You receive the error "Late Condition Guards Early Action" when you attempt to install policy that contains the client.effective_address condition. This error means that the policy contains a condition that does not exist before the required action needs to be taken.
Note: This issue can occur using other conditions and actions, but this article focuses on client.effective_address.
The ProxySG appliance dynamically takes the X-Forwarded-For (XFF) header value and set it as the client.effective_address. You could then use the client.effective_address to control the traffic. This is useful in environments such as load balancing to multiple appliances where the load balancer sets the original client IP address as the XFF header, and all packets to the appliance show the load balancer for the client IP address.
Because the policy to move the XFF header into the client.effective_address requires evaluation, client.effect_address cannot be used as a condition for any action that occurs before ECP_CLIENT_EFFECTIVE_ADDRESS_READY.
The following is the complete list of actions before ECP_CLIENT_EFFECTIVE_ADDRESS_READY: