vibrant
New Member
October 21, 2014
Solved

Retrieve Client IP on web server behind Fortigate 90D, FortiOS v5.2.0,build0589

  • October 21, 2014
  • 3 replies
  • 35309 views

Hi,

Is there a way to get the real client IP behind the Fortigate device, by adding the X-Forwarded-For header? I can see it is possible using FortiWeb, but not using Fortigate in the documentation.


Vinodh

Best answer by Dave_Hall

None of the fgt devices we manage have web servers behind them, so I'm not familiar with any of those load-balancing options -- I was going to just post the same info Ede just posted, but figured I'll include the source material (on load-balancing) in case you need to do more than just enabling that one option... which btw is done via CLI on the VIP itself (not on a VIP group). If you haven't set up anything fancy -- just port-forwarding to a single web server, you might be able to get away with disabling NAT on the firewall policy where you have the VIP set (WAN->web server). Perhaps someone else can chime in here with a better solution.


3 replies

Dave_Hall
New Member
October 21, 2014

See page 22 of the Load Balancing Handbook.


ede_pfau
SuperUser
October 21, 2014

This is a CLI command only option (set on the VIP itself; the full block needs to be closed with next/end):

config firewall vip
   edit <name_str>
      set http-ip-header {enable | disable}
   next
end

vibrant (Author)
New Member
October 21, 2014

Hi,


Thank you guys for replying. Do I need to enable load balancing on a particular Virtual IP group to get this option enabled? When I try to edit the Virtual IP group, I am not getting the option 'http-ip-header'.

ede_pfau wrote:

This is a CLI command only option:

config firewall vip
   edit <name_str>
      set http-ip-header {enable | disable}
   next
end


Vinodh


sarahP
New Member
May 25, 2018

Hello

I am new to FortiGate. I have the same problem with AWS FortiGate 5.6.3 in NAT mode. I put our web servers behind the FortiGate and now the web server just shows the FortiGate IP as the client IP in its log.

Do you have any advice or experience with this?

Thanks

mhe
Explorer II
May 25, 2018

Disable NAT on the Policy WAN -> Webserver

sarahP
New Member
May 25, 2018

Thanks a lot mhe

Is it OK if I disable NAT? I'm afraid it may affect our live service.

And I have a weird problem. I have multiple websites with different domain names behind my FortiGate. Now, even though NAT is enabled on the "WAN->webserver" policy, I enabled X-Forwarded-For in LogFormat in Apache and my web server can still get the client IP for some websites/virtual hosts.

- If the client accesses via Cloudfront --> FortiGate --> Web server: can get the client IP

- If the client accesses the Fortigate directly --> Web server: canNOT get the client IP

- However, one site that is not accessed via Cloudfront can still get the client IP


Do you know why this happens?
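An added example, not code from any participant in this thread, tying together ede_pfau's http-ip-header option and sarahP's Cloudfront --> FortiGate --> web server chain: a small web-application-side function that consults X-Forwarded-For only when the TCP peer is a known proxy (otherwise any client could forge the header), and walks the chain from the nearest hop leftwards. The proxy and client addresses are constructed placeholders, not values from the thread.

```python
import ipaddress

# Constructed placeholder: the FortiGate's inside address as the web server sees it
# when NAT is enabled on the WAN -> web server policy. Not an address from the thread.
TRUSTED_PROXIES = ("10.0.0.1/32",)


def _is_trusted(addr, trusted):
    """True if addr parses as an IP and falls inside one of the trusted CIDR ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in ipaddress.ip_network(net) for net in trusted)


def client_ip(remote_addr, xff_header, trusted=TRUSTED_PROXIES):
    """Return the originating client IP, or None if it cannot be determined.

    remote_addr: the TCP peer (REMOTE_ADDR in Apache).
    xff_header:  the X-Forwarded-For header value, or None if absent.
    trusted:     CIDR strings for proxies whose X-Forwarded-For entries are believed.

    The header is only consulted when the TCP peer is a trusted proxy, because a
    direct client can send any X-Forwarded-For it likes. The chain is then walked
    from the right (nearest hop) to the left, skipping trusted hops; the first
    untrusted address is the client. With NAT disabled on the policy (as suggested
    in the thread) the peer already is the client and the header is not needed.
    """
    if not _is_trusted(remote_addr, trusted):
        return remote_addr  # direct connection or NAT disabled: the peer is the client
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    for hop in reversed(hops):
        if _is_trusted(hop, trusted):
            continue  # another proxy in the chain (e.g. a CDN edge, once listed as trusted)
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed entry: do not log attacker-controlled text as an IP
        return hop
    # Peer is the proxy and no usable entry remains: NAT is on but no header was injected.
    return None
```

Note that without the CDN's edge ranges in the trusted list, a Cloudfront --> FortiGate --> web server request resolves to the CDN edge rather than the end user, which matches the per-site differences described above.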