forward-header-lookup
Syntax
forward-header-lookup {
trusted-proxy IP;
verify-proxy-chain;
}Hierarchy Level
[edit services user-identification]
Description
Identify user IP addresses behind proxies to improve user tracking for security policies. When an XFF header is present, the device uses the client IP from that header as the source identity. When no header is present, the device uses the source IP address.
Options
| trusted-proxy |
Configure to allow header-lookup only for sessions from specified IPs. If an untrusted IP exists in the proxy chain, the session's source-identity becomes UNKNOWN. |
| verify-proxy-chain |
Validates every proxy for a session to ensure trust, even when multiple proxies exist between the client and the firewall. |
Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
Release Information
Statement introduced in Junos OS Release 25.4R1.