Skip to main content
rohitkc007
rohitkc007
Visitor III
October 15, 2024
Solved

FortiGate isn't logging the original visitor IP

  • October 15, 2024
  • 1 reply
  • 2440 views

Dear Team, My firmware version is 7.4.4. We are routing our webservers behind through cloudflare proxy. Here what are we getting in logs are the cloudflare proxy Ip address ranges. Pls guide me how to configure the fortigate to get the Original ip of the source traffic or how to Include the original visitor IP in fortigate logs.

 

I have already done as per the process defined - https://docs.fortinet.com/document/fortiproxy/7.4.4/administration-guide/764110/logging-client-ip-for-forward-traffic-and-https-transaction

 

FGT (global) # sh full-configuration

config web-proxy global

set ssl-cert "Fortinet_Factory"

set ssl-ca-cert "Fortinet_CA_SSL"

set fast-policy-match enable

set ldap-user-cache disable

set proxy-fqdn "default.fqdn"

set max-request-length 8

set max-message-length 32

set strict-web-check disable

set forward-proxy-auth disable

set forward-server-affinity-timeout 30

set max-waf-body-cache-length 32

set webproxy-profile "default"

set learn-client-ip enable

set always-learn-client-ip disable

set learn-client-ip-from-header true-client-ip x-real-ip x-forwarded-for (I have tried all of these single also, now its multiple)

set learn-client-ip-srcaddr "all"

set policy-category-deep-inspect enable

set log-policy-pending disable

set log-forward-server disable

set log-app-id disable

set proxy-transparent-cert-inspection disable end

 

Pls help

Thanks

Rohit

Best answer by johnathan

Just wanna confirm, it goes from Cloudflare Reverse Proxy, then to the FortiGate, then the Web Servers?
If this is the case, Cloudflare would have to be the one attaching those headers to the client's HTTP request. 
The FortiGate would have no visibility of the client's IP if it is hitting Cloudflare first. 
Once the client's IP is in the headers, you can use 'set learn-client-ip-from-header' to log the true IP of the user. 

1 reply

johnathan
Staff
johnathanAnswer
Staff
October 15, 2024

Just wanna confirm, it goes from Cloudflare Reverse Proxy, then to the FortiGate, then the Web Servers?
If this is the case, Cloudflare would have to be the one attaching those headers to the client's HTTP request. 
The FortiGate would have no visibility of the client's IP if it is hitting Cloudflare first. 
Once the client's IP is in the headers, you can use 'set learn-client-ip-from-header' to log the true IP of the user. 

Never trust a computer you can't throw out a window.
    rohitkc007
    rohitkc007Author
    Visitor III
    October 17, 2024

    Hi, Thanks for the reply.

    You got it correct. Traffic flow is from client to cloudflare proxy, then fortigate and then Web servers.

    Cloudflare support is saying to set up to read the CF-Connecting-IP header. This header, added by Cloudflare, contains the original client's IP, bypassing the proxy’s IP.

    Is there any option to do this ?

    Anyways i understand what you said. I will try to configure the said headers from cloudflare proxy directly at webservers.

     

    Thanks for support.

     

    johnathan
    Staff
    johnathan
    Staff
    October 17, 2024

    Looks like if you configure a Web Filter for the policy from Cloudflare to the Webserver, you can log all of the HTTP headers with 'web-extended-all-action-log’ enabled. See: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-view-log-actual-client-IP-on-FortiGate-when/ta-p/216084

    Never trust a computer you can't throw out a window.
    Terms & ConditionsAccessibility statement