
Administration Guide


Stripping the X-Forwarded-For value in the HTTP header

The X-Forwarded-For value in the HTTP header can be stripped when the strip-x-forwarded-for option is enabled under firewall profile-protocol-options. The stripping is performed by the IPS engine, which replaces the header value with an empty value rather than removing the header itself; the firewall policy must therefore have utm-status enabled and an IPS sensor applied for the option to take effect. Because a client can populate X-Forwarded-For with any address it chooses, stripping it before the traffic reaches an upstream server prevents a client-supplied (spoofable) address from being trusted by that server's logging or access controls.

The following types of traffic support X-Forwarded-For stripping:

  • HTTP/1.1, HTTP/2, and HTTP/3 traffic that matches an NGFW mode security policy with flow-based inspection.
  • Plain HTTP/1.1 traffic that matches a firewall policy with proxy-based inspection.

The following types of traffic do not support X-Forwarded-For stripping (for these, a client-supplied X-Forwarded-For header is passed through unchanged even when strip-x-forwarded-for is enabled):

  • HTTPS traffic that matches a firewall policy with proxy-based inspection.
  • HTTP and HTTPS traffic that matches an explicit web proxy policy.

Example

In this example, FGT-A is configured with strip-x-forwarded-for enabled for HTTP. On FGT-B, the IPS sensor is configured to monitor (action pass, log only) the Eicar.Virus.Test.File signature. The IPS logs on FGT-B are used to verify the traffic sent from FGT-A to FGT-B, namely the forwardedfor log field and the X-Forwarded-For entry in the rawdata field.

To configure X-Forwarded-For stripping:
  1. Configure FGT-A:

    1. Configure the protocol options for HTTP:

      config firewall profile-protocol-options
          edit "protocol-xff"
              config http
                  set ports 80
                  unset options
                  set strip-x-forwarded-for enable
                  unset post-lang
              end
          next
      end
    2. Configure the firewall policy. Because the stripping is performed by the IPS engine, utm-status must be enabled and an IPS sensor applied; the example also applies a deep-inspection SSL profile (ssl-deep) so that the header inside the HTTPS test traffic is visible to the IPS engine:

      config firewall policy
          edit 1
              set srcintf "port2"
              set dstintf "port5"
              set action accept
              set srcaddr "all"
              set dstaddr "all"
              set schedule "always"
              set service "ALL"
              set utm-status enable
              set profile-protocol-options "protocol-xff"
              set ssl-ssh-profile "ssl-deep"
              set ips-sensor "default"
              set nat enable
          next
      end
  2. Configure FGT-B:

    1. Configure the IPS sensor with extended logging:

      config ips sensor
          edit "monitor-eicar"
              set extended-log enable
              config entries
                  edit 1
                      set rule 29844
                      set status enable
                      set action pass
                  next
              end
          next
      end
    2. Configure the firewall policy (ensure that an IPS sensor is applied):

      config firewall policy
          edit 3
              set srcintf "port5"
              set dstintf "port1"
              set action accept
              set srcaddr "all"
              set dstaddr "all"
              set schedule "always"
              set service "ALL"
              set utm-status enable
              set ssl-ssh-profile "ssl-deep"
              set ips-sensor "monitor-eicar"
              set nat enable
          next
      end
To verify the configuration:
  1. Use a cURL request to send HTTPS traffic with HTTP header X-Forwarded-For from the Client PC to the Server PC. The header value (10.22.22.22) is chosen arbitrarily by the client and does not match its real source address (10.1.1.1 in the logs below), which is exactly the kind of spoofed value the feature is meant to remove. The -k option skips server certificate verification, which is needed here because deep inspection presents a FortiGate-signed certificate to the client; use it only in a test environment:

    curl -vk -H "X-Forwarded-For: 10.22.22.22" https://172.16.200.52/eicar.com
  2. On FGT-B, verify the corresponding IPS logs.

