This repo contains Terraform templates to deploy infrastructure on AWS and Azure and to secure them using the Palo Alto Networks Next Generation Firewalls.
It's my understanding that the PA behind the ELB will not be able to see the original client IP (other than X-Forwarded-For for HTTP traffic), so is this solution only for HTTP-based traffic or is there something I'm not understanding?
Hi @bganderson. Looks like you are talking about two different scenarios, if I understand your question.
So the architecture for using the ELB is primarily for HTTP/HTTPS traffic.
To answer the second question, yes, you will be able to see the original client IP by using the XFF header. However, to enforce using the original IP from the XFF, you will need to map that IP into a userid field before setting up the policy.
Hope this helps and apologies for the slow response.
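An added example, not part of the original thread or of the repo's templates: when policy or logging keys on the X-Forwarded-For value, the entry to use is the one appended by the load balancer, because anything to its left was supplied by the client. The sketch assumes the ELB appends the connecting peer's address to the right of any existing header value; the function name, the `trusted_hops` parameter and the sample addresses are constructed for illustration, and this is not the firewall's own logic.

```python
import ipaddress

def client_ip_from_xff(header_value, trusted_hops=1):
    """Return the address recorded by the outermost trusted proxy, or None.

    trusted_hops is the number of proxies you operate in front of the
    inspecting device (1 = only the ELB). Each trusted proxy appends the
    address of the peer that connected to it, so the client address sits
    trusted_hops entries from the right. Entries further left arrived in
    the client's own request and are not trustworthy.
    """
    parts = [p.strip() for p in header_value.split(",") if p.strip()]
    if trusted_hops < 1 or len(parts) < trusted_hops:
        return None
    candidate = parts[-trusted_hops]
    try:
        # Normalise and reject anything that is not a literal IP address.
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return None

# Constructed sample headers (documentation address ranges).
SAMPLES = [
    ("203.0.113.7", 1),                              # plain request via the ELB
    ("10.0.0.1, 203.0.113.7", 1),                    # client pre-set a fake entry
    ("10.0.0.1, 203.0.113.7, 198.51.100.23", 2),     # CDN in front of the ELB
    ("unknown", 1),                                  # non-IP token
]

def demo():
    return [client_ip_from_xff(value, hops) for value, hops in SAMPLES]

if __name__ == "__main__":
    for (value, hops), result in zip(SAMPLES, demo()):
        print(f"{value!r} (trusted_hops={hops}) -> {result}")
```
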