This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Vladimir
Champion
Champion
‎2017-10-04 09:26 AM

X-Forwarded Headers for Logical Server in vSEC for AWS

I am interested to know if there is a way to enable vSEC to apply the X-Forwarded Headers to traffic destined for Logical Server objects and, subsequently, to ELB, so that the target servers could identify the origin IP of the client.

Otherwise, servers identify ELBs as origins for all sessions.

Thank you,

Vladimir

6 Replies
Haichao_Xie
Employee Alumnus
Employee Alumnus
‎2019-01-17 11:40 PM

I have the same question.

0 Kudos
PhoneBoy
Admin
Admin
‎2019-01-18 02:39 PM

This is discussed in this SK: CloudGuard Auto Scaling for AWS:

The connections arriving at the Security Gateways have a source IP address belonging to the proxy ELB rather than the web client.
Because the ELB is acting as a TCP proxy and not as an HTTP proxy, no "X-Forwarded-For" HTTP header is present to identify and log the original client.
Instead, the ELB is set up by the CloudFormation Template to add a Proxy Protocol header.
This allows the Security Gateways to log the original client address.

My guess is if you set up the ELB correctly, it should add the appropriate header (thus we can use it). 

0 Kudos
Vladimir
Champion
Champion
‎2019-01-18 03:18 PM
In response to PhoneBoy

What I am reading in the section you are quoting is that there is a way to set it up, but it is alluding to a CloudFormation template.

Is there a breakdown of the configuration used by said template that will allow us to replicate same in the ELBs or a template for the ELB on its own with the proxy protocol header function added?

0 Kudos
PhoneBoy
Admin
Admin
‎2019-01-18 03:27 PM
In response to Vladimir

When in doubt, read the CloudFormation Script, which is just JSON.

Guessing this is the relevant bit:

"Policies": [
{
"PolicyName": "EnableProxyProtocol",
"PolicyType": "ProxyProtocolPolicyType",
"Attributes": [
{
"Name": "ProxyProtocol",
"Value": "true"
}
],
"InstancePorts": [
{
"Ref": "ELBPort"
}
]
}
],
0 Kudos
Vladimir
Champion
Champion
‎2019-01-19 06:31 AM
In response to PhoneBoy

Thanks!

Got to try it some times soon.

Yonatan_Philip
Employee Alumnus
Employee Alumnus
‎2019-06-28 11:25 AM
In response to Vladimir

Hi,

 

XFF support is currently in the pipeline - my best guess is that it will probably be added in a future R80.30 JHF or possibly in R80.40.

Not sure exactly when, but it's coming.

 

Regards,

Yonatan

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
UPCOMING CLOUDMATES EVENTS
    All CloudMates Events