FortiWeb
Robin_McDonald_FTNT
Article Id 190404

Description

This article describes how to configure FortiWeb to add an 'X-Forwarded-For' (XFF) header and/or other X-headers to incoming traffic.

Scope

FortiWeb v7.4 and earlier.


Solution

Table of Contents:

  1. Create a new X-Forwarded-For profile.
  2. Configure X-Forwarded-For profile parameters.
  3. Add the X-Forwarded-For profile to an Inline Protection Profile.
  4. Assign the Inline Protection Profile to a Server Policy.
  5. Confirm that XFF is working.
  6. Sample Nginx Log Files.
  7. Lab topology Overview.

1. Create a new X-Forwarded-For profile.

Navigate to Server Objects -> X-Forwarded-For.

serverobjects_xff.jpg

2. Configure X-Forwarded-For profile parameters.

  1. Assign the profile a name.
  2. Enable adding an X-Forwarded-For header with the connection's source IP. Requires reverse proxy mode or True Transparent Proxy.
  3. Enable adding an X-Real-IP header with the connection's source IP. Requires reverse proxy mode or True Transparent Proxy. Use this X-header to identify the original client's IP: the client's IP address will be read from this header, if present, rather than from the IP packet.
  4. When enabled, the IP address received in the X-header will be used for blocking.
  5. If configured, the X-header will only be read if it comes from the defined IP address.

xff_profile.jpg

It is possible to configure additional settings, such as adding the Source Port information or deleting any previous XFF header. For an exhaustive list of options, refer to Defining your proxies, clients, & X-headers - FortiWeb Administration Guide.


3. Add an X-Forwarded-For profile to an Inline Protection Profile.

Navigate to Policy -> Web Protection Profile.

inline_pp.jpg

  1. Give the profile a name.
  2. From the list, select the X-Forwarded-For profile that was created.


inline_pp_details.jpg

 


4. Assign an Inline Protection Profile to a Server Policy.

  1. Navigate to Policy -> Server Policy.
  2. Edit an existing policy or create a new one.
  3. Select 'edit'.


serverpolicy.jpg

 

Select the Inline Protection Profile from the list.


serverpolicy_detail.jpg

 


5. Confirm that XFF is working.

The following test uses an Nginx server as the backend and FortiWeb's built-in Packet Capture feature to sniff on the outbound interface.

  1. Navigate to Network -> Packet Capture and select Create New.


packetcapture.jpg

  1. Choose a port where the backend server resides.
  2. Add a filter for the backend server IP and host.

packetcapture_details.jpg

  1. Start the packet capture, then generate the traffic from the client (i.e., access the server policy).

packetcapture_start.jpg

  1. Stop the capture once done.

pcap_detail.jpg

 

  1. Go to Packet Data.
  2. Find the packet with the HTTP request.
  3. Confirm the X-Forwarded-For header is added by the FortiWeb.

pcap_confirm.jpg

It is also possible to download the packet capture for offline analysis with a tool such as Wireshark.


6. Sample Nginx Log Files.

nginxlog.jpg

Nginx access log files will still show the FortiWeb IP as the client address, as expected: the XFF feature only appends a header to the HTTP request; it does not change the source IP of the packet.
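The following is an added example, not FortiWeb or Nginx code, showing what the backend side of this setup has to do with the header: it parses a constructed request as Nginx would receive it from FortiWeb and resolves the client IP only when the TCP peer is the FortiWeb internal IP, which is the same rule as the "only read the X-header from the defined IP address" option in step 2. The trusted proxy address and the sample request are taken from the lab topology in this article; the function and header names are assumptions.

```python
import ipaddress

# Constructed lab values, taken from the topology at the end of this article.
TRUSTED_PROXIES = {ipaddress.ip_address("10.198.3.13")}  # FortiWeb internal IP

# Constructed sample request as Nginx would receive it after FortiWeb
# appended its X-headers; the client is the lab test workstation.
SAMPLE_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: 10.109.30.9\r\n"
    b"X-Forwarded-For: 172.26.52.5\r\n"
    b"X-Real-IP: 172.26.52.5\r\n"
    b"\r\n"
)


def parse_headers(raw: bytes) -> dict:
    """Parse the header block of a raw HTTP/1.1 request into a lower-cased
    dict. Repeated headers are joined with ', ' like a list header."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    headers: dict = {}
    for line in head.decode("latin-1").split("\r\n")[1:]:  # skip request line
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def client_ip(peer_ip: str, headers: dict, header: str = "x-forwarded-for") -> str:
    """Return the address the backend should treat as the client.

    Same rule as the FortiWeb option that only reads the X-header when it
    comes from the defined IP: if the TCP peer is not a trusted proxy the
    header is ignored, since any client can send one. Multi-hop values are
    walked from the right, skipping trusted proxies, so the first untrusted
    address is the real client rather than an attacker-supplied prefix.
    """
    peer = ipaddress.ip_address(peer_ip)
    if peer not in TRUSTED_PROXIES:
        return peer_ip
    hops = [h.strip() for h in headers.get(header, "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: trust nothing to its left
        if addr not in TRUSTED_PROXIES:
            return str(addr)
    return peer_ip  # header absent or only proxies listed: fall back to the peer
```

This is also why the Nginx access log in the screenshot still shows the FortiWeb IP: the log records the TCP peer unless the server is told to derive the client address from the header it trusts.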

7. Lab topology Overview.

172.26.52.5 -> Test Workstation
10.109.30.9 -> FortiWeb Virtual IP
10.198.3.13 -> FortiWeb internal IP 
10.198.3.30 -> Nginx Web Server