Technical Tip: How to configure FortiWeb to add X-headers such as 'X-Forwarded-For'

Description

 

This article describes how to configure FortiWeb to add an 'X-Forwarded-For' (XFF) header and/or other X-headers to incoming traffic.

Scope

 

FortiWeb v7.4 and earlier.

Solution

 

Table of Contents:

1. Create a new X-Forwarded-For profile.
2. Configure X-Forwarded-For profile parameters.
3. Add the X-Forwarded-For profile to an Inline Protection Profile.
4. Assign the Inline Protection Profile to a Server Policy.
5. Confirm that XFF is working.
6. Sample Nginx Log Files.
7. Lab topology Overview.

 

1. Create a new X-Forwarded-For.
   
   Navigate to Server Objects -> X-Forwarded-For.
   
   

 

2. X-Forwarded-For profile parameters.
   

 

1. Assign the profile a name.
2. Enable adding an X-Forwarded-For header with the connection's source IP. Requires reverse proxy mode or True Transparent Proxy.
3. Enable adding an X-Real-IP header with the connection's source IP. Requires reverse proxy mode or True Transparent Proxy. Use this X-Header to Identify the original client's IP. The IP address of the client will be read from this header, if it exists, and not from the IP packet.
   this HTTP header can vary, for example, the Akamai Service uses True-Client-IP instead of X-Forwarded-For.
4. When enabled, the IP address received in the X-header will be used for blocking.
5. If configured, the X-Header will only be read if coming from the defined IP address.

 

 

It is possible to configure additional settings, such as adding the Source Port information or deleting any previous XFF header. For an exhaustive list of options, refer to Defining your proxies, clients, & X-headers - FortiWeb Administration Guide.

 

3. Add an X-Forwarded-For profile to an Inline Protection Profile.

Navigate to Policy -> Web Protection Profile.

 

 

1. Give the profile a name
2. From the list, select the X-Forwarded-For profile that was created.

 

4. Assign an Inline Protection Profile to a Server Policy.

    

1. Navigate to Policy -> Server Policy
2. Edit an Existing Policy or create a New One.
3. Select 'Edit'.

 

Select the Inline Protection Profile from the list.

 

5. Confirm that XFF is working.
   
   The following test uses an Nginx server and FortiWeb's inbuilt Packet Capture feature to sniff on the outbound interface.

 

1. Navigate to Network -> Packet Capture and select Create New.

 

2. Choose a port where the backend server resides.
3. Add a filter for the backend server IP and host.

4. Start the packet capture, then generate the traffic from the client (i.e. access the server policy).

 

 

5. Stop the capture once done.
   
   

 

6. Go to Packet Data.
7. Find the packet with the HTTP request.
8. Confirm the X-Forwarded-For header is added by the FortiWeb.

 

 

It is also possible to download the packet capture for offline analysis with tools such as Wireshark.

 

6. Sample Nginx Log Files.

   
   

   
   Nginx Access log files will still show the FortiWeb IP as expected.
   XFF will only Append the Packet header.
   
   

    

7. Lab topology Overview.

172.26.52.5 -> Test Workstation.
10.109.30.9 -> FortiWeb Virtual IP.
10.198.3.13 -> FortiWeb internal IP.
10.198.3.30 -> Nginx Web Server.