Forwarded-For (XFF) Configuration

You can configure the X-Forwarded-For (XFF) request header by using an on-premises proxy or a browser plugin such as Firefox's Simple Modify Headers plugin.

When configured, the XFF header carries the internal IP address of the client for traffic on a Registered Network (an egress IP). You must add these Registered Networks as sources in your internet access rules. The Activity Search report then includes the internal IP addresses for traffic on the Registered Networks.

Note: Cisco Secure Access does not require the XFF header for deploying proxy chaining.

On-Premises XFF Header Configuration (No Plug-In)

For information about configuring the X-Forwarded-For (XFF) request header, see your proxy documentation.

Guidelines

To write the XFF header on HTTPS packets, configure internal clients for an explicit proxy and HTTPS decryption.

  • Configure internal clients to forward web traffic to the proxy’s internal network interface or a PAC file.
  • For transparent proxy deployments, the proxy must provide Man-in-the-Middle (MitM) decryption.
  • For HTTPS decryption to work correctly, import your Secure Access root certificate to your proxy. For more information, see Manage Certificates. Also, refer to your proxy documentation.

Note: If you are not using XFF headers (and are instead using SAML or only external IP addresses to identify sources), you only have to enable HTTPS decryption on the proxies deployed in your cloud environments.
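
To confirm that an on-premises proxy configured as described above writes a usable header, the following added example (not Cisco's code or part of the original page) checks the headers captured from one request leaving the proxy and reports whether X-Forwarded-For carries an internal address rather than the egress IP. The function name, the RFC 1918 default for "internal", the leftmost-entry convention, and the sample addresses are assumptions and are not taken from Secure Access.

```python
import ipaddress

# Assumption: "internal" means RFC 1918 space; pass your own ranges if different.
RFC1918 = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")

def check_xff(headers, egress_ip, internal=RFC1918):
    """Check one captured request. headers is a list of (name, value) pairs.

    Returns (client_ip or None, findings); an empty findings list means the
    header carries a usable internal address.
    """
    nets = [ipaddress.ip_network(n) for n in internal]
    values = [v for k, v in headers if k.lower() == "x-forwarded-for"]
    if not values:
        return None, ["X-Forwarded-For missing: proxy did not write the header"]
    findings = []
    if len(values) > 1:
        findings.append("header appears on %d separate lines" % len(values))
    # Repeated header lines are equivalent to one comma-separated list.
    entries = [e.strip() for e in ",".join(values).split(",") if e.strip()]
    if not entries:
        return None, findings + ["X-Forwarded-For present but empty"]
    # Assumption: leftmost entry is the original client (the usual XFF convention).
    try:
        client = ipaddress.ip_address(entries[0])
    except ValueError:
        return None, findings + ["leftmost entry is not an IP address: %r" % entries[0]]
    if client == ipaddress.ip_address(egress_ip):
        findings.append("header carries the egress IP, not the client's internal IP")
    elif not any(client in n for n in nets):
        findings.append("leftmost entry %s is outside the internal ranges" % client)
    return str(client), findings

if __name__ == "__main__":
    EGRESS = "203.0.113.10"  # constructed sample egress IP (documentation range)
    samples = [  # constructed header captures, not real traffic
        [("Host", "example.com"), ("X-Forwarded-For", "10.20.30.40")],
        [("Host", "example.com")],
        [("Host", "example.com"), ("x-forwarded-for", "203.0.113.10")],
        [("Host", "example.com"), ("X-Forwarded-For", "unknown")],
    ]
    for h in samples:
        print(check_xff(h, EGRESS))
```

The explicit range list is used instead of `ipaddress`'s `is_private` property because that property is also true for documentation and other special-purpose ranges.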

Browser Plugin XFF Header Configuration (No Proxy Chaining)

The browser plug-in approach is not scalable for production deployments and should be used for testing and troubleshooting only.
