Forwarded-For (XFF) Configuration

To assign multiple policies for a single Network identity (an egress IP) and identify internal IP addresses in reports, you must configure XFF. You can do this by using an on-premise proxy, or by using a browser plugin such as (for Firefox) the Simple Modify Headers plugin. This configuration is not required for proxy chaining.

Table of Contents

On-Premise X-Forwarded-For Header Configuration (No Plug-In)

For information on how to configure an X-Forwarded-For (XFF) to HTTP headers, see your proxy documentation.

For the XFF header to be properly written to HTTPS packets, internal clients must be configured for an explicit proxy (that is, configured to forward web traffic to the proxy’s internal network interface, or a PAC file) and HTTPS decryption or for transparent proxy deployments the proxy must provide Man-in-the-Middle (MitM) decryption.

For HTTPS decryption to work correctly you need to import your Umbrella certificate into your proxy. Refer to your proxy documentation for more information.

Browser PluginX-Forwarded-For Header Configuration (No Proxy Chaining)

The browser plug-in approach is not scalable for production deployments and should be used for testing and troubleshooting only.


XFF and HTTPS Decription

If you are not using XFF headers (using SAML or only external IP for identity), HTTPS decryption does not need to be performed on the on-premises proxy, but only in the cloud.

Manage Proxy Chaining < Forwarded-For (XFF) Configuration > Customize Block and Warn Pages