
Handbook

Learn client IP

6.0.0

Learn client IP

If there is another NAT device (or a downstream proxy) between the FortiGate and the client browser, the explicit web proxy can use this feature to identify the real client despite the address translation. Knowing the actual client is essential whenever policy matching or authorization depends on the source address. Because the client address is taken from an HTTP header that any sender can set, the header should only be trusted from the addresses of the NAT or proxy devices in front of the FortiGate; that restriction is controlled by the learn-client-ip-srcaddr setting described below.

The settings for the feature are in the CLI in the context of

config web-proxy global

Once here, enable the feature with the command:

set learn-client-ip enable

Once the feature is enabled, the other settings become available.

learn-client-ip-from-header

This setting selects which HTTP header the client address is read from. It has the following options:

true-client-ip Support HTTP header True-Client-IP.
x-real-ip Support HTTP header X-Real-IP.
x-forwarded-for Support HTTP header X-Forwarded-For.

learn-client-ip-srcaddr/learn-client-ip-srcaddr6

These settings select the source addresses from which the FortiGate accepts the header; the header is ignored in requests arriving from any other source. The options are selected from the list of IPv4 address objects (srcaddr) or IPv6 address objects (srcaddr6). Use objects that cover only the trusted NAT or proxy devices; setting "all" trusts the header from every source, which lets any host that can reach the proxy claim an arbitrary client address.

Example

Below is a configuration example in which, once the learn-client-ip feature is enabled, the real client IP address is used to match the proxy policy and the FSSO authentication rule.

The value of learn-client-ip-from-header can be set to true-client-ip, x-real-ip or x-forwarded-for; in this case it has been set to x-forwarded-for. Note that learn-client-ip-srcaddr is set to "all" here, so the header is accepted from any source; in production, replace it with an address object for the upstream NAT or proxy devices.

config web-proxy global
    set proxy-fqdn "default.fqdn"
    set webproxy-profile "default"
    set learn-client-ip enable
    set learn-client-ip-from-header x-forwarded-for
    set learn-client-ip-srcaddr "all"
end

config firewall proxy-policy
    edit 1
        set proxy explicit-web
        set dstintf "mgmt1"
        set srcaddr "all"
        set dstaddr "all"
        set service "w"
        set action accept
        set schedule "always"
        set groups "fsso1"
        set utm-status enable
        set av-profile "default"
        set dlp-sensor "default"
        set profile-protocol-options "default"
        set ssl-ssh-profile "deep-inspection"
    end

config authentication rule
    edit "rule1"
        set srcaddr "all"
        set sso-auth-method "scheme1"
    end

config authentication scheme
    edit "scheme1"
        set method fsso
    end
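The following Python model, added here and not FortiGate code, shows the decision the three settings above describe: the client address is taken from the configured header only when the connection comes from a source covered by learn-client-ip-srcaddr, and falls back to the connection's own source address otherwise. The three scenarios in demo() contrast a request relayed by a trusted proxy, the same header sent directly by an untrusted host, and the page's srcaddr "all" configuration, which accepts the forged header. The sample requests, the address ranges and the right-to-left walk of the X-Forwarded-For chain are constructed assumptions for this illustration; the page does not state how FortiOS resolves a multi-hop chain.

```python
import ipaddress
from typing import Dict, Iterable, List, Optional

# Header names matching the learn-client-ip-from-header options on this page.
HEADER_FOR_OPTION = {
    "true-client-ip": "True-Client-IP",
    "x-real-ip": "X-Real-IP",
    "x-forwarded-for": "X-Forwarded-For",
}


def parse_ip(text: str):
    """Return an ip_address object, or None if text is not a valid IPv4/IPv6 literal."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def in_trusted(addr, trusted: Iterable[str]) -> bool:
    """True if addr matches any trusted object; "all" mirrors srcaddr "all" on the page."""
    for obj in trusted:
        if obj == "all" or addr in ipaddress.ip_network(obj, strict=False):
            return True
    return False


def get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return None


def learn_client_ip(conn_src: str, headers: Dict[str, str], from_header: str,
                    trusted_srcaddr: Iterable[str]) -> str:
    """Model (assumption, not FortiOS code) of the learn-client-ip decision.

    conn_src        -- source IP of the TCP connection the proxy accepted
    headers         -- request headers
    from_header     -- true-client-ip, x-real-ip or x-forwarded-for
    trusted_srcaddr -- CIDR strings or "all", standing in for the address objects
    Returns the address that policy and FSSO lookups should use.
    """
    src = ipaddress.ip_address(conn_src)
    if not in_trusted(src, trusted_srcaddr):
        return conn_src  # sender is not a trusted NAT/proxy: header ignored
    value = get_header(headers, HEADER_FOR_OPTION[from_header])
    if value is None:
        return conn_src
    candidates: List[str] = [p.strip() for p in value.split(",") if p.strip()]
    if not candidates:
        return conn_src
    if from_header == "x-forwarded-for":
        # Assumption for this model: walk the chain right-to-left and take the
        # first hop that is NOT a trusted proxy, so a client-supplied leading
        # entry cannot override the address the trusted proxy appended.
        for entry in reversed(candidates):
            addr = parse_ip(entry)
            if addr is not None and not in_trusted(addr, trusted_srcaddr):
                return str(addr)
        # Every hop was trusted (e.g. srcaddr "all"): fall through to the leftmost.
    addr = parse_ip(candidates[0])
    return str(addr) if addr is not None else conn_src


def demo() -> Dict[str, str]:
    """Constructed sample requests (not captured traffic) for the three cases."""
    proxy_net = ["10.1.1.0/24"]   # assumed address object for the downstream proxy
    results = {}
    # Trusted proxy relays the request and appends the real client address.
    results["via_proxy"] = learn_client_ip(
        "10.1.1.5", {"X-Forwarded-For": "192.0.2.10"}, "x-forwarded-for", proxy_net)
    # Client forged a leading entry; the proxy appended the true address after it.
    results["client_forged_prefix"] = learn_client_ip(
        "10.1.1.5", {"X-Forwarded-For": "6.6.6.6, 192.0.2.10"}, "x-forwarded-for", proxy_net)
    # Untrusted host sends the header straight to the proxy: header ignored.
    results["direct_spoof"] = learn_client_ip(
        "198.51.100.7", {"X-Forwarded-For": "10.0.0.1"}, "x-forwarded-for", proxy_net)
    # The page's example uses srcaddr "all": the forged header is accepted.
    results["all_spoof"] = learn_client_ip(
        "198.51.100.7", {"X-Forwarded-For": "10.0.0.1"}, "x-forwarded-for", ["all"])
    return results


if __name__ == "__main__":
    for case, learned in demo().items():
        print(f"{case:22s} -> policy/FSSO lookup uses {learned}")
```

The last two cases are the point of the srcaddr setting: with the proxy's address object configured, the forged header from 198.51.100.7 is discarded and the policy sees the real connection source, whereas with "all" the attacker chooses the address that the proxy policy and FSSO lookup will be evaluated against.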
