Description | This article describes the steps to enable an X-Forwarded-For header for an L7 HTTP virtual server. |
Scope |
FortiADC in a virtual server.
The FortiADC Virtual Server operates in Layer 7.
It is available for the FortiADC Virtual Server Application Profile types HTTP, HTTPS, and Explicit HTTP. |
Solution |
1) Go to Application Resources under the Server Load Balance tab. Create a new profile for the L7 HTTP type or clone from an existing L7 HTTP Profile type.
2) Enable the option X-Forwarded-For in the Application Profile. The X-Forwarded-For Header box appears once the X-Forwarded-For option is enabled. Leave it empty to use the default header name X-Forwarded-For, or specify the header name if the real server needs to read a different X-Forwarded-For header name.
4) To verify that the X-Forwarded-For header is working, capture the web traffic with Wireshark. The header line in the HTTP GET request should match the configured X-Forwarded-For header.
5) Because the L7 HTTP load balancer operates in reverse proxy mode, web servers behind it do not log the source IP addresses of clients. Instead, they log each web request as coming from the load balancer (FortiADC) IP address.
Enabling the X-Forwarded-For option only adds the header to the web request. The web servers must also be reconfigured to log the client's source IP address by reading the 'X-Forwarded-For' header.
Example guides for configuring common web servers to log X-Forwarded-For IP addresses:
- IIS
- Apache
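To illustrate step 5, the following is an added example (not Fortinet's code or part of the original article) of how a real server or log pipeline can choose the address to record, honoring the header only when the connection comes from the load balancer. The FortiADC address `10.0.0.10`, the function names, and all sample requests are constructed assumptions.

```python
import ipaddress

# Assumption: FortiADC's address as seen by the real servers (constructed value).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.10/32")]


def is_trusted(ip):
    """True if ip belongs to a load balancer we accept the header from."""
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr, xff_value):
    """Return the address to log for one request.

    peer_addr: source IP of the TCP connection as seen by the web server.
    xff_value: raw value of the X-Forwarded-For header (or of the custom
               header name set in the Application Profile), None if absent.
    """
    peer = ipaddress.ip_address(peer_addr)
    # Honor the header only on connections that came from the load balancer.
    if not is_trusted(peer) or not xff_value:
        return str(peer)
    # Read right to left: the last entry was written by the nearest proxy,
    # anything further left may have been supplied by the client itself.
    for token in reversed(xff_value.split(",")):
        try:
            hop = ipaddress.ip_address(token.strip())
        except ValueError:
            return str(peer)  # malformed entry: fall back to the peer address
        if not is_trusted(hop):
            return str(hop)
    return str(peer)


# Constructed sample requests: (TCP peer, header value).
SAMPLES = [
    ("10.0.0.10", "203.0.113.7"),             # normal request via FortiADC
    ("10.0.0.10", "192.0.2.1, 203.0.113.7"),  # client sent its own header first
    ("198.51.100.9", "203.0.113.7"),          # did not pass through FortiADC
    ("10.0.0.10", None),                      # header option not enabled
]

if __name__ == "__main__":
    for peer, xff in SAMPLES:
        print(f"peer={peer:<13} header={xff!r:<28} logged={client_ip(peer, xff)}")
```

The same rule applies when configuring IIS or Apache logging: accept the header value only for connections whose source is the FortiADC address.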
Related documentation: https://docs.fortinet.com/document/fortiadc/7.0.2/handbook/559628/configuring-application-profiles |
Copyright 2024 Fortinet, Inc. All Rights Reserved.