Hi,
in my lab I'm exposing FMG WebUI on the public internet behind Cloudflare reverse proxy. I did basic Cloudflare configuration and I do reach FMG WebUI with using FQDN over HTTPS connection without any issue.
However, once I am logged in, after few seconds of activity I am forced logged-out. And I have to log back in. Sometimes before I am forced logged out and I am moving around different sections of WebUI, I get red banner on FMG WebUi saying "Invalid IP address".
This behavour is not present if bypass Cloudflare. i.e. I browse WebUI using IP address and not FQDN.
What I suspect is that at some point (in the middle of the session) Cloudflare is changing IP address of the reverse proxy. i.e. FMG sees that the session is coming from different IP address and it forces user to log out.
Has anyone manage to expose FMG WebUI behind Cloudflare reverse proxy?
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hello
Does the FQDN resolve to multiple IP addresses? If so then it could be the issue, then try add a new DNS record that resolves to one single IP.
If it is not the case, then it is probably using redundant reverse proxies with different back-end addresses (seen by FMG). I didn't use CloudFlare revers proxy before but if it is configurable try to force it to keep the same IP when accessing FMG.
Thank you for your reply.
No, FQDN resolves single IP address on port 443 that belongs to FMG. I am not able to see anything on Cloudflare dashboard that would configure reverse proxy to use a single IP address. What I find is that when proxying Cloudflare passes original IP address used by the user in one of the additional header in HTTP request to FMG. However, I am thinking that since I am getting this error, it seems that FMG Web Server is not able to digest that?!
I do continue to investigate on Cloudflare side, but I posted here just to see if anyone had existing experience on this kind of deployment.
I'm not aware that FortiManager's WebUI supports "X-Forwarded-For" header. I think you should look for a solution from cloud flare side.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1634 | |
1063 | |
751 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.