Cisco Firepower Management Center 4000

FireSIGHT System User Guide
 
Chapter 18: Working with Intrusion Events
Searching for Intrusion Events
Destination IP
Specify the IP address used by the destination host involved in the intrusion events.
Source/Destination IP
Specify the source or destination IP address used by the host whose intrusion events you want to view.
Source Country
Specify the country of the source host involved in the intrusion events.
Destination Country
Specify the country of the destination host involved in the intrusion events.
Source/Destination Country
Specify the country of the source or destination host involved in the intrusion events you want to view.
Source Continent
Specify the continent of the source host involved in the intrusion events.
Destination Continent
Specify the continent of the destination host involved in the intrusion events.
Source/Destination Continent
Specify the continent of the source or destination host involved in the intrusion events you want to view.
Original Client IP
The original client IP address that was extracted from an X-Forwarded-For (XFF), True-Client-IP, 
or custom-defined HTTP header. To display a value for this field, you must enable the HTTP 
preprocessor Extract Original Client IP Address option in the network analysis policy. Optionally, 
in the same area of the network analysis policy, you can also specify up to six custom client IP 
headers, as well as set the priority order in which the system selects the value for the Original Client 
IP event field. See  for more information.
XFF Priority Header
When Extract Original Client IP Address is enabled, specifies the order in which the system
processes original client IP HTTP headers. If, on your monitored network, you expect to encounter
original client IP headers other than X-Forwarded-For (XFF) or True-Client-IP, you can click Add to
add up to six additional Client IP header names to the priority list. Note that if multiple XFF headers
appear in an HTTP request, the value for the Original Client IP event field is the header with the
highest priority. You can use the up and down arrow icons beside any header type to adjust its
priority.
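The priority selection described above, sketched as an added example; this is not Cisco's code or part of the original guide. Assumptions: X-Forwarded-For ranks above True-Client-IP by default, the left-most entry of a comma-separated value is used, a value that is not a valid IP address is skipped, and X-Real-Client is a hypothetical custom header name.

```python
import ipaddress

# Header names the guide lists by default; their relative order here is an assumption.
DEFAULT_HEADERS = ["X-Forwarded-For", "True-Client-IP"]
MAX_CUSTOM = 6  # the guide allows up to six additional client IP header names

# Constructed sample request (documentation addresses), not captured traffic.
SAMPLE_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "True-Client-IP: 198.51.100.7\r\n"
    "X-Forwarded-For: 203.0.113.10, 10.0.0.5\r\n"
    "X-Real-Client: 192.0.2.44\r\n"  # hypothetical custom header
    "\r\n"
)

def build_priority(custom=(), order=None):
    """Return header names, highest priority first; `order` models the arrow icons."""
    if len(custom) > MAX_CUSTOM:
        raise ValueError("at most six custom client IP headers")
    names = DEFAULT_HEADERS + list(custom)
    if order is None:
        return names
    if sorted(n.lower() for n in order) != sorted(n.lower() for n in names):
        raise ValueError("order must list every configured header exactly once")
    return list(order)

def parse_headers(raw_request):
    """Return (lower-cased name, value) pairs from the request's header block."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")[1:]  # skip the request line
    return [(n.strip().lower(), v.strip())
            for n, sep, v in (l.partition(":") for l in lines) if sep]

def original_client_ip(raw_request, priority):
    """Return (header, ip) from the highest-priority header present, else None."""
    headers = parse_headers(raw_request)
    for wanted in priority:
        for name, value in headers:
            if name != wanted.lower():
                continue
            # Assumption: use the left-most list entry; skip values that are not IPs.
            first = value.split(",")[0].strip()
            try:
                return wanted, str(ipaddress.ip_address(first))
            except ValueError:
                continue
    return None
```

Because these headers are set by the client or by intermediate proxies, the resulting field is a claimed address; compare it with the Source IP field when triaging an event.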
Protocol