How to granularly append X-Forwarded-For header based on source, destination or service objects.

Article ID: 184883

Products

Advanced Secure Gateway Software - ASG

ProxySG Software - SGOS

Issue/Introduction

You need to control the X-Forwarded-For (XFF) header granularly, based on source, destination or service objects, instead of enabling the global setting for XFF.

Note: SSL Interception/Decryption of traffic is required to perform the discussed functions.

Resolution

The following example shows how to append an XFF header that includes the original client IP. In this example, the proxy appends the header only if the original source IP matches 10.10.10.10; the XFF header is not appended to any other traffic. The main takeaway from the article is the "Action Object", in which we add the header and append the $(client.address) substitution variable.
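
The rule described above, written as CPL rather than built with policy objects. This is an added example, not taken from the original article: the action name AppendClientXFF is hypothetical, and addressing the header as request.x_header.X-Forwarded-For is an assumption.

```cpl
; Added example (not from the original article).
; Action object: append the client IP to the X-Forwarded-For request header.
; append() adds to a value already present in the header; it does not replace it.
; AppendClientXFF is a hypothetical action name.
define action AppendClientXFF
    append(request.x_header.X-Forwarded-For, "$(client.address)")
end

<Proxy>
    ; Only requests whose source IP is 10.10.10.10 trigger the action.
    ; No other rule references it, so all other traffic leaves without the header.
    client.address=10.10.10.10 action.AppendClientXFF(yes)
```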

NOTE: Best practice is to remove this header from the packet before it leaves the network, for example at the firewall.