    1. For HTTP/1.1, the X-Forwarded-For value is removed from the rawdata field, and the forwardedfor value is not included:

      1: date=2023-09-21 time=14:05:34 eventtime=1695330334919589600 logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="root" severity="info" srcip=10.1.1.1 srccountry="Reserved" dstip=172.16.200.42 dstcountry="Reserved" srcintf="port5" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" sessionid=2471 action="detected" proto=6 service="HTTPS" policyid=3 poluuid="782b9e86-58a3-51ee-8e0f-79c7682223dd" policytype="policy" attack="Eicar.Virus.Test.File" srcport=36018 dstport=443 hostname="172.16.200.42" url="/eicar.com" agent="curl/7.61.1" httpmethod="GET" direction="incoming" attackid=29844 profile="monitor-eicar" ref="http://www.fortinet.com/ids/VID29844" incidentserialno=75497475 msg="file_transfer: Eicar.Virus.Test.File" rawdataid="1/1" rawdata="Response-Content-Type=application/x-msdos-program" crscore=5 craction=65536 crlevel="low"
    2. For HTTP/2 and HTTP/3, the X-Forwarded-For value is removed from the rawdata field, and forwardedfor is included with an empty value (logged as "\r\n"), confirming that the header is emptied rather than dropped:

      1: date=2023-09-21 time=14:05:56 eventtime=1695330356543624871 logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="root" severity="info" srcip=10.1.1.1 srccountry="Reserved" dstip=172.16.200.52 dstcountry="Reserved" srcintf="port5" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" sessionid=2474 action="detected" proto=6 service="HTTPS" policyid=3 poluuid="782b9e86-58a3-51ee-8e0f-79c7682223dd" policytype="policy" attack="Eicar.Virus.Test.File" srcport=37786 dstport=443 hostname="172.16.200.52" url="/eicar.com" agent="curl/7.61.1" httpmethod="GET" direction="incoming" attackid=29844 profile="monitor-eicar" ref="http://www.fortinet.com/ids/VID29844" incidentserialno=75497476 msg="file_transfer: Eicar.Virus.Test.File" rawdataid="1/1" forwardedfor="\r\n" rawdata="Response-Content-Type=application/x-msdos-program" crscore=5 craction=65536 crlevel="low"
  3. On FGT-A, disable strip-x-forwarded-for for HTTP:

    config firewall profile-protocol-options
        edit "protocol-xff"
            config http
                set strip-x-forwarded-for disable
            end
        next
    end
  4. Send the same HTTPS traffic with HTTP header X-Forwarded-For from the Client PC to the Server PC.

  5. On FGT-B, verify the corresponding IPS log. With stripping disabled, the client-supplied value 10.22.22.22 now appears both in the forwardedfor field and as an X-Forwarded-For entry in the rawdata field, showing that the spoofable header reached the server unchanged:

    1: date=2023-09-21 time=16:33:06 eventtime=1695339187144132034 logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="root" severity="info" srcip=10.1.1.1 srccountry="Reserved" dstip=172.16.200.52 dstcountry="Reserved" srcintf="port5" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" sessionid=3776 action="detected" proto=6 service="HTTPS" policyid=3 poluuid="782b9e86-58a3-51ee-8e0f-79c7682223dd" policytype="policy" attack="Eicar.Virus.Test.File" srcport=37788 dstport=443 hostname="172.16.200.52" url="/eicar.com" agent="curl/7.61.1" httpmethod="GET" direction="incoming" attackid=29844 profile="monitor-eicar" ref="http://www.fortinet.com/ids/VID29844" incidentserialno=75497478 msg="file_transfer: Eicar.Virus.Test.File" rawdataid="1/1" forwardedfor="10.22.22.22" rawdata="Response-Content-Type=application/x-msdos-program|X-Forwarded-For=10.22.22.22" crscore=5 craction=65536 crlevel="low"

Stripping the X-Forwarded-For value in the HTTP header

The X-Forwarded-For value in the HTTP header can be stripped when the strip-x-forwarded-for option is enabled under firewall profile-protocol-options. The stripping is performed by the IPS engine, which replaces the header value with an empty value rather than removing the header itself; the firewall policy must therefore have utm-status enabled and an IPS sensor applied for the option to take effect. Because a client can populate X-Forwarded-For with any address it chooses, stripping it before the traffic reaches an upstream server prevents a client-supplied (spoofable) address from being trusted by that server's logging or access controls.

