wasfi
New Member
September 8, 2020
Solved

Can a Fortigate with version 5.4 or 5.2 insert an XFF Header

  • September 8, 2020
  • 1 reply
  • 7007 views

Hi;

Can a FortiGate Firewall running version 5.2.x or 5.4.x insert an XFF header?

If yes, how exactly can this be done?

Does it apply to the following models, or will it apply regardless of the model?

1500D, 600C, 1000C, 300D, 2000E

Kindly

Wasfi

Best answer by localhost

Hi Wasfi

Yes, this is possible. The KB article Yurisk posted already contains all the information you need. But it can be configured in the CLI only.

The firewall policy must be in proxy mode (6.2) otherwise it won't work.

This example adds the x-forwarded-for value to all outgoing HTTP URLs. You can also limit it to specific URLs in the webfilter urlfilter setting.

config web-proxy profile
    edit "1"
        set header-x-forwarded-for add
    next
end

config webfilter urlfilter
    edit 1
        set name "add-header"
        config entries
            edit 1
                set url "*"
                set type wildcard
                set action monitor
                set web-proxy-profile "1"
            next
        end
    next
end

config webfilter profile
    edit "add-header-webprofile"
        config web
            set urlfilter-table 1
        end
        config ftgd-wf
            set rate-image-urls disable
        end
    next
end

config firewall policy
    edit 20
        set srcintf "INTERN-LAB"
        set dstintf "EXTERN"
        set srcaddr "TEMP_10.1.1.1"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set inspection-mode proxy
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "add-header-webprofile"
        set logtraffic all
        set nat enable
    next
end

EDIT: Ah... just noted you want to do this in 5.2 or 5.4. No idea... looks like these CLI commands don't exist yet.
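An added example (not from this thread or from Fortinet) showing how the web server behind this setup should consume the header: the FortiGate's NAT address (assumed here to be 203.0.113.10) is the only trusted proxy, and X-Forwarded-For is read from the right, so a value the client placed in the header itself is ignored. It assumes the FortiGate appends its entry after any the client already sent, as proxies conventionally do; the 10.1.1.1 client matches the TEMP_10.1.1.1 address object in the policy above.

```python
import ipaddress
from typing import Optional

# Constructed scenario matching the thread: clients on 10.1.1.0/24 reach the
# Internet through a FortiGate that source-NATs them to 203.0.113.10 (assumed
# address) and inserts X-Forwarded-For carrying the pre-NAT client IP.
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.10/32")]


def is_trusted(addr: str) -> bool:
    """True if addr is a proxy whose X-Forwarded-For entries we trust."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr: str, xff_header: Optional[str]) -> str:
    """Return the real client address for one request.

    peer_addr is the TCP peer the server accepted the connection from and
    xff_header the raw X-Forwarded-For value (None if absent). Entries are
    read right to left: a trusted proxy appends its own entry after anything
    the client sent, so the rightmost untrusted address is the client and
    everything left of it is unverified and ignored.
    """
    if not is_trusted(peer_addr) or not xff_header:
        return peer_addr  # direct connection or no header: nothing to trust
    hops = [h.strip() for h in xff_header.split(",")]
    for hop in reversed(hops):
        if hop and not is_trusted(hop):
            return hop
    return peer_addr  # every entry was one of our proxies


# Constructed requests: (TCP peer, X-Forwarded-For, expected client). The
# second one carries a client-forged 1.2.3.4 ahead of the FortiGate's entry.
SAMPLES = [
    ("203.0.113.10", "10.1.1.1", "10.1.1.1"),
    ("203.0.113.10", "1.2.3.4, 10.1.1.1", "10.1.1.1"),
    ("198.51.100.7", "1.2.3.4", "198.51.100.7"),
]

if __name__ == "__main__":
    for peer, xff, want in SAMPLES:
        got = client_ip(peer, xff)
        print(f"peer={peer} xff={xff!r} -> client={got} ({'ok' if got == want else 'MISMATCH'})")
```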

1 reply

Yurisk
SuperUser
September 8, 2020

Hi, according to the Fortinet documentation it can: 

https://kb.fortinet.com/kb/documentLink.do?externalID=FD44109

wasfi (Author)
New Member
September 8, 2020

Hi Yuri

The FortiGate Firewall will not be load balancing. It is just acting as an Internet gateway doing source IP NAT. Furthermore, it will not be handling HTTPS but rather HTTP only, thus no need for loading the certificate on the FortiGate.

I need the FortiGate Firewall to insert the XFF header in the header of HTTP requests as it does NAT of the source IP address. No VIPs needed and no SSL offload. Can this be done?

Kindly

Wasfi
