Use an anonymous IP in the X-Forwarded-For (XFF) Header Field
search cancel

Use an anonymous IP in the X-Forwarded-For (XFF) Header Field

book

Article ID: 176177

calendar_today

Updated On:

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

To maintain privacy, use an anonymized IP in the X-Forwarded-For (XFF) field.

Environment

Cloud SWG (formerly known as WSS)

Resolution

The anonymized IP is an IPv6 address that consists of a randomized version of the tenant ID, source IP, and the hour. The anonymized IP will be consistent for that hour and then it will change every hour on the hour. When the "Anonymize IP" address option has been selected, the IP address sent in the XFF header will change to an anonymous IPv6 address, regardless of whether the source IP address is IPv4 or IPv6. 

The default option set in the Cloud SWG (formerly known as WSS) portal is to use the original source IP.

To use anonymous IPs in the XFF header:

  1. Log into the Cloud SWG portal
  2. Select Policy > Header Modification
  3. Click on Global rules and select Anonymize IP
  4. Click Activate policy

 

Additional Information

Note: Some sites might have a problem with the fact that the X-Forwarded-For has an IPv6 address.

If the site returns an HTTP error code such as 403 Forbidden or 400 Bad Request, The following options should be followed to help address the issue. 

    • Switchback from Anonymize IP to Original Source IP under Policy > Header Modification > Global Rules, or
    • Exempt the domain from SSL Interception. See Exempt traffic from SSL Interception.
      When you exempt the domain from SSL interception, the proxy will not intercept and insert the X-forwarded-For header.

Attachments

Powered by Wolken Software