Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

Can the fortigate insert a X-Forwarded-For header only for GET and CONNECT methods?



Can I have the FortiGate insert an X-Forwarded-For header only if the HTTP method is GET or CONNECT. Basically I have a virtual server of type http set up with "Preserve Client IP". It is load balancing traffic originating from browsers "with explicit proxy" and destined to a couple of proxy servers. The destination port is 8080.


When the Fortigate inserts the X-Forwarded-For for HTTP datagrams with GET, POST, CONNECT, things work fine. However, when it inserts the XFF in datagrams encapsulating TLS content, then it inserts the XFF in the datagram's body causing it to be malformed. 


If I can have a simple rule that says: If the HTTP method does not exist then don't insert the XFF header.






Valued Contributor

Nope, VIP with load balancing does not include ability to match on request type.  onthe other hand- fortigate acts as an ssl proxy and encrypts its connection to the server with X-forwarded header already added, why does it make payload corrupt in your case ? This should not happen IMO. 

Yuri blog: All things Fortinet, no ads.

All opinions are mine only.
New Contributor

in my case, the FortiGate virtual server is not doing any SSL decryption. It however, adds the XFF header in the http datagram conveying the client hello.

Top Kudoed Authors