The XFF header (X-Forwarded-For) is not added to web traffic when Security Gateway is in Transparent Mode
Technical Level
Solution ID
sk120360
Product
Quantum Security Gateways
Version
R77.30 (EOL)
OS
Gaia
Date Created
09-Oct-2017
Last Modified
22-Nov-2019
Symptoms
HTTP/HTTPS transparent proxy is enabled on the Security Gateway with the XFF header option enabled, but the next-hop device does not see the XFF header on the traffic.
Debugs on the gateway (fw ctl debug -m fw + conn drop packet packval and fw ctl debug -m WS + all) show:
[cpu_X];[fwY_Z];###:{module} fw_http_proxy_inspection: not internal interface X.X.X.X not match to proxy;
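To find which addresses trigger this message in a saved debug file, the lines can be tallied per reported address. This is an added example, not Check Point code; the function name is an assumption, and the sample lines are constructed from the message format above with documentation addresses.

```python
import ipaddress
import re
from collections import Counter

# Fixed text of the message quoted in this article; the bracketed prefix varies.
NOT_INTERNAL = re.compile(
    r"fw_http_proxy_inspection: not internal interface (\S+) not match to proxy"
)

def not_internal_addresses(lines):
    """Count, per reported address, the lines carrying the 'not internal interface' message."""
    counts = Counter()
    for line in lines:
        match = NOT_INTERNAL.search(line)
        if not match:
            continue
        try:
            addr = ipaddress.ip_address(match.group(1))
        except ValueError:
            continue  # truncated or garbled debug line, skip it
        counts[str(addr)] += 1
    return dict(counts)

# Constructed sample: prefix digits and addresses are made up for illustration.
SAMPLE = """\
[cpu_1];[fw4_0];###:{module} fw_http_proxy_inspection: not internal interface 192.0.2.1 not match to proxy;
[cpu_0];[fw4_1];constructed unrelated debug line
[cpu_2];[fw4_0];###:{module} fw_http_proxy_inspection: not internal interface 192.0.2.1 not match to proxy;
[cpu_1];[fw4_2];###:{module} fw_http_proxy_inspection: not internal interface 198.51.100.7 not match to proxy;
[cpu_1];[fw4_2];###:{module} fw_http_proxy_inspection: not internal interface 198.51 not match to proxy;
"""

if __name__ == "__main__":
    for addr, n in sorted(not_internal_addresses(SAMPLE.splitlines()).items()):
        print(f"{addr}\t{n}")
```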
Cause
The incoming interface for web traffic is not defined as "internal", which makes the traffic ineligible for the XFF header.