https://community.checkpoint.com/t5/Firewall-and-Security-Management/header-to-identify-inbound-original-ip-after-nat-hide-nat/m-p/65247#M12366 If you're doing this with NAT, no.<BR />I believe you can achieve this with MAB Reverse Proxy.<BR />See: <A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk110348" target="_blank">https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk110348</A><BR /><BR />However that SK says it doesn't add XFF.<BR />However, you can add it by editing the reverse proxy conf file<BR />$CVPNDIR/conf/ReverseProxy_conf/httpd_common.conf<BR />Add the line -<BR />CvpnAddHeader "X-Forwarded-For" "$CLIENTIP" – to the end of the file.<BR />Save changes and run ReverseProxyCLI apply config<BR /> Thu, 17 Oct 2019 23:37:56 GMT PhoneBoy 2019-10-17T23:37:56Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/header-to-identify-inbound-original-ip-after-nat-hide-nat/m-p/65049#M12365 <P>Hi,&nbsp;</P><P>below is the scenario</P><P>Internet -- &gt; Checkpoint Firewall (any internet Nat'd to firewall external interface ip hide nat) ---- &gt; Load balancer -- &gt; backend server</P><P>Need to identify the inbound public ip post performing Nat in checkpoint firewall for analysis.</P><P>Is there a way to see this original inbound public ip in packet captures with different header name like xff etc....</P><P>thanks&nbsp;</P><P>BSB</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 16 Oct 2019 02:55:45 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/header-to-identify-inbound-original-ip-after-nat-hide-nat/m-p/65049#M12365 bsb 2019-10-16T02:55:45Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/header-to-identify-inbound-original-ip-after-nat-hide-nat/m-p/65247#M12366 If you're doing this with NAT, no.<BR />I believe you can achieve this with MAB Reverse Proxy.<BR />See: <A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk110348" target="_blank">https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk110348</A><BR /><BR />However that SK says it doesn't add XFF.<BR />However, you can add it by editing the reverse proxy conf file<BR />$CVPNDIR/conf/ReverseProxy_conf/httpd_common.conf<BR />Add the line -<BR />CvpnAddHeader "X-Forwarded-For" "$CLIENTIP" – to the end of the file.<BR />Save changes and run ReverseProxyCLI apply config<BR /> Thu, 17 Oct 2019 23:37:56 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/header-to-identify-inbound-original-ip-after-nat-hide-nat/m-p/65247#M12366 PhoneBoy 2019-10-17T23:37:56Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/header-to-identify-inbound-original-ip-after-nat-hide-nat/m-p/65363#M12367 <P>Hi,&nbsp;</P><P>This is for inbound connection.</P><P>below is the scenario.</P><P>&nbsp;</P><P>1. ISP --- &gt; inbound traffic -- &gt; FW (incoming interface 1 and exit interface 2) --- &gt; Load balancer --- &gt; backend servers.</P><P>2. Same ISP -- &gt; inbound traffic -- &gt; FW (same firewall - incoming interface 1 and exit interface 5 ) -- &gt; Load balancer(same LB) -- &gt; backend servers.</P><P>&nbsp;</P><P>problem is already we have a default route pointing towards firewall interface 2 from load balancer.</P><P>having one more default towards different different interface is not feasible.<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="scenario.png" style="width: 200px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/2780iD38B20B4BE0DFFE2/image-size/small?v=v2&amp;px=200" role="button" title="scenario.png" alt="scenario.png" /></span></P><P>hence inbound public ip is natted, nat ip reaches LB, where LB has the comfort of routing nat'd ip towards different interface.</P> Sat, 19 Oct 2019 03:11:16 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/header-to-identify-inbound-original-ip-after-nat-hide-nat/m-p/65363#M12367 bsb 2019-10-19T03:11:16Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/header-to-identify-inbound-original-ip-after-nat-hide-nat/m-p/65367#M12368 MAB Reverse Proxy will proxy the connection, originating it from the Security Gateway so NAT will not be required.<BR />It can also add the XFF header, assuming you configure it as described.<BR />Check Point does not provide a mechanism to add an XFF header when using NAT alone. Sat, 19 Oct 2019 12:32:04 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/header-to-identify-inbound-original-ip-after-nat-hide-nat/m-p/65367#M12368 PhoneBoy 2019-10-19T12:32:04Z