Can a Fortigate with version 5.4 or 5.2 insert an XFF Header

wasfi · ‎09-07-2020

Hi;

Can a Fortigate Firewall running version 5.2.x or 5.4.x insert an XFF header?

If yes, how exactly can this be done?

Does it apply to the following models? or it will apply no matter the models?

1500D, 600C, 1000C, 300D, 2000E

Kindly

Wasfi

Yurisk · ‎09-07-2020

Hi, according to the Fortinet documentation it can:

https://kb.fortinet.com/kb/documentLink.do?externalID=FD44109

Yuri https://yurisk.info/ blog: All things Fortinet, no ads.

View solution in original post

localhost · ‎09-08-2020

Hi Wasfi

Yes this is possible. The KB article Yurisk posted already contains all the information you need. But it can be configured in the CLI only.

The firewall policy must be in proxy mode (6.2) otherwise it won't work.

This example adds the x-forwarded-for value to all outgoing HTTP Urls. You can also limit it to specific URL's in the webfilter urlfilter setting.

config web-proxy profile
    edit "1"
        set header-x-forwarded-for add
    next
end

config webfilter urlfilter
    edit 1
        set name "add-header"
        config entries
            edit 1
                set url "*"
                set type wildcard
                set action monitor
                set web-proxy-profile "1"
            next
        end
    next
end

config webfilter profile
    edit "add-header-webprofile"
        config web
            set urlfilter-table 1
        end
            set rate-image-urls disable
        end
    next
end

config firewall policy
    edit 20
        set srcintf "INTERN-LAB"
        set dstintf "EXTERN"
        set srcaddr "TEMP_10.1.1.1"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set inspection-mode proxy
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "add-header-webprofile"
        set logtraffic all
        set nat enable
    next
end

EDIT: Ah.. just noted you want to do this in 5.2 or 5.4. No idea.. looks like these CLI commands don't exist yet.

View solution in original post

Yurisk · ‎09-07-2020

Hi, according to the Fortinet documentation it can:

https://kb.fortinet.com/kb/documentLink.do?externalID=FD44109

Yuri https://yurisk.info/ blog: All things Fortinet, no ads.

wasfi · ‎09-08-2020

Hi Yuri

the FortiGate Firewall will not be load balancing. It is just acting as an Internet gateway doing Source IP Natting. Furthermore, it will not be handling https but rather http only, thus no need for loading the certificate on the FortiGate.

I need to Fortigate Firewall to insert the XFF header in the header of HTTP requests as it does Natting of the Source IP address. No VIPs needed and no SSL offload. Can this be done?

Kindly

Wasfi

localhost · ‎09-08-2020

Hi Wasfi

Yes this is possible. The KB article Yurisk posted already contains all the information you need. But it can be configured in the CLI only.

The firewall policy must be in proxy mode (6.2) otherwise it won't work.

This example adds the x-forwarded-for value to all outgoing HTTP Urls. You can also limit it to specific URL's in the webfilter urlfilter setting.

config web-proxy profile
    edit "1"
        set header-x-forwarded-for add
    next
end

config webfilter urlfilter
    edit 1
        set name "add-header"
        config entries
            edit 1
                set url "*"
                set type wildcard
                set action monitor
                set web-proxy-profile "1"
            next
        end
    next
end

config webfilter profile
    edit "add-header-webprofile"
        config web
            set urlfilter-table 1
        end
            set rate-image-urls disable
        end
    next
end

config firewall policy
    edit 20
        set srcintf "INTERN-LAB"
        set dstintf "EXTERN"
        set srcaddr "TEMP_10.1.1.1"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set inspection-mode proxy
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "add-header-webprofile"
        set logtraffic all
        set nat enable
    next
end

EDIT: Ah.. just noted you want to do this in 5.2 or 5.4. No idea.. looks like these CLI commands don't exist yet.

xsilver_FTNT · ‎09-10-2020

Hi Wasfi,

do not want to be rude, but ..

1. you are posting FortiOS/FortiGate questions to FortiAuthenticator forum

2. FortiOS 5.2 is almost 2Y out of support and 5.4 support just ended in June this year,

so I would strongly suggest to use something recent/newer then OS versions released in 2014 !

For reference - Product Life Cycles : https://support.fortinet.com/Information/ProductLifeCycle.aspx

Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

wasfi · ‎09-10-2020

Hi Thomas;

You are not being rude. I think it was lazy of me to post on the FortiAuthenticator Forum in the first place. I couldn't find the FortiGate forum, so I assumed that I can post on the FortiAuthenticator, which wasn't appropriate. Sorry. I will let my customer know that these versions are out of support.

Kindly

Wasfi