I'm using a Backend Security Policy attached to a Backend Service (External Application Load Balancer) to restrict access by IP.

Recently, I needed to use the IP address from the X-Forwarded-For header instead of the standard client IP, as requests may come from multiple devices behind the same proxy. To address this, I updated the policy’s User IP request headers configuration to include X-Forwarded-For.

However, when I try to add a rule in Advanced mode using the expression:

origin.user_ip == "some.ip"
I consistently receive the error:

1:1: user_ip is currently not supported.
Does anyone know why this might be happening? Is origin.user_ip not supported for backend service–level policies, even when the documentation indicates it should be when userIpRequestHeaders are configured?

Any insight or suggestions would be greatly appreciated!