Use an anonymous IP in the X-Forwarded-For (XFF) Header Field
Article ID: 176177

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

To maintain privacy, can I use an anonymized IP address in the X-Forwarded-For (XFF) header field?


Two options are available under Policy > Header Modification > Global Rules:

  • "Original Source IP": sends the client's IPv4 address
  • "Anonymize IP": sends an IPv6 address (an IPv6 address in the XFF header may cause authentication failures with some sites; see below)

Resolution

The anonymized IP is an IPv6 address that consists of a randomized version of the tenant ID, the source IP, and the hour. The anonymized IP stays the same for that hour and then changes every hour on the hour. When the "Anonymize IP" option is selected, the IP address sent in the XFF header is an anonymous IPv6 address, regardless of whether the original source IP address is IPv4 or IPv6.

The default option set in the Cloud SWG (formerly known as WSS) portal is to use the original source IP.

To use anonymous IPs in the XFF header:

  1. Log into the Cloud SWG portal
  2. Select Policy > Header Modification
  3. Click on Global rules and select Anonymize IP
  4. Click Activate policy

 

Additional Information

Note: Some sites cannot handle an IPv6 address in the X-Forwarded-For header.

If a site returns an HTTP error such as 403 Forbidden or 400 Bad Request, either of the following options addresses the issue:

    • Switch back from Anonymize IP to Original Source IP under Policy > Header Modification > Global Rules, or
    • Exempt the domain from SSL Interception. See Exempt traffic from SSL Interception.
      When the domain is exempted from SSL interception, the proxy does not intercept the traffic and does not insert the X-Forwarded-For header.
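The 400/403 responses described above typically come from server-side code that validates X-Forwarded-For as dotted-quad IPv4 only. The following is an added example, not part of this article or of Cloud SWG, showing that brittle pattern beside a parser that accepts the IPv6 value the "Anonymize IP" option inserts; the header values are constructed samples, and the specific IPv6 address is made up, not Cloud SWG's real anonymization format.

```python
import ipaddress
from typing import Optional, Union

# Constructed sample header values (not from the article). The first is the
# "Original Source IP" case; the second stands in for the hourly-rotating
# IPv6 address inserted by "Anonymize IP". The trailing hop is an internal proxy.
SAMPLE_XFF_IPV4 = "203.0.113.7, 10.0.0.5"
SAMPLE_XFF_IPV6 = "2001:db8:abcd:1234::5e1f, 10.0.0.5"


def client_ip_ipv4_only(xff: str) -> Optional[str]:
    """The brittle pattern behind a 400/403: accepts only dotted-quad IPv4.
    Returns None where a real site would send the error response."""
    first = xff.split(",")[0].strip()
    parts = first.split(".")
    if len(parts) != 4 or not all(p.isdigit() and 0 <= int(p) <= 255 for p in parts):
        return None
    return first


def client_ip(xff: str) -> Union[ipaddress.IPv4Address, ipaddress.IPv6Address]:
    """Hardened: accept IPv4 or IPv6, tolerate "[v6]:port" and "v4:port" forms.
    Uses the leftmost hop; XFF is client-supplied, so only trust this value
    when the request arrived through a proxy you control."""
    first = xff.split(",")[0].strip()
    if first.startswith("["):            # "[2001:db8::1]:443"
        first = first[1:first.index("]")]
    elif first.count(":") == 1:          # "203.0.113.7:443" (IPv6 has >= 2 colons)
        first = first.split(":")[0]
    return ipaddress.ip_address(first)   # raises ValueError on garbage


def xff_summary(xff: str) -> dict:
    """Classify each hop so an operator can confirm whether IPv6 entries appear."""
    summary = {"ipv4": 0, "ipv6": 0, "invalid": 0}
    for hop in xff.split(","):
        try:
            addr = ipaddress.ip_address(hop.strip())
        except ValueError:
            summary["invalid"] += 1
            continue
        summary["ipv4" if addr.version == 4 else "ipv6"] += 1
    return summary
```

Running `xff_summary` over a site's access-log XFF values is a quick way to confirm that the anonymized IPv6 addresses, not something else, are what the IPv4-only check rejects.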

Documentation: Anonymize Source IP Addresses in the XFF Header

"Anonymizing the XFF header...is an IPv6 address and is changed every hour."

 

Similar problem (failure due to IPv6 address in the XFF header): 
https://knowledge.broadcom.com/external/article?articleId=264580