![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 70%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDF%3C/text%3E%3C/svg%3E)
Azure Firewall
An Azure network security service that is used to protect Azure Virtual Network resources.
721 questions
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(243.2, 60%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EUK%3C/text%3E%3C/svg%3E)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(108.80000000000001, 17%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERV%3C/text%3E%3C/svg%3E)
Hi
Greetings!
X-Forwarded-For headers are part of HTTP/S traffic (Layer 7). This capability is only available in the Premium SKU of Azure Firewall. Since premium tier supports TLS inspection and IDPS, it can inspect HTTP/S traffic and thus handle XFF headers whereas Basic SKU operates at Layer 3/4, so it supports basic stateful firewall rules (IP/port filtering) but cannot inspect/modify HTTP headers like XFF.
Refer this link:https://learn.microsoft.com/en-us/azure/firewall/premium-deploy#tls-inspection-with-url-filtering
How do I verify the client IP is passing to VM(apache2)?
In the Application rule logs you can the see the client ip.
If you require XFF header then upgrade to Azure Firewall Premium for native XFF support, TLS inspection and advanced threat protection. If cost is a concern, you can try to use Azure Application Gateway (WAF feature) behind Basic SKU Azure Firewall for hybrid Layer 3/4 and Layer 7 traffic inspection.
If above is unclear and/or you are unsure about something add a comment below.
Please don’t forget to close the thread by clicking "Accept the answer" wherever the information provided helps you, as this can be beneficial to other community members.