Enable WAF and IP reputation behind NAT

Rafael Sanchez Torres


Hello there, 


I'm in the process of enabling WAF and IP reputation on an ADC, but the appliance is behind a Palo Alto NAT, so the appliance receives the source private IP from the PA, and obviously for IP reputation and WAF that is not the best scenario. I was thinking of something like enabling x-forwarded-for on the PA, but I don't know if this is possible or if there are other options. Any ideas?


Hope you guys can help me. Regards.

2 answers to this question


Header insertion by the proxy is the best way to do this.


For AppFw, configure the logging header with the header name to use to extract the actual client IP for insertion into AppFw logs. Under AppFw Engine Settings: Security > Application Firewall. Right pane: Global Engine Settings. Look for and configure the logging header.


For IPREP filters, instead of using a client.ip.src.iprep_is_malicious expression, use http.req.header("x-forwarded-for").typecast_ip_address_at.iprep_is_malicious




You are right, it's not a perfect implementation.

Having a Citrix ADC behind a NAT firewall is a usual thing, but having this firewall also NAT the source address is unusual. Usually you will see something like this:

outside: ->

inside: ->


If your Palo Alto is able to add a header (I don't see how this could be possible in an SSL connection), you could use the IP reputation feature by doing something like HTTP.REQ.HEADER("X-Forwarded-For").VALUE("ip").TYPECAST_IP_ADDRESS_AT.IPREP_IS_MALICIOUS




Johannes Norz



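Added example, not from either answer above: the same "take the client IP from X-Forwarded-For and check it against reputation" logic that both answers express as an ADC policy expression, written out in Python so the caveat is visible. The header is only consulted when the TCP peer is the NAT device itself, and the chain is walked from the right so that a value the client prepended before the proxy appended its own is ignored. The NAT's inside address and the reputation set are constructed placeholders, and the code generalizes to multi-hop proxy chains.

```python
import ipaddress
from typing import Optional, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed values: the Palo Alto's inside (post-NAT) address as the ADC sees it,
# and a tiny stand-in for a vendor IP reputation feed.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.1")}
MALICIOUS_IPS = {ipaddress.ip_address("203.0.113.7")}


def real_client_ip(peer_ip: str, xff: Optional[str]) -> Optional[IPAddr]:
    """Return the address to feed into reputation checks and WAF logs.

    Only trust X-Forwarded-For when the connection actually came from a trusted
    proxy; otherwise the header is client-controlled and the peer IP is the truth.
    Walk the chain right-to-left, skipping trusted proxies; the first untrusted
    hop is the real client (the proxy appended it, the client cannot change it).
    """
    peer = ipaddress.ip_address(peer_ip)
    if peer not in TRUSTED_PROXIES:
        return peer
    if not xff:
        return None  # the proxy should have inserted it; treat as unknown, do not guess
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed hop: fail closed rather than fall back to the NAT IP
        if addr not in TRUSTED_PROXIES:
            return addr
    return None  # every hop was one of our own proxies


def is_malicious(peer_ip: str, xff: Optional[str]) -> bool:
    """Equivalent of ...TYPECAST_IP_ADDRESS_AT.IPREP_IS_MALICIOUS on the extracted IP."""
    addr = real_client_ip(peer_ip, xff)
    return addr is not None and addr in MALICIOUS_IPS
```

An unknown result (None) is worth alerting on in practice: it means the NAT device stopped inserting the header, which silently blinds both the reputation filter and the AppFw logs.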