Some networks have a network device, such as a child proxy or load balancer, that performs Network Address Translation (NAT) on the traffic behind it, so the connection's source IP cannot be used as the client IP for policy. In some configurations the device adds an X-Forwarded-For HTTP header containing the original client IP, but because the device does not decrypt SSL traffic it cannot insert the X-Forwarded-For header into every request. This makes it difficult to base policy solely on the X-Forwarded-For header.
The solution is to use the Effective Client IP object.
Open up the Visual Policy Manager (Management Console > Configuration > Policy > Visual Policy Manager > Launch), and from the Visual Policy Manager (VPM):
1) Create a Web Access Layer and move it above the other web layers you want to apply policy to. Create a new rule, right click on Service, and select Set.
2) Select New
3) Then select Client Protocol
4) Select HTTP from the top drop down menu
5) Select All HTTP from the bottom drop down menu
6) Select OK
7) You should now be back in the first pop-up menu and see a new object called 'All HTTP'. Select it and
8) Select OK; you should now have All HTTP as the Service for this rule
9) Right click on Action, and select Set
10) On the menu that pops up, select New
11) Select 'Set Effective Client IP'
12) From the drop down on the following pop up, select $(request.header.X-Forwarded-For)
13) Select Add
14) Select OK
You should now see a rule that sets the Effective Client IP as the X-Forwarded-For header for all HTTP traffic
15) In a new or existing layer, select a rule you want to be triggered by the effective client IP, right click, and select Set
16) Select New
17) Select Client IP Address/Subnet
18) On the following menu, type in the effective client IP you want
19) Select 'Look up effective client IP (if configured)'
20) Click Add
Use this object as the Source for your rule, and adjust other rules as necessary
21) Install Policy
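To make the resulting behaviour concrete, here is an added Python model of the two objects configured above (example code written for this article, not Symantec's implementation or generated CPL): the Set Effective Client IP rule that reads $(request.header.X-Forwarded-For), and a Client IP Address/Subnet source object evaluated with or without 'Look up effective client IP (if configured)'. It assumes a constructed NAT-device address of 10.0.0.5, takes the leftmost X-Forwarded-For entry as the original client, and adds one check the VPM rule on its own does not make: the header is only honoured when the connection actually comes from the NAT device.

```python
from ipaddress import ip_address, ip_network

# Constructed for this example: the address of the child proxy / load balancer
# that performs NAT and inserts X-Forwarded-For. Replace with your own device(s).
TRUSTED_XFF_SOURCES = [ip_network("10.0.0.5/32")]


def effective_client_ip(conn_ip, headers, trusted=TRUSTED_XFF_SOURCES):
    """Model of the rule 'Set Effective Client IP = $(request.header.X-Forwarded-For)'.

    Returns the original client address from X-Forwarded-For when the header is
    present and the TCP connection comes from a trusted NAT device; otherwise the
    connection's own source address (which is what you get for SSL traffic the
    device could not modify). The trusted-source check is an addition here: the
    VPM rule on the page applies to all HTTP traffic, so without it any client
    could set its own X-Forwarded-For and choose the IP that policy sees.
    """
    src = ip_address(conn_ip)
    xff = headers.get("X-Forwarded-For")
    if xff and any(src in net for net in trusted):
        # The header may carry a comma-separated chain; this model treats the
        # leftmost entry as the original client (an assumption, not page-stated).
        first = xff.split(",")[0].strip()
        try:
            return str(ip_address(first))
        except ValueError:
            pass  # malformed value: fall back to the connection address
    return conn_ip


def rule_matches(conn_ip, headers, rule_subnet, use_effective_ip):
    """Client IP Address/Subnet source object; use_effective_ip models the
    'Look up effective client IP (if configured)' checkbox."""
    ip = effective_client_ip(conn_ip, headers) if use_effective_ip else conn_ip
    return ip_address(ip) in ip_network(rule_subnet)


if __name__ == "__main__":
    # Constructed sample requests as seen by the proxy behind the NAT device.
    http_req = ("10.0.0.5", {"X-Forwarded-For": "192.168.5.20"})
    ssl_req = ("10.0.0.5", {})                      # no header inserted on SSL
    spoof_req = ("172.16.1.1", {"X-Forwarded-For": "192.168.5.20"})
    for conn, hdrs in (http_req, ssl_req, spoof_req):
        print(conn, hdrs, "->", effective_client_ip(conn, hdrs),
              "matches 192.168.5.0/24:", rule_matches(conn, hdrs, "192.168.5.0/24", True))
```

With the effective-IP lookup unticked, the same rule matches on the NAT device's address instead, which is why the source object in step 19 must have the lookup enabled.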