Learn client IP addresses
Learning the actual client IP addresses is imperative for authorization. This function identifies the real client IP address when there is a NATing device between the FortiGate and the client.
config web-proxy global
set learn-client-ip {enable | disable}
set learn-client-ip-from-header {true-client-ip | x-real-ip | x-forwarded-for}
set learn-client-ip-srcaddr <address> ... <address>
end
|
learn-client-ip {enable | disable} |
Enable/disable learning the client's IP address from headers. |
|
learn-client-ip-from-header {true-client-ip | x-real-ip | x-forwarded-for} |
Learn client IP addresses from the specified headers. |
|
learn-client-ip-srcaddr <address> ... <address> |
The source address names. |
Example
In this example, the real client IP address is used to match a policy for FSSO authentication.
To enable learning the client IP address:
config web-proxy global
set proxy-fqdn "default.fqdn"
set webproxy-profile "default"
set learn-client-ip enable
set learn-client-ip-from-header x-forwarded-for
set learn-client-ip-srcaddr "all"
end
To configure the proxy policy:
config firewall proxy-policy
edit 1
set proxy explicit-web
set dstintf "mgmt1"
set srcaddr "all"
set dstaddr "all"
set service "w"
set action accept
set schedule "always"
set groups "fsso1"
set utm-status enable
set av-profile "default"
set dlp-sensor "default"
set profile-protocol-options "default"
set ssl-ssh-profile "deep-inspection"
next
end
To configure the authentication scheme and rule:
config authentication scheme
edit "scheme1"
set method fsso
next
endconfig authentication rule
edit "rule1"
set srcaddr "all"
set sso-auth-method "scheme1"
next
end
