Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
wasfi
New Contributor

Can a Fortigate with version 5.4 or 5.2 insert an XFF Header

Hi;

 

Can a Fortigate Firewall running version 5.2.x or 5.4.x insert an XFF header? 

 

If yes, how exactly can this be done?

 

Does it apply to the following models? or it will apply no matter the models?

1500D, 600C, 1000C, 300D, 2000E

 

Kindly

Wasfi

 

 

 

 

2 Solutions
Yurisk
Valued Contributor

Hi, according to the Fortinet documentation it can: 

https://kb.fortinet.com/kb/documentLink.do?externalID=FD44109

 

Yuri https://yurisk.info/  blog: All things Fortinet, no ads.

View solution in original post

Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
localhost

Hi Wasfi

 

Yes this is possible. The KB article Yurisk posted already contains all the information you need. But it can be configured in the CLI only.

The firewall policy must be in proxy mode (6.2) otherwise it won't work.

This example adds the x-forwarded-for value to all outgoing HTTP Urls. You can also limit it to specific URL's in the webfilter urlfilter setting.

 

 

config web-proxy profile
    edit "1"
        set header-x-forwarded-for add
    next
end

 

 

 

config webfilter urlfilter
    edit 1
        set name "add-header"
        config entries
            edit 1
                set url "*"
                set type wildcard
                set action monitor
                set web-proxy-profile "1"
            next
        end
    next
end

config webfilter profile
    edit "add-header-webprofile"
        config web
            set urlfilter-table 1
        end
            set rate-image-urls disable
        end
    next
end

config firewall policy
    edit 20
        set srcintf "INTERN-LAB"
        set dstintf "EXTERN"
        set srcaddr "TEMP_10.1.1.1"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set inspection-mode proxy
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "add-header-webprofile"
        set logtraffic all
        set nat enable
    next
end

 

 

EDIT: Ah.. just noted you want to do this in 5.2 or 5.4. No idea.. looks like these CLI commands don't exist yet.

View solution in original post

5 REPLIES 5
Yurisk
Valued Contributor

Hi, according to the Fortinet documentation it can: 

https://kb.fortinet.com/kb/documentLink.do?externalID=FD44109

 

Yuri https://yurisk.info/  blog: All things Fortinet, no ads.
Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
wasfi
New Contributor

Hi Yuri

 

the FortiGate Firewall will not be load balancing. It is just acting as an Internet gateway doing Source IP Natting. Furthermore, it will not be handling https but rather http only, thus no need for loading the certificate on the FortiGate. 

 

I need to Fortigate Firewall to insert the XFF header in the header of HTTP requests as it does Natting of the Source IP address. No VIPs needed and no SSL offload. Can this be done?

 

Kindly

Wasfi

localhost

Hi Wasfi

 

Yes this is possible. The KB article Yurisk posted already contains all the information you need. But it can be configured in the CLI only.

The firewall policy must be in proxy mode (6.2) otherwise it won't work.

This example adds the x-forwarded-for value to all outgoing HTTP Urls. You can also limit it to specific URL's in the webfilter urlfilter setting.

 

 

config web-proxy profile
    edit "1"
        set header-x-forwarded-for add
    next
end

 

 

 

config webfilter urlfilter
    edit 1
        set name "add-header"
        config entries
            edit 1
                set url "*"
                set type wildcard
                set action monitor
                set web-proxy-profile "1"
            next
        end
    next
end

config webfilter profile
    edit "add-header-webprofile"
        config web
            set urlfilter-table 1
        end
            set rate-image-urls disable
        end
    next
end

config firewall policy
    edit 20
        set srcintf "INTERN-LAB"
        set dstintf "EXTERN"
        set srcaddr "TEMP_10.1.1.1"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set inspection-mode proxy
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "add-header-webprofile"
        set logtraffic all
        set nat enable
    next
end

 

 

EDIT: Ah.. just noted you want to do this in 5.2 or 5.4. No idea.. looks like these CLI commands don't exist yet.

xsilver_FTNT

Hi Wasfi,

do not want to be rude, but .. 

1. you are posting FortiOS/FortiGate questions to FortiAuthenticator forum

2. FortiOS 5.2 is almost 2Y out of support and 5.4 support just ended in June this year,

so I would strongly suggest to use something recent/newer then OS versions released in 2014 !

For reference - Product Life Cycles : https://support.fortinet.com/Information/ProductLifeCycle.aspx

 

Tomas Stribrny - NASDAQ:FTNT - Fortinet stuff - TAC Staff Engineer

wasfi

Hi Thomas;

 

You are not being rude. I think it was lazy of me to post on the FortiAuthenticator Forum in the first place. I couldn't find the FortiGate forum, so I assumed that I can post on the FortiAuthenticator, which wasn't appropriate. Sorry. I will let my customer know that these versions are out of support.

 

Kindly

Wasfi

Top Kudoed Authors