Technical Tip: Preserve client IP in Virtual servers

Description

This article explains what preserve client IP means and how it works.

Scope

FortiGate v6.2+ 7.X+

Note:

 The 'Preserve Client IP' option is only supported for virtual servers of type HTTP or HTTPS.

Solution

In the below screenshot, there is a virtual server and two back-end real servers:

When a client tries to access the Virtual server i.e 10.5.21.53, the traffic will be forwarded either to 172.31.133.94 or 172.31.133.89 (Round robin algorithm method) .

Enable preserve client IP from the web-based manager or enable the http-ip-header option from the CLI to preserve the IP address of the client in the X-Forwarded-For HTTP header.
This can be useful in an HTTP multiplexing configuration if log messages are required on the real servers to the client’s original IP address.

Via CLI:

config firewall VIP

    edit "Virtual server"

        set id 0

        set uuid b17c7658-0b8e-51ea-37a3-db3c7f04ecab

        set comment ''

        set type server-load-balance

        set extip 10.5.21.53

        set extintf "port1"

        set arp-reply enable

        set server-type HTTP

        set nat-source-vip disable

        set gratuitous-arp-interval 0

        set http-ip-header enable   

Below is the sniffer output when 'Preserve Client IP is enabled':