Use Effective IP to Determine the Origin IP

If you rely on a deployment model where the client’s real IP address is obscured by a load balancer or HTTP proxy, such as a reverse proxy indirect or forward proxy indirect deployment, you can configure the appliance to use the value contained in the X-Forwarded-For header field or another custom header to identify the originating IP address.

To configure the appliance to extract the effective IP address from the request header, you need to specify the request header variable within policy. Keep in mind that the ProxySG appliance can only extract the effective IP address where so defined in the request header. If the request header is not present or is an invalid IP, the request will use the client IP instead.

To configure the ProxySG appliance to extract the first IP address presented in the X-Forwarded-For header variable as the effective IP address:

client.address=<ip_address> \ client.effective_address("$(request.header.X-Forwarded-For)")


  • ip_address specifies the HTTP proxy or load balancer IP address.
  • ("$(request.header.X-Forwarded-For)") is the effective IP address.


Alternatively, you can also use the VPM (visual policy manager) to configure the ProxySG appliance to use the effective IP address of a client.