Can the FortiGate insert an X-Forwarded-For header only for GET and CONNECT methods?
Can I have the FortiGate insert an X-Forwarded-For header only if the HTTP method is GET or CONNECT? Basically I have a virtual server of type http set up with "Preserve Client IP". It is load balancing traffic originating from browsers "with explicit proxy" and destined to a couple of proxy servers. The destination port is 8080.
When the FortiGate inserts the X-Forwarded-For for HTTP datagrams with GET, POST, CONNECT, things work fine. However, when it inserts the XFF in datagrams encapsulating TLS content, then it inserts the XFF in the datagram's body, causing it to be malformed.
If I can have a simple rule that says: If the HTTP method does not exist then don't insert the XFF header.
Nope, VIP with load balancing does not include the ability to match on request type.
On the other hand, FortiGate acts as an SSL proxy and encrypts its connection to the server with the X-Forwarded header already added, so why does it make the payload corrupt in your case? This should not happen IMO.
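The rule asked for in the question, written out as an added example; it is not part of the thread and not a FortiGate feature or configuration. It inserts X-Forwarded-For only when a payload starts with an HTTP request line whose method is selected, and passes tunnelled TLS records through untouched. The function names, sample payloads and the 192.0.2.10 address are constructed for illustration.

```python
import ipaddress
import re

# Request line shape: METHOD SP target SP HTTP/x.y CRLF
REQUEST_LINE = re.compile(rb"^([A-Z]+) \S+ HTTP/\d\.\d\r\n")

def classify(payload: bytes) -> str:
    """Label a client-to-proxy payload by what its first bytes look like."""
    if REQUEST_LINE.match(payload):
        return "http-request"
    # TLS record header: content type 20-23, then version major byte 0x03.
    if len(payload) >= 3 and 0x14 <= payload[0] <= 0x17 and payload[1] == 0x03:
        return "tls-record"
    return "opaque"

def insert_xff(payload: bytes, client_ip: str, methods=(b"GET", b"CONNECT")) -> bytes:
    """Add X-Forwarded-For after the request line, or return payload unchanged."""
    m = REQUEST_LINE.match(payload)
    if m is None or m.group(1) not in methods:
        return payload  # no HTTP method present, or method not selected
    if b"\r\n\r\n" not in payload:
        return payload  # header block incomplete in this payload: do not guess
    # Parsing the address rejects CR/LF and anything else that is not an IP.
    ip = str(ipaddress.ip_address(client_ip)).encode("ascii")
    header = b"X-Forwarded-For: " + ip + b"\r\n"
    return payload[:m.end()] + header + payload[m.end():]

# Constructed sample payloads (not captured traffic).
GET_REQ = b"GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\n\r\n"
CONNECT_REQ = b"CONNECT example.com:443 HTTP/1.1\r\nHost: example.com:443\r\n\r\n"
POST_REQ = b"POST http://example.com/f HTTP/1.1\r\nHost: example.com\r\n\r\n"
TLS_HELLO = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"  # start of a TLS handshake record

if __name__ == "__main__":
    for name, data in [("GET", GET_REQ), ("CONNECT", CONNECT_REQ),
                       ("POST", POST_REQ), ("TLS", TLS_HELLO)]:
        out = insert_xff(data, "192.0.2.10")
        print(name, classify(data), "modified" if out != data else "unchanged")
```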