wasfi
New Member
May 6, 2021
Question

How does a Fortigate firewall behave when inserting an XFF header into encrypted content

  • May 6, 2021
  • 1 reply
  • 3382 views

Hi;

I have a Fortigate firewall that is setup to "preserve client IP" at a virtual server defined on it.

This virtual server load balances traffic destined to two explicit forward proxies on port 8080. 

When the explicit proxy traffic is HTTP, XFF is inserted and the load balancing and proxy connection to the server work perfectly. However, when the explicit proxy traffic is HTTPS, the connection to the server does not work.

My question is, if the Fortigate fails to insert XFF into the HTTPS encrypted stream, does it drop the connection as a result?

Kindly

Wasfi

    1 reply

    emnoc
    New Member
    May 6, 2021

    Run "diag debug flow" when doing HTTPS and HTTP and monitor. That will tell you everything about whether it drops the sessions.

    Since this is an explicit proxy I'm not sure how you're inserting the XFF header, but if the tunnel is built to an HTTPS proxy, I do see how you're inserting the XFF if the fortigate is not MiTM.

    Do you have "config firewall ssl-server" set up etc., or are you doing something else? Basically, what is your firewall VIP setup?

    Ken Felix

    wasfi (Author)
    New Member
    May 6, 2021

    Thank you for your reply, Emnoc. I don't have config firewall ssl-server.

    My virtual server is very basic. It is doing round-robin load balancing with source IP hash persistence. However, since it does source IP NATing, the original client IP is not seen by the proxies, thus the need for XFF.

    You are right, it is listening on port 8080 for explicit proxy traffic, and as you know, whether the traffic is HTTP or HTTPS, since the browser is set explicitly, the original datagram is always encapsulated in an HTTP datagram destined to port 8080.

    Now, when the encapsulated datagram is HTTP, the Fortigate passes it through after inserting the XFF. Also, when the encapsulating datagram is a mere "CONNECT" method, XFF is inserted without any issues.

    The issue arises when the encapsulated datagram is a TLS one, like a "client hello": then the Fortigate drops the datagram despite the encapsulating HTTP datagram. My aim is to have the Fortigate set up in a way to pass it through untouched if it cannot insert the XFF.

    Kindly

    Wasfi
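As an added illustration of the three cases wasfi describes (not Fortinet code, nor the posters' configuration): a load balancer in front of an explicit proxy can only add X-Forwarded-For while the bytes it sees are HTTP text, that is, an absolute-URI request or the CONNECT request itself; once the browser starts speaking TLS inside the tunnel, the ClientHello is opaque and the only non-MITM options are to drop it or pass it through untouched. The client address and sample messages are constructed.

```python
"""Added example: which bytes on an explicit-proxy (port 8080) stream can carry
an X-Forwarded-For header.  Constructed samples; not Fortinet code."""

CLIENT_IP = "10.0.0.25"  # constructed address that source NAT would otherwise hide

def classify(data: bytes) -> str:
    """Return 'http', 'connect', 'tls' or 'unknown' for the start of a stream."""
    # A TLS record begins with content type 0x16 (handshake) and major version 0x03.
    if len(data) >= 2 and data[0] == 0x16 and data[1] == 0x03:
        return "tls"
    request_line = data.split(b"\r\n", 1)[0]
    if request_line.startswith(b"CONNECT "):
        return "connect"
    parts = request_line.split(b" ")
    if len(parts) == 3 and parts[2].startswith(b"HTTP/"):
        return "http"  # plaintext request with an absolute URI, e.g. GET http://...
    return "unknown"

def insert_xff(data: bytes, client_ip: str) -> bytes:
    """Add X-Forwarded-For to an HTTP request head, appending to an existing
    header rather than duplicating it.  Raises for anything that is not HTTP text."""
    kind = classify(data)
    if kind not in ("http", "connect"):
        raise ValueError(f"cannot insert XFF into a {kind} payload")
    head, sep, body = data.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    for i, line in enumerate(lines[1:], start=1):
        if line.lower().startswith(b"x-forwarded-for:"):
            lines[i] = line + b", " + client_ip.encode()
            break
    else:
        lines.append(b"X-Forwarded-For: " + client_ip.encode())
    return b"\r\n".join(lines) + sep + body

def forward(data: bytes, client_ip: str = CLIENT_IP) -> tuple[str, bytes]:
    """Insert XFF where the payload is HTTP text; otherwise pass the bytes through
    untouched, which is what the poster wants for the encapsulated TLS ClientHello."""
    kind = classify(data)
    if kind in ("http", "connect"):
        return kind, insert_xff(data, client_ip)
    return kind, data

# Constructed samples: a plain request through the proxy, a CONNECT to a TLS
# origin, and the first bytes of the TLS ClientHello the browser sends next.
SAMPLES = {
    "plain": b"GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\n\r\n",
    "connect": b"CONNECT example.com:443 HTTP/1.1\r\nHost: example.com:443\r\n\r\n",
    "hello": b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03",
}
```

Calling `forward()` on each entry of `SAMPLES` shows XFF added to the first two and the ClientHello returned byte-for-byte, which is the pass-through behaviour to compare against what "diag debug flow" reports for the dropped session.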