Created on 02-24-2015 08:48 AM
Edited on 11-24-2021 03:19 AM
By Anthony_E
Description
How to configure FortiWeb to add an "x-forwarded-for" (XFF) header and other X-headers to incoming traffic.
Scope
a. Create a new x-forwarded-for profile
b. Configure x-forwarded-for profile parameters
c. Add the x-forwarded-for profile to an Inline Protection Profile
d. Assign the Inline Protection Profile to a Server Policy
e. Confirm that XFF is working
f. Sample Apache Log Files
g. Lab topology Overview
Solution
a. Create a new x-forwarded-for profile
Click “x-Forwarded-For” >> “Create New”
b. X-Forwarded-For profile parameters
Step 1. Assign the profile a name.
Step 2. Enable this option to add an X-Forwarded-For: header with the connection's source IP. Requires reverse proxy mode or True Transparent Proxy.
Step 3. Enable this option to add an X-Real-IP: header with the connection's source IP. Requires reverse proxy mode or True Transparent Proxy.
Step 4. Enable this option to add an X-Forwarded-Proto: header with the connection's originating protocol. Requires reverse proxy mode or True Transparent Proxy.
Step 5. Use X-Header to Identify Original Client's IP
c. Add x-forwarded-for profile to an Inline Protection Profile
Click “Inline Protection Profile” >> “Create New”
Step 1. Give the profile a name.
Step 2. Select the X-Forwarded-For profile you created from the list.
d. Assign Inline Protection Profile to a Server Policy
Step 1. Click “Server Policy”.
Step 2. Edit an existing policy or create a new one.
Step 3. Click edit.
Step 4. Select the Inline Protection Profile from the list.
e. Confirm that XFF is working
The following test uses an Apache web server, with Wireshark capturing on the inbound interface.
Apply the display filter http.x_forwarded_for.
Step 1. Observe the IP address of the test workstation used to access the Virtual IP.
f. Sample Apache Log Files
Apache access log files will still show the FortiWeb IP, as expected.
XFF only appends a header to the request.
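An added example, not part of the original article or Fortinet's own code: a log parser for the Apache side that attributes each request to the original client while honouring X-Forwarded-For only when the connection came from FortiWeb. It assumes Apache logs the header with `%{X-Forwarded-For}i` appended to the common log format and that Apache sees FortiWeb as 192.168.88.86; the function names and sample lines are constructed.

```python
import ipaddress
import re

# Assumption: Apache sees FortiWeb connect from 192.168.88.86 (the Virtual IP
# in the lab topology); use whichever FortiWeb address your access log shows.
TRUSTED_PROXIES = {ipaddress.ip_address("192.168.88.86")}

# Assumed LogFormat: "%h %l %u %t \"%r\" %>s %b \"%{X-Forwarded-For}i\""
LINE_RE = re.compile(
    r'^(?P<peer>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<xff>[^"]*)"$'
)

def client_ip(peer, xff):
    """Honour XFF only when the TCP peer is a trusted proxy, reading the list
    right to left; the first hop that is not a trusted proxy is the client.
    Entries further left were supplied by the client and are not trusted."""
    peer_ip = ipaddress.ip_address(peer)
    if peer_ip not in TRUSTED_PROXIES:
        return str(peer_ip)              # direct connection: ignore the header
    for hop in reversed([h.strip() for h in xff.split(",") if h.strip()]):
        try:
            hop_ip = ipaddress.ip_address(hop)
        except ValueError:
            break                        # "-" or malformed entry: fall back to peer
        if hop_ip not in TRUSTED_PROXIES:
            return str(hop_ip)
    return str(peer_ip)

def parse_line(line):
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {"peer": m["peer"], "request": m["request"],
            "status": int(m["status"]), "client": client_ip(m["peer"], m["xff"])}

# Constructed sample lines (not taken from the article).
SAMPLE = [
    # Via FortiWeb: the header carries the test workstation.
    '192.168.88.86 - - [24/Feb/2015:08:48:01 +0000] "GET / HTTP/1.1" 200 512 "192.168.1.50"',
    # Via FortiWeb, with a client-supplied value on the left: right-most hop wins.
    '192.168.88.86 - - [24/Feb/2015:08:48:02 +0000] "GET / HTTP/1.1" 200 512 "203.0.113.7, 192.168.1.50"',
    # Straight to Apache, not through FortiWeb: the header is ignored.
    '192.168.1.50 - - [24/Feb/2015:08:48:03 +0000] "GET /admin HTTP/1.1" 403 199 "10.0.0.1"',
    # Via FortiWeb with no header logged ("-"): only the proxy address is known.
    '192.168.88.86 - - [24/Feb/2015:08:48:04 +0000] "GET / HTTP/1.1" 200 512 "-"',
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(parse_line(line))
```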
g. Lab topology Overview
192.168.1.50 -> Test Workstation
192.168.88.85 -> FortiWeb MGMT
192.168.88.86 -> FortiWeb Virtual IP
192.168.88.54 -> Apache Web Server