Hi;
I have a Fortigate firewall that is set up to "preserve client IP" on a virtual server defined on it.
This virtual server load balances traffic destined to two explicit forward proxies on port 8080.
When the explicit proxy traffic is HTTP, XFF is inserted and the load balancing and proxy connection to the server work perfectly. However, when the explicit proxy traffic is HTTPS, the connection to the server does not work.
My question is: if the Fortigate fails to insert XFF into the HTTPS-encrypted stream, does it drop the connection as a result?
Kindly
Wasfi
Run "diag debug flow" when doing HTTPS and HTTP and monitor. That will tell you everything about whether it drops the sessions.
Since this is explicit proxy I'm not sure how you're inserting the XFF header, but if the tunnel is built to an HTTPS proxy, I do see how you're inserting the XFF if the Fortigate is not MiTM.
Do you have "config firewall ssl-server" set up, etc., or are you doing something else? Basically, what is your firewall VIP setup?
Ken Felix
PCNSE
NSE
StrongSwan
Thank you for your reply, Emnoc. I don't have "config firewall ssl-server".
My virtual server is very basic. It is doing round-robin load balancing with source IP hash persistence. However, since it does source IP NATting, the original client IP is not seen by the proxies, thus the need for XFF.
You are right, it is listening on port 8080 for explicit proxy traffic and, as you know, whether the traffic is HTTP or HTTPS, as the browser is set explicitly, the original datagram is always encapsulated in an HTTP datagram destined to port 8080.
Now, when the encapsulated datagram is HTTP, the Fortigate passes it through after inserting the XFF. Also, when the encapsulating datagram is a mere "CONNECT" method, XFF is inserted without any issues.
The issue arises when the encapsulated datagram is a TLS one like a "client hello"; then the Fortigate drops the datagram despite the encapsulating HTTP datagram. My aim is to have the Fortigate set up in a way that passes it through untouched if it cannot insert the XFF.
Kindly
Wasfi
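To make the behaviour discussed in both replies concrete, here is an added Python model that is not code from the thread or from Fortinet. An explicit proxy on port 8080 sees two kinds of bytes on the same TCP connection: plaintext HTTP request heads (an absolute-URI `GET`, or a `CONNECT host:443`), whose headers are visible and can carry an inserted `X-Forwarded-For`; and, once the proxy has answered `CONNECT` with `200`, a raw TLS ClientHello that is not HTTP at all. A device that is not doing TLS interception can only pass those TLS bytes through or drop them; it cannot add a header. The sample requests, the client IP `10.0.0.5`, the truncated ClientHello bytes and the `passthrough_on_failure` flag are all constructed for this example.

```python
# Added example (not from the forum thread or Fortinet): models what an
# XFF-inserting load balancer in front of an explicit proxy can and cannot
# do when it is not terminating TLS.
from __future__ import annotations

CRLF = b"\r\n"

# Constructed sample traffic as seen on the proxy port.
HTTP_GET = b"GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\n\r\n"
CONNECT_REQ = b"CONNECT example.com:443 HTTP/1.1\r\nHost: example.com:443\r\n\r\n"
# First bytes of a TLS handshake record (content type 0x16, version 0x03 0x01);
# the handshake body is truncated here because only the prefix matters.
CLIENT_HELLO = b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"


def classify(chunk: bytes) -> str:
    """Return 'tls', 'http' or 'unknown' for the first bytes on the connection."""
    # A TLS record starts with a content-type byte (0x16 = handshake)
    # followed by the record-layer version, whose major byte is 0x03.
    if len(chunk) >= 3 and chunk[0] == 0x16 and chunk[1] == 0x03:
        return "tls"
    # An HTTP request line is "METHOD target HTTP/x.y"; this covers both an
    # absolute-URI GET and a CONNECT host:port request.
    parts = chunk.split(CRLF, 1)[0].split(b" ")
    if len(parts) == 3 and parts[2].startswith(b"HTTP/"):
        return "http"
    return "unknown"


def insert_xff(chunk: bytes, client_ip: str) -> bytes:
    """Insert X-Forwarded-For into a plaintext HTTP request head.

    Appends to an existing chain if the client already sent one.
    Raises ValueError for anything that is not a parseable HTTP request,
    which is exactly the situation a TLS ClientHello produces.
    """
    if classify(chunk) != "http":
        raise ValueError("not a plaintext HTTP request head")
    head, sep, body = chunk.partition(CRLF + CRLF)
    lines = head.split(CRLF)
    out = [lines[0]]
    found = False
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"x-forwarded-for":
            out.append(b"X-Forwarded-For: " + value.strip() + b", " + client_ip.encode())
            found = True
        else:
            out.append(line)
    if not found:
        out.append(b"X-Forwarded-For: " + client_ip.encode())
    return CRLF.join(out) + sep + body


def forward(chunk: bytes, client_ip: str, passthrough_on_failure: bool) -> bytes | None:
    """Decide what reaches the proxy: the rewritten request, the untouched
    bytes, or None (dropped) when XFF cannot be inserted."""
    try:
        return insert_xff(chunk, client_ip)
    except ValueError:
        return chunk if passthrough_on_failure else None


if __name__ == "__main__":
    for label, chunk in (("GET", HTTP_GET), ("CONNECT", CONNECT_REQ), ("ClientHello", CLIENT_HELLO)):
        print(label, classify(chunk), forward(chunk, "10.0.0.5", passthrough_on_failure=False))
```

Running it shows the GET and CONNECT heads going out with `X-Forwarded-For: 10.0.0.5` appended, while the ClientHello is returned as `None` (dropped) unless `passthrough_on_failure` is set, which is the untouched-passthrough behaviour the original poster is asking for. Note that on the real proxy the client IP in the CONNECT header is the only place XFF can ever be carried for HTTPS; nothing inside the TLS tunnel can be annotated without a MiTM (ssl-server) configuration.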
Copyright 2024 Fortinet, Inc. All Rights Reserved.