Azure Application Gateway (AGW) may reuse a session when sending requests to the same destination server. In the current implementation, when learn-client-ip is enabled, WAD (the FortiGate proxy daemon) learns the client IP from the X-Forwarded-For (XFF) header only once per session, on the first request, so the client IP is not learned for subsequent requests on that session.
Policy matching likewise happens only once in the learn-client-ip case: the policy matched for the first request is reused for every later request in the same session.
As a result, when FortiGate allowed the first request, the subsequent requests that AGW sent through the same session were also allowed, even though FortiGate should have blocked that traffic.
In the logs below, traffic from the same XFF client to the same website is denied first and then allowed:

  date="2025-06-27" time="07:58:00" id=7520643556709498907 bid=16590248 dvid=1046 itime=1751036280 euid=3 epid=1189 dsteuid=3 dstepid=101 logver=704062726 type="utm" subtype="webfilter" level="warning" action="blocked" sessionid=223429630 policyid=1 srcip="10.10.10.1"
  dstip="10.20.20.1" srcport=41384 dstport=443 proto=6 logid="0315012544" service="HTTPS" eventtime=1751036279897880257 urlfilteridx=14
  sentbyte=1406 rcvdbyte=141 craction=8 crscore=30 crlevel="high" srcintfrole="wan" dstintfrole="lan" direction="outgoing" reqtype="referral"
  url="https://test.com/favicon.ico" urlfilterlist="Auto-webfilter-urlfilter_jtig6rdqm" hostname="test.com"
  profile="WEB_XFFPROFILE-Deny" agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KH" eventtype="urlfilter"
  srcintf="port1" dstintf="port2" referralurl="https://test.com/Able/Guide.pdf"
  forwardedfor="10.10.20.1" urlsource="Local URLfilter Block" msg="URL was blocked because it is in the URL filter list"
  rawdata="[REQ] X-Forwarded-For=10.10.20.1" tz="-0700"
  srcuuid="210a8fd4-5038-51f0-e78c-c2ddc8cff6d3" dstuuid="d052f3c0-f499-51ed-556d-a63eaee3ffc9" policytype="proxy-policy"
  srccountry="Reserved" dstcountry="Reserved" poluuid="cd5ae080-362b-51f0-bdb2-0bfd67aa026d" httpmethod="GET" devid="FGT"
  vd="root" devname="FGT"

  date="2025-06-27" time="07:58:29" id=7520643681263550601 bid=16590260 dvid=1046 itime=1751036309 euid=3 epid=1189 dsteuid=3 dstepid=101 logver=704062726 type="utm" subtype="webfilter" level="notice" action="passthrough" sessionid=223430825 policyid=2 srcip="10.10.10.1"
  dstip="10.20.20.1" srcport=46950 dstport=443 proto=6 cat=255 logid="0319013317" service="HTTPS" eventtime=1751036309761240557
  sentbyte=2758 rcvdbyte=1738 srcintfrole="wan" dstintfrole="lan" direction="outgoing" ratemethod="ip" reqtype="direct"
  url="https://test.com/Able/Guide.pdf" hostname="test.com"
  profile="Clone of PROFILE" agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KH" eventtype="urlmonitor"
  srcintf="port1" dstintf="port2" forwardedfor="10.10.20.1"
  msg="URL has been visited" rawdata="[REQ] X-Forwarded-For=10.10.20.1" tz="-0700" srcuuid="dcf7310a-bd7f-51ed-814c-50b03b8e3e7f"
  dstuuid="741e605a-362b-51f0-681a-56b4cb991eba" policytype="proxy-policy" srccountry="Reserved" dstcountry="Reserved"
  poluuid="bcbd6ed6-362c-51f0-51b2-89d68470bc88" httpmethod="GET" devid="FGT" vd="root" devname="FGT"
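To spot this symptom in exported logs, the following added example (not Fortinet's code, and not part of the original page) parses FortiGate key=value log lines and flags any XFF client/hostname pair that was blocked and then passed through shortly afterwards. The function names and the abridged sample lines (constructed from the two entries above) are the example's own.

```python
import re
from collections import defaultdict

# FortiOS key=value pairs: values are either "quoted" (may contain spaces) or bare tokens.
_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_fortilog(line):
    """Parse one FortiGate log line into a dict of string fields (quotes stripped)."""
    return {k: (v[1:-1] if v.startswith('"') else v) for k, v, _ in _KV.findall(line)}


def find_policy_flips(lines, window_s=300):
    """Return (client, host) pairs whose webfilter verdict flipped from blocked to
    passthrough within window_s seconds. The client is the XFF address when present,
    otherwise srcip, since behind AGW srcip is the gateway, not the real client."""
    by_client = defaultdict(list)
    for line in lines:
        rec = parse_fortilog(line)
        if rec.get("subtype") != "webfilter":
            continue
        key = (rec.get("forwardedfor", rec.get("srcip")), rec.get("hostname"))
        by_client[key].append(rec)
    findings = []
    for (client, host), recs in by_client.items():
        recs.sort(key=lambda r: int(r["itime"]))          # epoch seconds, oldest first
        for earlier, later in zip(recs, recs[1:]):
            gap = int(later["itime"]) - int(earlier["itime"])
            if earlier["action"] == "blocked" and later["action"] == "passthrough" and gap <= window_s:
                findings.append({"client": client, "host": host, "gap_s": gap,
                                 "blocked_by": earlier["policyid"],
                                 "allowed_by": later["policyid"]})
    return findings


# Constructed sample input: the two page entries above, abridged to the relevant fields.
SAMPLE_LOGS = [
    'date="2025-06-27" time="07:58:00" itime=1751036280 type="utm" subtype="webfilter" '
    'action="blocked" sessionid=223429630 policyid=1 srcip="10.10.10.1" dstip="10.20.20.1" '
    'url="https://test.com/favicon.ico" hostname="test.com" forwardedfor="10.10.20.1"',
    'date="2025-06-27" time="07:58:29" itime=1751036309 type="utm" subtype="webfilter" '
    'action="passthrough" sessionid=223430825 policyid=2 srcip="10.10.10.1" dstip="10.20.20.1" '
    'url="https://test.com/Able/Guide.pdf" hostname="test.com" forwardedfor="10.10.20.1"',
]

if __name__ == "__main__":
    for f in find_policy_flips(SAMPLE_LOGS):
        print(f)
```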
The following option has to be enabled so that the client IP is learned and the policy is re-matched for every request:

  FortiGate-VM64 (global) (Interim)# show
  config web-proxy global
      set proxy-fqdn "default.fqdn"
      set learn-client-ip enable
      set always-learn-client-ip enable   <----
      set learn-client-ip-from-header x-forwarded-for
      set learn-client-ip-srcaddr "all"
  end

The always-learn-client-ip option only appears when learn-client-ip is enabled; its default is disable.