How to enable stripping of X-Forward-For (XFF) field
Solution

Table of Contents:

  • Why to use X-Forward-For (XFF)
  • Stripping the X-Forward-For (XFF) field
  • Troubleshooting
  • Related solutions

 


 

Note: Different vendors refer to this HTTP header field either as "X-Forwarded-For (XFF)", or as "X-Forward-For (XFF)". These names refer to the same HTTP header field and can be used interchangeably.

 

Why to use X-Forward-For (XFF)

For organizations that use a Proxy server to connect to the Internet, some security features, such as Anti-Virus and Anti-Bot, will generate alerts (logs) for the Proxy server's IP address instead of the true IP address of the host behind it. Therefore, it is recommended to configure the Proxy to include the XFF field, so that the XFF value is displayed in the log.

 

Stripping the X-Forward-For (XFF) field

You can configure the Security Gateway to strip the XFF field in outgoing traffic, so that internal IP addresses will not be seen in requests to the Internet.

  1. If Identity Awareness blade is enabled and also Application Control / URL Filtering / DLP blade is enabled, you can activate this feature in the SmartConsole.

    1. Open Security Gateway / Cluster object properties.

    2. Go to Identity Awareness -> Proxy pane.

    3. In the 'Proxy configuration for supported blades' section:

      1. Select the box 'Detect users located behind http proxy configured with X-Forwarded-For...'.

      2. Select the box 'Hide X-Forwarded-For in outgoing traffic'.

    4. Click on 'OK' to apply the changes.

    5. Save the changes and install policy onto Security Gateway / Cluster.



  2. If Identity Awareness blade is disabled, but Application Control / URL Filtering / DLP blade is enabled, then you can activate this feature in the GuiDBedit Tool.

    Important Note: If Identity Awareness blade is disabled, at least one of these Software Blades must inspect the connection in order for XFF stripping to work.

    1. Close all SmartConsole windows (SmartDashboard, SmartView Tracker, SmartView Monitor, etc.).

    2. Connect with GuiDBedit Tool to Security Management Server / Domain Management Server.

    3. In the upper left pane, go to 'Table' - 'Network Objects' - 'network_objects'.

    4. In the upper right pane, select the relevant Security Gateway / Cluster object.

    5. Press CTRL+F (or go to 'Search' menu - 'Find') - paste hide_xff_header - click on 'Find Next'.

    6. In the lower pane, right-click on the hide_xff_header - 'Edit...' - choose "true" - click on 'OK'.

    7. Save the changes: go to 'File' menu - click on 'Save All'.

    8. Close the GuiDBedit Tool.

    9. Connect with SmartConsole to Security Management Server / Domain Management Server.

    10. Install the policy onto the relevant Security Gateway / Cluster object.

 

Troubleshooting

It has been observed that XFF stripping may still not function, even if all the above steps are performed correctly, when the value of kernel parameter 'ws_remove_proxy_connection_header' is set to 0 (zero).

Follow these steps:

  1. Check the current value of 'ws_remove_proxy_connection_header':

    [Expert@HostName]# fw ctl get int ws_remove_proxy_connection_header
  2. If this command returns 'ws_remove_proxy_connection_header = 0', then permanently set the value of this kernel parameter to 1 (one).
    Follow sk26202 - Changing the kernel global parameters for Check Point Security Gateway.

    Note: When the value of this parameter is set to 1, Security Gateway will remove 'Proxy-Connection' header from the packet.

    1. Create the $FWDIR/boot/modules/fwkern.conf file (if it does not already exist):

      [Expert@HostName]# touch $FWDIR/boot/modules/fwkern.conf
    2. Edit the $FWDIR/boot/modules/fwkern.conf file in Vi editor:

      [Expert@HostName]# vi $FWDIR/boot/modules/fwkern.conf
    3. Add the following line (spaces are not allowed):

      ws_remove_proxy_connection_header=1
    4. Save the changes and exit from Vi editor.

    5. Check the contents of the $FWDIR/boot/modules/fwkern.conf file:

      [Expert@HostName]# cat $FWDIR/boot/modules/fwkern.conf
    6. Reboot the Security Gateway.

    7. Verify that the new value was set:

      [Expert@HostName]# fw ctl get int ws_remove_proxy_connection_header
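
Steps 1 to 5 of the Gaia / SecurePlatform procedure above, written as an idempotent shell function. This is an added example, not Check Point's code; the function name ensure_fwkern_param and the .bak backup are assumptions of this example. It also covers cases the steps do not spell out: an existing line with the value 0, a line with spaces around '=', and duplicate lines.

```shell
#!/bin/sh
# Added example, not Check Point code. The function name and the .bak backup
# are assumptions of this example.
PARAM=ws_remove_proxy_connection_header

# ensure_fwkern_param FILE
# Leaves FILE with exactly one "PARAM=1" line (no spaces) and prints
# "changed" or "unchanged". All other lines in FILE are preserved.
ensure_fwkern_param() {
    conf=$1
    [ -n "$conf" ] || { echo "usage: ensure_fwkern_param FILE" >&2; return 2; }
    [ -e "$conf" ] || touch "$conf" || return 1   # step 1: create if missing

    any="^[[:space:]]*${PARAM}[[:space:]]*="      # any spelling of the parameter
    # grep -c prints 0 and exits 1 on no match, hence "|| true".
    total=$(grep -c "$any" "$conf" || true)
    exact=$(grep -c "^${PARAM}=1\$" "$conf" || true)
    if [ "$total" -eq 1 ] && [ "$exact" -eq 1 ]; then
        echo unchanged
        return 0
    fi

    cp -p "$conf" "$conf.bak" || return 1         # keep the previous version
    tmp=$(mktemp "$conf.XXXXXX") || return 1
    # Drop value 0, spaced and duplicate entries; keep everything else.
    grep -v "$any" "$conf" > "$tmp" || [ $? -eq 1 ] || { rm -f "$tmp"; return 1; }
    echo "${PARAM}=1" >> "$tmp"                   # step 3: the exact line
    # Overwrite in place so the file keeps its owner and permissions.
    cat "$tmp" > "$conf" || { rm -f "$tmp"; return 1; }
    rm -f "$tmp"
    echo changed
}
```

On the gateway, call it as ensure_fwkern_param "$FWDIR/boot/modules/fwkern.conf", then reboot and confirm the value with the fw ctl get int command from step 7.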

 
