Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
zhumarlin
New Contributor

Created on ‎11-30-2020 02:50 AM

Internet - Fortigate (NAT) - Load Balancer = LB Cannot Get Real IP

Hello.. I already read all posts about the same problem, but 

As the title of this post, we implement a load balancer after fortigate.

We used NAT on Fortigate to translate Public IP to Private IP. And then the HTTPS is offloaded on Load balancer.

Because of that topology, we cannot get the real IP/client IP address. It just shows the FW IP.

We cannot disable NAT because our servers using private IP.

Because of NAT, adding the "x-forwarded-for" header is not works.

 

We also cannot offloading SSL on FW because that is our load balancer's job.

 

Is there any solution based on our topology ?

1748
0 Kudos
1 REPLY 1
lobstercreed
Valued Contributor

Created on ‎11-30-2020 08:09 AM

You should not use NAT on an incoming (from Internet) policy for precisely the reasons you're describing.  The VIP object does the NAT from public IP to private.  Enabling NAT on the policy only affects the source, not the destination.  So you don't want NAT on the incoming policy.  You DO want NAT on the outbound policies.

1152
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.