Enterprise internet set ups incorporate systems like Proxy Servers.
Such systems help cache internet data and eventually save a lot of internet bandwidth and cost.
What do proxy servers additionally do?
a. Source NAT (SNAT) client IPs and source internet traffic from itself.
Here you are hiding/masking client IP address. Such mechanism prevents client IP addresses from being spoofed.
To sum this up, when IP packet passes through a proxy server, source IP field of the IP packet is modified and source is changed to be IP address of proxy server.
b. Along with this, the proxy server will add “x-forwarded-for” in the http GET request from the client and client IP address to this field.
So the original client IP information is retained in the IP packet using x-forwarded-for field.
Picture this now, your internet destined traffic coming out of the proxy server now flows through Palo Alto firewall deployed in transparent mode.
And the traffic flow is something like this
Client system – Proxy Server – Palo Alto firewall (transparent mode) – Internet Router – Internet Cloud.
And the return traffic will be
Internet Cloud – Internet router – Palo Alto firewall (transparent mode) – Proxy server – Client system
Now with a proper Security Incident & Event Management (SIEM) solution in place, traffic flowing through Palo Alto firewalls could now be logged.
And the x-forwarded-for option will reveal the actual client IP on the logging system.
The x forwarded for feature on Palo Alto is covererd here: