CAM uses the X-Forwarded-For header in the Session consistency check (where it checks that each request on an existing session continues to come from the same location).
Due to the ease of use of the XFF header in man-in-the-middle attacks it is not reliable or automatically trusted and only the client IP address is passed on to the SAE for risk analysis. CAM doesn't use this header value in the Security Analytics Engine when calculating risk - the SAE is only passed the value of the client IP address to evaluate risk.
It is our recommendation that customers set the client IP address as the original source IP address in the Load Balancer and do not replace it with the Load Balancer's IP address. This is more reliable and secure than trusting the value of the XFF header since this header could already exist when the request arrives at the Load balancer.
The Load Balancer should be a Layer 4 device and that its configuration may need to be updated to preserve the original client IP address rather than using its own.