vsimoesbh
New Member
June 17, 2018
Question

X-Forwarded-For (Get Client IP)

  • June 17, 2018
  • 1 reply
  • 22175 views

Hello, I am using FortiGateVM on AWS. We are currently using CloudFront to receive traffic, then forwarding it to AWS Elastic Load Balancer and finally to our FortiGate, which routes traffic to our webservers on EC2. The problem is, I am not able to get my clients' IP: all connections that I get logged on FortiGate and FortiAnalyzer are with the ELB local IP address. As far as I could research, the solution for this would be using the header X-Forwarded-For, which CloudFront already forwards to its origin, but I could not find on FortiGate where I set that to happen. Researching on the web, it seems that in FortiOS 5.6 and below it was possible to do this:

config firewall vip
    edit <name_str>
        set http-ip-header {enable | disable}
    next
end

But I could not find that option, or anything like it, on FortiOS 6.

Thank you.

    1 reply

    Markus
    New Member
    June 18, 2018

    Hello, welcome to the Forums. It seems that in FoS 6.0.x this option is only available if you use server load balancing. I couldn't verify, as I don't have FoS 6.x installed. http-ip-header {disable | enable}

    If HTTP multiplexing is enabled, set http-ip-header to enable to add the original client IP address in the X-Forwarded-For HTTP header. This can be useful in an HTTP multiplexing configuration if you want to be able to see the original client IP address in log messages on the destination web server. If this option is disabled, the X-Forwarded-For header will contain the IP address of the FortiGate unit. Disabled by default. If enabled, the http-ip-header-name option appears and you can specify a different header to add the client IP address to. This option appears only if type is server-load-balance, server-type is http or https and http-multiplex is enabled.


    http://help.fortinet.com/cli/fos60hlp/60/index.htm#FortiOS/fortiOS-cli-ref/config/firewall/vip+vip6.htm%3FTocPath%3Dfirewall%7C_____51


    Best,

    Markus
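    The server-load-balance VIP that the quoted reference describes, written out as one complete FortiOS 6.0 CLI fragment. This is an added example, not posted by anyone in the thread and not taken from Fortinet's documentation; the VIP name, interface and all addresses are placeholders.

```text
# Added example: the three conditions the reference lists (type server-load-balance,
# server-type http, http-multiplex enable) must all hold before http-ip-header is shown.
config firewall vip
    edit "web-slb"
        set type server-load-balance
        set extip 203.0.113.10
        set extintf "port1"
        set extport 80
        set server-type http
        set ldb-method round-robin
        set http-multiplex enable
        # Insert the client address the FortiGate itself saw into the header.
        set http-ip-header enable
        # Optional: only appears once http-ip-header is enabled; default is X-Forwarded-For.
        set http-ip-header-name "X-Forwarded-For"
        config realservers
            edit 1
                set ip 10.0.1.21
                set port 80
            next
        end
    next
end
```

    The address written into the header is the source address of the TCP connection reaching the FortiGate, so in the CloudFront > ELB > FortiGate chain from the question that value is still the ELB's address, not the end user's.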

    neonbit
    New Member
    June 18, 2018

    I'm not sure but I have a feeling that the FortiGate can't actually read X-Headers from an upstream web service. It can add them to allow the web servers to see the real IP addresses but as far as it's concerned the connections are all coming from one IP address.


    I know that the FortiWeb is able to read the X-Headers. If the FGT you're using in AWS is just there to protect the web sessions for the web servers, you'd probably be better off swapping it with a FortiWeb instead (or putting a FortiWeb behind the FGT).

    YM_Shin
    New Member
    July 6, 2018

    Dear


    If you are setting up XFF on FortiGate, you should change from flow to proxy inspection mode.


    Thanks