Troubleshooting Tip: Behavior of explicit proxy for adding X headers (e.g. header-x-forwarded-for and header-x-authenticated-user) when the website is part of 'ssl-exempt' category of the 'ssl-ssh-profile'
| Description | This article describes how the HTTP X headers such as header-x-forwarded-for and header-x-authenticated-user will not get added if the website matches the 'ssl-exempt' of the SSL deep inspection profile assigned to the matching policy. |
| Scope | FortiGate - with explicit proxy configuration. |
| Solution | When FortiGate is configured as an explicit proxy, it can add headers such as header-x-forwarded-for and header-x-authenticated-user to HTTP traffic. To do so, the ssl-ssh-profile needs to be configured for deep inspection, so the policy matching the HTTP traffic should have both a 'webproxy-profile' (configured to add the X-headers) and an ssl-ssh-profile (configured in deep inspection mode). |

It is important to make sure that the target websites for adding the X-headers are not part of ssl-exempt: in that case, even if the SSL inspection profile is configured for deep inspection, websites matching the ssl-exempt address/category will be skipped and the headers will not be added.

For example:

```
config firewall ssl-ssh-profile
    edit "ssl-deepinspection"
end
config web-proxy profile
```

The policy for matching HTTP traffic:

```
config firewall proxy-policy
    set ssl-ssh-profile "ssl-deepinspection"
```

In the example above, for any website that matches category 31 (Finance and Banking), the FortiGate (WAD process) will not add the X-Forwarded-For header.

To verify whether the website matches the exemption, 'Log SSL exemption' can be enabled in the SSL deep inspection profile. Additionally, WAD debug can indicate the match:

```
diagnose wad filter clear
```

Example of WAD debug output:

```
wad_url_choose_cate :2125 cate=31 (ftgd) url-cates=[31,]; url=[ # 196,31,],ip=[ # 0,]; conf sslexempt_rating '':[87,33,31,]
```
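As an added example (not code from the article or from Fortinet), the following Python reads wad_url_choose_cate lines from a WAD debug capture and reports whether the rated category is in the configured sslexempt_rating list, which is exactly the condition under which the X-headers will not be added. The debug lines are constructed: the first mirrors the article's output, the second assumes a non-exempt category (52) with the same exempt list.

```python
import re

# Constructed sample in the shape of the wad_url_choose_cate debug line shown in
# this article: line 1 mirrors the article (category 31 is in sslexempt_rating);
# line 2 is a made-up non-exempt rating (category 52) with the same exempt list.
SAMPLE_WAD_DEBUG = """\
wad_url_choose_cate :2125 cate=31 (ftgd) url-cates=[31,]; url=[ # 196,31,],ip=[ # 0,]; conf sslexempt_rating '':[87,33,31,]
wad_url_choose_cate :2125 cate=52 (ftgd) url-cates=[52,]; url=[ # 196,52,],ip=[ # 0,]; conf sslexempt_rating '':[87,33,31,]
"""

_CATE_RE = re.compile(r"\bcate=(\d+)")
_URL_CATES_RE = re.compile(r"url-cates=\[([\d,]*)\]")
_EXEMPT_RE = re.compile(r"sslexempt_rating '[^']*':\[([\d,]*)\]")

def _int_list(text):
    # Lists in the debug output carry a trailing comma, e.g. "[87,33,31,]".
    return [int(x) for x in text.split(",") if x.strip()]

def parse_wad_choose_cate(line):
    """Rated category, URL categories and configured ssl-exempt categories from
    one wad_url_choose_cate line; None for any other line."""
    cate, exempt = _CATE_RE.search(line), _EXEMPT_RE.search(line)
    if "wad_url_choose_cate" not in line or not cate or not exempt:
        return None
    url_cates = _URL_CATES_RE.search(line)
    return {
        "cate": int(cate.group(1)),
        "url_cates": _int_list(url_cates.group(1)) if url_cates else [],
        "sslexempt_rating": _int_list(exempt.group(1)),
    }

def xheaders_expected(line):
    """True when the rated category is not ssl-exempt (deep inspection runs, so
    the web-proxy profile can add X-headers); False when it is exempt; None if
    the line is not a wad_url_choose_cate line."""
    parsed = parse_wad_choose_cate(line)
    if parsed is None:
        return None
    return parsed["cate"] not in parsed["sslexempt_rating"]

def scan_wad_debug(text):
    """(category, exempt) for every wad_url_choose_cate line in a debug capture;
    exempt=True marks requests where the X-headers will be missing."""
    results = []
    for line in text.splitlines():
        parsed = parse_wad_choose_cate(line)
        if parsed is not None:
            results.append((parsed["cate"], parsed["cate"] in parsed["sslexempt_rating"]))
    return results
```

Feed it the output of a real WAD debug session to list which requests were skipped by ssl-exempt before looking for the missing header on the web server side.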
