leej, Staff
Article Id 360058
Description This article describes how to learn Client-IP from the X-Forwarded-For header and apply learned Client-IP to proxy policy.
Scope FortiGate.
Solution

When an Application Gateway (AGW) sits behind FortiGate and sends traffic to FortiGate, every source IP arriving from the AGW has already been translated to the AGW's external IP. This makes it impossible for FortiGate to identify the user's real IP.
In this case, the AGW adds an X-Forwarded-For (XFF) header containing the client-IP and then sends the traffic to FortiGate.

In order for FortiGate to learn the client-IP from this header and apply it in firewall policy, FortiGate needs additional configuration.

  1. Diagram.
    1. All traffic coming from AGW is translated to 20.249.24.75.
    2. AGW adds an XFF header including the client-IP and sends traffic to two FortiGates, UTM1 and UTM2.
    3. The FortiGates learn the client-IP from XFF and make a decision based on the learned client-IP.
    4. If the client-IP is allowed, the FortiGates do SNAT with P2's IP and forward the traffic to INT NLB, which is 10.0.0.71.
    5. INT NLB load balances to WEB 1 and WEB 2.

Diagram.jpg

  1. Configure web-proxy to learn the client-IP from XFF.

    2.web-proxy_config.jpg


  2. Configure a firewall policy that redirects all HTTP traffic to proxy policy.

    3.Firewall_Policy.jpg


  3. Proxy policies check the newly learned client-IP and make a decision based on it.

    1. 'policy_id 3' allows all pre-defined srcaddr to be forwarded to 'INT NLB'.

    2. 'policy_id 1' denies all pre-defined srcaddr from being forwarded to 'INT NLB'.

    3. 'policy_id 2' allows all srcaddr except the pre-defined srcaddr to be forwarded to 'INT NLB'.

    4. webfilter-profile 'X-Forwarded-For' allows all.

    5. webfilter-profile 'X-Forwarded-Deny' denies all.


4.Proxy_Policy.jpg


  4. Check the logs to confirm that the FortiGates learn the client-IP and make a decision on it.

    5.Web-Filter_log.jpg
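The three configuration steps above, written out as FortiOS CLI. This is an added example and not the configuration shown in the article's screenshots; the interface names (port1 toward the AGW, port2 toward INT NLB), the address-object names other than those on the page, the 198.51.100.0/24 and 203.0.113.0/24 client ranges and the 'no-inspection' SSL profile are assumptions. The learn-client-ip-srcaddr setting is the part that matters for trust: the XFF header is only honoured on connections whose real source is the AGW address, so a host that reaches the FortiGate directly and sends its own X-Forwarded-For cannot choose the address the proxy policies evaluate.

```fortios
# Address objects. 20.249.24.75 and 10.0.0.71 are from the diagram;
# the two client ranges are constructed for this example.
config firewall address
    edit "AGW"
        set subnet 20.249.24.75 255.255.255.255
    next
    edit "INT NLB"
        set subnet 10.0.0.71 255.255.255.255
    next
    edit "allowed-clients"
        set subnet 198.51.100.0 255.255.255.0
    next
    edit "denied-clients"
        set subnet 203.0.113.0 255.255.255.0
    next
end

# Step 1: learn the client-IP from X-Forwarded-For, but only on sessions
# that actually arrive from the AGW address.
config web-proxy global
    set learn-client-ip enable
    set learn-client-ip-from-header x-forwarded-for
    set learn-client-ip-srcaddr "AGW"
end

# Step 2: firewall policy that hands HTTP traffic from the AGW to the
# proxy policies. http-policy-redirect requires proxy inspection mode.
config firewall policy
    edit 1
        set name "http-to-proxy"
        set srcintf "port1"          # assumption: AGW-facing interface
        set dstintf "port2"          # assumption: P2, facing INT NLB
        set srcaddr "AGW"
        set dstaddr "INT NLB"
        set action accept
        set schedule "always"
        set service "HTTP"
        set inspection-mode proxy
        set http-policy-redirect enable
        set nat enable               # SNAT with P2's IP, as in the diagram
    next
end

# Step 3: proxy policies evaluated against the learned client-IP.
# Matching is by policy order, not by ID, so the two specific policies
# are created before the catch-all.
config firewall proxy-policy
    edit 3
        set proxy transparent-web
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "allowed-clients"
        set dstaddr "INT NLB"
        set service "webproxy"
        set action accept
        set schedule "always"
        set logtraffic all
        set utm-status enable
        set ssl-ssh-profile "no-inspection"
        set webfilter-profile "X-Forwarded-For"
    next
    edit 1
        set proxy transparent-web
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "denied-clients"
        set dstaddr "INT NLB"
        set service "webproxy"
        set action deny
        set schedule "always"
        set logtraffic all           # denied sessions are logged for step 4
    next
    edit 2
        set proxy transparent-web
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "INT NLB"
        set service "webproxy"
        set action accept
        set schedule "always"
        set logtraffic all
        set utm-status enable
        set ssl-ssh-profile "no-inspection"
        set webfilter-profile "X-Forwarded-For"
    next
end
```

With logtraffic set to all on every proxy policy, the forward-traffic and web-filter logs checked in step 4 will show the learned client-IP as the source rather than 20.249.24.75, which is the quickest way to confirm that the XFF value is actually being applied.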
