guptas
Staff
Article Id 302095
Description This article describes how to reflect an X-Forwarded-For (XFF) IP as the original source IP in traffic logs.
Scope FortiWeb.
Solution

If there is a NAT device in front of FortiWeb and XFF information is available, it is possible to see the original source IP, taken from the X-Forwarded-For header, in traffic logs.

 

In this network, a firewall in front of FortiWeb performs SNAT. As a result, only the SNAT address is displayed as the source IP for all client requests in the FortiWeb traffic logs.

 

To disable the NAT on the firewall and see the original client IP address as the source IP in traffic logs, configure the XFF settings on the firewall. In this example, the firewall performs SNAT in front of FortiWeb.

 

To view the client IP address as the Original Source IP address in FortiWeb traffic logs, disable the following setting:

 

config waf x-forwarded-for
    edit XEF
        set skip-private-original-ip disable
end
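The following Python sketch is an added example, not Fortinet code. It models why a client with a private address keeps appearing as the SNAT address until the setting above is disabled. The page does not describe the selection logic, so the model assumes that enabling the option ignores RFC 1918 and fc00::/7 entries in the header and that the first remaining entry from the left is used. The function names and sample addresses are constructed for illustration.

```python
import ipaddress

# Assumption: "private" means RFC 1918 (IPv4) and fc00::/7 (IPv6 ULA).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def is_private(addr):
    return any(addr.version == net.version and addr in net for net in PRIVATE_NETS)


def parse_xff(header):
    """Return the valid IP addresses in an X-Forwarded-For value, left to right."""
    addrs = []
    for token in header.split(","):
        try:
            addrs.append(ipaddress.ip_address(token.strip()))
        except ValueError:
            continue  # ignore empty or malformed entries
    return addrs


def logged_source(peer_ip, xff_header, skip_private):
    """Model of which address ends up as the source IP in the traffic log.

    peer_ip      -- address the connection arrives from (the firewall's SNAT IP)
    xff_header   -- X-Forwarded-For value inserted by the firewall, or None
    skip_private -- models skip-private-original-ip enable (True) / disable (False)
    """
    for addr in parse_xff(xff_header or ""):
        if skip_private and is_private(addr):
            continue
        return str(addr)
    return peer_ip  # nothing usable in XFF: only the SNAT address is visible


# Constructed sample: internal client behind a firewall doing SNAT to 10.0.0.1.
SNAT_IP = "10.0.0.1"
if __name__ == "__main__":
    for xff in ("192.168.10.25", "192.168.10.25, 203.0.113.7", None):
        for skip in (True, False):
            print(f"xff={xff!r:32} skip_private={skip!s:5} -> "
                  f"{logged_source(SNAT_IP, xff, skip)}")
```
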

 

Related document:

waf-x-forwarded-for - FortiWeb CLI reference