IP range for User and X-Forwarded-For HTTP header


Article ID: 125760




CA Privileged Access Manager - Cloakware Password Authority (PA), PAM SAFENET LUNA HSM, CA Privileged Access Manager (PAM)


Under User >> Manage Users >> select a specific user and click the Update button >> Administration tab, the [IP Range that is accessible] setting has two kinds of type, among them "NAT/Proxy address". When "Allow the user connection IP range" is selected, may I understand that the restriction is enforced on the "NAT/Proxy address" side?
She tested it and it worked that way, but she would like to confirm, as a double check, that this is the intended design.


Component: CAPAMX


The understanding is correct. 

The customer also asked us about the following note in DocOps, which concerns the scenario in which a user accesses PAM.

Section Title: Configure Administration Settings for the User Record 
Note: If your CA PAM server sits behind a networking device, such as a proxy, load balancer, or router, ensure that the device prevents against IP spoofing of the X-Forwarded-For HTTP header. 

If the device does not prevent IP spoofing, the X-Forwarded-For HTTP header will reach the device. She therefore thinks PAM recognizes the "sender IP address" at the TCP/IP level, not from the X-Forwarded-For HTTP header values such as ClientIP, ProxyIP...

The reason she asked is that, since there is an "IP range" field under User settings >> Administration, it may be possible to set the IP address based on the real IP address by checking the X-Forwarded-For header.

The result: PAM gets the IP address from the X-Forwarded-For header.
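
Why the note matters for the IP range check, as an added example (not CA PAM's code and not taken from the product documentation): it compares an IP range check that trusts whatever X-Forwarded-For value arrives with one that honours only entries appended by known proxies. The function names, the proxy subnet, the allowed range and the assumption that the proxy appends the connecting address to the header are all constructed for illustration.

```python
import ipaddress

# Constructed values (documentation address ranges), not PAM settings.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]   # hypothetical proxy/LB subnet
ALLOWED_RANGE = [ipaddress.ip_network("203.0.113.0/24")]  # hypothetical per-user IP range


def in_any(addr, networks):
    return any(addr in net for net in networks)


def naive_client_ip(peer_ip, xff):
    """Take the leftmost X-Forwarded-For entry, whoever wrote it."""
    first = xff.split(",")[0].strip() if xff else ""
    return ipaddress.ip_address(first or peer_ip)


def trusted_client_ip(peer_ip, xff):
    """Honour X-Forwarded-For only for hops appended by trusted proxies."""
    addr = ipaddress.ip_address(peer_ip)
    if not in_any(addr, TRUSTED_PROXIES):
        return addr  # direct connection: the header is client-controlled, ignore it
    hops = [h.strip() for h in xff.split(",") if h.strip()] if xff else []
    # Walk right to left: the rightmost entries were appended by our own proxies.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed entry: fail closed
        if not in_any(addr, TRUSTED_PROXIES):
            return addr  # first address not written by infrastructure we control
    return addr


def allowed(client_ip):
    """IP range restriction applied to the derived client address."""
    return client_ip is not None and in_any(client_ip, ALLOWED_RANGE)


# Constructed request: a client at 198.51.100.7 (outside the range) supplies its
# own header value; the proxy at 10.0.0.5 appends the address it actually saw.
PEER, XFF = "10.0.0.5", "203.0.113.10, 198.51.100.7"

if __name__ == "__main__":
    print("naive  :", naive_client_ip(PEER, XFF), allowed(naive_client_ip(PEER, XFF)))
    print("trusted:", trusted_client_ip(PEER, XFF), allowed(trusted_client_ip(PEER, XFF)))
```

A fronting device that overwrites the incoming header instead of appending to it removes the client-supplied entry entirely, which is the behaviour the note asks for.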