How does a Fortigate firewall behave if inserting XFF header to encrypted content
I have a Fortigate firewall that is set up to "preserve client IP" at a virtual server defined on it.
This virtual server load balances traffic destined to two explicit forward proxies on port 8080.
When the explicit proxy traffic is http, XFF is inserted and the load balancing and proxy connection to the server work perfectly. However, when the explicit proxy traffic is https, the connection to the server does not work.
My question is, if the Fortigate fails to insert XFF to the https encrypted stream, does it drop the connection as a result?
Thank you for your reply, Emnoc. I don't have config firewall ssl-server.
My virtual server is very basic. It is doing round robin load balancing with source IP hash persistence. However, since it does source IP NATing, the original client IP is not seen by the proxies, thus the need for XFF.
You are right, it is listening on port 8080 for explicit proxy traffic and, as you know, whether the traffic is http or https, since the browser is set to use the proxy explicitly, the original datagram is always encapsulated in an http datagram destined to port 8080.
Now, when the encapsulated datagram is http, the Fortigate passes it through after inserting the XFF. Also, when the encapsulating datagram is a mere "CONNECT" method, XFF is inserted without any issues.
The issue arises when the encapsulated datagram is a TLS one like a "client hello": then the Fortigate drops the datagram despite the encapsulating http datagram. My aim is to have the Fortigate set up in a way that passes it through untouched if it cannot insert the XFF.
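To make the three cases in the thread concrete, here is an added example (my own Python, not FortiGate code and not anything the poster ran) that looks at the first bytes a client sends to an explicit-proxy listener and decides whether an X-Forwarded-For header can be inserted. A plain HTTP request and a CONNECT request both have an HTTP head, so a header line can be added or appended. Once the CONNECT has been acknowledged, what follows on the same connection is raw TLS record bytes (a ClientHello starts with record type 0x16 and handshake type 0x01); there is no HTTP head to carry a header, so the only safe behaviour is the pass-through the poster is asking for. The sample requests and the truncated ClientHello are constructed; the IP addresses are placeholders.

```python
"""Classify the leading bytes of a stream hitting an explicit-proxy listener
(port 8080 in the thread) and insert X-Forwarded-For only where an HTTP head
exists. Constructed example; not FortiGate code."""

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"DELETE ", b"HEAD ", b"OPTIONS ", b"PATCH ")
TLS_HANDSHAKE = 0x16      # TLS record content type: handshake
TLS_CLIENT_HELLO = 0x01   # handshake message type: ClientHello


def classify(data: bytes) -> str:
    """Return 'http', 'connect', 'tls' or 'unknown' for the first bytes of a stream."""
    if data.startswith(b"CONNECT "):
        return "connect"
    if data.startswith(HTTP_METHODS):
        return "http"
    # TLS record header: type(1) version(2) length(2), then the handshake type byte.
    if (len(data) >= 6 and data[0] == TLS_HANDSHAKE
            and data[1] == 0x03 and data[2] in (0x00, 0x01, 0x02, 0x03)
            and data[5] == TLS_CLIENT_HELLO):
        return "tls"
    return "unknown"


def insert_xff(data: bytes, client_ip: str) -> bytes:
    """Add X-Forwarded-For (or append to an existing one) in an HTTP or CONNECT
    request head. Anything without a parseable HTTP head is returned untouched,
    which is the pass-through behaviour wanted for TLS bytes."""
    if classify(data) not in ("http", "connect"):
        return data
    head_end = data.find(b"\r\n\r\n")
    if head_end == -1:
        return data  # head not complete yet; nothing safe to modify
    head, rest = data[:head_end], data[head_end:]
    lines = head.split(b"\r\n")
    for i, line in enumerate(lines[1:], start=1):
        if line.lower().startswith(b"x-forwarded-for:"):
            lines[i] = line + b", " + client_ip.encode()
            break
    else:
        lines.append(b"X-Forwarded-For: " + client_ip.encode())
    return b"\r\n".join(lines) + rest


# Constructed sample inputs (placeholder hosts and addresses).
HTTP_REQ = b"GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\n\r\n"
CONNECT_REQ = b"CONNECT example.com:443 HTTP/1.1\r\nHost: example.com:443\r\n\r\n"
# Start of a TLS 1.2 ClientHello record: 16 (handshake) 03 01 (record version)
# 00 f5 (length) 01 (ClientHello) ... ; truncated and constructed for the demo.
TLS_HELLO = bytes.fromhex("16030100f5010000f10303") + b"\x00" * 32

if __name__ == "__main__":
    for name, sample in (("HTTP", HTTP_REQ), ("CONNECT", CONNECT_REQ), ("TLS", TLS_HELLO)):
        out = insert_xff(sample, "10.0.0.5")
        print(name, classify(sample), "modified" if out != sample else "passed through untouched")
```

Run it and the HTTP and CONNECT samples come back with an X-Forwarded-For line while the ClientHello is returned byte-for-byte, which is the behaviour to look for from any device that is supposed to preserve the client IP in front of an explicit proxy.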