US 12,069,102 B2
Security policy enforcement and visibility for network traffic with masked source addresses
Thomas Arthur Warburton, San Jose, CA (US); Ashwath Sreenivasa Murthy, San Francisco, CA (US); and Jeffrey James Fitz-Gerald, Jr., Campbell, CA (US)
Assigned to Palo Alto Networks, Inc., Santa Clara, CA (US)
Filed by Palo Alto Networks, Inc., Santa Clara, CA (US)
Filed on Jan. 3, 2022, as Appl. No. 17/646,857.
Application 17/646,857 is a continuation of application No. 16/399,783, filed on Apr. 30, 2019, granted, now 11,218,512.
Prior Publication US 2022/0131906 A1, Apr. 28, 2022
Int. Cl. H04L 9/40 (2022.01); H04L 47/20 (2022.01); H04L 67/52 (2022.01)
CPC H04L 63/205 (2013.01) [H04L 47/20 (2013.01); H04L 63/0236 (2013.01); H04L 67/52 (2022.05)]
14 Claims
1. A method comprising:
determining location of a firewall within a network as inline or downstream with respect to an edge network device, wherein determining location of the firewall within the network comprises determining that a first network address is indicated in a source field of a number of packets that exceeds a threshold;
for each of a plurality of packets received by the firewall,
updating a database of network traffic data to indicate a first network address from a source address field of the packet;
determining that the packet indicates a second network address in a X-Forward-For (XFF) field;
based on determining that the firewall is inline or downstream from the edge network device and that the packet indicates a second network address in the XFF field of the packet, updating the database to indicate the second network address in association with indication of the XFF field; and
enforcing security on network traffic traversing the firewall based, at least in part, on second source network addresses associated with indication of the XFF field in the database.
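
The steps of claim 1 as a small Python sketch. This is an added example, not code from the patent or from Palo Alto Networks. Assumptions: the packet dictionaries, the threshold value, the blocklist and all function names are constructed for illustration; XFF is read as the HTTP X-Forwarded-For header; and, as hardening beyond the claim, XFF is honoured only on packets whose source is the masking address, using the right-most entry (the one appended by the nearest proxy).

```python
import ipaddress
from collections import Counter

THRESHOLD = 3  # assumed value; the claim only says "a threshold"

# Constructed sample traffic (documentation address ranges).
PACKETS = [
    {"src": "192.0.2.10", "xff": "198.51.100.7"},
    {"src": "192.0.2.10", "xff": "198.51.100.8"},
    {"src": "192.0.2.10", "xff": "10.0.0.1, 203.0.113.66"},
    {"src": "192.0.2.10", "xff": "not-an-ip"},
    {"src": "198.51.100.99", "xff": "203.0.113.66"},  # direct sender supplying its own XFF
]
BLOCKLIST = {"203.0.113.66"}  # constructed policy

def masking_address(packets, threshold=THRESHOLD):
    """Source address seen on more than `threshold` packets, else None.
    A hit is taken to mean the firewall sits inline with or downstream of an edge device."""
    counts = Counter(p["src"] for p in packets)
    if not counts:
        return None
    addr, seen = counts.most_common(1)[0]
    return addr if seen > threshold else None

def xff_address(packet):
    """Right-most syntactically valid address in the XFF value, else None."""
    value = packet.get("xff")
    if not value:
        return None
    try:
        return str(ipaddress.ip_address(value.split(",")[-1].strip()))
    except ValueError:
        return None

def process(packets, blocklist, threshold=THRESHOLD):
    """Build the traffic database and a per-packet verdict."""
    masked = masking_address(packets, threshold)
    database, verdicts = [], []
    for p in packets:
        row = {"src": p["src"], "xff": None}      # first address: source field
        if masked is not None and p["src"] == masked:
            row["xff"] = xff_address(p)           # second address: XFF field
        database.append(row)
        effective = row["xff"] or row["src"]      # enforce on XFF when recorded
        verdicts.append("deny" if effective in blocklist else "allow")
    return masked, database, verdicts
```

The last sample packet shows why the source check matters: a sender that is not the edge device can put any address in XFF, so its header is not recorded and policy falls back to the source address.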