IP range for User and X-Forwarded-For HTTP header

Document ID : KB000125760
Last Modified Date : 04/02/2019
Show Technical Document Details
Question:
User >> Manage Users >> Select a specific user and click Update button >> Administration tab >> [IP Range that is accessible] has 2 kind of type "NAT/Proxy address". When it selects the "Allow the user connection IP range", May I understand the limitation is performed by the "NAT/Proxy address" side. 
She tested and it worked as it is. But she would like to know the design is so as the double check.
Answer:
The understanding is correct. 

Also, the customer asked us about the below Note in the DocOps that the scenario that the user accesses the PAM. 

http://bit.ly/2DN9864 
==== 
Section Title: Configure Administration Settings for the User Record 
Note: If your CA PAM server sits behind a networking device, such as a proxy, load balancer, or router, ensure that the device prevents against IP spoofing of the X-Forwarded-For HTTP header. 
==== 

If the device does not prevent against the IP Spoofing, the X-Forwarded-For HTTP header will reach the device. Then, she thinks PAM recognizes the "sender IP address" by the TCP/IP level, not from the X-Forwarded-For HTTP like ClientIP, ProxyIP... 

The reason why she asked it is that there is the "IP range" field in the User settings >> Administration, it may possible to set the IP address based on the real IP address by checking the X-Forwarded-For header. 

As a result, PAM get the IP address from the X-Forwarded-For header.