XFF will appear in network events, as the Data Privacy setting does not affect the XFF display of network events. To test this, refer to the following steps:
- In the "Data Privacy" section of "Agent settings" on the management console, set "Allow packet data capture in network events:" to “No”.
- Prepare DSA Server with Web Service (e.g: Port:80).
- DSA enables IPS functionality.
- Apply the following IPS Rules:
- 1000474 - Allowed Resources
- 1000128 - HTTP Protocol Decoding
- 1006540 - Enable X-Forwarded-For HTTP Header Logging
- Trigger IPS Rules from another client using the following command:
curl --header "X-Forwarded-For: 8.8.8.8" http:///not_allow_resource
- Check the DSA IPS Event, it will appear in the field called XFF.
In the Deep Security Agent (DSA), "Advanced Logging Policy" should be set to "bypass" first because default log aggregate may cause unexpected results.