Suricata block X-Forwarded-For IPs
According to the Suricata docs (http://suricata.readthedocs.io/en/suricata-4.0.0/), the eve-log and and unified2-alert output plugins support overwriting the source or destination IP (depending on flow direction) with the IP address obtained from the X-Forwarded-For HTTP header. It is enabled by adding the necessary xff params to the output plugin configurations. This is useful when Suricata is inspecting traffic for a Web server behind a reverse proxy, especially when you want to offload SSL at the reverse proxy so Suricata can inspect the decrypted traffic. The xff functionality in Suricata avoids having to use a more complicated transparent reverse proxy in order to inspect SSL traffic.
For alerts, can Suricata be configured to block IPs in pfSense obtained from the X-Forwarded-For header?
No, Suricata on pfSense can't do that (block the X-Forwarded-For address).