Hi,    We would suggest you to follow below steps to verify if IPS policy is working fine or not.   - Modify the intrusion policy in use and enabled the portscan detection / ICMP detection snort id 408. - Assign a Network Analysis to the Access Contr...

It depends of the size of GET request forwarded to source fire, if the size of GET request is larger than that default value then you might not able to see the original client IP though you have enabled "x-forwarded for" option under the HTTP preproc...