Cisco Systems OL-15491-01 appendix Ip csg content, 251

Appendix A CSG2 Command Reference

subscriber-ip http-header forwarded-for

To prevent exposure of potentially sensitive IP addresses, the CSG2 can obscure the contents of X-Forwarded-For headers, overwriting the contents with blanks.

•If you want to obscure the contents of the X-Forwarded-For header, enter the subscriber-iphttp-headerx-forwarded-forcommand with the obscure keyword.

•If you do not want to obscure the contents of the X-Forwarded-For header, enter the subscriber-iphttp-headerx-forwarded-forcommand without the obscure keyword (the default setting).

•When obscuring the IP address in X-Forwarded-For headers, keep the following considerations in mind:

–The CSG2 does not obscure the IP address in fragmented request packets that have X-Forwarded-For headers, because the CSG2 does not reassemble the fragments and therefore cannot modify the packets.

–The CSG2 does not obscure the X-Forwarded-For header for traffic that is downgraded from Layer 7 inspection to Layer 4 inspection.

–If the active CSG2 fails over to the standby CSG2, the standby CSG2 does not obscure the IP address in X-Forwarded-For header for existing HTTP sessions. However, the standby CSG2 does obscure the IP address in X-Forwarded-For headers for new HTTP sessions.

–If the subscriber sends more than one GET request with X-Forwarded-For headers, and the content host fails to send a TCP acknowledgement within five seconds, the CSG2 resets the subscriber side connection.