FortiGate
lvannstruth
Staff
Article Id 278975
Description

This article describes the function and behavior of the ‘translate-host’ setting found in the real server configuration of a virtual server (server load balance VIP).

Scope

FortiOS versions 7.2.4/7.4.0 and newer.

Solution

Topology:

[Figure: topology.jpg]

The translate-host feature for virtual server load balancing allows the FortiGate to rewrite the ‘Host’ field in the HTTP request headers of client requests that are processed through a virtual server. The ‘Host’ value is translated from what the client sent (the IP address entered into the web browser) to the real server’s IP address and port.

Example Configuration:

config firewall vip
    edit "Translate-Host Example"
        set type server-load-balance
        set extip 10.0.103.3
        set extintf "any"
        set server-type https
        set extport 443
        config realservers
            edit 1
                set ip 10.0.104.2
                set port 80
                set translate-host enable
            next
        end
        set ssl-certificate "Fortinet_GUI_Server"
    next
end

The ‘translate-host’ setting is enabled by default. Because the ‘show’ command for a virtual IP object only displays values that differ from their defaults, the setting is normally not visible in its output; use the ‘show full’ command to verify whether or not ‘translate-host’ is enabled.

Behavior:

The client accesses the website via the virtual server’s external IP address (10.0.103.3). Note that the ‘Host’ field in the HTTP request headers is the same as the value entered in the web browser’s address bar.

[Figure: ubuntu 1.png]


A packet capture on the web server shows that the FortiGate has translated the ‘Host’ field of the HTTP request to the real server’s destination IP address and port:

[Figure: ubuntu 2.png]


This behavior can be disabled by changing the translate-host setting for the real server in the CLI with the following commands:

config firewall vip
    edit <vip>
        config realservers
            edit <realserver number>
                set translate-host disable
            next
        end
    next
end

Limitations:

Translation of the ‘Host’ field does not occur, even if the setting is enabled, under the following conditions:

  • The virtual server ‘server-type’ is set to ‘http’ rather than ‘https’; translation is only performed for HTTPS virtual servers. Note that this setting refers to the requests arriving at the FortiGate: a virtual server of type HTTPS can still forward requests to a web server that is configured only for HTTP.
  • The client requests the website using a DNS hostname instead of the external IP address of the VIP object. In this case the FortiGate leaves the value of the ‘Host’ field unaltered and it remains the DNS hostname.
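The following Python model of the behavior and the two limitations above is an added illustration, not Fortinet code; it can be used to predict what the web server’s packet capture should contain for a given VIP configuration. It assumes the rewritten value is written as ‘real-ip:real-port’ and that a client Host of ‘extip:extport’ is handled like a bare ‘extip’.

```python
"""Model of the FortiGate 'translate-host' rules described in the article.

Added illustration (not Fortinet code). Assumptions: the rewritten Host value
is "<real-ip>:<real-port>", and a Host of "<extip>:<extport>" is treated the
same as a bare "<extip>".
"""
from dataclasses import dataclass
from ipaddress import ip_address


@dataclass
class VirtualServer:
    extip: str                   # set extip
    extport: int                 # set extport
    server_type: str             # set server-type (http | https)
    real_ip: str                 # config realservers -> set ip
    real_port: int               # config realservers -> set port
    translate_host: bool = True  # set translate-host (enabled by default)


def _is_ip(value: str) -> bool:
    try:
        ip_address(value)
        return True
    except ValueError:
        return False


def translate_host(host: str, vs: VirtualServer) -> str:
    """Return the Host value the real server sees for a given client Host value."""
    # Limitation 1: rewriting happens only for HTTPS virtual servers.
    if vs.server_type != "https" or not vs.translate_host:
        return host
    name, _, port = host.partition(":")
    # Limitation 2: a DNS hostname is left unaltered; only the VIP's IP is rewritten.
    if not _is_ip(name) or name != vs.extip:
        return host
    if port and (not port.isdigit() or int(port) != vs.extport):
        return host
    return f"{vs.real_ip}:{vs.real_port}"


def rewrite_request(raw: str, vs: VirtualServer) -> str:
    """Apply translate_host to the Host header of a raw HTTP/1.1 request head."""
    out = []
    for line in raw.split("\r\n"):
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "host":
            line = f"{key}: {translate_host(value.strip(), vs)}"
        out.append(line)
    return "\r\n".join(out)
```

Feed it a constructed request such as "GET / HTTP/1.1\r\nHost: 10.0.103.3\r\n\r\n" with the article's VIP values to see the Host line become "Host: 10.0.104.2:80".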