If we have downward proxies sending client IP in the X-Forwarded-For, the downward proxy's own IP address is not recorded in the threat dashboard and in the log database at all.
This heavily affects our incident investigation attempts, as we have many thousand of users and dozens of child proxies and the same client can use multiple child proxies.
Because obviously the child proxy's own IP address is sent during each http request, it would be easy to record that in a new column along with the client IP from the inserted x-forwarded-for so we can:
a) quickly find out from behind which child proxy the client sent the request
b) create reports and measure traffic and events broken down to child proxies (bandwidth, etc.)
G. B.