Created on 12-14-2020 12:56 AM
Edited on 03-26-2025 06:51 AM
By Jean-Philippe_P
Description
This article describes how to add the x-forwarded-for header to all HTTP traffic handled by an explicit proxy policy.
Scope
FortiGate.
Solution
When FortiGate is configured as an explicit proxy, it is possible to add the x-forwarded-for header to all HTTP traffic accepted by the proxy policy.
This is done by creating an explicit web proxy profile that adds the x-forwarded-for header.
Note: Since FortiOS v7.4.4 (Proxy-related features no longer supported on FortiGate 2 GB RAM models v7.4.4), units with 2GB of RAM or less will no longer support proxy features. The option 'config web-proxy profile' will no longer be available to configure.
Create a web proxy profile from the CLI. The 'set header-x-forwarded-for add' command adds the x-forwarded-for header:
config web-proxy profile
    edit <name>
        set header-x-forwarded-for add
end
Use the following command to add the above web proxy profile to a running explicit proxy policy:
config firewall proxy-policy
    edit <id>
        set webproxy-profile <name>
end
Note: The x-forwarded-for header is a standard header for identifying the original IP address of a client connecting to the FortiGate proxy. After learning the original client IP from the X-Forwarded-For header, the FortiGate will use this original client IP to match against the explicit proxy policy.
This header can be useful when FortiGate is placed below an existing proxy (3rd party proxy) and that proxy unit needs to enforce actions based on the IP address kept in the 'X-Forwarded-For' header instead of the actual source IP address, which is the address of the FortiGate.
Any FortiGate running FortiOS v5.6 or above with a 3.2x IPS engine can process the 'X-Forwarded-For' IPs into the IPS logs.
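An added example, not part of the original article and not Fortinet code: a Python sketch of how the upstream (3rd party) device in the scenario above could pick the IP to act on, honouring X-Forwarded-For only when the connection arrives from the FortiGate, since any client can send this header itself. The address 192.0.2.10, the sample header values and the function names are assumptions made for illustration.

```python
import ipaddress

# Assumption: address of the FortiGate explicit proxy as seen by the upstream
# device (constructed documentation-range value, not taken from the article).
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.10/32")]


def _is_trusted(addr):
    """True if addr belongs to a proxy allowed to assert X-Forwarded-For."""
    return any(addr in net for net in TRUSTED_PROXIES)


def effective_client_ip(peer_ip, xff_header):
    """Return the IP an upstream policy should act on.

    peer_ip    -- source address of the TCP connection
    xff_header -- raw X-Forwarded-For value, or None if the header is absent
    """
    peer = ipaddress.ip_address(peer_ip)
    # Honour the header only when the connection comes from the FortiGate.
    if not _is_trusted(peer) or not xff_header:
        return str(peer)
    # Walk right to left: the right-most entries were written by the proxies
    # closest to this device. Stop at the first address that is not a trusted
    # proxy; anything further left may have been supplied by the client.
    for token in reversed(xff_header.split(",")):
        try:
            hop = ipaddress.ip_address(token.strip())
        except ValueError:
            return str(peer)  # malformed entry: fall back to the TCP peer
        if not _is_trusted(hop):
            return str(hop)
    return str(peer)  # header listed only trusted proxies


if __name__ == "__main__":
    # Constructed sample requests: (TCP peer, X-Forwarded-For value)
    for peer, xff in [("192.0.2.10", "10.1.1.25"),
                      ("192.0.2.10", "198.51.100.9, 10.1.1.25"),
                      ("203.0.113.7", "10.1.1.25")]:
        print(peer, repr(xff), "->", effective_client_ip(peer, xff))
```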
Related documents:
- Technical Note: X-Forwarded-For and True-Client-IP options for Flow-Based UTM on FortiGate
- Technical Tip: How to add X-forwarded headers to the traffic towards protected Webserver behind Fort...
- Proxy-related features no longer supported on FortiGate 2 GB RAM models
- 2 GB RAM FortiGate models no longer support FortiOS proxy-related features