservation in AWS

or

  1. Upgrade  PAN-OS to one of the fixed versions (10.1.10, 10.2.4, 11.0.1). The issue is fixed under PAN-209069

 
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000kGHaCAM&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language