|
When an upstream device performs SNAT, FortiWeb will only see NAT IP as the source IP to connect to web applications behind FortiWeb. Thus, not depict the real client source IP for proper identification in FortiWeb traffic logs and security features.
In most use cases, users would be coming from the Internet traversing through a NAT device that adds X-Forwarded-For, allowing FortiWeb to identify the original source.
There are also environments where web applications are published on the Intranet and the original client’s source IP uses private IP classes. By default, the FortiWeb X-Forwarded-For profile ignores private IP classes to be identified as Original Source in the traffic log.
CLI command is available to disable default configuration and let FortiWeb identify private IP classes as the Original Source in the X-Forwarded-For header.
CLI Command:
config waf x-forwarded-for
edit "XFF"
set x-forwarded-for-support disable
set x-forwarded-port disable
set tracing-original-ip enable
set original-ip-header X-FORWARDED-FOR
set x-real-ip disable
set x-forwarded-proto disable
config ip-list
end
set block-based-on-original-ip disable
set ip-location left
set skip-private-original-ip enable <----- 'disable' to identify private IP classes.
set skip-special-original-ip enable
unset block-based-on-full-scan
next
end
From GUI:
- Navigate to Log&Report -> Log Access -> Traffic Log.
- 'Right-click' on the column.
- Select Original Source and Apply.
- Move the Original Source column if required.
For more information on X-Forwarded-For profile configuration, see related documents:
Technical Tip: How to configure FortiWeb to add X-headers such as 'X-Forwarded-For'
Defining your proxies, clients, & X-headers
|
