We are deploying FortiWeb in between our FortiGate and web server, in one-arm reverse proxy mode. Our webserver needs to capture the original IP of web visitors, but the webserver can only see the IP of the FortiWeb. I have already enabled the X-Forwarded-For options on the FortiWeb.
From the packet capture on the FortiWeb, we can see the X-Forwarded-For IP in the extracted packet logs. However, the original IP is also not appearing as the source in the "Attack Logs", though I am not sure if this has any effect.
And in the backend programming of the webserver, we have tried all the methods to capture headers like REMOTE_ADDR, HTTP_X_FORWARDED_FOR, HTTP_X_REAL_IP, etc. It is still showing only the IP of the FortiWeb.
For example:
8.8.4.4 (sample public IP of web visitor) -> [10.10.10.5 (Fortigate WAN) -> 10.0.2.5 (Fortigate LAN) ] -> 10.0.2.6 (Fortiweb) -> 10.0.2.7 (webserver)
With the above, our web server is working but should be able to log 8.8.4.4 as the original IP of the visitor. But it can only see the IP of the FortiWeb, 10.0.2.6, as the value of x-forwarded-for or remote-addr.
Hopefully someone has some insight into this. Our webserver really does need to log the original IP of the visitor.
Hello dairu,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Hello dairu,
We are still looking for someone to help you.
We will come back to you ASAP.
Thanks,
Hello Dairu,
Hope you are doing fine. In regards to the "X-Forwarded-For" header, if you are able to capture the header in the pcap, then it would be a correct setup in FortiWeb.
The next thing will be for the webserver to capture the "X-Forwarded-For" header value and log it as the client's IP. There are examples for webservers like IIS and Apache that you can check out. Hope it'll help.
- IIS
- Apache
Thanks
Hi kmak,
The two links you forwarded are similar; both were for Apache. Do you have one for IIS?
There was progress: X-Forwarded-For is appearing on HTTP, but not on HTTPS. Even the FortiWeb's attack log is showing the original IP on HTTP but the internal IP on HTTPS. As it only happens on HTTPS, I did check if there is anything wrong with the SSL/certs, but it is correctly configured. Do you have any insight on this?
Hi Dairu,
Sorry for pasting the duplicate link. Here's the link for IIS.
HTTPS packets will have been encrypted, so you might not be able to see the web packet contents in the pcap; they need to be decrypted in order to view the header content.
Thanks
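
Added example, not part of the thread or of any Fortinet, IIS or Apache documentation: one way a backend behind the reverse proxy can resolve the visitor address from the REMOTE_ADDR and HTTP_X_FORWARDED_FOR variables named in the question, accepting the header only when the connection comes from the proxy. The function names, the trusted-proxy list (the thread's 10.0.2.6) and the sample requests are assumptions made for illustration.

```python
import ipaddress

# Assumption: only the FortiWeb address from the thread's topology is trusted.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.2.6/32")]

def _parse_ip(token):
    """Parse one X-Forwarded-For element; return None if it is malformed."""
    token = token.strip()
    if token.startswith("["):              # bracketed IPv6 with port
        token = token[1:].split("]", 1)[0]
    elif token.count(":") == 1:            # IPv4 with port, e.g. "8.8.4.4:51234"
        token = token.split(":", 1)[0]
    try:
        return ipaddress.ip_address(token)
    except ValueError:
        return None

def _is_trusted(ip):
    return any(ip in net for net in TRUSTED_PROXIES)

def client_ip(environ):
    """Resolve the visitor address from a WSGI/CGI-style environ dict."""
    peer = _parse_ip(environ.get("REMOTE_ADDR", ""))
    if peer is None:
        return None
    # A host that connects directly must not be able to choose its own logged IP.
    if not _is_trusted(peer):
        return str(peer)
    hops = environ.get("HTTP_X_FORWARDED_FOR", "").split(",")
    # Walk right to left: the rightmost entry is the one our own proxy appended.
    for token in reversed(hops):
        ip = _parse_ip(token)
        if ip is None:
            break              # missing or malformed entry: fall back to last good hop
        if not _is_trusted(ip):
            return str(ip)
        peer = ip
    return str(peer)

if __name__ == "__main__":
    # Constructed requests using the addresses from the thread's example topology.
    samples = [
        {"REMOTE_ADDR": "10.0.2.6", "HTTP_X_FORWARDED_FOR": "8.8.4.4"},
        {"REMOTE_ADDR": "10.0.2.6", "HTTP_X_FORWARDED_FOR": "1.2.3.4, 8.8.4.4"},
        {"REMOTE_ADDR": "10.0.2.6"},       # header absent: only the proxy IP is known
        {"REMOTE_ADDR": "10.0.2.50", "HTTP_X_FORWARDED_FOR": "8.8.4.4"},
    ]
    for env in samples:
        print(env, "->", client_ip(env))
```

When the header is absent, as in the HTTPS case reported above, the function falls back to the proxy address, so a log full of 10.0.2.6 entries points at the header not reaching the backend rather than at the parsing code.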