Created on 02-24-2015 08:48 AM Edited on 10-20-2023 07:36 AM By Stephen_G
Description
This article describes how to configure FortiWeb to add an 'X-Forwarded-For' (XFF) header and/or other X-headers to incoming traffic.
Scope
FortiWeb v7.4 and earlier.
Solution
Table of Contents:
1. Create a new X-Forwarded-For.
Navigate to Server Objects -> X-Forwarded-For.
2. X-Forwarded-For profile parameters.
It is possible to configure additional settings, such as adding the Source Port information or deleting any previous XFF header. For an exhaustive list of options, refer to Defining your proxies, clients, & X-headers - FortiWeb Administration Guide.
3. Add an X-Forwarded-For profile to an Inline Protection Profile.
Navigate to Policy -> Web Protection Profile.
4. Assign an Inline Protection Profile to a Server Policy.
Select the Inline Protection Profile from the list.
5. Confirm that XFF is working.
The following test uses an Nginx server and FortiWeb's built-in Packet Capture feature to sniff on the outbound interface.
It is also possible to download the packet capture for offline analysis with a tool such as Wireshark.
6. Sample Nginx Log Files.
The Nginx access log files will still show the FortiWeb IP as the client address, as expected.
XFF only appends a header to the request; it does not change the source IP address of the packet.
7. Lab topology Overview.
172.26.52.5 -> Test Workstation
10.109.30.9 -> FortiWeb Virtual IP
10.198.3.13 -> FortiWeb internal IP
10.198.3.30 -> Nginx Web Server
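As an added example (not part of the original article and not FortiWeb or Nginx code): a backend behind FortiWeb can recover the client address from XFF, but it should honor the header only when the connection comes from the FortiWeb internal IP, and it should read the header from the right so that entries supplied by the client are not trusted. The function names, the trusted-proxy list and the 203.0.113.7 value are assumptions made for illustration; the other addresses are those of the lab topology.

```python
import ipaddress

# Assumption: the only proxy allowed to supply X-Forwarded-For is the
# FortiWeb internal IP from the lab topology.
TRUSTED_PROXIES = (ipaddress.ip_network("10.198.3.13/32"),)


def is_trusted(addr):
    """True if addr belongs to a proxy we allow to set XFF."""
    return any(addr in net for net in TRUSTED_PROXIES)


def resolve_client_ip(peer_ip, xff_header):
    """Return the client IP to log for one request.

    peer_ip    -- source address of the TCP connection seen by the backend
    xff_header -- raw X-Forwarded-For value, or None if absent
                  (several XFF header lines should be joined with ',' in order)
    """
    peer = ipaddress.ip_address(peer_ip)
    # A peer that is not our proxy can put anything in XFF: ignore the header.
    if not xff_header or not is_trusted(peer):
        return str(peer)

    client = peer
    # Proxies append on the right, so walk right to left and stop at the
    # first hop that is not one of our own proxies.
    for entry in reversed(xff_header.split(",")):
        try:
            hop = ipaddress.ip_address(entry.strip())
        except ValueError:
            break  # malformed entry: keep the last address we could verify
        client = hop
        if not is_trusted(hop):
            break
    return str(client)


if __name__ == "__main__":
    # Constructed sample requests using the lab addresses.
    samples = [
        ("10.198.3.13", "172.26.52.5"),               # normal request via FortiWeb
        ("10.198.3.13", "203.0.113.7, 172.26.52.5"),  # client sent its own XFF first
        ("172.26.52.5", "203.0.113.7"),               # direct connection, header ignored
    ]
    for peer, xff in samples:
        print(peer, "|", xff, "->", resolve_client_ip(peer, xff))
```

If the XFF profile is set to delete any previous XFF header, the second sample cannot reach the backend in that form; the right-to-left walk keeps the result correct either way.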