Cybersecurity Forum


KhalYous
New Contributor

Reflection of Client IP on FortiWeb WAF

I have a FortiWeb WAF in my environment that routes traffic to my apps, but my app only sees the IP of the WAF. How can I set up the WAF so that my apps can see the clients' IPs?

Thank you.
8 REPLIES
Rafael_LEHMANI_FTNT

Hi Khalid,

You need to enable "Client Real IP" on your Server Policy.
Rafael LEHMANI
Ferry_k

Hi Khalid,

If your WAF is not inline, or return path routing doesn't go through FortiWeb, you could also forward the client IP-address per X-Forwarded-For header.
Most applications can use XFF-header for policy or logging purposes.

Regards,
Ferry

Ferry
Sr. Director Consulting Systems Engineering
KhalYous

Hi Ferry,

I have tried this but it didn't work, but I will try it again; maybe I missed something.

Thank you.
KhalYous

Hi Rafael,

Thank you for your response. Does the policy exist on the WAF or on the server itself?
Rafael_LEHMANI_FTNT

Server Policy is on the FWB configuration (Reverse Proxy Mode). Backend servers must point their DFGW to the FWB. Can you share your network diagram?

------------------------------
Best Regards
Rafael LEHMANI
CSE INTL
------------------------------
Rafael LEHMANI
KhalYous

Hi Rafael,

Please see the attached network diagram; it's a simple client-server kind of setup but with a WAF in between.

I just need the WAF to be able to pass the user IP to the Load Balancer, instead of the WAF IP.

Thank you.
Rafael_LEHMANI_FTNT

Ok Khalid.
As I said previously, you just need to enable "Client Real IP" on the Server Policy.
Did you try it?
BR

Rafael



------------------------------
Best Regards
Rafael LEHMANI
CSE INTL
------------------------------
Rafael LEHMANI
Rafael_LEHMANI_FTNT

In case you also need to track source IPs from the webapp, you do need to add an XFF policy on FWB and on LB that tracks AND adds source IP/Proxy IP.
Can you share FWB and LB configs?

------------------------------
Best Regards
Rafael LEHMANI
CSE INTL
------------------------------
Rafael LEHMANI
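
For the application side of the X-Forwarded-For approach discussed in this thread, the following added example (not from any poster or from Fortinet) resolves the client IP while honouring the header only when the connection arrives from a known proxy. The proxy addresses are constructed, and it assumes each proxy appends the address it received the connection from.

```python
import ipaddress

# Constructed addresses: the WAF and load balancer this app is willing to trust.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.0.0.10/32", "10.0.0.20/32")]


def _parse(value):
    """Return an ip_address for one XFF element, or None if it is not an IP."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def _trusted(ip):
    """True if ip belongs to one of the proxies we operate."""
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr, xff_header):
    """Resolve the client IP for logging or policy.

    peer_addr  -- source address of the TCP connection as seen by the app
    xff_header -- raw X-Forwarded-For value, or None if absent
    """
    current = ipaddress.ip_address(peer_addr)
    # A connection from an untrusted peer: ignore any XFF it supplied.
    if not _trusted(current) or not xff_header:
        return str(current)
    # Walk right to left: each trusted proxy vouches only for the entry
    # immediately to its left. Stop at the first address that is not ours.
    for element in reversed(xff_header.split(",")):
        hop = _parse(element)
        if hop is None:
            break  # malformed entry: keep the last address we verified
        current = hop
        if not _trusted(current):
            break
    return str(current)
```

Entries to the left of the first untrusted address are client-supplied and are never used, so a forged header cannot change the logged IP.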