Stripping the X-Forwarded-For value in the HTTP header
The X-Forwarded-For value in the HTTP header can be stripped when the strip-x-forwarded-for option is enabled under firewall profile-protocol-options. This feature sets the value to empty using the IPS engine.
The following types of traffic support X-Forwarded-For stripping:
- HTTP/1.1, HTTP/2, and HTTP/3 traffic that matches an NGFW mode security policy with flow-based inspection.
- Plain HTTP/1.1 traffic that matches a firewall policy with proxy-based inspection.
The following types of traffic do not support X-Forwarded-For stripping:
- HTTPS traffic that matches a firewall policy with proxy-based inspection.
- HTTP and HTTPS traffic that matches an explicit web proxy policy.
Example
In this example, FGT-A is configured with strip-x-forwarded-for enabled for HTTP. On FGT-B, the IPS sensor is configured to monitor the Eicar.Virus.Test.File signature. The IPS logs on FGT-B are used to verify the traffic sent from FGT-A to FGT-B, namely the forwardedfor value in the rawdata field.
To configure X-Forwarded-For stripping:
- Configure FGT-A:
  - Configure the protocol options for HTTP:
        config firewall profile-protocol-options
            edit "protocol-xff"
                config http
                    set ports 80
                    unset options
                    set strip-x-forwarded-for enable
                    unset post-lang
                end
            next
        end
  - Configure the firewall policy (ensure that an IPS sensor is applied):
        config firewall policy
            edit 1
                set srcintf "port2"
                set dstintf "port5"
                set action accept
                set srcaddr "all"
                set dstaddr "all"
                set schedule "always"
                set service "ALL"
                set utm-status enable
                set profile-protocol-options "protocol-xff"
                set ssl-ssh-profile "ssl-deep"
                set ips-sensor "default"
                set nat enable
            next
        end
- Configure FGT-B:
  - Configure the IPS sensor with extended logging:
        config ips sensor
            edit "monitor-eicar"
                set extended-log enable
                config entries
                    edit 1
                        set rule 29844
                        set status enable
                        set action pass
                    next
                end
            next
        end
  - Configure the firewall policy (ensure that an IPS sensor is applied):
        config firewall policy
            edit 3
                set srcintf "port5"
                set dstintf "port1"
                set action accept
                set srcaddr "all"
                set dstaddr "all"
                set schedule "always"
                set service "ALL"
                set utm-status enable
                set ssl-ssh-profile "ssl-deep"
                set ips-sensor "monitor-eicar"
                set nat enable
            next
        end
To verify the configuration:
- Use a cURL request to send HTTPS traffic with HTTP header X-Forwarded-For from the Client PC to the Server PC:
        curl -vk -H "X-Forwarded-For: 10.22.22.22" https://172.16.200.52/eicar.com
- On FGT-B, verify the corresponding IPS logs.
  - For HTTP/1.1, the X-Forwarded-For value is removed from the rawdata field, and the forwardedfor value is not included:
        1: date=2023-09-21 time=14:05:34 eventtime=1695330334919589600 logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="root" severity="info" srcip=10.1.1.1 srccountry="Reserved" dstip=172.16.200.42 dstcountry="Reserved" srcintf="port5" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" sessionid=2471 action="detected" proto=6 service="HTTPS" policyid=3 poluuid="782b9e86-58a3-51ee-8e0f-79c7682223dd" policytype="policy" attack="Eicar.Virus.Test.File" srcport=36018 dstport=443 hostname="172.16.200.42" url="/eicar.com" agent="curl/7.61.1" httpmethod="GET" direction="incoming" attackid=29844 profile="monitor-eicar" ref="http://www.fortinet.com/ids/VID29844" incidentserialno=75497475 msg="file_transfer: Eicar.Virus.Test.File" rawdataid="1/1" rawdata="Response-Content-Type=application/x-msdos-program" crscore=5 craction=65536 crlevel="low"
  - For HTTP/2 and HTTP/3, the X-Forwarded-For value is removed from the rawdata field, and forwardedfor is included:
        1: date=2023-09-21 time=14:05:56 eventtime=1695330356543624871 logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="root" severity="info" srcip=10.1.1.1 srccountry="Reserved" dstip=172.16.200.52 dstcountry="Reserved" srcintf="port5" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" sessionid=2474 action="detected" proto=6 service="HTTPS" policyid=3 poluuid="782b9e86-58a3-51ee-8e0f-79c7682223dd" policytype="policy" attack="Eicar.Virus.Test.File" srcport=37786 dstport=443 hostname="172.16.200.52" url="/eicar.com" agent="curl/7.61.1" httpmethod="GET" direction="incoming" attackid=29844 profile="monitor-eicar" ref="http://www.fortinet.com/ids/VID29844" incidentserialno=75497476 msg="file_transfer: Eicar.Virus.Test.File" rawdataid="1/1" forwardedfor="\r\n" rawdata="Response-Content-Type=application/x-msdos-program" crscore=5 craction=65536 crlevel="low"
- On FGT-A, disable strip-x-forwarded-for for HTTP:
        config firewall profile-protocol-options
            edit "protocol-xff"
                config http
                    set strip-x-forwarded-for disable
                end
            next
        end
- Send the same HTTPS traffic with HTTP header X-Forwarded-For from the Client PC to the Server PC.
- On FGT-B, verify the corresponding IPS log, which includes forwardedfor and X-Forwarded-For values in the rawdata field:
        1: date=2023-09-21 time=16:33:06 eventtime=1695339187144132034 logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="root" severity="info" srcip=10.1.1.1 srccountry="Reserved" dstip=172.16.200.52 dstcountry="Reserved" srcintf="port5" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" sessionid=3776 action="detected" proto=6 service="HTTPS" policyid=3 poluuid="782b9e86-58a3-51ee-8e0f-79c7682223dd" policytype="policy" attack="Eicar.Virus.Test.File" srcport=37788 dstport=443 hostname="172.16.200.52" url="/eicar.com" agent="curl/7.61.1" httpmethod="GET" direction="incoming" attackid=29844 profile="monitor-eicar" ref="http://www.fortinet.com/ids/VID29844" incidentserialno=75497478 msg="file_transfer: Eicar.Virus.Test.File" rawdataid="1/1" forwardedfor="10.22.22.22" rawdata="Response-Content-Type=application/x-msdos-program|X-Forwarded-For=10.22.22.22" crscore=5 craction=65536 crlevel="low"
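The FGT-B log check from the verification steps can be scripted. The following is an added example, not Fortinet code: it parses an IPS log line and reports whether an X-Forwarded-For value survived. The function names and status labels are hypothetical, and the sample lines are the logs above shortened to a few fields.

```python
import re

# FortiGate logs are space-separated key=value pairs; a value is either
# double-quoted (may contain spaces and backslash escapes) or a bare token.
_PAIR = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S+))')

def parse_log(line):
    """Return the fields of one key=value log line as a dict."""
    return {key: bare or quoted for key, quoted, bare in _PAIR.findall(line)}

def xff_status(line):
    """Classify an IPS log line by what it shows for X-Forwarded-For."""
    fields = parse_log(line)
    # rawdata holds 'Name=value' items joined by '|'; compare names case-insensitively.
    raw = {}
    for item in fields.get("rawdata", "").split("|"):
        name, sep, value = item.partition("=")
        if sep:
            raw[name.lower()] = value
    raw_xff = raw.get("x-forwarded-for", "").strip()
    fwd = fields.get("forwardedfor")
    # The HTTP/2 log above logs a literal \r\n: field present, value emptied.
    fwd_value = "" if fwd is None else fwd.replace("\\r", "").replace("\\n", "").strip()
    if raw_xff or fwd_value:
        return ("present", raw_xff or fwd_value)
    if fwd is not None:
        return ("stripped-empty-field", None)
    return ("stripped-no-field", None)

# Constructed samples: the three FGT-B logs above cut down to a few fields.
SAMPLES = {
    "http1_strip_on": r'1: date=2023-09-21 time=14:05:34 attackid=29844 rawdataid="1/1" '
                      r'rawdata="Response-Content-Type=application/x-msdos-program" crscore=5',
    "http2_strip_on": r'1: date=2023-09-21 time=14:05:56 attackid=29844 rawdataid="1/1" forwardedfor="\r\n" '
                      r'rawdata="Response-Content-Type=application/x-msdos-program" crscore=5',
    "strip_off": r'1: date=2023-09-21 time=16:33:06 attackid=29844 rawdataid="1/1" '
                 r'forwardedfor="10.22.22.22" rawdata="Response-Content-Type='
                 r'application/x-msdos-program|X-Forwarded-For=10.22.22.22" crscore=5',
}

def check_samples():
    """Classify every sample line; returns {sample name: (status, value)}."""
    return {name: xff_status(line) for name, line in SAMPLES.items()}

if __name__ == "__main__":
    for name, result in check_samples().items():
        print(name, result)
```

A "present" result in FGT-B logs while strip-x-forwarded-for is enabled on FGT-A indicates the traffic matched one of the unsupported policy types listed at the top of this page.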