FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Article Id 258740
Description This article describes a common issue encountered when configuring a FortiGate virtual server in Azure where the original source IP of the traffic is not preserved and offers a solution.
Scope FortiGate in Public Cloud.

When traffic flows from internal hosts to a server using the virtual server, the FortiGate performs SNAT (Source Network Address Translation) using the FortiGate's internal port, resulting in the loss of the original source IP. This article provides an explanation of how to retain the original source IP by enabling the 'Preserve client IP' feature in the virtual server configuration.


When utilizing a FortiGate virtual server on Azure to allow and forward traffic to internal hosts, the FortiGate's outgoing traffic is subjected to SNAT with the FortiGate's internal port as the source, thereby altering the original source IP. This can pose a challenge, particularly when dealing with HTTP or HTTPS traffic, where preserving the original source IP is crucial for various purposes.

To overcome this limitation and retain the original source IP for HTTP or HTTPS traffic, enable the 'Preserve client IP' option in the virtual server configuration.




Enabling this feature allows the FortiGate to copy the original IP address into the X-Forwarded-For header, ensuring the preservation of the source IP throughout the traffic flow.