This article describes the process the system uses to evaluate and identify the client IP address from an X-Forwarded-For (XFF) IP chain. It clarifies how the system distinguishes between the originating client IP and trusted proxy addresses within the network configuration.
- Network Zones
- IP Forwarding
- Client IP Extraction
- Okta Identity Engine (OIE)
- Okta Classic Engine
The client IP is misidentified when the application and network service layers do not have IP forwarding applied, or when the service-layer IP addresses are not registered correctly in the Gateway and Proxies fields of the Network Zone.
To ensure the system extracts the real client IP from the X-Forwarded-For (XFF) chain, perform the following configuration:
1. Go to Security > Networks.
2. Select the Network Zone to edit.
3. Clear the Gateway field so that it is empty.
4. Enter the trusted proxy IP ranges in the Proxies field.
5. Click Save.
Example IP Chain Configuration
When an IP chain contains three addresses (e.g., 192.168.1.1, 10.0.0.1, 10.0.0.2), the system processes them as follows:
- 192.168.1.1: the first IP in the chain, which represents the real client IP.
- 10.0.0.1, 10.0.0.2: the second and third IPs in the chain. Register these addresses in the Proxies field of the Network Zone to establish them as trusted proxies.
| Field | Purpose | Usage |
| --- | --- | --- |
| Gateway | Defines which client IP ranges are allowed to match this Network Zone | Used for zone-based policies such as Sign-On Policy or Multi-Factor Authentication (MFA) policies. |
| Proxies | Defines which proxy IP ranges are trusted for XFF validation | Used for extracting the real client IP from the X-Forwarded-For chain. |
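The following Python snippet is an added worked example, not Okta's own code, that shows the trusted-proxy logic the example chain and the field table describe: the XFF chain is walked from the right, every hop that falls inside a registered Proxies range is discarded, and the first hop that is not a trusted proxy is taken as the client IP. It also shows the failure mode from the opening paragraph (no proxies registered, so a proxy address is returned as the client) and a Gateway-style range check on the extracted client IP. The function names, the right-to-left walk, and the sample chains are assumptions for illustration; the exact evaluation order inside Okta is not specified on this page.

```python
import ipaddress
from typing import Iterable, List, Optional

# Constructed sample values mirroring the article's example chain.
EXAMPLE_CHAIN = "192.168.1.1, 10.0.0.1, 10.0.0.2"
EXAMPLE_PROXIES = ["10.0.0.1/32", "10.0.0.2/32"]   # what goes in the Proxies field
EXAMPLE_GATEWAY = ["192.168.0.0/16"]               # a sample Gateway range (assumed)


def parse_xff(header: str) -> List[str]:
    """Split an X-Forwarded-For header value into its ordered hop list (left = origin)."""
    return [hop.strip() for hop in header.split(",") if hop.strip()]


def _in_ranges(addr_str: str, ranges: Iterable[str]) -> bool:
    """True if addr_str parses as an IP and falls inside any of the given CIDR ranges."""
    try:
        addr = ipaddress.ip_address(addr_str)
    except ValueError:
        return False  # unparseable hop is never treated as trusted
    return any(addr in ipaddress.ip_network(r, strict=False) for r in ranges)


def extract_client_ip(xff_header: str, trusted_proxies: Iterable[str]) -> Optional[str]:
    """Return the real client IP from an XFF chain given the trusted proxy ranges.

    Walks the chain from the right (the hop nearest to the service) and drops every
    hop that belongs to a trusted proxy. The first remaining hop is the address the
    outermost trusted proxy actually received the connection from, i.e. the client.
    Anything to the left of it was supplied by the client and is not trusted.
    """
    hops = parse_xff(xff_header)
    if not hops:
        return None
    trusted = list(trusted_proxies)
    for hop in reversed(hops):
        if not _in_ranges(hop, trusted):
            return hop
    # Every hop was a trusted proxy: the leftmost one is the closest to the origin.
    return hops[0]


def in_gateway_ranges(client_ip: str, gateway_ranges: Iterable[str]) -> bool:
    """Zone-style check: does the extracted client IP fall within the Gateway ranges?"""
    return _in_ranges(client_ip, gateway_ranges)


if __name__ == "__main__":
    # Proxies registered: the first hop is correctly identified as the client.
    print(extract_client_ip(EXAMPLE_CHAIN, EXAMPLE_PROXIES))          # 192.168.1.1
    # Proxies NOT registered: the last proxy is mistaken for the client.
    print(extract_client_ip(EXAMPLE_CHAIN, []))                       # 10.0.0.2
    # A client-supplied leading value is ignored; the peer of the first proxy wins.
    print(extract_client_ip("203.0.113.9, " + EXAMPLE_CHAIN, EXAMPLE_PROXIES))  # 192.168.1.1
    print(in_gateway_ranges("192.168.1.1", EXAMPLE_GATEWAY))           # True
```

Registering a proxy range that is too broad has the opposite effect of leaving it empty: if the client's own network were listed under Proxies, the walk would skip past the real client and report whatever the client chose to prepend, so the Proxies field should contain only the service-layer addresses that actually forward traffic.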
