RFC1918 address shown as WSS agent egress IP
Article ID: 220206

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

The WSS service is accessed by users running the WSS agent (although the issue is visible with all access methods).

Some (not all) users report issues with their reported egress IP addresses.

Web servers accessed via WSS receive XFF (X-Forwarded-For) headers containing RFC1918 IP addresses instead of the user's public egress IP address.

WSS HTTP logs and forensic logs also report the user IP address as an RFC1918 IP address.

Only a subset of requests from the same user seems to be logged with the RFC1918 IP address.
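
To confirm these symptoms in your own data, the following added example (not Broadcom code) counts RFC1918 versus other client IPs per user and checks an X-Forwarded-For value. The log line layout `date time user client-ip host` and all sample lines are assumptions constructed for illustration; adapt the field positions to your exported log format.

```python
import ipaddress
from collections import defaultdict

# RFC 1918 ranges only; ipaddress.is_private would also match other reserved ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(value):
    """True if value parses as an IPv4 address inside an RFC 1918 range."""
    try:
        addr = ipaddress.ip_address(value.strip())
    except ValueError:
        return False
    return addr.version == 4 and any(addr in net for net in RFC1918)

def xff_has_rfc1918(header):
    """True if any entry of a comma-separated X-Forwarded-For value is RFC 1918."""
    return any(is_rfc1918(entry) for entry in header.split(","))

def summarize(lines):
    """Per-user counts of RFC 1918 vs. other client IPs.
    Assumed (hypothetical) layout: date time user client-ip host"""
    counts = defaultdict(lambda: {"rfc1918": 0, "other": 0})
    for line in lines:
        parts = line.split()
        if len(parts) < 5 or line.startswith("#"):
            continue  # skip comment/header lines and short records
        user, client_ip = parts[2], parts[3]
        counts[user]["rfc1918" if is_rfc1918(client_ip) else "other"] += 1
    return dict(counts)

def mixed_users(counts):
    """Users logged with both kinds of address (the 'subset of requests' symptom)."""
    return sorted(u for u, c in counts.items() if c["rfc1918"] and c["other"])

# Constructed sample lines; public IPs come from documentation ranges.
SAMPLE = [
    "2021-07-01 10:00:01 alice 203.0.113.10 www.example.com",
    "2021-07-01 10:00:05 alice 10.20.30.40 bank.example.com",
    "2021-07-01 10:00:09 bob 198.51.100.7 www.example.com",
    "2021-07-01 10:00:12 alice 203.0.113.10 news.example.com",
    "2021-07-01 10:00:15 carol 172.32.0.1 www.example.com",  # just outside 172.16.0.0/12
]

if __name__ == "__main__":
    result = summarize(SAMPLE)
    for user in mixed_users(result):
        print(user, result[user])
```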

Environment

All access methods

 

Cause

Policy execution triggers an update of the customer egress IP address to an internal WSS IP address.

A code change is needed to address this.

Resolution

WSS was patched with a fix for this issue on July 6-9, 2021. The issue is no longer visible after these dates.

Additional Information

Whenever traffic is tunneled on the WSS proxy (true for financial websites, as an example), the traffic ends up with a WSS NAT'd IP address when policy has finished executing.
The evaluated policy resets the connection parameters (including the user's real IP address, among others), causing us to include the RFC1918 NAT'd IP address.
The solution does not clear the "real" IP address under the above conditions when evaluating a policy.