dairu
New Contributor III

Fortiweb X-Forwarded-For not Showing Original IP of visitor from Web Server

We are deploying FortiWeb between our FortiGate and web server, in one-arm reverse proxy mode. Our web server needs to capture the original IP of web visitors, but the web server can only see the IP of the FortiWeb. I have already enabled the X-Forwarded-For options on the FortiWeb.

From the packet capture on the FortiWeb, we can see the X-Forwarded-For IP in the extracted packet logs. However, the original IP is also not appearing as the source in the "Attack Logs", though I am not sure if this has any effect.

In the backend programming of the web server, we have tried all the methods to capture headers like REMOTE_ADDR, HTTP_X_FORWARDED_FOR, HTTP_X_REAL_IP, etc. It is still showing the IP of the FortiWeb only.

 

For example:

8.8.4.4 (sample public IP of web visitor) -> [10.10.10.5 (Fortigate WAN) -> 10.0.2.5 (Fortigate LAN) ] -> 10.0.2.6 (Fortiweb) -> 10.0.2.7 (webserver)

 

With the above, our web server is working but should be able to log 8.8.4.4 as the original IP of the visitor. But it can only see the IP of the FortiWeb, 10.0.2.6, as the value of x-forwarded-for or remote-addr.

 

Hopefully someone has some insight into this. Our web server really does need to log the original IP of the visitor.

Anthony_E
Community Manager

Hello dairu,


Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Thanks,

Anthony-Fortinet Community Team.
Anthony_E
Community Manager

Hello dairu,

 

We are still looking for someone to help you.

We will come back to you ASAP.


Thanks,

Anthony-Fortinet Community Team.
kmak
Staff

Hello Dairu,

 

Hope you are doing fine. Regarding the "X-Forwarded-For" header, if you are able to capture the header in the pcap, then the setup in FortiWeb would be correct.

The next thing will be for the web server to capture the "X-Forwarded-For" header value and log it as the client's IP. There are examples for web servers like IIS and Apache that you can check out. Hope it helps.

 

- IIS

https://cwiki.apache.org/confluence/display/CLOUDSTACK/Log+the+IP+of+the+client+in+Apache+using+the+...

- Apache

https://cwiki.apache.org/confluence/display/CLOUDSTACK/Log+the+IP+of+the+client+in+Apache+using+the+...

 

Thanks

KMAK
dairu
New Contributor III

Hi kmak,

 

The two links you forwarded are similar; both are for Apache. Do you have one for IIS?

 

There was some progress: X-Forwarded-For is appearing on HTTP, but not on HTTPS. Even the FortiWeb's attack log is showing the original IP on HTTP but the internal IP on HTTPS. As it only happens on HTTPS, I did check if there is anything wrong with the SSL/certs, but it is correctly configured. Do you have any insight on this?

 

 

kmak

Hi Dairu,

 

Sorry for pasting the duplicate link. Here's the link for IIS.

 

https://techcommunity.microsoft.com/t5/iis-support-blog/how-to-use-x-forwarded-for-header-to-log-act...

 

HTTPS packets would be encrypted, so you might not be able to see the web packet contents in the pcap; they need to be decrypted in order to view the header contents.

 

Thanks

KMAK
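
An added example, not part of the thread and not Fortinet's code: one way a backend could choose the address to log, honouring X-Forwarded-For only when the request's immediate peer is the reverse proxy. The trusted addresses are taken from the example topology in the question, and the function and variable names are hypothetical.

```python
import ipaddress

# Addresses taken from the thread's example topology (assumed trusted hops).
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.2.6/32"),  # FortiWeb (reverse proxy)
    ipaddress.ip_network("10.0.2.5/32"),  # FortiGate LAN interface
]

def _parse(value):
    """Return an ip_address object, or None if the text is not an IP."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None

def _trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)

def client_ip(environ):
    """Pick the address to log from a CGI/WSGI-style environ dict."""
    peer = _parse(environ.get("REMOTE_ADDR", ""))
    if peer is None:
        return None
    # A peer that is not our proxy can put anything in the header: ignore it.
    if not _trusted(peer):
        return str(peer)
    hops = environ.get("HTTP_X_FORWARDED_FOR", "").split(",")
    # Rightmost entries were appended by our own proxies; the first
    # untrusted address from the right is the visitor they actually saw.
    for hop in reversed(hops):
        addr = _parse(hop)
        if addr is None:
            break  # missing or malformed entry: fall back to the peer
        if not _trusted(addr):
            return str(addr)
    return str(peer)

if __name__ == "__main__":
    # Constructed requests, not captured traffic.
    samples = [
        {"REMOTE_ADDR": "10.0.2.6", "HTTP_X_FORWARDED_FOR": "8.8.4.4"},
        {"REMOTE_ADDR": "10.0.2.6", "HTTP_X_FORWARDED_FOR": "1.2.3.4, 8.8.4.4"},
        {"REMOTE_ADDR": "10.0.2.6"},  # header missing
        {"REMOTE_ADDR": "10.0.2.50", "HTTP_X_FORWARDED_FOR": "8.8.4.4"},
    ]
    for env in samples:
        print(env, "->", client_ip(env))
```

When the header is absent, the function falls back to the proxy's own address, which matches the symptom described for the HTTPS site.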