Ted
Staff
July 23, 2025

Technical Tip: How to Detect Originating IP Address within XFF Header Using Proxy Address

Description

This article describes how to use a Proxy Address object to detect an IP address carried in the X-Forwarded-For header of an HTTP request. Proxy Address provides several address types; this article covers the HTTP Header address type.

Scope

FortiProxy.

Solution

Create a proxy address object that matches the desired IP address within the X-Forwarded-For header, then reference it as the source address in an explicit web proxy policy.


config firewall proxy-address
    edit "xff-addr1"
        set type header
        set host "all"
        set header-name "X-Forwarded-For"
        set header "10.0.1.250"
    next
end


config firewall policy
    edit 3
        set type explicit-web
        set name "explicit-policy"
        set dstintf "port2"
        set srcaddr "xff-addr1"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "webproxy"
        set explicit-web-proxy "web-proxy"
        set logtraffic all
        set logtraffic-start enable
        set log-http-transaction enable
        set ssl-ssh-profile "custom-deep-inspection"
    next
end


When a client initiates a connection to 'www.google.com' by sending an HTTP request whose X-Forwarded-For header contains the matching address, FortiProxy processes the session based on the action specified in the explicit web proxy policy.

[Image: xff.png]


Forward Traffic event:

date=2025-07-22 time=23:49:26 eventtime=1753253365578883205 tz="-0700" logid="0000000010" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.0.1.11 srcport=55186 srcintf="port1" srcintfrole="undefined" dstcountry="United States" srccountry="Reserved" dstip=142.251.42.132 dstport=443 dstintf="port2" dstintfrole="undefined" sessionid=92 service="HTTPS" proxyapptype="web-proxy" proto=6 action="accept" policyid=3 policytype="proxy-policy" poluuid="f34dedc0-3a02-51f0-eba9-4829401f8ffe" policyname="explicit-policy" trandisp="snat" transip=10.200.2.249 transport=49740 clientip=10.0.1.11 duration=646 wanin=24438 rcvdbyte=24438 wanout=712 lanin=987 sentbyte=987 lanout=23303 appcat="unscanned"


In the case of multiple addresses in the X-Forwarded-For header, the header regex pattern can be constructed as follows:

  • To match a specific IP address:

"\b10\.0\.1\.250\b"

  • To match either IP address regardless of order:

"\b(?:10\.0\.1\.250|192\.168\.0\.250)\b"

  • To match any IPv4 address:

"^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(?:, (?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))*$"
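As an added example (not code from this article or from FortiProxy), the Python snippet below evaluates the three patterns above against constructed X-Forwarded-For values, so the effect of `\b` and of the anchored list pattern can be checked before the object is deployed. It assumes the CLI's `\\.` in the third pattern denotes a literal `\.` in the effective regular expression.

```python
import re

# Effective regular expressions for the article's three patterns.
# Assumption: the CLI's double-quoted "\\." yields a literal "\." once the
# string is parsed, so the any-IPv4 pattern below uses a single backslash.
OCTET = r"(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"
IPV4 = rf"(?:{OCTET}\.){{3}}{OCTET}"

PATTERNS = {
    # "\b10\.0\.1\.250\b": the address anywhere in the value, as a whole token
    "specific": re.compile(r"\b10\.0\.1\.250\b"),
    # "\b(?:10\.0\.1\.250|192\.168\.0\.250)\b": either address, any position
    "either": re.compile(r"\b(?:10\.0\.1\.250|192\.168\.0\.250)\b"),
    # Anchored: the whole value must be one IPv4 or a ", "-separated list
    "any_ipv4_list": re.compile(rf"^{IPV4}(?:, {IPV4})*$"),
}


def evaluate(xff_value: str) -> dict:
    """Return {pattern name: bool} for one X-Forwarded-For header value."""
    return {name: rx.search(xff_value) is not None for name, rx in PATTERNS.items()}


# Constructed sample values (not taken from the article or from real traffic)
SAMPLES = [
    "10.0.1.250",                  # the single address the object targets
    "192.168.0.1, 10.0.1.250",     # target appended after an upstream proxy hop
    "192.168.0.250, 172.16.5.9",   # only the alternate address from "either"
    "110.0.1.250",                 # \b keeps this from matching 10.0.1.250
    "10.0.1.2501",                 # trailing digit: not a whole-token match
    "unknown, 10.0.1.11",          # a non-address entry fails the anchored list
    "10.0.1.11,192.168.0.1",       # comma without a space fails the ", " separator
    "256.1.1.1",                   # octet out of range
]

if __name__ == "__main__":
    for value in SAMPLES:
        flags = evaluate(value)
        print(f"{value!r:32} " + "  ".join(f"{k}={v}" for k, v in flags.items()))
```

Note that the anchored any-IPv4 pattern rejects a value that uses a comma without a following space or that contains a non-address entry such as "unknown", so a header written by an upstream proxy in either form will not match the object.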