Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
RolandBaumgaertner72
Contributor

Way to see Destination IP behind VIP in apache

Hi,

 

I found some informacion on the community sites refering reverse proxy but I am not sure.

 

We have a webserver behind a VIP with only 1 static IP (there are like 4 VIPs to different hosts in the DMZ). In one VIP the Dev Team would like to get the source public IP to see at the apache for a new service.

 

With the actual NAT they get only the DMZ interface IP because of the NAT.

 

Any good ideas?

 

Thanks

5 REPLIES 5
ozkanaltas
Valued Contributor II

You have two options for that. You can use a web proxy profile. This profile adds the client's IP address to the HTTP request header.

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Adding-x-forwarded-for-header-to-explicit-...

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-add-X-forwarded-headers-to-the-traf...


Or you can use Virtual Server instead of VIP. This way also doing the same thing. 

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Preserve-client-IP-in-Virtual-servers/ta-p...


The dev team can catch real client IPs from the x-forwarded-for request header. 

If you have found a solution, please like and accept it to make it easily accessible to others.
NSE 4-5-6-7 OT Sec - ENT FW
If you have found a solution, please like and accept it to make it easily accessible to others.NSE 4-5-6-7 OT Sec - ENT FW
AEK
SuperUser
SuperUser

Hi Roland

Are you using a VIP or Virtual Server with SSL offloading?

Are you using DNAT only or have you also enabled SNAT at firewall policy level?

AEK
AEK
RolandBaumgaertner72
Contributor

Hi,

I will check the options, thanks!

 

Right now it is a normal VIP with DNAT, so the apache only gets the IP of the DMZ Interface.

 

regards

AEK

Hi Roland

DNAT shouldn't change source NAT, so you should see the original source IP in the IP packet when it reaches the server. Or am I wrong?

AEK
AEK
ebilcari

On the firewall policy that allows access to the VIP you should disable NAT in order to not do SNAT.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors