The X-Forwarded-For entry should be used automatically:

From p.829 of the 7.1 Admin Guide:

"When a Juniper Networks DX appliance or similar load balancer is deployed in front of

the SA Series Appliance in proxy mode, the real client IP address can be preserved in a

DX custom HTTP header and passed to the SA Series Appliance. This real client IP address

can be recorded within the SA Series ApplianceÕs logs when a user logs into the SA (or

a user roams), allowing you to audit and report on the username/real source IP pair using

the SA Series Appliance logs.

Chapter 31: Logging and Monitoring

The remainder of this topic refers to Juniper NetworksÕ DX appliance. See your load

balancerÕs documentation for information on sending an X-Forwarded-ForÓ log header.

The real source IP address is retrieved from the DX custom header when a user logs in

and is placed into the session record. The real source IP address is used in place of the

DX IP address in the event, user, admin, and sensors log if it is present in the context data.

Otherwise, the source IP address in the context data is used."

Anyone know if this feature was deprecated in new versions of PCS (8.x 9.x) ?

I can not find in new documentation.

This feature was not deprecated, just wasn't working as expected and not documentated in newer releases.

At least in version 9.1R7, this features is working again, check PRS-382777.

In new documentation, it is not documented how this works, but take care, because as in release 7.4, client IP is just showed in 3 message IDs

• AUT24326 (user and admin login)
• AUT20919 (user roaming)
• ADM22896 (admin roaming)

and do not substitute sourceip variable.

The new AUT24326 should have the text

Primary authentication successful for <user>/<auth server> from <LB IP> forwarded for <client IP>