Vladimir
Pearl

X-Forwarded Headers for Logical Server in vSEC for AWS

I am interested to know if there is a way to enable vSEC to apply the X-Forwarded Headers to traffic destined for Logical Server objects and, subsequently, to ELB, so that the target servers could identify the origin IP of the client.

Otherwise, servers identify ELBs as origins for all sessions.

Thank you,

Vladimir

6 Replies
Employee

Re: X-Forwarded Headers for Logical Server in vSEC for AWS

I have the same question.

0 Kudos
Admin

Re: X-Forwarded Headers for Logical Server in vSEC for AWS

This is discussed in this SK: CloudGuard Auto Scaling for AWS:

The connections arriving at the Security Gateways have a source IP address belonging to the proxy ELB rather than the web client.
Because the ELB is acting as a TCP proxy and not as an HTTP proxy, no "X-Forwarded-For" HTTP header is present to identify and log the original client.
Instead, the ELB is set up by the CloudFormation Template to add a Proxy Protocol header.
This allows the Security Gateways to log the original client address.

My guess is if you set up the ELB correctly, it should add the appropriate header (thus we can use it). 

0 Kudos
Vladimir
Pearl

Re: X-Forwarded Headers for Logical Server in vSEC for AWS

What I am reading in the section you are quoting is that there is a way to set it up, but it is alluding to a CloudFormation template.

Is there a breakdown of the configuration used by said template that will allow us to replicate same in the ELBs or a template for the ELB on its own with the proxy protocol header function added?

0 Kudos
Admin

Re: X-Forwarded Headers for Logical Server in vSEC for AWS

When in doubt, read the CloudFormation Script, which is just JSON.

Guessing this is the relevant bit:

    "Policies": [
        {
            "PolicyName": "EnableProxyProtocol",
            "PolicyType": "ProxyProtocolPolicyType",
            "Attributes": [
                {
                    "Name": "ProxyProtocol",
                    "Value": "true"
                }
            ],
            "InstancePorts": [
                {
                    "Ref": "ELBPort"
                }
            ]
        }
    ],

0 Kudos
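
What a backend receives once the policy above is active, as an added example that is not part of the thread or of Check Point's template: a Classic ELB prepends a Proxy Protocol version 1 text line to each TCP connection, and this sketch parses and validates it. The function name and the sample bytes are constructed for illustration; the header is only trustworthy on listeners that accept connections exclusively from the ELB, since any direct client could send its own.

```python
import ipaddress

MAX_V1_HEADER = 107  # longest legal v1 header line, CRLF included

# Constructed sample: the header line followed by the client's first bytes.
SAMPLE = (b"PROXY TCP4 198.51.100.22 203.0.113.7 35646 80\r\n"
          b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n")

def parse_proxy_v1(data: bytes):
    """Split a Proxy Protocol v1 header off the start of a TCP stream.

    Returns (info, payload); info is None for 'PROXY UNKNOWN'.
    Raises ValueError on malformed input so the caller can drop the connection.
    """
    if not data.startswith(b"PROXY "):
        raise ValueError("missing PROXY signature")
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if end == -1:
        raise ValueError("header not terminated within 107 bytes")
    try:
        fields = data[:end].decode("ascii").split(" ")
    except UnicodeDecodeError:
        raise ValueError("non-ASCII bytes in header")
    payload = data[end + 2:]
    if fields[1] == "UNKNOWN":
        return None, payload  # proxy could not determine the client address
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("unexpected field layout")
    if not (fields[4].isdigit() and fields[5].isdigit()):
        raise ValueError("non-numeric port")
    try:
        src = ipaddress.ip_address(fields[2])
        dst = ipaddress.ip_address(fields[3])
    except ValueError:
        raise ValueError("bad address")
    version = 4 if fields[1] == "TCP4" else 6
    if src.version != version or dst.version != version:
        raise ValueError("address family mismatch")
    sport, dport = int(fields[4]), int(fields[5])
    if sport > 65535 or dport > 65535:
        raise ValueError("port out of range")
    return {"client_ip": str(src), "client_port": sport,
            "dst_ip": str(dst), "dst_port": dport}, payload

if __name__ == "__main__":
    info, rest = parse_proxy_v1(SAMPLE)
    print(info, rest[:14])
```
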
Vladimir
Pearl

Re: X-Forwarded Headers for Logical Server in vSEC for AWS

Thanks!

Got to try it sometime soon.

Employee+

Re: X-Forwarded Headers for Logical Server in vSEC for AWS

Hi,

XFF support is currently in the pipeline - my best guess is that it will probably be added in a future R80.30 JHF or possibly in R80.40.

Not sure exactly when, but it's coming.

Regards,

Yonatan