https://community.checkpoint.com/t5/Cloud-Firewall/X-Forwarded-Headers-for-Logical-Server-in-vSEC-for-AWS/m-p/7119#M3965 <HTML><HEAD></HEAD><BODY><P>I have the same question.<IMG src="https://community.checkpoint.com/legacyfs/online/checkpoint/emoticons/grin.png" /></P></BODY></HTML> Fri, 18 Jan 2019 07:40:41 GMT Haichao_Xie 2019-01-18T07:40:41Z https://community.checkpoint.com/t5/Cloud-Firewall/X-Forwarded-Headers-for-Logical-Server-in-vSEC-for-AWS/m-p/7118#M3964 <HTML><HEAD></HEAD><BODY><P>I am interested to know if there is a way to enable vSEC to apply the&nbsp;X-Forwarded Headers to traffic destined for Logical Server objects and, subsequently, to ELB, so that the target servers could identify the origin IP of the client.</P><P></P><P>Otherwise, servers identify ELBs as origins for all sessions.</P><P></P><P>Thank you,</P><P>Vladimir</P></BODY></HTML> Wed, 04 Oct 2017 16:26:15 GMT https://community.checkpoint.com/t5/Cloud-Firewall/X-Forwarded-Headers-for-Logical-Server-in-vSEC-for-AWS/m-p/7118#M3964 Vladimir 2017-10-04T16:26:15Z https://community.checkpoint.com/t5/Cloud-Firewall/X-Forwarded-Headers-for-Logical-Server-in-vSEC-for-AWS/m-p/7119#M3965 <HTML><HEAD></HEAD><BODY><P>I have the same question.<IMG src="https://community.checkpoint.com/legacyfs/online/checkpoint/emoticons/grin.png" /></P></BODY></HTML> Fri, 18 Jan 2019 07:40:41 GMT https://community.checkpoint.com/t5/Cloud-Firewall/X-Forwarded-Headers-for-Logical-Server-in-vSEC-for-AWS/m-p/7119#M3965 Haichao_Xie 2019-01-18T07:40:41Z https://community.checkpoint.com/t5/Cloud-Firewall/X-Forwarded-Headers-for-Logical-Server-in-vSEC-for-AWS/m-p/7120#M3966 <HTML><HEAD></HEAD><BODY><P>This is discussed in this SK:&nbsp;<A class="link-titled" href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk112575" title="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk112575">CloudGuard Auto Scaling for AWS</A>:</P><P></P><BLOCKQUOTE class="jive_macro_quote jive-quote jive_text_macro"><P><SPAN style="color: #000000; background-color: #ffffff; font-size: 14px;">The connections arriving at the Security Gateways have a source IP address belonging to the proxy ELB rather than the web client.</SPAN><BR style="color: #000000; background-color: #ffffff; font-size: 14px;" /><SPAN style="color: #000000; background-color: #ffffff; font-size: 14px;">Because the ELB is acting as a TCP proxy and not as an HTTP proxy, no "X-Forwarded-For" HTTP header is present to identify and log the original client.</SPAN><BR style="color: #000000; background-color: #ffffff; font-size: 14px;" /><SPAN style="color: #000000; background-color: #ffffff; font-size: 14px;">Instead, the ELB is set up by the CloudFormation Template to add a Proxy Protocol header.</SPAN><BR style="color: #000000; background-color: #ffffff; font-size: 14px;" /><SPAN style="color: #000000; background-color: #ffffff; font-size: 14px;">This allows the Security Gateways to log the original client address.</SPAN></P></BLOCKQUOTE><P></P><P>My guess is if you set up the ELB correctly, it should add the appropriate header (thus we can use it).&nbsp;</P></BODY></HTML> Fri, 18 Jan 2019 22:39:02 GMT https://community.checkpoint.com/t5/Cloud-Firewall/X-Forwarded-Headers-for-Logical-Server-in-vSEC-for-AWS/m-p/7120#M3966 PhoneBoy 2019-01-18T22:39:02Z https://community.checkpoint.com/t5/Cloud-Firewall/X-Forwarded-Headers-for-Logical-Server-in-vSEC-for-AWS/m-p/7121#M3967 <HTML><HEAD></HEAD><BODY><P>What I am reading in the section you are quoting is that there is a way to set it up, but it is alluding to a CloudFormation template.</P><P>Is there a breakdown of the configuration used by said template that will allow us to replicate same in the ELBs or a template for the ELB on its own with the proxy protocol header function added?</P></BODY></HTML> Fri, 18 Jan 2019 23:18:28 GMT https://community.checkpoint.com/t5/Cloud-Firewall/X-Forwarded-Headers-for-Logical-Server-in-vSEC-for-AWS/m-p/7121#M3967 Vladimir 2019-01-18T23:18:28Z https://community.checkpoint.com/t5/Cloud-Firewall/X-Forwarded-Headers-for-Logical-Server-in-vSEC-for-AWS/m-p/7122#M3968 <HTML><HEAD></HEAD><BODY><P>When in doubt, <A href="https://s3.amazonaws.com/CloudFormationTemplate/autoscale.json">read the CloudFormation Script</A>, which is just JSON.</P><P>Guessing this is the relevant bit:</P><P></P><BLOCKQUOTE class="jive_macro_quote jive-quote jive_text_macro"><P></P>"Policies": [<BR /> {<BR /> "PolicyName": "EnableProxyProtocol",<BR /> "PolicyType": "ProxyProtocolPolicyType",<BR /> "Attributes": [<BR /> {<BR /> "Name": "ProxyProtocol",<BR /> "Value": "true"<BR /> }<BR /> ],<BR /> "InstancePorts": [<BR /> {<BR /> "Ref": "ELBPort"<BR /> }<BR /> ]<BR /> }<BR /> ],</BLOCKQUOTE></BODY></HTML> Fri, 18 Jan 2019 23:27:36 GMT https://community.checkpoint.com/t5/Cloud-Firewall/X-Forwarded-Headers-for-Logical-Server-in-vSEC-for-AWS/m-p/7122#M3968 PhoneBoy 2019-01-18T23:27:36Z https://community.checkpoint.com/t5/Cloud-Firewall/X-Forwarded-Headers-for-Logical-Server-in-vSEC-for-AWS/m-p/7123#M3969 <HTML><HEAD></HEAD><BODY><P>Thanks!</P><P>Got to try it some times soon.</P></BODY></HTML> Sat, 19 Jan 2019 14:31:04 GMT https://community.checkpoint.com/t5/Cloud-Firewall/X-Forwarded-Headers-for-Logical-Server-in-vSEC-for-AWS/m-p/7123#M3969 Vladimir 2019-01-19T14:31:04Z https://community.checkpoint.com/t5/Cloud-Firewall/X-Forwarded-Headers-for-Logical-Server-in-vSEC-for-AWS/m-p/56980#M3971 <P>Hi,</P> <P>&nbsp;</P> <P>XFF support is currently in the pipeline - my best guess is that it will probably be added in a future R80.30 JHF or possibly in R80.40.</P> <P>Not sure exactly when, but it's coming.</P> <P>&nbsp;</P> <P>Regards,</P> <P>Yonatan</P> Fri, 28 Jun 2019 18:25:02 GMT https://community.checkpoint.com/t5/Cloud-Firewall/X-Forwarded-Headers-for-Logical-Server-in-vSEC-for-AWS/m-p/56980#M3971 Yonatan_Philip 2019-06-28T18:25:02Z