dairu
New Member
February 11, 2023
Question

Fortiweb X-Forwarded-For not Showing Original IP of visitor from Web Server

We are deploying FortiWeb in between our FortiGate and web server, in one-arm reverse proxy mode. Our webserver needs to capture the original IP of web visitors, but the webserver could only see the IP of the FortiWeb. I have already enabled the X-Forwarded-For options on the FortiWeb.

From the packet capture of FortiWeb, we could see that the X-Forwarded-For IP is seen in the extracted packet logs. However, the original IP is also not appearing as the source in the "Attack Logs", though I am not sure if this has any effect.

And from the backend programming of the webserver, we have tried all the methods to capture headers like REMOTE_ADDR, HTTP_X_FORWARDED_FOR, HTTP_X_REAL_IP, etc. Still it is showing the IP of FortiWeb only.

 

For example:

8.8.4.4 (sample public IP of web visitor) -> [10.10.10.5 (Fortigate WAN) -> 10.0.2.5 (Fortigate LAN) ] -> 10.0.2.6 (Fortiweb) -> 10.0.2.7 (webserver)

 

With the above, our web server is working but should be able to log 8.8.4.4 as the original IP of the visitor. But it could only see the IP of FortiWeb, 10.0.2.6, as the value of x-forwarded-for or remote-addr.

Hopefully someone could have an insight into this. Our webserver does really need to log the original IP of the visitor.

3 replies

Anthony_E
Staff
February 14, 2023

Hello dairu,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Best Regards
Anthony_E
Staff
February 17, 2023

Hello dairu,

 

We are still looking for someone to help you.

We will come back to you ASAP.


Thanks,

Best Regards
kmak
Staff
February 17, 2023

Hello Dairu,

 

Hope you are doing fine. In regards to the "X-Forwarded-For" header, if you are able to capture the header in the pcap, then it would be a correct setup in FortiWeb.

The next thing will be for the webserver to capture the "X-Forwarded-For" header value and log it as the client's IP. There are examples for webservers like IIS and Apache that you can probably check out. Hope it'll help.

 

- IIS

https://cwiki.apache.org/confluence/display/CLOUDSTACK/Log+the+IP+of+the+client+in+Apache+using+the+CloudStack+LoadBalancer

- Apache

https://cwiki.apache.org/confluence/display/CLOUDSTACK/Log+the+IP+of+the+client+in+Apache+using+the+CloudStack+LoadBalancer

 

Thanks
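
The backend side of the step described in the reply above, as an added example that is not part of the original post: it picks the address to log from the CGI-style variables named in the question, and accepts X-Forwarded-For only when the TCP peer is the FortiWeb. The function names, the trust list and the sample requests are constructed for illustration, and it assumes the proxy appends the address it saw to any X-Forwarded-For value the client sent.

```python
import ipaddress

# Assumption: 10.0.2.6 (the FortiWeb in the thread's topology) is the only
# host allowed to vouch for a client address.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.2.6/32")]


def _is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(environ):
    """Return the visitor address to log, given CGI/WSGI-style variables."""
    peer = ipaddress.ip_address(environ["REMOTE_ADDR"])
    if not _is_trusted(peer):
        # Not from the proxy: any X-Forwarded-For here is client-supplied.
        return str(peer)
    raw = environ.get("HTTP_X_FORWARDED_FOR", "")
    hops = [h.strip() for h in raw.split(",") if h.strip()]
    # Walk right to left: the rightmost entry was added by the nearest proxy,
    # entries further left may have been sent by the client itself.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: stop and fall back to the TCP peer
        if not _is_trusted(addr):
            return str(addr)
    return str(peer)


# Constructed sample requests based on the addresses in the question.
SAMPLES = {
    "via_proxy": {"REMOTE_ADDR": "10.0.2.6", "HTTP_X_FORWARDED_FOR": "8.8.4.4"},
    "header_missing": {"REMOTE_ADDR": "10.0.2.6"},
    "client_prefixed": {"REMOTE_ADDR": "10.0.2.6",
                        "HTTP_X_FORWARDED_FOR": "1.2.3.4, 8.8.4.4"},
    "direct_spoof": {"REMOTE_ADDR": "10.0.2.50",
                     "HTTP_X_FORWARDED_FOR": "8.8.4.4"},
}

if __name__ == "__main__":
    for name, env in SAMPLES.items():
        print(f"{name:16} -> {client_ip(env)}")
```

When the header is absent the function returns the proxy address, so a log full of 10.0.2.6 entries points at the header not reaching the backend rather than at the logging code.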

dairu
Author
New Member
February 19, 2023

Hi kmak,

 

The two links you forwarded are similar; they were for Apache. Do you have one for IIS?

There was progress: X-Forwarded-For is appearing on HTTP, but not on HTTPS. Even the FortiWeb's attack log is showing the original IP on HTTP but the internal IP on HTTPS. As it only happens on HTTPS, I did check if there is anything wrong with the SSL/certs, but it is correctly configured. Do you have insight on this?
kmak
Staff
February 20, 2023

Hi Dairu,

 

Sorry for pasting the duplicate link. Here's the link for IIS.

 

https://techcommunity.microsoft.com/t5/iis-support-blog/how-to-use-x-forwarded-for-header-to-log-actual-client-ip/ba-p/873115

 

HTTPS packets would be encrypted, so you might not be able to see the web packet contents in the pcap; they need to be decrypted in order to view the content header.

 

Thanks