Richie086
New Contributor

Forwarding external IP address information through our fortigate firewall to haproxy

We need the ability to see the external IP address of clients that are browsing sites that we are hosting behind the Fortigate firewall. Here is a brief overview of our setup:

[image][/image]

What we need to be able to do is see the actual external IP address (1.2.3.4) of customers that are browsing web sites that we are hosting internally.

As of right now, if a customer is browsing a site that is internet facing and we view the logs on our load balancer, all external traffic looks like it is coming from the Fortigate firewall (10.50.1.1). Here is an example log output from our HAProxy load balancer:

Mar 10 00:04:03 haproxy2 haproxy[2166293]: 10.50.1.1:62232 [10/Mar/2021:00:04:03.640] localhost~ titu_cluster/titu11 0/0/0/2/3 200 64577 - - ---- 28/28/3/63/0 0/0 "GET /images/base_models/18865.jpg HTTP/1.1"
Mar 10 00:04:03 haproxy2 haproxy[2166293]: 10.50.1.1:62235 [10/Mar/2021:00:04:03.639] localhost~ titu_cluster/titu12 0/0/1/2/5 200 95530 - - ---- 28/28/2/47/0 0/0 "GET /images/base_models/18867.jpg HTTP/1.1"

Is there some way to forward the traffic from the Fortigate firewall to our load balancer (10.6.9.53) so we capture the external IP address?

Here is an example of what we would like to be able to see on our end:

Mar 10 00:04:03 haproxy2 haproxy[2166293]: 1.2.3.4:62232 [10/Mar/2021:00:04:03.640] localhost~ titu_cluster/titu11 0/0/0/2/3 200 64577 - - ---- 28/28/3/63/0 0/0 "GET /images/base_models/18865.jpg HTTP/1.1"
Mar 10 00:04:03 haproxy2 haproxy[2166293]: 1.2.3.4:62235 [10/Mar/2021:00:04:03.639] localhost~ titu_cluster/titu12 0/0/1/2/5 200 95530 - - ---- 28/28/2/47/0 0/0 "GET /images/base_models/18867.jpg HTTP/1.1"
Mar 10 00:04:03 haproxy2 haproxy[2166293]: 1.2.3.4:62234 [10/Mar/2021:00:04:03.640] localhost~ titu_cluster/titu13 0/0/1/4/6 200 73454 - - ---- 28/28/3/105/0 0/0 "GET /images/base_models/18869.jpg HTTP/1.1"

We have configured our load balancer to forward the external IP address of visitors to our website, but we are still seeing 10.50.1.1 as the source IP in the logs on the load balancer.

Thanks!

1 Solution
Yurisk
Valued Contributor

The image is not uploaded correctly.

Guessing you are using VIP to allow access to the server, consider enabling X-Forwarded-For on the Fortigate, haproxy can use it for real IP addresses of the clients:

https://kb.fortinet.com/kb/documentLink.do?externalID=FD44109 

 

Yuri https://yurisk.info/  blog: All things Fortinet, no ads.
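The accepted answer has HAProxy take the real client address from the X-Forwarded-For header the Fortigate inserts. The point a practitioner wants alongside that is the trust rule: X-Forwarded-For is a plain request header that any client can set, so the load balancer should honour it only on connections that actually arrive from the Fortigate (10.50.1.1 in the original post), and use the entry the Fortigate appended rather than whatever came before it. The Python below is an added example written for this thread; it is not code from the original post, from Fortinet or from the HAProxy project. It assumes the header name is X-Forwarded-For and that the Fortigate appends the client address to any existing value, as most proxies do; all addresses and requests in it are constructed.

```python
from __future__ import annotations

import ipaddress

# Constructed for this example: the Fortigate's inside address as HAProxy sees
# it (10.50.1.1 in the original post) and the header name assumed to be set on
# the VIP. Only connections from these addresses may carry a trusted header.
TRUSTED_PROXIES = {ipaddress.ip_address("10.50.1.1")}
CLIENT_IP_HEADER = "X-Forwarded-For"


def client_ip(conn_src: str, headers: dict[str, str]) -> tuple[str, str]:
    """Return (client_address, reason) for one request.

    conn_src is the source address of the TCP connection; headers is the
    request's header dict. The forwarded header is honoured only when the
    connection itself comes from a trusted proxy. When it is honoured, the
    rightmost entry is used: that is the one the trusted proxy appended, and
    anything to the left of it was supplied by the far side and is unverified.
    """
    src = ipaddress.ip_address(conn_src)
    if src not in TRUSTED_PROXIES:
        # A direct connection may carry any header it likes; log the real peer.
        return conn_src, "connection not from trusted proxy; header ignored"

    raw = None
    for name, value in headers.items():  # header names are case-insensitive
        if name.lower() == CLIENT_IP_HEADER.lower():
            raw = value
            break
    if not raw:
        return conn_src, "trusted proxy but no forwarded header present"

    hops = [h.strip() for h in raw.split(",") if h.strip()]
    try:
        real = ipaddress.ip_address(hops[-1])
    except (ValueError, IndexError):
        # Malformed header: fall back to the connection source rather than
        # logging an unparseable string as the client.
        return conn_src, "forwarded header malformed; using connection source"
    return str(real), "taken from forwarded header (rightmost hop)"


# Constructed requests: via the Fortigate, via the Fortigate with a
# client-supplied prefix, via the Fortigate without the header, a direct
# connection that sets the header itself, and a malformed header.
CASES = [
    ("10.50.1.1", {"X-Forwarded-For": "1.2.3.4"}),
    ("10.50.1.1", {"x-forwarded-for": "203.0.113.9, 1.2.3.4"}),
    ("10.50.1.1", {}),
    ("10.6.9.99", {"X-Forwarded-For": "1.2.3.4"}),
    ("10.50.1.1", {"X-Forwarded-For": "not-an-ip"}),
]

if __name__ == "__main__":
    for src, hdrs in CASES:
        addr, why = client_ip(src, hdrs)
        print(f"conn {src:<10} -> log as {addr:<12} ({why})")
```

In HAProxy itself the same selection is expressed with `http-request set-src` fed by `hdr_ip(X-Forwarded-For,-1)` and guarded by an ACL on the connection source, so that the rewritten address only comes from the Fortigate; the log lines then show the client address the way the original post asked for.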


4 REPLIES
Markus
Valued Contributor

Disable nat on the incoming firewall policy...


________________________________________________________
--- NSE 4 ---
________________________________________________________

emnoc
Esteemed Contributor III

yeah it would help to see your diag and the policy but something tells me you have egress interface NAT going on. So for traffic hitting the WAN the original src.ip is nat'd to the egress interface after the route-lookup.

 

diag debug flow will show this and the policy, fwiw

 

Ken Felix

 

PCNSE 

NSE 

StrongSwan  

Richie086

This worked. Thank you!
