Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

How does a Fortigate firwall behave if inserting XFF header to encrypted content



I have a Fortigate firewall that is setup to "preserve client IP" at a virtual server defined on it.


This virtual server load balances traffic destined to two explicit forward proxies on port 8080. 


When the explicit proxy traffic is http, XFF is inserted and the load balancing and proxy connection to server works perfectly. However, when the explicity proxy traffic is https, the connection to server does not work.


My question is, if the Fortigate fails to insert XFF to the https encrypted stream, does it drop the connection as a result?






Esteemed Contributor III

Run "diag debug flow" when doing HTTPS and HTTP and monitor. That will tell you every thing about if it drops the sessions.


Since this is explicit proxy I'm not sure how your inserting the XFF header, but if the tunnel is built to a HTTPS proxy, i do see how your inserting the XFF if the fortigate is not MiTM.


Do you have "config firewall ssl-server"  setup etc........ or doing something else? Basically what is your firewall vip setup?



Ken Felix





PCNSE NSE StrongSwan
New Contributor

Thank you for your reply Emnoc. I don't have config firewall ssl-server 


My virtual server is very basic. It is doing round robin load balancing with source IP hash persistence. However, since it does source IP Natting, the original client IP is not seen by the Proxies, thus the need for XFF.


You are right, it is listening on port 8080 for explicit proxy traffic and as you know whether the traffic is http or https as the browser is set explicitly, the original datagram is always encapsulated in a http datagram destined to port 8080.


Now, when the encapsulated datagram is http the fortigate passes it through after inserting the XFF. Also, when the encapsulating datagram is a mere "CONNECT" method, XFF is inserted without any issues. 


The issue arises when the encapsulated datagram is a TLS one like a "client hello", then the Fortigate drops the datagram despite the encapsulating http datagram. My aim is to have the Fortigate setup in a way to pass it through untouched if it cannot insert the XFF.





Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Top Kudoed Authors