IPS Geo protection based on "X-Forwarded-For" HTTP header in Check Point vSEC for AWS / vSEC for Azure
According to https://en.wikipedia.org/wiki/X-Forwarded-For:
The X-Forwarded-For (XFF) HTTP header field is a common method for identifying the originating IP address of a client connecting to a web server through an HTTP proxy or load balancer.
Additional information can be found here:
IPS Geo protection
The IPS Geo protection allows customers to filter and/or log traffic based on the country from which the traffic arrives.
External Elastic Load Balancers (ELBs) deployed in front of the Check Point vSEC Security Gateway hide the originating IP address: the traffic arrives at the Security Gateway with a source IP address belonging to the load balancer, so a Geo lookup on the packet's source address reflects the load balancer's location rather than the client's.
If the traffic is HTTP/HTTPS, then the Elastic Load Balancers can be set up to add an "X-Forwarded-For" header that includes the originating client IP address.
Note that if an HTTP request goes through multiple proxies or load balancers, the "X-Forwarded-For" header is expected to contain multiple IP addresses.
Starting with Check Point vSEC BYOL R77.30-035.142, the Check Point Security Gateway can enforce the IPS Geo protection against the client IP address found in the "X-Forwarded-For" headers.
All IPv4 addresses contained in the "X-Forwarded-For" header are inspected against the IPS Geo protection, not only the first or the last one.
For each such IP address, if it matches an IPS Geo protection rule that requires logging, a log is generated.
Note that the header value is built by every hop in the chain, and a client can send its own "X-Forwarded-For" value before the load balancer appends the real client address. Because every address in the header is inspected, a client-supplied address cannot mask the address the load balancer appends, but it does produce additional Geo logs.
Consider the following "X-Forwarded-For" header:
X-Forwarded-For: 198.51.100.10, 203.0.113.10
- 198.51.100.10 is Geo located in the imaginary country Utopia
- 203.0.113.10 is Geo located in the imaginary country Dystopia
- The IPS Geo protection policy dictates that:
- All traffic from Utopia is to be logged
- All traffic from Dystopia should be logged and dropped
Then, when presented with the above "X-Forwarded-For" header, the Security Gateway will:
- Generate a log indicating that an IP address from Utopia was seen in an "X-Forwarded-For" header
- Generate a log indicating that an IP address from Dystopia was seen in an "X-Forwarded-For" header
- Drop the HTTP request as originating from Dystopia
Note that any IPv6 address in the "X-Forwarded-For" header is ignored; only IPv4 addresses are inspected.
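The inspection logic described above, written out as an added Python example; this is not Check Point code and does not reflect how the gateway is implemented. The Geo table (documentation prefixes mapped to the imaginary countries Utopia, Dystopia and a third country with no rule) and the policy table are constructed for the example; it splits the header on commas, keeps only IPv4 addresses, skips IPv6 literals and non-IP tokens, logs every address that hits a logging rule, and drops the request if any address hits a drop rule, regardless of its position in the header.

```python
import ipaddress

# Constructed Geo table for the example: prefix -> country (not real GeoIP data).
GEO_TABLE = {
    ipaddress.ip_network("198.51.100.0/24"): "Utopia",
    ipaddress.ip_network("203.0.113.0/24"): "Dystopia",
    ipaddress.ip_network("192.0.2.0/24"): "Arcadia",   # no Geo rule for this country
}

# Constructed IPS Geo policy for the example: country -> action.
# "log" = log only; "drop" = log and drop (as in the Dystopia rule above).
POLICY = {
    "Utopia": "log",
    "Dystopia": "drop",
}


def country_of(addr):
    """Longest-match-free lookup is fine here: the example prefixes do not overlap."""
    for net, country in GEO_TABLE.items():
        if addr in net:
            return country
    return None


def parse_xff(header_value):
    """Split an X-Forwarded-For value on commas and keep only IPv4 addresses.

    IPv6 literals and tokens that are not IP addresses at all (e.g. junk a
    client injected) are ignored, matching the behaviour described in the text.
    """
    addrs = []
    for token in header_value.split(","):
        token = token.strip()
        if not token:
            continue
        try:
            addr = ipaddress.ip_address(token)
        except ValueError:
            continue  # not an IP literal; ignore
        if addr.version == 4:
            addrs.append(addr)
    return addrs


def inspect_xff(header_value):
    """Apply the Geo policy to every IPv4 address in the header.

    Returns (decision, logs): decision is "accept" or "drop"; logs is the list
    of log lines that would be generated, one per address that matched a rule.
    """
    logs = []
    decision = "accept"
    for addr in parse_xff(header_value):
        country = country_of(addr)
        action = POLICY.get(country)
        if action is None:
            continue  # no Geo rule for this country: nothing to log
        logs.append(
            f"Geo protection: {addr} ({country}) seen in X-Forwarded-For, action={action}"
        )
        if action == "drop":
            # Any matching address anywhere in the chain drops the request;
            # an address a client prepends cannot hide the one the ELB appends.
            decision = "drop"
    return decision, logs


if __name__ == "__main__":
    for value in (
        "198.51.100.10, 203.0.113.10",   # the worked example from the text
        "198.51.100.10",                 # log only
        "2001:db8::1, 192.0.2.5",        # IPv6 ignored, Arcadia has no rule
        "garbage, 203.0.113.10",         # injected junk token, still dropped
    ):
        decision, logs = inspect_xff(value)
        print(f"{value!r}: {decision}")
        for line in logs:
            print("   ", line)
```

Running the block prints the decision and log lines for each constructed header; the first value reproduces the two logs and the drop from the worked example.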