Hi;
Can I have the FortiGate insert an X-Forwarded-For header only if the HTTP method is GET or CONNECT. Basically I have a virtual server of type http set up with "Preserve Client IP". It is load balancing traffic originating from browsers "with explicit proxy" and destined to a couple of proxy servers. The destination port is 8080.
When the Fortigate inserts the X-Forwarded-For for HTTP datagrams with GET, POST, CONNECT, things work fine. However, when it inserts the XFF in datagrams encapsulating TLS content, then it inserts the XFF in the datagram's body causing it to be malformed.
If I can have a simple rule that says: If the HTTP method does not exist then don't insert the XFF header.
Kindly
Wasfi
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Nope, VIP with load balancing does not include ability to match on request type. onthe other hand- fortigate acts as an ssl proxy and encrypts its connection to the server with X-forwarded header already added, why does it make payload corrupt in your case ? This should not happen IMO.
in my case, the FortiGate virtual server is not doing any SSL decryption. It however, adds the XFF header in the http datagram conveying the client hello.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.