PaloAltoNetworks / terraform-templates

This repo contains Terraform templates to deploy infrastructure on AWS and Azure and to secure them using the Palo Alto Networks Next Generation Firewalls
Apache License 2.0
147 stars 151 forks

Does this support non-HTTP traffic blocking? #18

Open bganderson opened 6 years ago

bganderson commented 6 years ago

It's my understanding that the PA behind the ELB will not be able to see the original client IP (other than X-Forwarded-For for HTTP traffic), so is this solution only for HTTP based traffic or is there something I'm not understanding?

vinayvenkat commented 6 years ago

Hi @bganderson, it looks like you are talking about two different scenarios, if I understand your question.

  1. So the architecture for using the ELB is primarily for HTTP/HTTPS traffic.
  2. To answer the second question, yes, you will be able to see the original client IP by using the XFF header. However, to enforce using the original IP from the XFF, you will need to map that IP into a user-ID field before setting up the policy. Hope this helps and apologies for the slow response.
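The point above (the original client address survives only in X-Forwarded-For, and only for HTTP/HTTPS) has a trust caveat: the header is a comma-separated chain to which every proxy appends the address it saw, so a client can pre-fill it with any value and only the entry appended by the ELB is reliable. The following Python is an added example, not code from this repository, showing how a consumer of that header (the firewall's user-ID mapping or anything else behind the ELB) should recover the client IP by walking the chain from the right and stopping at the first non-trusted hop. The trusted range is an assumed placeholder for the ELB subnet.

```python
import ipaddress
from typing import List, Optional

# Assumed placeholder for the subnet the ELB forwards from; replace with the real range.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def _is_trusted(addr: str) -> bool:
    """True if addr parses as an IP that belongs to one of our forwarding proxies."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip_from_xff(xff: Optional[str], peer_ip: str) -> Optional[str]:
    """Return the original client IP for a request that arrived via a trusted proxy.

    peer_ip is the address of the TCP peer we actually accepted the connection from.
    If that peer is not one of our proxies, the XFF header is client-supplied and is
    ignored. Otherwise the chain is read from the right: every trusted hop is peeled
    off and the first address that is not ours is the client. Entries to the left of
    it were supplied by the client and may be forged. Returns None for a malformed entry.
    """
    if not _is_trusted(peer_ip):
        return peer_ip  # direct connection: no trusted proxy, ignore the header entirely
    if not xff:
        return peer_ip  # trusted proxy but no header (nothing to unwrap)
    hops: List[str] = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        if not _is_trusted(hop):
            try:
                return str(ipaddress.ip_address(hop))
            except ValueError:
                return None  # unparseable client-supplied value: refuse to map it
    # Every hop is one of our proxies, so the leftmost entry is an internal client.
    return hops[0]


if __name__ == "__main__":
    # Constructed sample: client forged "1.2.3.4", ELB appended the real address.
    print(client_ip_from_xff("1.2.3.4, 203.0.113.5", "10.0.1.20"))  # 203.0.113.5
```

For non-HTTP flows there is no header at all, so this recovery is impossible; that is why the ELB design is limited to HTTP/HTTPS.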