IP range for User and X-Forwarded-For HTTP header

Document ID : KB000125760
Last Modified Date : 04/02/2019
Under User >> Manage Users >> select a specific user and click the Update button >> Administration tab, [IP Range that is accessible] has 2 kinds of type "NAT/Proxy address". When "Allow the user connection IP range" is selected, is it correct to understand that the restriction is enforced on the "NAT/Proxy address" side?
The customer tested this and it worked that way, but she would like to confirm, as a double check, that this is the design.
The understanding is correct. 

The customer also asked about the Note below from DocOps, which concerns the scenario in which a user accesses PAM.

Section Title: Configure Administration Settings for the User Record 
Note: If your CA PAM server sits behind a networking device, such as a proxy, load balancer, or router, ensure that the device prevents against IP spoofing of the X-Forwarded-For HTTP header. 

If the device does not prevent IP spoofing, the X-Forwarded-For HTTP header will reach the device. She thinks that PAM then recognizes the "sender IP address" at the TCP/IP level, not from the X-Forwarded-For HTTP header like ClientIP, ProxyIP...

She asked because there is an "IP range" field under User settings >> Administration, so it may be possible to set the IP address based on the real IP address by checking the X-Forwarded-For header.

As a result, PAM gets the IP address from the X-Forwarded-For header.
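Because the IP range check relies on X-Forwarded-For, the following added example (not CA PAM code and not from the original article) shows why the Note requires the front-end device to stop spoofing: a device that appends to a client-supplied header lets a forged first entry pass a range check, while a device that overwrites the header, or a backend that reads hops right to left past trusted proxies, does not. How PAM itself parses the header is not stated in the article; all addresses, ranges and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample values (documentation ranges); none come from the KB article.
ALLOWED_RANGE = ipaddress.ip_network("192.0.2.0/24")    # range configured for the user
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]  # the front-end device itself
REAL_CLIENT = "203.0.113.50"                            # outside the allowed range
PROXY_ADDR = "10.0.0.5"
FORGED = {"X-Forwarded-For": "192.0.2.10"}              # header sent by the client


def proxy_append(client_headers, peer_ip):
    """Device that appends the peer address to a client-supplied header."""
    prior = client_headers.get("X-Forwarded-For")
    return f"{prior}, {peer_ip}" if prior else peer_ip


def proxy_overwrite(client_headers, peer_ip):
    """Device that discards the client-supplied header and sets its own."""
    return peer_ip


def leftmost_ip(xff):
    """Backend that takes the first entry, which the client controls."""
    return ipaddress.ip_address(xff.split(",")[0].strip())


def rightmost_untrusted_ip(xff, peer_ip):
    """Walk the hops right to left; return the first that is not a trusted proxy."""
    hops = [h.strip() for h in xff.split(",") if h.strip()] + [peer_ip]
    for hop in reversed(hops):
        addr = ipaddress.ip_address(hop)
        if not any(addr in net for net in TRUSTED_PROXIES):
            return addr
    return ipaddress.ip_address(peer_ip)  # every hop was a trusted proxy


def allowed(addr):
    return addr in ALLOWED_RANGE


if __name__ == "__main__":
    appended = proxy_append(FORGED, REAL_CLIENT)
    overwritten = proxy_overwrite(FORGED, REAL_CLIENT)
    print("append + leftmost     :", allowed(leftmost_ip(appended)))
    print("overwrite + leftmost  :", allowed(leftmost_ip(overwritten)))
    print("append + right-to-left:", allowed(rightmost_untrusted_ip(appended, PROXY_ADDR)))
```

A malformed header entry raises `ValueError` from `ipaddress.ip_address`; a caller should treat that as a denied request rather than fall back to another address source.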