Cajuntank
Contributor II

X-forwarded-for header question?

Ok, I will admit I am a little outside my knowledge base with this one. In my investigation, I am learning that what I am looking for might be this header passed from the browser called X-Forwarded-For. Based on what I am seeing, this shows, or can show, the client's original IP, then successive IPs as they pass through proxies.

I am not sure if this is something that is handled at the browser level itself (but I do see extensions available where you can easily customize/add, etc...), but I also see past articles about this header and Fortinet products... but it appears the traffic flow in those may be inbound, like protecting a web server behind a FortiGate or FortiWeb device.

My inquiry is for my traffic outbound from my network. Is there a way to inject that header as it passes through the firewall so if an external webserver can log that info via its auditing, I can glean the private client IP of my user (assuming I have access to that external webserver's audit logs of course)?

1 Solution
abarushka
Staff

Hello,

 

Yes, FortiGate supports adding the x-forwarded-for header. Please find more details by following the link below:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Adding-x-forwarded-for-header-to-explicit-...


3 REPLIES 3
Cajuntank

OK, again, forgive the ignorance on this, but can you give me an idea of what the resulting traffic flow will be? What I mean is, the policy I am interested in applying this to is a flow-based policy using flow-based security inspections. Would I need to convert that to a proxy-based policy or can I keep it flow-based? And this will be an HTTPS site, so is there anything I need to add to that web-proxy profile accordingly?

Sorry for all of the follow-up inquiries.

abarushka

Hello,

 

"webproxy-profile" (x-forwarded-for) can be applied only to an explicit proxy policy or a regular firewall policy (proxy inspection mode only). The "webproxy-profile" setting is not applicable when the firewall policy is in flow inspection mode.

You may consider configuring a web-proxy profile and adding the profile under the firewall policy / explicit proxy policy (a deep inspection profile might be required), then checking whether x-forwarded-for is added:

 

config web-proxy profile
    edit <name>
        set header-x-forwarded-for add
    next
end
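
For the log-reading side of the question, here is an added example (not part of the thread and not Fortinet code) of how the receiving web server could pick the private client IP out of X-Forwarded-For without being misled by values a browser extension put there. It assumes the firewall appends the client address as the rightmost entry and reaches the server from a known egress address; `TRUSTED_PROXIES`, `client_from_xff` and all addresses are hypothetical, constructed values.

```python
import ipaddress

# Assumption: the firewall's public egress (NAT) address as seen by the web server.
# 203.0.113.10 is a constructed documentation address, not a value from the thread.
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.10/32")]


def is_trusted(ip):
    """True when the address belongs to a proxy we operate ourselves."""
    return any(ip in net for net in TRUSTED_PROXIES)


def client_from_xff(peer_ip, xff_header):
    """Return the address a request should be attributed to, or None.

    Walk the chain right to left, starting at the TCP peer, and stop at the
    first hop that is not one of our own proxies. Anything left of that hop
    was supplied from the client side and is not evidence.
    """
    chain = [p.strip() for p in (xff_header or "").split(",") if p.strip()]
    chain.append(peer_ip)
    for raw in reversed(chain):
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            return None  # malformed entry on the trusted path: refuse to guess
        if not is_trusted(ip):
            return str(ip)
    return None  # every hop was one of our proxies, no client recorded


# Constructed (peer address, X-Forwarded-For) pairs as a web server might log them.
SAMPLE_REQUESTS = [
    ("203.0.113.10", "10.1.2.3"),              # header added by the firewall
    ("203.0.113.10", "192.0.2.99, 10.1.2.3"),  # client pre-set a value itself
    ("198.51.100.7", "10.9.9.9"),              # did not come through the firewall
]

if __name__ == "__main__":
    for peer, xff in SAMPLE_REQUESTS:
        print(peer, repr(xff), "->", client_from_xff(peer, xff))
```

The third sample shows why the peer address has to be checked first: a request that never crossed the firewall can carry any X-Forwarded-For value it likes.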
