FortiGate
vshahrokhkhani
Article Id 355676
Description
This article describes why HTTP X-headers such as header-x-forwarded-for and header-x-authenticated-user are not added to traffic for a website that matches the 'ssl-exempt' list of the SSL deep inspection profile assigned to the matching proxy policy.
Scope
FortiGate configured as an explicit web proxy.
Solution

When FortiGate is configured as an explicit web proxy, the WAD process can insert headers such as X-Forwarded-For and X-Authenticated-User (CLI options header-x-forwarded-for and header-x-authenticated-user) into HTTP requests. For HTTPS traffic the headers can only be inserted once the session is decrypted, so the ssl-ssh-profile must perform deep inspection. The proxy policy matching the traffic therefore needs both a 'webproxy-profile' configured to add the X-headers and an 'ssl-ssh-profile' in deep-inspection mode.

 

It is also important that the target websites are not covered by the profile's ssl-exempt list. Even when the profile is set to deep inspection, any site matching an ssl-exempt address or FortiGuard category is passed through without decryption, so no X-headers are added to it.

 

For example:

 

config firewall ssl-ssh-profile
    edit "ssl-deepinspection"
        config ssl
            set inspect-all deep-inspection
            set unsupported-ssl-version allow
            set untrusted-server-cert block
        end
        config https
        end
        config ssl-exempt
            edit 1
                set fortiguard-category 31
            next
        end
    next
end

config web-proxy profile
    edit "XFF-add"
        set header-x-forwarded-for add
    next
end

 

The policy for matching HTTP traffic:

 

config firewall proxy-policy
    edit 1
        set proxy explicit-web
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "all"
        set service "web"
        set action accept
        set schedule "always"
        set logtraffic all
        set users "localuser"
        set webproxy-profile "XFF-add"
        set ssl-ssh-profile "ssl-deepinspection"
    next
end

 

In the example above, HTTPS requests to any website rated in FortiGuard category 31 (Finance and Banking) are exempted from deep inspection, so the FortiGate (WAD process) does not add the X-Forwarded-For header to them, even though the policy references both the 'XFF-add' profile and the deep-inspection profile.
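The pitfall above can be caught by reading the configuration instead of waiting for a user report. The following Python script is an added example, not Fortinet's code and not part of the article: it parses FortiOS CLI text of the kind shown above into a tree, then, for each proxy-policy whose web-proxy profile adds X-headers, records the SSL/SSH profile's inspection mode and its ssl-exempt entries, and answers whether an HTTPS site in a given FortiGuard category (or matching a given exempt address object) would actually receive the headers. The configuration is a constructed sample modelled on the article's; the address-type exemption "corp-bank-portal", the second proxy-policy, and the treatment of an ssl-exempt entry without an explicit 'type' as fortiguard-category are assumptions.

```python
import shlex

# Header-insertion options of 'config web-proxy profile' that this audit checks
# (the two the article discusses); each takes pass | add | remove.
HEADER_KEYS = ("header-x-forwarded-for", "header-x-authenticated-user")

# Constructed sample modelled on the article's configuration. The address-type
# exemption "corp-bank-portal" and proxy-policy 2 are assumed additions.
SAMPLE_CONFIG = """\
config firewall ssl-ssh-profile
    edit "ssl-deepinspection"
        config ssl
            set inspect-all deep-inspection
        end
        config ssl-exempt
            edit 1
                set fortiguard-category 31
            next
            edit 2
                set type address
                set address "corp-bank-portal"
            next
        end
    next
end
config web-proxy profile
    edit "XFF-add"
        set header-x-forwarded-for add
    next
end
config firewall proxy-policy
    edit 1
        set proxy explicit-web
        set webproxy-profile "XFF-add"
        set ssl-ssh-profile "ssl-deepinspection"
    next
    edit 2
        set proxy explicit-web
        set ssl-ssh-profile "ssl-deepinspection"
    next
end
"""

def parse_fortios(text):
    """Parse FortiOS CLI text into nested dicts: 'config X' and 'edit N' open a
    child dict, 'set k v...' stores k -> [v...], 'next'/'end' close the child."""
    stack = [{}]
    for raw in text.splitlines():
        tokens = shlex.split(raw)
        if not tokens:
            continue
        if tokens[0] in ("config", "edit"):
            child = {}
            stack[-1][" ".join(tokens[1:])] = child
            stack.append(child)
        elif tokens[0] == "set" and len(tokens) > 2:
            stack[-1][tokens[1]] = tokens[2:]
        elif tokens[0] in ("next", "end"):
            stack.pop()
    return stack[0]

def audit(text):
    """Per proxy-policy that adds X-headers: inspection mode and ssl-exempt entries."""
    cfg = parse_fortios(text)
    ssl_profiles = cfg.get("firewall ssl-ssh-profile", {})
    wp_profiles = cfg.get("web-proxy profile", {})
    results = {}
    for pol_id, pol in cfg.get("firewall proxy-policy", {}).items():
        wp = wp_profiles.get(pol.get("webproxy-profile", [""])[0], {})
        headers = [k for k in HEADER_KEYS if wp.get(k, ["pass"])[0] == "add"]
        if not headers:
            continue  # this policy does not add X-headers; nothing to check
        sp_name = pol.get("ssl-ssh-profile", [""])[0]
        sp = ssl_profiles.get(sp_name, {})
        # Only 'inspect-all deep-inspection' under 'config ssl' lets WAD modify HTTPS;
        # disable / certificate-inspection (or a missing profile) count as no deep inspection.
        deep = sp.get("ssl", {}).get("inspect-all", ["disable"])[0] == "deep-inspection"
        cats, addrs = set(), set()
        for entry in sp.get("ssl-exempt", {}).values():
            etype = entry.get("type", ["fortiguard-category"])[0]  # default type assumed
            if etype == "fortiguard-category" and etype in entry:
                cats.add(int(entry[etype][0]))
            elif etype in ("address", "wildcard-fqdn") and etype in entry:
                addrs.add(entry[etype][0])
        results[pol_id] = {"headers": headers, "ssl_profile": sp_name, "deep_inspection": deep,
                           "exempt_categories": cats, "exempt_addresses": addrs}
    return results

def headers_added_for(policy, category=None, address=None):
    """Headers WAD adds to an HTTPS request under this policy for a site rated in
    'category' or matching exempt object 'address'; [] means none are added."""
    if (not policy["deep_inspection"] or category in policy["exempt_categories"]
            or address in policy["exempt_addresses"]):
        return []
    return list(policy["headers"])

if __name__ == "__main__":
    for pid, pol in audit(SAMPLE_CONFIG).items():
        print(f"proxy-policy {pid}: adds {pol['headers']} via {pol['ssl_profile']}, "
              f"exempt categories {sorted(pol['exempt_categories'])}, "
              f"exempt addresses {sorted(pol['exempt_addresses'])}")
        print("  category 31 ->", headers_added_for(pol, category=31))
        print("  category 52 ->", headers_added_for(pol, category=52))
```

Run it against the output of 'show full-configuration' for the three tables; a policy reported with a non-empty exemption set is one where users on those sites will silently lose the X-headers.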

 

To verify whether a website matches the exemption, enable 'Log SSL exemption' in the SSL deep inspection profile (CLI: 'set ssl-exemptions-log enable' in the ssl-ssh-profile); exempted sessions then appear in the SSL logs. Additionally, the WAD debug indicates the match. Restrict the filter to the client's source IP so that the output stays readable:

 

diagnose wad filter clear
diagnose wad filter src <ip address of the client you are sending http/https request from>
diagnose wad debug enable all
diagnose debug enable

Once the request has been reproduced, stop the debug with 'diagnose wad debug disable' and 'diagnose debug disable' (or 'diagnose debug reset').

 

Example of WAD debug:

 

wad_url_choose_cate :2125 cate=31 (ftgd) url-cates=[31,]; url=[ # 196,31,],ip=[ # 0,]; conf sslexempt_rating '':[87,33,31,]
wad_http_ssl_urlfilter_check :627 ssl.deep_scan=1/1/1 exempt_type=x_ftgd_cat cate-rating=0
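Reading the WAD output by eye is error-prone on a busy proxy, so here is an added Python example (not Fortinet code and not part of the article) that pulls the decisive fields out of the two debug lines above: the category WAD chose for the URL from wad_url_choose_cate, the categories configured under sslexempt_rating on the same line, and the ssl.deep_scan and exempt_type fields of wad_http_ssl_urlfilter_check. It reports the site as exempted when the chosen category appears in the configured list. The second sample, for a category-52 site, is constructed in the same wad_url_choose_cate format for contrast and is not real output; the reading of exempt_type=x_ftgd_cat as "exempted by FortiGuard category" and the meaning of the three ssl.deep_scan flags are assumptions, so those fields are only recorded, not used for the decision.

```python
import re

# Constructed samples. EXEMPT_SAMPLE is the article's two debug lines (category-31
# site that matches the ssl-exempt list). NOT_EXEMPT_SAMPLE is invented in the same
# wad_url_choose_cate format for a category-52 site that is not on the list.
EXEMPT_SAMPLE = """\
wad_url_choose_cate :2125 cate=31 (ftgd) url-cates=[31,]; url=[ # 196,31,],ip=[ # 0,]; conf sslexempt_rating '':[87,33,31,]
wad_http_ssl_urlfilter_check :627 ssl.deep_scan=1/1/1 exempt_type=x_ftgd_cat cate-rating=0
"""
NOT_EXEMPT_SAMPLE = """\
wad_url_choose_cate :2125 cate=52 (ftgd) url-cates=[52,]; url=[ # 196,52,],ip=[ # 0,]; conf sslexempt_rating '':[87,33,31,]
"""

# Category WAD chose for the URL: the number after 'cate=' on the wad_url_choose_cate line.
CATE_RE = re.compile(r"wad_url_choose_cate\b.*?\bcate=(\d+)")
# Categories configured in the profile's ssl-exempt list, printed as [87,33,31,].
EXEMPT_LIST_RE = re.compile(r"sslexempt_rating\s+'[^']*':\[([\d,]*)\]")
# Fields of the wad_http_ssl_urlfilter_check line; recorded verbatim (their exact meaning is assumed).
CHECK_RE = re.compile(r"wad_http_ssl_urlfilter_check\b.*?ssl\.deep_scan=(\d/\d/\d).*?exempt_type=(\S+)")

def analyze_wad_debug(text):
    """Extract the SSL-exemption decision from filtered WAD debug output."""
    result = {"category": None, "exempt_categories": [], "deep_scan": None, "exempt_type": None}
    for line in text.splitlines():
        m = CATE_RE.search(line)
        if m:
            result["category"] = int(m.group(1))
            n = EXEMPT_LIST_RE.search(line)
            if n:
                result["exempt_categories"] = [int(c) for c in n.group(1).split(",") if c]
        m = CHECK_RE.search(line)
        if m:
            result["deep_scan"], result["exempt_type"] = m.group(1), m.group(2)
    # Decision: a site whose chosen category is in the configured exempt list is
    # skipped by deep inspection, so WAD adds no X-headers to it.
    result["exempted"] = result["category"] in result["exempt_categories"]
    return result

def explain(result):
    """One-line verdict for the operator reading the debug."""
    if result["category"] is None:
        return "no wad_url_choose_cate line found; check the 'diagnose wad filter src' setting"
    if result["exempted"]:
        return (f"category {result['category']} is in ssl-exempt {result['exempt_categories']}: "
                f"deep inspection skipped, X-headers not added")
    return (f"category {result['category']} not in ssl-exempt {result['exempt_categories']}: "
            f"deep inspection applies, X-headers added")

if __name__ == "__main__":
    for sample in (EXEMPT_SAMPLE, NOT_EXEMPT_SAMPLE):
        print(explain(analyze_wad_debug(sample)))
```

Feed it the captured debug for a single client request (the 'diagnose wad filter src' filter above keeps the capture to that client); if the verdict says the category is exempt, the fix is to remove that category or address from the profile's ssl-exempt list, not to change the web-proxy profile.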