The understanding is correct.
Also, the customer asked us about the below Note in the DocOps that the scenario that the user accesses the PAM. http://bit.ly/2DN9864
Section Title: Configure Administration Settings for the User Record
Note: If your CA PAM server sits behind a networking device, such as a proxy, load balancer, or router, ensure that the device prevents against IP spoofing of the X-Forwarded-For HTTP header.
If the device does not prevent against the IP Spoofing, the X-Forwarded-For HTTP header will reach the device. Then, she thinks PAM recognizes the "sender IP address" by the TCP/IP level, not from the X-Forwarded-For HTTP like ClientIP, ProxyIP...
The reason why she asked it is that there is the "IP range" field in the User settings >> Administration, it may possible to set the IP address based on the real IP address by checking the X-Forwarded-For header.
As a result, PAM get the IP address from the X-Forwarded-For header.