Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
wasfi
New Contributor

Created on ‎09-07-2020 08:07 PM

Can a Fortigate with version 5.4 or 5.2 insert an XFF Header

Hi;

 

Can a Fortigate Firewall running version 5.2.x or 5.4.x insert an XFF header? 

 

If yes, how exactly can this be done?

 

Does it apply to the following models? or it will apply no matter the models?

1500D, 600C, 1000C, 300D, 2000E

 

Kindly

Wasfi

 

 

 

 

Labels:
5334
0 Kudos
2 Solutions
Yurisk
SuperUser
SuperUser

Created on ‎09-07-2020 11:18 PM

Hi, according to the Fortinet documentation it can: 

https://kb.fortinet.com/kb/documentLink.do?externalID=FD44109

 

Yuri https://yurisk.info/  blog: All things Fortinet, no ads.

View solution in original post

Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
3980
0 Kudos
localhost
Contributor III
In response to wasfi

Created on ‎09-08-2020 02:56 AM

Hi Wasfi

 

Yes this is possible. The KB article Yurisk posted already contains all the information you need. But it can be configured in the CLI only.

The firewall policy must be in proxy mode (6.2) otherwise it won't work.

This example adds the x-forwarded-for value to all outgoing HTTP Urls. You can also limit it to specific URL's in the webfilter urlfilter setting.

 

 

config web-proxy profile
    edit "1"
        set header-x-forwarded-for add
    next
end

 

 

 

config webfilter urlfilter
    edit 1
        set name "add-header"
        config entries
            edit 1
                set url "*"
                set type wildcard
                set action monitor
                set web-proxy-profile "1"
            next
        end
    next
end

config webfilter profile
    edit "add-header-webprofile"
        config web
            set urlfilter-table 1
        end
            set rate-image-urls disable
        end
    next
end

config firewall policy
    edit 20
        set srcintf "INTERN-LAB"
        set dstintf "EXTERN"
        set srcaddr "TEMP_10.1.1.1"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set inspection-mode proxy
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "add-header-webprofile"
        set logtraffic all
        set nat enable
    next
end

 

 

EDIT: Ah.. just noted you want to do this in 5.2 or 5.4. No idea.. looks like these CLI commands don't exist yet.

View solution in original post

Preview file
58 KB
3976
0 Kudos
5 REPLIES 5
Yurisk
SuperUser
SuperUser

Created on ‎09-07-2020 11:18 PM

Hi, according to the Fortinet documentation it can: 

https://kb.fortinet.com/kb/documentLink.do?externalID=FD44109

 

Yuri https://yurisk.info/  blog: All things Fortinet, no ads.
Yuri https://yurisk.info/ blog: All things Fortinet, no ads.
3981
0 Kudos
wasfi
New Contributor
In response to Yurisk

Created on ‎09-08-2020 12:55 AM

Hi Yuri

 

the FortiGate Firewall will not be load balancing. It is just acting as an Internet gateway doing Source IP Natting. Furthermore, it will not be handling https but rather http only, thus no need for loading the certificate on the FortiGate. 

 

I need to Fortigate Firewall to insert the XFF header in the header of HTTP requests as it does Natting of the Source IP address. No VIPs needed and no SSL offload. Can this be done?

 

Kindly

Wasfi

3915
0 Kudos
localhost
Contributor III
In response to wasfi

Created on ‎09-08-2020 02:56 AM

Hi Wasfi

 

Yes this is possible. The KB article Yurisk posted already contains all the information you need. But it can be configured in the CLI only.

The firewall policy must be in proxy mode (6.2) otherwise it won't work.

This example adds the x-forwarded-for value to all outgoing HTTP Urls. You can also limit it to specific URL's in the webfilter urlfilter setting.

 

 

config web-proxy profile
    edit "1"
        set header-x-forwarded-for add
    next
end

 

 

 

config webfilter urlfilter
    edit 1
        set name "add-header"
        config entries
            edit 1
                set url "*"
                set type wildcard
                set action monitor
                set web-proxy-profile "1"
            next
        end
    next
end

config webfilter profile
    edit "add-header-webprofile"
        config web
            set urlfilter-table 1
        end
            set rate-image-urls disable
        end
    next
end

config firewall policy
    edit 20
        set srcintf "INTERN-LAB"
        set dstintf "EXTERN"
        set srcaddr "TEMP_10.1.1.1"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set inspection-mode proxy
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "add-header-webprofile"
        set logtraffic all
        set nat enable
    next
end

 

 

EDIT: Ah.. just noted you want to do this in 5.2 or 5.4. No idea.. looks like these CLI commands don't exist yet.

Preview file
58 KB
3977
0 Kudos
xsilver_FTNT
Staff
Staff
In response to localhost

Created on ‎09-10-2020 02:37 AM

Hi Wasfi,

do not want to be rude, but .. 

1. you are posting FortiOS/FortiGate questions to FortiAuthenticator forum

2. FortiOS 5.2 is almost 2Y out of support and 5.4 support just ended in June this year,

so I would strongly suggest to use something recent/newer then OS versions released in 2014 !

For reference - Product Life Cycles : https://support.fortinet.com/Information/ProductLifeCycle.aspx

 

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

3915
0 Kudos
wasfi
New Contributor
In response to xsilver_FTNT

Created on ‎09-10-2020 02:54 AM

Hi Thomas;

 

You are not being rude. I think it was lazy of me to post on the FortiAuthenticator Forum in the first place. I couldn't find the FortiGate forum, so I assumed that I can post on the FortiAuthenticator, which wasn't appropriate. Sorry. I will let my customer know that these versions are out of support.

 

Kindly

Wasfi

3915
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.