Showing results for 
Search instead for 
Did you mean: 

x-forwarded-for - SA6000 SSL VPN

New Contributor

x-forwarded-for - SA6000 SSL VPN

Does anyone have any ideas if its possible to pass through XFF headers to the SA for the purpose of logging the originating client address. What do others do around this? Match up LB logs with the SA logs?

Frequent Contributor

Re: x-forwarded-for - SA6000 SSL VPN

The X-Forwarded-For entry should be used automatically:

From p.829 of the 7.1 Admin Guide:

"When a Juniper Networks DX appliance or similar load balancer is deployed in front of

the SA Series Appliance in proxy mode, the real client IP address can be preserved in a

DX custom HTTP header and passed to the SA Series Appliance. This real client IP address

can be recorded within the SA Series ApplianceÕs logs when a user logs into the SA (or

a user roams), allowing you to audit and report on the username/real source IP pair using

the SA Series Appliance logs.

Chapter 31: Logging and Monitoring

The remainder of this topic refers to Juniper NetworksÕ DX appliance. See your load

balancerÕs documentation for information on sending an X-Forwarded-ForÓ log header.

The real source IP address is retrieved from the DX custom header when a user logs in

and is placed into the session record. The real source IP address is used in place of the

DX IP address in the event, user, admin, and sensors log if it is present in the context data.

Otherwise, the source IP address in the context data is used."

Frequent Contributor

Re: x-forwarded-for - SA6000 SSL VPN

Anyone know if this feature was deprecated in new versions of PCS (8.x 9.x) ?


I can not find in new documentation.

Frequent Contributor

Re: x-forwarded-for - SA6000 SSL VPN

This feature was not deprecated, just wasn't working as expected and not documentated in newer releases.


At least in version 9.1R7, this features is working again, check PRS-382777.


In new documentation, it is not documented how this works, but take care, because as in release 7.4, client IP is just showed in 3 message IDs


  • AUT24326 (user and admin login)
  • AUT20919 (user roaming)
  • ADM22896 (admin roaming)

and do not substitute sourceip variable.


The new AUT24326 should have the text

Primary authentication successful for <user>/<auth server> from <LB IP> forwarded for <client IP>