Idea ID: 2872943

Rule Definitions - Improvement in the treatment of strings for HTTP Headers

Status : New Idea

When we define a risk rule, if we select HTTP Header, it only allows the condition to be defined by "Equals" "Not equals" "Contains" or "Not contains".
When we use it for X-Forwarded-For, these conditions make it difficult to analyze if the source IP is from a specific subnet.
For example, if we want to identify everything coming from the network as internal access, we can't just put "Contains 10." since that would encompass IPs like
Only if you could put "Starts with" it would do. In that case it would be "Starts with 10."


  • Since you'd like to differentiate clients on source IP address, have you considered using IP Address rule? If AM is behind NAT and IP addresses are in X-Forwarded-For headers, you can always instruct AM to extract client's IP address from header (Risk-based Policies->NAT Settings)