Checker
New Contributor

How to give real external IP of server behind nat?

Hi, how can I make the Fortigate (v4) give a server in the DMZ the real IP of the computer connected to it and not the IP of the DMZ interface? I have a server (Debian Wheezy) in a DMZ behind NAT, and when someone from the Internet connects to it, all I see in the log (/var/log/auth.log) is the IP of the DMZ interface of the Fortigate... So I cannot block abusive IP addresses with fail2ban, for instance. How can I fix this? Thanks.
rwpatterson
Valued Contributor III

Welcome to the forums. What you need to do is UNcheck the NAT setting in the policy that accesses that server from the Internet. (the outside-in policy) You only need to NAT outgoing connections.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Istvan_Takacs_FTNT

Or, without using the FGT as router-only, you can also enable including the 'X-Forwarded-For' header in the web proxy option of the v4 Fortigate. The XFF HTTP header identifies the originating IP address of a web client or browser that is connecting through an HTTP proxy, and the remote addresses it passed through to this point.
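For HTTP traffic, the X-Forwarded-For approach only gives a usable address for logging or banning if the server honours the header solely on connections that arrive from the FortiGate. The sketch below is an added example, not code from the thread or from Fortinet; the DMZ interface address 192.0.2.1, the sample requests and the function names are constructed assumptions.

```python
import ipaddress

# Assumption: 192.0.2.1 stands in for the FortiGate DMZ interface, the only
# peer whose X-Forwarded-For entries the server should believe.
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.1/32")]


def _is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(peer, xff_header):
    """Return the address to log or ban for one HTTP request.

    peer       -- TCP source address the server sees
    xff_header -- raw X-Forwarded-For value, or None if absent
    """
    peer_ip = ipaddress.ip_address(peer)
    # A connection that did not come through the proxy can carry any header
    # value the sender likes, so the header is ignored.
    if not _is_trusted(peer_ip) or not xff_header:
        return str(peer_ip)
    # Walk right to left: the rightmost entry was appended by the trusted
    # proxy; anything further left was supplied by the client, unverified.
    for token in reversed(xff_header.split(",")):
        try:
            hop = ipaddress.ip_address(token.strip())
        except ValueError:
            return str(peer_ip)  # malformed entry: fall back to the peer
        if not _is_trusted(hop):
            return str(hop)
    return str(peer_ip)


# Constructed sample requests: (TCP peer, X-Forwarded-For header)
SAMPLES = [
    ("192.0.2.1", "203.0.113.7"),               # normal proxied request
    ("192.0.2.1", "10.9.9.9, 198.51.100.23"),   # client pre-filled a fake entry
    ("198.51.100.50", "127.0.0.1"),             # direct hit with forged header
    ("192.0.2.1", None),                        # proxy did not add the header
]

if __name__ == "__main__":
    for peer, xff in SAMPLES:
        print(f"peer={peer:15} xff={xff!r:28} -> {client_ip(peer, xff)}")
```

The second and third samples show why the leftmost entry, or a header on a direct connection, should never be fed to a ban list.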