zhumarlin
New Member
November 30, 2020
Question

Internet - Fortigate (NAT) - Load Balancer = LB Cannot Get Real IP


Hello... I have already read all the posts about the same problem, but

As the title of this post says, we have implemented a load balancer behind the FortiGate.

We used NAT on the FortiGate to translate the public IP to a private IP, and then HTTPS is offloaded on the load balancer.

Because of that topology, we cannot get the real IP/client IP address. It just shows the FW IP.

We cannot disable NAT because our servers use private IPs.

Because of NAT, adding the "x-forwarded-for" header does not work.

We also cannot offload SSL on the FW because that is our load balancer's job.

Is there any solution based on our topology?


    lobstercreed
    New Member
    November 30, 2020

    You should not use NAT on an incoming (from Internet) policy for precisely the reasons you're describing.  The VIP object does the NAT from public IP to private.  Enabling NAT on the policy only affects the source, not the destination.  So you don't want NAT on the incoming policy.  You DO want NAT on the outbound policies.
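The split lobstercreed describes, written out as FortiOS CLI. This is an added example, not configuration from either poster: the VIP object carries the destination NAT (public to private), the inbound policy has source NAT switched off so the load balancer sees the client's real address, and only the outbound policy has NAT enabled. Interface names (wan1, dmz), the documentation-range addresses, and the object names are assumptions.

```fortios
# --- Destination NAT lives on the VIP object, not on the policy ---
config firewall vip
    edit "web-vip"
        set extip 203.0.113.10        # public IP (assumed, documentation range)
        set extintf "wan1"            # Internet-facing interface (assumed name)
        set mappedip "10.0.0.10"      # private IP of the load balancer (assumed)
    next
end

config firewall policy
    # Inbound: Internet -> load balancer.
    # "set nat disable" keeps the original client source IP,
    # so the LB (and any X-Forwarded-For it sets) sees the real client.
    edit 1
        set name "inbound-to-lb"
        set srcintf "wan1"
        set dstintf "dmz"             # interface the LB sits behind (assumed name)
        set srcaddr "all"
        set dstaddr "web-vip"         # the VIP object does the DNAT
        set action accept
        set schedule "always"
        set service "HTTPS"
        set nat disable
    next

    # Outbound: private servers -> Internet.
    # Source NAT is needed here because the servers use private IPs.
    edit 2
        set name "outbound"
        set srcintf "dmz"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

Two things to check after applying this. First, the load balancer and the servers behind it must route return traffic back through the FortiGate (typically a default route pointing at the FortiGate's dmz address); with source NAT off, replies go to the client's public IP, and if they leave by another path the session breaks. Second, you can confirm the change on the FortiGate itself with the built-in sniffer, for example `diagnose sniffer packet dmz 'port 443' 4`, which should now show the client's public address rather than the firewall's interface IP as the source of the inbound packets.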