Sachin_Alex_Cherian_
Article Id 216084

 

Description

This article describes how to view the actual client IP details in the FortiGate logs when the FortiGate receives traffic from a proxy device connected to its LAN segment.

Scope

FortiGate v6.0.0 or higher.

FortiGate is handling pass-through traffic; FortiGate is not acting as the proxy.

Solution

Network layout:

Users-----Proxy server-----FortiGate-----Internet

When extended logging is enabled, the following HTTP header information can be added to the rawdata field of UTM logs:

  • Method.
  • X-Forwarded-For.
  • Request-Content-Type | Response-Content-Type.
  • Referer.
  • User-Agent.

 

Note that the UTM log shows the X-Forwarded-For data only if the proxy server includes this header in the GET request. Extended logging in the web filter profile is what makes FortiGate view and log the X-Forwarded-For field from the GET request.

The following settings need to be applied in the corresponding web filter profile:

config webfilter profile
    edit <profile-name>
        set log-all-url enable
        set extended-log enable
        set web-extended-all-action-log enable
    next
end

Apply this web filter profile in the flow-mode firewall policy. The policy must reference the profile (utm-status and webfilter-profile); otherwise the profile's logging settings have no effect on the traffic:

config firewall policy
    edit <id>
        set inspection-mode flow
        set utm-status enable
        set webfilter-profile <profile-name>
        set logtraffic all
        set logtraffic-start disable
    next
end

The above settings ensure that all traffic, both allowed (passthrough) and blocked, is logged.

When the 'extended-log' option is enabled in a UTM profile, all HTTP header information is logged for denied traffic.

When the 'web-extended-all-action-log' option is also enabled in the web filter profile, the HTTP header information is logged for allowed traffic as well.

If the traffic is HTTPS, deep inspection (SSL decryption) must be enabled on the firewall so that the traffic can be decrypted and the HTTP header information logged.

Verification:

The web filter logs now record the actual client IP in the forwardedfor field, and the X-Forwarded-For header also appears in rawdata, while srcip remains the address of the proxy server:

date=2022-06-24 time=11:16:22 eventtime=1656054982230315333 tz="+0400" logid="0318012801" type="utm" subtype="webfilter" eventtype="ftgd_err" level="warning" vd="root" policyid=1 sessionid=51415 srcip=172.16.1.1 srcport=16717 srcintf="port10" srcintfrole="undefined" dstip=63.137.229.1 dstport=80 dstintf="port1" dstintfrole="undefined" proto=6 service="HTTP" hostname="support.fortinet.com" forwardedfor="10.1.15.1" profile="mon-all-prxy" action="passthrough" reqtype="direct" url="http://support.fortinet.com/" sentbyte=377 rcvdbyte=0 direction="outgoing" msg="A rating error occurs" error="invalid license" rawdata=" Method=GET|X-Forwarded-For= 10.1.15.1|User-Agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0"
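Records like the one above can be processed mechanically when correlating web filter events back to individual users. The following Python script is an added example and is not part of the Fortinet article or of FortiOS: it parses FortiGate key=value log lines, takes the client address from forwardedfor (falling back to the X-Forwarded-For entry inside rawdata), and reports srcip as the proxy. The sample log lines and the proxy address 172.16.1.1 in TRUSTED_PROXIES are constructed to match the topology above. It goes beyond the article's single record by handling a proxy that omitted the header and a comma-separated chain of addresses, and it honours the header only when srcip is one of the proxies you operate, because the header is text supplied by the sender of the request.

```python
import ipaddress
import re

# Constructed sample lines in FortiGate webfilter log format (not captured from a real device).
# The first mirrors the record in the article; the second shows a proxy that omitted the header;
# the third shows a proxy chain in X-Forwarded-For.
SAMPLE_LOGS = [
    'date=2022-06-24 time=11:16:22 type="utm" subtype="webfilter" policyid=1 srcip=172.16.1.1 '
    'srcport=16717 dstip=63.137.229.1 dstport=80 hostname="support.fortinet.com" '
    'forwardedfor="10.1.15.1" action="passthrough" url="http://support.fortinet.com/" '
    'rawdata=" Method=GET|X-Forwarded-For= 10.1.15.1|User-Agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:72.0) Gecko/20100101 Firefox/72.0"',
    'date=2022-06-24 time=11:17:05 type="utm" subtype="webfilter" policyid=1 srcip=172.16.1.1 '
    'srcport=16720 dstip=203.0.113.10 dstport=80 hostname="example.com" action="blocked" '
    'url="http://example.com/" rawdata=" Method=GET|User-Agent=curl/7.68.0"',
    'date=2022-06-24 time=11:18:40 type="utm" subtype="webfilter" policyid=1 srcip=172.16.1.1 '
    'srcport=16731 dstip=63.137.229.1 dstport=80 hostname="support.fortinet.com" '
    'forwardedfor="10.1.15.7, 10.1.15.1" action="passthrough" '
    'rawdata=" Method=GET|X-Forwarded-For= 10.1.15.7, 10.1.15.1"',
]

# Address of the LAN proxy in this topology (constructed; it is the srcip in the sample records).
TRUSTED_PROXIES = {"172.16.1.1"}

# key=value pairs; the value is either a double-quoted string or a run of non-space characters.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_log(line):
    """Parse one FortiGate key=value log line into a dict, stripping the quotes around quoted values."""
    fields = {}
    for key, value in _KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def parse_rawdata(rawdata):
    """Split the extended-log rawdata value ('Method=GET|X-Forwarded-For= 10.1.15.1|...') into a dict."""
    headers = {}
    for part in rawdata.split("|"):
        name, sep, value = part.partition("=")
        if sep:
            headers[name.strip()] = value.strip()
    return headers


def resolve_client(fields, trusted_proxies=TRUSTED_PROXIES):
    """Return (client_ip, proxy_ip, source) for one parsed record.

    forwardedfor is preferred; if it is absent, the X-Forwarded-For entry inside rawdata is used.
    The header is honoured only when srcip is one of our own proxies; otherwise srcip itself is
    reported as the client. With a comma-separated chain, the leftmost address is the originating client.
    """
    srcip = fields.get("srcip")
    xff = fields.get("forwardedfor") or parse_rawdata(fields.get("rawdata", "")).get("X-Forwarded-For", "")
    if not xff or srcip not in trusted_proxies:
        return srcip, None, "srcip"
    client = xff.split(",")[0].strip()
    try:
        ipaddress.ip_address(client)
    except ValueError:
        # Malformed header value: report the proxy address rather than unparseable text.
        return srcip, None, "srcip"
    return client, srcip, "x-forwarded-for"


def resolve_all(lines, trusted_proxies=TRUSTED_PROXIES):
    """Resolve every line; return a list of (time, client_ip, proxy_ip, source, hostname, action)."""
    results = []
    for line in lines:
        fields = parse_fortigate_log(line)
        client, proxy, source = resolve_client(fields, trusted_proxies)
        results.append((fields.get("time"), client, proxy, source, fields.get("hostname"), fields.get("action")))
    return results


if __name__ == "__main__":
    for row in resolve_all(SAMPLE_LOGS):
        print("time=%s client=%s via_proxy=%s source=%s host=%s action=%s" % row)
```

For the second sample line the script reports the proxy itself as the client, which is exactly the situation the article warns about: without the proxy inserting X-Forwarded-For, FortiGate has nothing else to log.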