make explicit proxy use the x-forwarded-for header as a source
Hello again,
It's me again with another weird question. Let's start with the objective. There are two Fortigates on different sites; let's call the local one "FG-A" and the remote one "FG-B". FG-B has explicit proxy enabled, a collector, and explicit proxy policies. FG-A and FG-B are connected via MPLS.
On FG-B we want to route certain traffic (Office 365, if you may) to another WAN connection, and the rest must be forwarded to the explicit proxy on FG-A. My first thought was to use proxy chaining, but I have a problem: the source IP address that FG-B sees is FG-A, not the user. Ok, that's why we use X-Forwarded-For... right? I managed to add that header using a web-proxy profile, but my problem is that FG-B ignores this header.
Is there a way to make the explicit proxy use the X-Forwarded-For header to take the source IP? Or should I try something else?
TIA.
PS: Yes, I know that it's a strange solution, but we have some restraints (i.e. FG-B is on an ISP; we can just add the other WAN connection there).
Can you draft a topology? You might want to look at proxy-PAC files and the controls within. This way the client sends to the proxy that you want.
Examples are within this blog:
http://socpuppet.blogspot.com/2017/08/fortigate-explicit-proxy-with.html
I personally hate & try to avoid proxy-chaining due to the following
1: possible outage if the chain is broken
2: via/xff overlooked, and proxy-loops
3: add more complexity imho
Proxy-chaining is beneficial in a stable network where the proxy-chain is fully redundant. I've used polipo and privoxy for this, in load-balance situations where user-auth was not a requirement and chaining was needed. It worked 100% and was easy to manage; the apache-like access.log was easy to parse and crunch as a side benefit.
Ken
PCNSE
NSE
StrongSwan
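Ken's PAC-file suggestion applied to the topology in the question, as an added example that is not from the thread or from Fortinet: clients behind FG-B hand Office 365 to FG-B's explicit proxy (which policy-routes it out the second WAN) and everything else straight to FG-A's proxy over the MPLS link, so FG-A sees the real client address and no chaining or X-Forwarded-For handling is involved. The proxy hostnames and ports, the internal domain suffix and the Office 365 patterns are assumptions.

```javascript
// Added example (not from the thread or Fortinet): a proxy auto-config script
// that lets each client choose the proxy itself, so no proxy chaining and no
// X-Forwarded-For handling is needed. Proxy names, ports, the internal domain
// and the Office 365 patterns below are assumed / illustrative.

// Browsers supply these PAC helpers; minimal stand-ins are defined here so the
// same file can also be exercised with Node before it is deployed.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
function dnsDomainIs(host, domain) {
  return host.length >= domain.length && host.endsWith(domain);
}
function shExpMatch(str, shexp) {
  // Shell-style glob: escape regex metacharacters, then map * and ? over.
  const re = "^" + shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                        .replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}

// Assumed names: FG-B's explicit proxy (egresses via the second WAN) and
// FG-A's explicit proxy reached over MPLS.
const PROXY_FGB = "PROXY fgb-proxy.corp.example:8080";
const PROXY_FGA = "PROXY fga-proxy.corp.example:8080";

// Illustrative patterns only; the authoritative Office 365 endpoint list is
// published by Microsoft and changes over time.
const OFFICE365_PATTERNS = [
  "*.office.com",
  "*.office365.com",
  "*.microsoftonline.com",
  "*.sharepoint.com",
];

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Internal names stay direct; they never need either proxy.
  if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example")) {
    return "DIRECT";
  }
  // Office 365 goes to FG-B, whose policy sends it out the second WAN.
  for (let i = 0; i < OFFICE365_PATTERNS.length; i++) {
    if (shExpMatch(host, OFFICE365_PATTERNS[i])) {
      return PROXY_FGB;
    }
  }
  // Everything else goes straight to FG-A's explicit proxy. No "; DIRECT"
  // fallback is listed on purpose: if FG-A is unreachable the client fails
  // closed instead of silently bypassing the filtering proxy.
  return PROXY_FGA;
}
```

Because the suffix patterns are anchored, a lookalike such as `login.microsoftonline.com.attacker.example` does not qualify for the Office 365 path and still goes through FG-A.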
It is supported in FortiOS 5.6+. Please refer to Page 305 at http://docs.fortinet.com/...ortios_firewall-56.pdf
