shafiq23
Staff
Article Id 284147
Description This article describes how to identify private IP classes in X-Forwarded-For header as Original Source in FortiWeb’s traffic log.
Scope FortiWeb, FortiWeb-VM
Solution

When an upstream device performs SNAT, FortiWeb only sees the NAT IP as the source IP of connections to the web applications behind it. The real client source IP is therefore not available for proper identification in FortiWeb traffic logs and security features.


In most use cases, users would be coming from the Internet traversing through a NAT device that adds X-Forwarded-For, allowing FortiWeb to identify the original source.


There are also environments where web applications are published on the intranet and the original client's source IP belongs to a private IP class. By default, the FortiWeb X-Forwarded-For profile does not identify private IP classes as the Original Source in the traffic log.


A CLI command is available to change this default so that FortiWeb identifies private IP classes found in the X-Forwarded-For header as the Original Source.


CLI Command:


config waf x-forwarded-for
    edit "XFF"
        set x-forwarded-for-support disable
        set x-forwarded-port disable
        set tracing-original-ip enable
        set original-ip-header X-FORWARDED-FOR
        set x-real-ip disable
        set x-forwarded-proto disable
        config ip-list
        end
        set block-based-on-original-ip disable
        set ip-location left
        set skip-private-original-ip enable <----- set to 'disable' to identify private IP classes as the Original Source.
        set skip-special-original-ip enable
        unset block-based-on-full-scan
    next
end
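To make the effect of `skip-private-original-ip` and `ip-location` concrete, the following added example (not FortiWeb code, and not from this article) reproduces the selection logic a WAF applies when choosing the Original Source from an X-Forwarded-For header. It assumes "private IP classes" means the RFC 1918 ranges plus IPv6 unique-local addresses, and that "special" covers loopback, link-local, multicast, unspecified and reserved addresses; the `original_source` function and the sample addresses are constructed for illustration.

```python
import ipaddress
from typing import Optional, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Assumption: "private IP classes" = RFC 1918 ranges plus IPv6 unique-local.
PRIVATE_CLASSES = [ipaddress.ip_network(n) for n in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]


def is_private_class(ip: IPAddress) -> bool:
    # ip_network.__contains__ returns False across IPv4/IPv6, so mixing is safe.
    return any(ip in net for net in PRIVATE_CLASSES)


def is_special(ip: IPAddress) -> bool:
    # Assumption: "special" = loopback, link-local, multicast, unspecified, reserved.
    return (ip.is_loopback or ip.is_link_local or ip.is_multicast
            or ip.is_unspecified or ip.is_reserved)


def original_source(xff_header: Optional[str], src_ip: str,
                    ip_location: str = "left",
                    skip_private: bool = True,
                    skip_special: bool = True) -> str:
    """Return the address to log as Original Source (hypothetical helper).

    xff_header is the raw X-Forwarded-For value (may be empty or None) and
    src_ip is the layer-3 source the WAF actually sees (the upstream NAT IP).
    Candidates are walked from the left or the right of the header; the first
    usable one wins. If none survives the skip rules, src_ip is logged, which
    is the behaviour the article describes for private clients while
    skip-private-original-ip is enabled.
    """
    candidates = [c.strip() for c in (xff_header or "").split(",") if c.strip()]
    if ip_location == "right":
        candidates.reverse()
    for candidate in candidates:
        try:
            ip = ipaddress.ip_address(candidate)
        except ValueError:
            continue  # malformed or client-injected junk is never logged as a source
        if skip_private and is_private_class(ip):
            continue
        if skip_special and is_special(ip):
            continue
        return str(ip)
    return src_ip


if __name__ == "__main__":
    # Constructed intranet request: private client behind a NAT proxy.
    xff, nat = "192.168.20.15", "10.200.0.1"
    print("skip-private-original-ip enable :", original_source(xff, nat))
    print("skip-private-original-ip disable:", original_source(xff, nat, skip_private=False))
```

With the default setting the traffic log shows only the NAT address; after setting `skip-private-original-ip disable` the private client address becomes the Original Source, while loopback and other special addresses are still skipped.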


From GUI:

  1. Navigate to Log&Report -> Log Access -> Traffic Log.
  2. Right-click on a column header.
  3. Select Original Source and Apply.
  4. Move the Original Source column if required.


For more information on X-Forwarded-For profile configuration, see related documents:
Technical Tip: How to configure FortiWeb to add X-headers such as 'X-Forwarded-For'

Defining your proxies, clients, & X-headers
