How to Use the X-Forwarded-For Header from the CONNECT Request to Apply Policy to HTTPS Traffic
Last Updated November 09, 2018
Some networks have a network device, such as a child proxy or load balancer, that performs Network Address Translation (NAT) on traffic behind it, so the client IP seen by the ProxySG cannot be used for policy. In some configurations, the device adds an X-Forwarded-For HTTP header that contains the original client IP, but because the device does not decrypt SSL traffic it cannot insert the X-Forwarded-For header into the individual HTTPS requests; for HTTPS, the header is present only on the HTTP CONNECT request. This makes it difficult to apply policy based solely on the X-Forwarded-For header.
Network device such as a load balancer or child proxy NATs the client IP address of HTTP/HTTPS traffic
Network device inserts original client IP address into the X-Forwarded-For header of HTTP transactions
Network device initiates HTTP CONNECT request to ProxySG
The solution is to use the Effective Client IP object.
Open the Visual Policy Manager (Management Console > Configuration > Policy > Visual Policy Manager > Launch). From the Visual Policy Manager (VPM):
1) Create a Web Access Layer and move it before the other Web Layers you want to apply policy to. Create a new rule, right-click Service, and select Set.
2) Select New.
3) Select Client Protocol.
4) Select HTTP from the top drop-down menu.
5) Select All HTTP from the bottom drop-down menu.
6) Select OK.
7) You should now be back in the first pop-up menu and see a new object called 'All HTTP'. Select it.
8) Select OK. You should now have All HTTP as the Service for this rule.
9) Right-click Action, and select Set.
10) On the menu that pops up, select New.
11) Select 'Set Effective Client IP'.
12) From the drop-down on the following pop-up, select $(request.header.X-Forwarded-For).
13) Select Add.
14) Select OK.
You should now see a rule that sets the Effective Client IP to the value of the X-Forwarded-For header for all HTTP traffic, which includes the CONNECT request that carries each HTTPS session.
15) In a new or existing layer, select a rule you want to be triggered by the effective client IP, right-click, and select Set.
16) Select New.
17) Select Client IP Address/Subnet.
18) On the following menu, type in the effective client IP (or subnet) you want.
19) Select 'Look up effective client IP (if configured)'.
20) Click Add.
Use this object as the Source for your rule, and adjust other rules as necessary.
21) Install Policy.
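The Python script below is an added example, not ProxySG code or CPL from this article. It models what the two VPM rules above do for an HTTPS session: parse the CONNECT request the NAT device sends, take the client address from X-Forwarded-For, and then evaluate an ordered list of Client IP Address/Subnet rules against that effective address. It adds one check a practitioner will want when building this policy: the header is honoured only when the TCP peer is one of the known NAT devices (the constructed set TRUSTED_NAT_DEVICES), since any client can send an X-Forwarded-For header of its own; from other peers the peer address is used. The sample request, the device and rule addresses, and the choice of the right-most X-Forwarded-For entry (the one appended by the nearest hop) are all assumptions of this example.

```python
import ipaddress

# Constructed sample CONNECT request, as the NAT device (child proxy or
# load balancer) would send it to the upstream proxy on behalf of a client.
SAMPLE_CONNECT = (
    b"CONNECT example.com:443 HTTP/1.1\r\n"
    b"Host: example.com:443\r\n"
    b"X-Forwarded-For: 10.20.30.40\r\n"
    b"\r\n"
)

# Assumed (hypothetical) addresses of the devices that NAT traffic in front
# of the proxy. Only these TCP peers may assert a client IP via X-Forwarded-For.
TRUSTED_NAT_DEVICES = {ipaddress.ip_address("192.0.2.10")}

# Assumed policy, evaluated top down like ordered VPM rules: first match wins.
RULES = [
    (ipaddress.ip_network("10.20.30.0/24"), "deny"),
    (ipaddress.ip_network("10.0.0.0/8"), "allow"),
]
DEFAULT_ACTION = "allow"


def parse_request(raw: bytes) -> tuple[str, dict[str, str]]:
    """Split an HTTP request head into (request line, lower-cased header map)."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def effective_client_ip(peer_ip: str, headers: dict[str, str]):
    """Counterpart of the 'Set Effective Client IP' rule, with a trust check.

    The header is used only when the TCP peer is one of the NAT devices; from
    any other peer it is ignored and the peer address itself is returned.
    """
    peer = ipaddress.ip_address(peer_ip)
    xff = headers.get("x-forwarded-for", "")
    if peer not in TRUSTED_NAT_DEVICES or not xff:
        return peer
    # X-Forwarded-For is comma separated; the right-most entry is the one
    # appended by the nearest (trusted) hop. Entries further left may have
    # been supplied by the client, so they are not trusted here.
    candidate = xff.split(",")[-1].strip()
    try:
        return ipaddress.ip_address(candidate)
    except ValueError:
        # Malformed value: fall back to the peer rather than guessing.
        return peer


def evaluate(raw_request: bytes, peer_ip: str) -> tuple[str, str]:
    """Return (effective client IP, action) for one CONNECT request."""
    request_line, headers = parse_request(raw_request)
    if not request_line.startswith("CONNECT "):
        raise ValueError("expected a CONNECT request")
    client = effective_client_ip(peer_ip, headers)
    # Counterpart of Client IP Address/Subnet rules with 'Look up effective
    # client IP' enabled: match on the effective address, not the TCP peer.
    for network, action in RULES:
        if client in network:
            return str(client), action
    return str(client), DEFAULT_ACTION


if __name__ == "__main__":
    print(evaluate(SAMPLE_CONNECT, "192.0.2.10"))   # trusted peer: header used
    print(evaluate(SAMPLE_CONNECT, "198.51.100.5"))  # untrusted peer: peer IP used
```

Run with the sample request and the trusted peer address and the deny rule fires on 10.20.30.40, the address the NAT device placed in the header; from an untrusted peer the same request is judged on the peer address instead. The trust check has no direct equivalent in the two VPM rules above, so on a ProxySG the same effect is obtained by restricting the Set Effective Client IP rule (for example, by Source) to the NAT devices that are known to add the header.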