Tags: amazon-web-services, amazon-elb, web-application-firewall

X-Forwarded-Proto not being passed through AWS ALB Sandwich with Palo Alto VM Firewall


We're using Palo Alto's VM Firewalls with an ELB sandwich topology and are unable to get the correct X-Forwarded-Proto to make it all the way back to the web server. HTTPS termination is happening on the external load balancer, then running as HTTP through the rest of the stack. Using a single load balancer we have no issue retrieving the correct X-Forwarded-Proto header whether it's HTTP or HTTPS. However, in the sandwich topology we get HTTP as the X-Forwarded-Proto no matter what.

Our primary reason for needing the header is to redirect all requests to HTTPS, which might be possible on the PAN Firewall, but that has also proven elusive.


Solution

  • This is the expected behavior, and most likely by design -- if ALB passed through X-Forwarded-Proto it could be forged, and they didn't build in any ability to allow exceptions... so it's always overwritten.

    You could instead use a Network Load Balancer internally. Since these run at Layer 4, they don't manipulate headers.

    Or, if the external-facing balancer is an ALB, you can create a rule, there, to redirect all HTTP requests to HTTPS, within the balancer.

    With redirect actions, the load balancer can redirect incoming requests from one URL to another URL. This includes the capability to redirect HTTP requests to HTTPS requests, which allows you to meet your compliance goal of secure browsing, achieve better search ranking and high SSL/TLS score for your site.

    https://aws.amazon.com/about-aws/whats-new/2018/07/elastic-load-balancing-announces-support-for-redirects-and-fixed-responses-for-application-load-balancer/

    One minor "gotcha" about ALB redirects is that you have to explicitly specify the destination port as 443, otherwise the balancer will retain the original port and write a redirect to https://example.com:80/ which of course will not work.
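The following is an added example, not code from the question, the answer, or AWS. It emulates how an ALB redirect action builds the Location URL from its `#{protocol}`, `#{host}`, `#{port}`, `#{path}` and `#{query}` placeholders (the defaults are as documented for ALB redirect actions; the emulation's assumption is that the rendered URL always carries the resolved port, which is what produces the `https://example.com:80/` result described above), flags a redirect config that switches to HTTPS without pinning the port, and builds the boto3-style `create_listener` parameters for an HTTP listener whose default action is the corrected redirect. The load balancer ARN, the sample request and the example.com host are constructed for the example; nothing here calls AWS.

```python
"""Emulate ALB redirect-action rendering to show the port 443 gotcha."""

# Placeholder defaults of an ALB redirect action (per ALB listener docs).
# Anything left unset keeps the value from the incoming request.
ALB_REDIRECT_DEFAULTS = {
    "Protocol": "#{protocol}",
    "Host": "#{host}",
    "Port": "#{port}",
    "Path": "/#{path}",   # #{path} is the request path without its leading '/'
    "Query": "#{query}",
}

# Constructed sample request: plain HTTP hitting the external ALB on port 80.
SAMPLE_REQUEST = {
    "protocol": "http",
    "host": "example.com",
    "port": 80,
    "path": "/app/login",
    "query": "next=%2F",
}

# The tempting-but-wrong config: protocol changed, port left at the default #{port}.
BROKEN_REDIRECT = {"Protocol": "HTTPS", "StatusCode": "HTTP_301"}

# The corrected config: destination port pinned to 443.
FIXED_REDIRECT = {"Protocol": "HTTPS", "Port": "443", "StatusCode": "HTTP_301"}


def render_redirect(redirect_config: dict, request: dict) -> str:
    """Return the Location URL an ALB would emit for this redirect config.

    Emulation assumption: the resolved port is always written into the URL,
    which is why a default #{port} on an HTTP request yields https://host:80/.
    """
    cfg = {**ALB_REDIRECT_DEFAULTS, **redirect_config}
    substitutions = {
        "#{protocol}": request["protocol"],
        "#{host}": request["host"],
        "#{port}": str(request["port"]),
        "#{path}": request["path"].lstrip("/"),
        "#{query}": request["query"],
    }

    def expand(value: str) -> str:
        for placeholder, actual in substitutions.items():
            value = value.replace(placeholder, actual)
        return value

    protocol = expand(cfg["Protocol"]).lower()
    host = expand(cfg["Host"])
    port = expand(cfg["Port"])
    path = expand(cfg["Path"])
    query = expand(cfg["Query"])
    url = f"{protocol}://{host}:{port}{path}"
    return f"{url}?{query}" if query else url


def has_port_gotcha(redirect_config: dict) -> bool:
    """True when the action forces HTTPS but lets the port follow the request."""
    forces_https = redirect_config.get("Protocol", "").upper() == "HTTPS"
    port = redirect_config.get("Port", ALB_REDIRECT_DEFAULTS["Port"])
    return forces_https and port != "443"


def http_to_https_listener_params(load_balancer_arn: str) -> dict:
    """Parameters for elbv2 create_listener: port-80 listener whose default
    action is the corrected HTTPS redirect. Hypothetical ARN; not executed here."""
    return {
        "LoadBalancerArn": load_balancer_arn,
        "Protocol": "HTTP",
        "Port": 80,
        "DefaultActions": [
            {"Type": "redirect", "RedirectConfig": dict(FIXED_REDIRECT)}
        ],
    }


if __name__ == "__main__":
    for label, cfg in (("broken", BROKEN_REDIRECT), ("fixed", FIXED_REDIRECT)):
        print(label, render_redirect(cfg, SAMPLE_REQUEST),
              "(gotcha)" if has_port_gotcha(cfg) else "")
    print(http_to_https_listener_params(
        "arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/app/external/abc123"))
```

Run it and the broken config renders `https://example.com:80/app/login?next=%2F`, which is exactly the dead redirect the answer warns about, while the fixed config renders the same URL on `:443`. The `http_to_https_listener_params` dict is the shape you would hand to `boto3.client("elbv2").create_listener(**params)` once you have the real ARN.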