Created on 07-13-2018 08:36 AM Edited on 10-10-2023 01:11 AM By Stephen_G
Description
This article describes the cases in which it is useful to see the 'X-Forwarded-For' and 'True-Client-IP' values in IPS logs on FortiOS 5.6.
Scope
FortiGate 5.6+.
Solution
FortiGates running FortiOS 5.6 with IPS engine 3.2x or later can record the 'X-Forwarded-For' and 'True-Client-IP' values in IPS logs.
A common scenario where this is useful is a FortiGate placed behind an existing third-party proxy, where the action must be enforced on the client address carried in the 'X-Forwarded-For' header rather than on the actual source IP of the packet, which is the address of the third-party proxy.
For example, when a data center FortiGate is deployed in Transparent or Sniffer mode for IPS (Reference link on how to configure this option) and the traffic is proxied from a delivery network, the logs (sent to FortiAnalyzer or syslog) still show the original client IPs in the 'forwardedfor' and 'trueclntip' fields. The SOC team can then track the real source addresses, which are the ones potentially responsible for attacks. Note that both values are copied from HTTP headers set by the upstream proxy: they are only as trustworthy as that proxy, and a client that can reach the FortiGate without passing through the proxy can send a forged 'X-Forwarded-For' header of its own.
One log example:
date=2018-03-21 time=14:18:30 logid=0419016123 type=utm subtype=ips eventtype=signature level=alert vd=root severity=info srcip=192.18.62.35 srccountry="Reserved" dstip=10.6.6.1 srcintf="port23" dstintf="port22" policyid=1 sessionid=77088 action=dropped proto=6 service="HTTP" attack="Eicar.Virus.Test.File" srcport=80 dstport=13668 hostname="192.18.62.35" direction=incoming attackid=29844 profile="sensor-1" ref="http://www.fortinet.com/ids/VID29844" incidentserialno=444479349 msg="file_transfer: Eicar.Virus.Test.File," forwardedfor="10.1.100.11" trueclntip="10.1.100.11"
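The following Python script is an added example, not part of the original article or of Fortinet's software. It parses FortiGate key=value log lines such as the one above and attributes each IPS event to the client address in 'trueclntip' or 'forwardedfor' only when the FortiGate's srcip is a known proxy, since those values come from HTTP headers that any client can forge. The trusted proxy address 192.18.62.35, the second and third log lines, and the function names are constructed for this illustration.

```python
import re
from ipaddress import ip_address

# Key=value tokenizer for FortiGate log lines: values are either double-quoted
# (and may contain spaces) or a run of non-space characters.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# ASSUMPTION for this illustration: the delivery network's proxy, whose address
# the FortiGate sees as srcip, is 192.18.62.35. Only headers that arrive from a
# listed proxy are honoured; anything else is treated as attacker-controlled.
TRUSTED_PROXIES = {"192.18.62.35"}

# Constructed sample input. The first line is the article's own example; the
# other two are made up to exercise the untrusted-sender and multi-hop cases.
SAMPLE_LOGS = [
    'date=2018-03-21 time=14:18:30 logid=0419016123 type=utm subtype=ips eventtype=signature level=alert vd=root severity=info srcip=192.18.62.35 srccountry="Reserved" dstip=10.6.6.1 srcintf="port23" dstintf="port22" policyid=1 sessionid=77088 action=dropped proto=6 service="HTTP" attack="Eicar.Virus.Test.File" srcport=80 dstport=13668 hostname="192.18.62.35" direction=incoming attackid=29844 profile="sensor-1" ref="http://www.fortinet.com/ids/VID29844" incidentserialno=444479349 msg="file_transfer: Eicar.Virus.Test.File," forwardedfor="10.1.100.11" trueclntip="10.1.100.11"',
    # Same attack, but sent straight to the FortiGate from 203.0.113.7 with a
    # forged X-Forwarded-For header: the header must not be believed.
    'date=2018-03-21 time=14:19:02 type=utm subtype=ips eventtype=signature level=alert srcip=203.0.113.7 dstip=10.6.6.1 action=dropped proto=6 service="HTTP" attack="Eicar.Virus.Test.File" attackid=29844 forwardedfor="10.1.100.99"',
    # Via the trusted proxy, with a client-supplied X-Forwarded-For entry in
    # front of the one the proxy appended, and no True-Client-IP header.
    'date=2018-03-21 time=14:20:15 type=utm subtype=ips eventtype=signature level=alert srcip=192.18.62.35 dstip=10.6.6.1 action=dropped proto=6 service="HTTP" attack="Eicar.Virus.Test.File" attackid=29844 forwardedfor="198.51.100.5, 10.1.100.11"',
]


def parse_fortigate_log(line):
    """Split one FortiGate key=value log line into a dict, unquoting values."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def client_ip(fields, trusted_proxies):
    """Return (ip, field_used): the address the SOC should attribute the event to."""
    srcip = fields.get("srcip")
    if srcip not in trusted_proxies:
        # Headers from an untrusted sender are attacker-controlled; ignore them.
        return srcip, "srcip"
    # trueclntip is a single value set by the delivery network, so prefer it.
    # forwardedfor may be a comma-separated chain; with exactly one trusted
    # proxy hop, the right-most entry is the one that proxy appended and the
    # only one it vouches for, so take that rather than the left-most.
    for key in ("trueclntip", "forwardedfor"):
        raw = fields.get(key)
        if not raw:
            continue
        candidate = raw.split(",")[-1].strip()
        try:
            ip_address(candidate)
        except ValueError:
            continue  # not an address at all; fall through to the next field
        return candidate, key
    return srcip, "srcip"


def attribute_ips_events(lines, trusted_proxies=TRUSTED_PROXIES):
    """Parse IPS log lines and report the client address behind each attack."""
    report = []
    for line in lines:
        f = parse_fortigate_log(line)
        if f.get("type") != "utm" or f.get("subtype") != "ips":
            continue
        ip, origin = client_ip(f, trusted_proxies)
        report.append({
            "attack": f.get("attack"),
            "srcip": f.get("srcip"),
            "client_ip": ip,
            "attributed_from": origin,
        })
    return report


if __name__ == "__main__":
    for row in attribute_ips_events(SAMPLE_LOGS):
        print(f'{row["attack"]}: srcip={row["srcip"]} client={row["client_ip"]} '
              f'(from {row["attributed_from"]})')
```

The first line resolves to 10.1.100.11 via 'trueclntip', the second stays at 203.0.113.7 because the header did not come from the proxy, and the third resolves to 10.1.100.11 from the proxy-appended end of the 'forwardedfor' chain rather than the client-supplied 198.51.100.5. If more than one proxy hop sits in front of the FortiGate, extend TRUSTED_PROXIES and walk the chain from the right, stopping at the first address that is not a listed proxy.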
For more information, refer to the FortiOS v5.6 Handbook-CLI Reference, which can be found in the Fortinet Documentation Library.
If these logging fields are needed, an upgrade to FortiOS 5.6 is required (5.6 normally ships with IPS engine 3.4).
Copyright 2024 Fortinet, Inc. All Rights Reserved.