Agent_1994
Contributor

make explicit proxy use the x-forwarded-for header as a source

Hello again,

 

It's me again with another weird question. Let's start with the objective. There are two Fortigates on different sites, let's call "FG-A" the local and "FG-B" the remote. FG-B has explicit proxy enabled, a collector, and explicit proxy policies. FG-A and FG-B are connected via MPLS.

 

On FG-B we want to route certain traffic (Office 365, if you may) to another wan connection, and the rest must be forwarded to the explicit proxy on FG-A. My first thought was to use proxy chaining, but I have a problem: the source IP address that FG-B sees is FG-A, not the user. Ok, that's why we use X-Forwarded-For... right? I managed to add that header using a web-proxy profile, but my problem is that FG-B ignores this header.

 

Is there a way to make the explicit proxy use the X-Forwarded-For header to take the source IP? Or should I try something else?

 

 TIA.

 

PS: Yes, I know that it's a strange solution, but we have some restraints (i.e.: FG-B is on an ISP, we can just add the other wan connection there).

 

2 REPLIES
emnoc
Esteemed Contributor III

Can you draft a topology? You might want to look at proxy-PAC files and controls within. This way the client sends to the proxy that you want.

 

Examples are within this blog:

 

http://socpuppet.blogspot.com/2017/08/fortigate-explicit-proxy-with.html

 

I personally hate & try to avoid proxy-chaining due to the following:

1: possible outage if the chain is broken

2: via/xff overlooked, and proxy-loops

3: adds more complexity IMHO

 

Proxy-chaining is beneficial in a stable network where the proxy-chain is fully redundant. I've used polipo and privoxy for this & in load-balance situations where user-auth was not a requirement and chaining was needed. It worked 100% and was easy to manage; the Apache-like access.log was easy to parse and crunch as a side benefit.

 

Ken

 

PCNSE 

NSE 

StrongSwan  

wluo
New Contributor

It is supported in FortiOS 5.6+. Please refer to Page 305 at http://docs.fortinet.com/...ortios_firewall-56.pdf
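
An added example (not from any poster in this thread, and not FortiOS code or configuration): the decision a downstream proxy has to make before using X-Forwarded-For as the source, honouring the header only when the request arrives from a trusted chained proxy, plus a Via-based check for the proxy-loop concern raised above. The upstream address, the Via pseudonym and the function names are assumptions made for the illustration.

```python
import ipaddress

# Assumptions (constructed for this example): the upstream proxy's address on
# the MPLS link and the Via pseudonym the downstream proxy uses for itself.
TRUSTED_UPSTREAMS = [ipaddress.ip_network("10.1.0.1/32")]
OWN_VIA_NAME = "fg-b-proxy"


def _trusted(ip):
    return any(ip in net for net in TRUSTED_UPSTREAMS)


def effective_client_ip(peer_ip, headers):
    """Return the address to treat as the source of this request.

    X-Forwarded-For is honoured only when the TCP peer is a trusted upstream
    proxy; from any other peer the header is client-controlled and is ignored.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not _trusted(peer):
        return str(peer)
    raw = headers.get("X-Forwarded-For", "")
    hops = [h.strip() for h in raw.split(",") if h.strip()]
    # Walk right to left: the rightmost entries were appended by the proxies
    # closest to us. The first hop that is not a trusted proxy is the client;
    # anything to its left could have been supplied by that client.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)  # malformed entry: fall back to the peer address
        if not _trusted(addr):
            return str(addr)
    return str(peer)  # header absent, or it lists only trusted proxies


def is_proxy_loop(headers):
    """True when our own pseudonym already appears in the Via header."""
    for entry in headers.get("Via", "").split(","):
        parts = entry.split()
        # A Via entry is "<protocol-version> <received-by> [comment]".
        if len(parts) >= 2 and parts[1].lower() == OWN_VIA_NAME:
            return True
    return False
```
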
