Richie086
New Member
May 10, 2021
Solved

Forwarding external IP address information through our Fortigate firewall to HAProxy


We need the ability to see the external IP address of clients that are browsing sites that we are hosting behind the Fortigate firewall. Here is a brief overview of our setup:

[image not available]

What we need to be able to do is see the actual external IP address (1.2.3.4) of customers that are browsing web sites that we are hosting internally.

As of right now, when a customer is browsing a site that is internet facing and we view the logs on our load balancer, all external traffic looks like it is coming from the Fortigate firewall (10.50.1.1). Here is an example log output from our HAProxy load balancer:

Mar 10 00:04:03 haproxy2 haproxy[2166293]: 10.50.1.1:62232 [10/Mar/2021:00:04:03.640] localhost~ titu_cluster/titu11 0/0/0/2/3 200 64577 - - ---- 28/28/3/63/0 0/0 "GET /images/base_models/18865.jpg HTTP/1.1"
Mar 10 00:04:03 haproxy2 haproxy[2166293]: 10.50.1.1:62235 [10/Mar/2021:00:04:03.639] localhost~ titu_cluster/titu12 0/0/1/2/5 200 95530 - - ---- 28/28/2/47/0 0/0 "GET /images/base_models/18867.jpg HTTP/1.1"

Is there some way to forward the traffic from the Fortigate firewall to our load balancer (10.6.9.53) so we capture the external IP address?

Here is an example of what we would like to be able to see on our end:

Mar 10 00:04:03 haproxy2 haproxy[2166293]: 1.2.3.4:62232 [10/Mar/2021:00:04:03.640] localhost~ titu_cluster/titu11 0/0/0/2/3 200 64577 - - ---- 28/28/3/63/0 0/0 "GET /images/base_models/18865.jpg HTTP/1.1"
Mar 10 00:04:03 haproxy2 haproxy[2166293]: 1.2.3.4:62235 [10/Mar/2021:00:04:03.639] localhost~ titu_cluster/titu12 0/0/1/2/5 200 95530 - - ---- 28/28/2/47/0 0/0 "GET /images/base_models/18867.jpg HTTP/1.1"
Mar 10 00:04:03 haproxy2 haproxy[2166293]: 1.2.3.4:62234 [10/Mar/2021:00:04:03.640] localhost~ titu_cluster/titu13 0/0/1/4/6 200 73454 - - ---- 28/28/3/105/0 0/0 "GET /images/base_models/18869.jpg HTTP/1.1"

We have configured our load balancer to forward the external IP address of visitors to our website, but we are still seeing 10.50.1.1 as the source IP in the logs on the load balancer.

Thanks!

Best answer by Yurisk (SuperUser, May 13, 2021)

The image was not uploaded correctly.

Guessing you are using a VIP to allow access to the server; consider enabling X-Forwarded-For on the Fortigate. HAProxy can use it for the real IP addresses of the clients:

https://kb.fortinet.com/kb/documentLink.do?externalID=FD44109
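The check a practitioner wants behind this answer, as an added example that is not code from the thread, from Fortinet or from HAProxy: X-Forwarded-For is an ordinary request header that any client can send, so HAProxy must only believe it on connections whose TCP peer is the Fortigate, and must read the hop the firewall added (the rightmost one) rather than whatever a client put at the front. The Python below resolves the client address under that rule and rewrites one of the post's log lines into what the asker wants to see. The trusted-proxy address 10.50.1.1 is the firewall address from the post; the request samples and every X-Forwarded-For value are constructed for the example.

```python
"""
Which address is the real client when a NATing firewall sits in front of HAProxy?

Added example; not code from the original thread, from Fortinet or from HAProxy.
Assumed: the Fortigate's inside address 10.50.1.1 (from the post) is the ONLY
proxy allowed to vouch for a client address. All request samples are constructed.
"""
import ipaddress
import re
from typing import Optional

# X-Forwarded-For is just a request header: any client can send one. It is only
# evidence of the real source when the TCP peer is a proxy we control and that
# proxy appended the address it saw.
TRUSTED_PROXIES = {ipaddress.ip_address("10.50.1.1")}  # assumed: Fortigate inside interface


def parse_xff(header: Optional[str]) -> list:
    """Split X-Forwarded-For into hops, leftmost (oldest) first.
    None marks a token that is not an IP address."""
    hops = []
    for token in (header or "").split(","):
        token = token.strip()
        if not token:
            continue
        try:
            hops.append(ipaddress.ip_address(token))
        except ValueError:
            hops.append(None)
    return hops


def real_client_ip(peer_ip: str, xff: Optional[str], trusted=TRUSTED_PROXIES) -> str:
    """Return the address to log for this request.

    Walk the chain from the right (the hop added last, i.e. by the proxy closest
    to us) leftwards, skipping our own proxies. The first hop that is not one of
    our proxies is the client. If the TCP peer is not a trusted proxy, the header
    is ignored entirely: whoever connected wrote it.
    """
    peer = ipaddress.ip_address(peer_ip)
    if peer not in trusted:
        return str(peer)
    for hop in reversed(parse_xff(xff)):
        if hop is None:
            return str(peer)          # malformed nearest hop: do not guess
        if hop not in trusted:
            return str(hop)
    return str(peer)                  # no usable hop: XFF not enabled upstream yet


# HAProxy's default HTTP log format starts the request record with client:port.
LOG_CLIENT = re.compile(
    r"^(?P<prefix>.*haproxy\[\d+\]: )(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+) "
)


def log_line_with_client(line: str, xff: Optional[str]) -> str:
    """Rewrite the client field of an HAProxy log line to the resolved client;
    lines that do not match the format are returned untouched."""
    m = LOG_CLIENT.match(line)
    if not m:
        return line
    client = real_client_ip(m.group("ip"), xff)
    return f"{m.group('prefix')}{client}:{m.group('port')} {line[m.end():]}"


# Log line quoted from the post; the X-Forwarded-For values below are constructed.
SAMPLE_LOG_LINE = (
    'Mar 10 00:04:03 haproxy2 haproxy[2166293]: 10.50.1.1:62232 '
    '[10/Mar/2021:00:04:03.640] localhost~ titu_cluster/titu11 0/0/0/2/3 200 64577 '
    '- - ---- 28/28/3/63/0 0/0 "GET /images/base_models/18865.jpg HTTP/1.1"'
)

SAMPLES = [
    # (TCP peer HAProxy sees, X-Forwarded-For header that arrived)
    ("10.50.1.1", "1.2.3.4"),                # firewall NATs and adds XFF: log 1.2.3.4
    ("10.50.1.1", "203.0.113.9, 1.2.3.4"),   # client forged a hop, firewall appended the real one
    ("10.50.1.1", None),                     # XFF not enabled on the firewall: nothing better than 10.50.1.1
    ("10.0.0.77", "1.2.3.4"),                # direct internal connection with a forged header: ignored
    ("10.50.1.1", "1.2.3.4, junk"),          # nearest hop unparsable: fall back to the peer
]

if __name__ == "__main__":
    for peer, xff in SAMPLES:
        print(f"peer={peer:<10} xff={xff!r:<25} -> client={real_client_ip(peer, xff)}")
    print(log_line_with_client(SAMPLE_LOG_LINE, "1.2.3.4"))
```

In HAProxy itself the same rule is a frontend line of the form `http-request set-src hdr(x-forwarded-for) if { src 10.50.1.1 }` (the `set-src` action and `src` ACL are from the HAProxy documentation; the address is the firewall's from the post). The `if { src 10.50.1.1 }` guard is the part that matters: without it, anything that can reach the load balancer directly can write whatever it likes into the logs. `hdr()` returns the last comma-separated value by default, which is the rightmost-hop rule the script applies.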

 


Markus
New Member
May 11, 2021
Disable NAT on the incoming firewall policy...
emnoc
New Member
May 11, 2021

Yeah, it would help to see your diag and the policy, but something tells me you have egress interface NAT going on. So for traffic hitting the WAN, the original src IP is NAT'd to the egress interface after the route lookup.

 

diag debug flow will show this and the policy, FWIW.

 

Ken Felix

 
