FortiProxy
Ted
Staff
Article Id 403188

 

Description

This article describes how to use the Proxy Address to detect an IP address hidden within the X-Forwarded-For header of an HTTP request. Proxy Address provides several address types, and the article will cover the HTTP Header address type.

Scope

FortiProxy.

Solution

Create a proxy address object that matches the desired IP address in the X-Forwarded-For header, then reference that object in an explicit web proxy policy.

 

config firewall proxy-address

    edit "xff-addr1"

        set type header
        set host "all"
        set header-name "X-Forwarded-For"
        set header "10.0.1.250"

    next

end

 

config firewall policy

    edit 3

        set type explicit-web
        set name "explicit-policy"
        set dstintf "port2"
        set srcaddr "xff-addr1"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "webproxy"
        set explicit-web-proxy "web-proxy"
        set logtraffic all
        set logtraffic-start enable
        set log-http-transaction enable
        set ssl-ssh-profile "custom-deep-inspection"

    next

end

 

When a client initiates a connection to 'www.google.com' by sending an HTTP request whose X-Forwarded-For header matches the proxy address object, FortiProxy processes the session according to the action specified in the explicit web proxy policy.

 


 

Forward Traffic event:


date=2025-07-22 time=23:49:26 eventtime=1753253365578883205 tz="-0700" logid="0000000010" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.0.1.11 srcport=55186 srcintf="port1" srcintfrole="undefined" dstcountry="United States" srccountry="Reserved" dstip=142.251.42.132 dstport=443 dstintf="port2" dstintfrole="undefined" sessionid=92 service="HTTPS" proxyapptype="web-proxy" proto=6 action="accept" policyid=3 policytype="proxy-policy" poluuid="f34dedc0-3a02-51f0-eba9-4829401f8ffe" policyname="explicit-policy" trandisp="snat" transip=10.200.2.249 transport=49740 clientip=10.0.1.11 duration=646 wanin=24438 rcvdbyte=24438 wanout=712 lanin=987 sentbyte=987 lanout=23303 appcat="unscanned"

 

In the case of multiple addresses in the X-Forwarded-For header, the header regex pattern can be constructed as follows:

 

  • To match a specific IP address:

 

"\b10\.0\.1\.250\b"

  • To match either IP address regardless of order:

 

"\b(?:10\.0\.1\.250|192\.168\.0\.250)\b"

  • To match any IPv4 address:

 

"^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(?:, (?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))*$"
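The following check is an added example, not part of the original article or Fortinet's own code: it runs the article's patterns against constructed X-Forwarded-For values to show what each one accepts before the value goes into `set header`. It assumes the header value is evaluated as an unanchored regex search with PCRE-style semantics, which Python's `re.search` mirrors for these constructs; the pattern names and sample values are made up for the test.

```python
import re

# Patterns from the article as Python raw strings. The doubled backslashes in
# the article's any-IPv4 pattern are assumed to be CLI string escaping, so a
# single "\." is used here.
OCTET = r"(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"
IPV4 = rf"(?:{OCTET}\.){{3}}{OCTET}"
PATTERNS = {
    "unescaped": r"10.0.1.250",  # header value as written in xff-addr1
    "specific": r"\b10\.0\.1\.250\b",
    "either": r"\b(?:10\.0\.1\.250|192\.168\.0\.250)\b",
    "any_ipv4": rf"^{IPV4}(?:, {IPV4})*$",
}

# Constructed X-Forwarded-For values (not taken from real traffic).
SAMPLES = [
    "10.0.1.250",
    "203.0.113.7, 10.0.1.250",      # multi-hop list, target last
    "192.168.0.250, 198.51.100.9",  # second address of the "either" pattern
    "110.0.1.250",                  # different host containing the same digits
    "10.0.1.25",                    # shorter last octet
    "203.0.113.7,10.0.1.250",       # list written without a space after the comma
    "2001:db8::1",                  # IPv6 client address
]


def evaluate(header_value):
    """Return the names of the patterns that match one header value."""
    return {name for name, rx in PATTERNS.items() if re.search(rx, header_value)}


def report():
    """Map every sample header value to the set of patterns matching it."""
    return {value: evaluate(value) for value in SAMPLES}


if __name__ == "__main__":
    for value, hits in report().items():
        print(f"{value!r:32} -> {sorted(hits) or 'no match'}")
```

Under these assumptions the unescaped value from `xff-addr1` also matches `110.0.1.250`, while the `\b`-delimited form does not. The any-IPv4 pattern rejects a list written without a space after the comma, as well as IPv6 addresses.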

 
