How to granularly append X-Forwarded-For header based on source, destination or service objects.


Article ID: 184883


Updated On:


Advanced Secure Gateway Software - ASG
ProxySG Software - SGOS


You need to control the X-Forwarded-For (XFF) header granularly, based on source, destination or service objects, rather than enabling the global XFF setting.

Note: SSL Interception/Decryption of traffic is required to perform the discussed functions.



The following is an example of how to append an XFF header that includes the original client IP. In the example below, the proxy appends the header only if the original source IP matches. All other traffic is forwarded without the XFF header being appended. The main takeaway from the article is the "Action Object", in which we add the header and append the $(client.address) substitution variable.
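The rule described above, written as CPL rather than as the VPM objects the article refers to. This is an added example, not policy taken from the article: the source range 192.0.2.0/24 is a constructed placeholder and the action name AppendXFF is hypothetical.

```cpl
; Added example: constructed policy, not taken from the article.
; 192.0.2.0/24 is a placeholder documentation range; replace it with
; the client source the rule should match.
; "AppendXFF" is a hypothetical action name.

<Proxy>
    ; Only requests whose client IP falls in the matching source
    ; trigger the action. Requests that match no rule in this layer
    ; are forwarded without this policy adding the header.
    client.address=192.0.2.0/24 action.AppendXFF(yes)

define action AppendXFF
    ; Append the original client IP to the X-Forwarded-For request
    ; header using the $(client.address) substitution variable.
    append(request.x_header.X-Forwarded-For, "$(client.address)")
end action AppendXFF
```

To scope the header by destination instead of source, attach the same action to a rule that uses a destination condition such as `url.domain=` in place of `client.address=`.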





NOTE: Best practice is to remove this header from the packet before it leaves the network (through the firewall, etc.).