pradeepb
Staff
Article Id 191938

Description

 

This article describes how to add the x-forwarded-for header to all HTTP traffic handled by an explicit proxy policy.

 

Scope

 

FortiGate.


Solution

 

When FortiGate is configured as an explicit proxy, it is possible to add the x-forwarded-for header to all HTTP traffic accepted by the proxy policy.
To do this, create an explicit web proxy profile that adds the x-forwarded-for header.

 

Note: Since FortiOS 7.4.4, units with 2GB of RAM or less will no longer support proxy features. The option 'config web-proxy profile' will no longer be available to configure.

Create a web proxy profile from the CLI:

 

config web-proxy profile
    edit <name>
        set header-x-forwarded-for add     <- This command will add the x-forwarded-for header.
    next
end

 

Use the following commands to apply the above web proxy profile to a running explicit proxy policy:

 

config firewall proxy-policy
    edit <id>
        set webproxy-profile <name>
    next
end

 

NOTE: The x-forwarded-for header is a standard header for identifying the original IP address of a client connecting to the FortiGate proxy.

This header can be useful when FortiGate is placed below an existing proxy (a third-party proxy) and that proxy unit needs to enforce actions based on the IP address kept in the 'X-Forwarded-For' header instead of the actual source IP address, which is the address of the FortiGate.
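
The paragraph above has the upstream proxy act on the header instead of the source IP address. As an added example (not part of the original article and not Fortinet code), this Python function shows how such an upstream component can honour the header only on connections that arrive from the FortiGate, reading the list from the right so that entries a client sent itself are not used. The FortiGate address 192.0.2.10 and all sample header values are constructed assumptions.

```python
import ipaddress

# Assumption (constructed value): address of the FortiGate explicit proxy
# as seen by the upstream proxy.
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.10/32")]


def _is_trusted(addr, trusted):
    # Membership is False when the address and network differ in IP version.
    return any(addr in net for net in trusted)


def effective_client_ip(peer_ip, xff_values, trusted=TRUSTED_PROXIES):
    """Return the address that policy should be applied to.

    peer_ip    -- source IP of the TCP connection to the upstream proxy
    xff_values -- list of X-Forwarded-For values, one per header line
    """
    peer = ipaddress.ip_address(peer_ip)
    # A connection that does not come from the FortiGate gets no credit
    # for whatever header it carries.
    if not _is_trusted(peer, trusted):
        return str(peer)
    # Several header lines are equivalent to one comma-separated list.
    hops = [h.strip() for v in xff_values for h in v.split(",") if h.strip()]
    candidate = peer
    # Walk from the entry added last (rightmost) towards the client.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last address that parsed
        candidate = addr
        if not _is_trusted(addr, trusted):
            break  # first hop that is not a known proxy is the client
    return str(candidate)


if __name__ == "__main__":
    # Constructed sample requests: (peer address, header lines)
    samples = [
        ("192.0.2.10", ["10.1.1.25"]),
        ("192.0.2.10", ["203.0.113.99, 10.1.1.25"]),
        ("198.51.100.7", ["10.1.1.25"]),
    ]
    for peer, xff in samples:
        print(peer, xff, "->", effective_client_ip(peer, xff))
```
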

Any FortiGate running FortiOS v5.6 or above with a 3.2x IPS engine is able to process the 'X-Forwarded-For' IPs into the IPS logs.