The following types of traffic support X-Forwarded-For stripping:

  • HTTP/1.1, HTTP/2, and HTTP/3 traffic that matches an NGFW mode security policy with flow-based inspection.
  • Plain HTTP/1.1 traffic that matches a firewall policy with proxy-based inspection.

The following types of traffic do not support X-Forwarded-For stripping (for these, a client-supplied X-Forwarded-For header is passed through unchanged even when strip-x-forwarded-for is enabled):

  • HTTPS traffic that matches a firewall policy with proxy-based inspection.
  • HTTP and HTTPS traffic that matches an explicit web proxy policy.

Example

In this example, FGT-A is configured with strip-x-forwarded-for enabled for HTTP. On FGT-B, the IPS sensor is configured to monitor (action pass, log only) the Eicar.Virus.Test.File signature. The IPS logs on FGT-B are used to verify the traffic sent from FGT-A to FGT-B, namely the forwardedfor log field and the X-Forwarded-For entry in the rawdata field.

To configure X-Forwarded-For stripping:
  1. Configure FGT-A:

    1. Configure the protocol options for HTTP:

      config firewall profile-protocol-options
          edit "protocol-xff"
              config http
                  set ports 80
                  unset options
                  set strip-x-forwarded-for enable
                  unset post-lang
              end
          next
      end
    2. Configure the firewall policy. Because the stripping is performed by the IPS engine, utm-status must be enabled and an IPS sensor applied; the example also applies a deep-inspection SSL profile (ssl-deep) so that the header inside the HTTPS test traffic is visible to the IPS engine:

      config firewall policy
          edit 1
              set srcintf "port2"
              set dstintf "port5"
              set action accept
              set srcaddr "all"
              set dstaddr "all"
              set schedule "always"
              set service "ALL"
              set utm-status enable
              set profile-protocol-options "protocol-xff"
              set ssl-ssh-profile "ssl-deep"
              set ips-sensor "default"
              set nat enable
          next
      end
  2. Configure FGT-B:

    1. Configure the IPS sensor with extended logging:

      config ips sensor
          edit "monitor-eicar"
              set extended-log enable
              config entries
                  edit 1
                      set rule 29844
                      set status enable
                      set action pass
                  next
              end
          next
      end
    2. Configure the firewall policy (ensure that an IPS sensor is applied):

      config firewall policy
          edit 3
              set srcintf "port5"
              set dstintf "port1"
              set action accept
              set srcaddr "all"
              set dstaddr "all"
              set schedule "always"
              set service "ALL"
              set utm-status enable
              set ssl-ssh-profile "ssl-deep"
              set ips-sensor "monitor-eicar"
              set nat enable
          next
      end
To verify the configuration:
  1. Use a cURL request to send HTTPS traffic with HTTP header X-Forwarded-For from the Client PC to the Server PC. The header value (10.22.22.22) is chosen arbitrarily by the client and does not match its real source address (10.1.1.1 in the logs below), which is exactly the kind of spoofed value the feature is meant to remove. The -k option skips server certificate verification, which is needed here because deep inspection presents a FortiGate-signed certificate to the client; use it only in a test environment:

    curl -vk -H "X-Forwarded-For: 10.22.22.22" https://172.16.200.52/eicar.com
  2. On FGT-B, verify the corresponding IPS logs.

    1. For HTTP/1.1, the X-Forwarded-For value is removed from the rawdata field, and the forwardedfor value is not included:

      1: date=2023-09-21 time=14:05:34 eventtime=1695330334919589600 logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="root" severity="info" srcip=10.1.1.1 srccountry="Reserved" dstip=172.16.200.42 dstcountry="Reserved" srcintf="port5" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" sessionid=2471 action="detected" proto=6 service="HTTPS" policyid=3 poluuid="782b9e86-58a3-51ee-8e0f-79c7682223dd" policytype="policy" attack="Eicar.Virus.Test.File" srcport=36018 dstport=443 hostname="172.16.200.42" url="/eicar.com" agent="curl/7.61.1" httpmethod="GET" direction="incoming" attackid=29844 profile="monitor-eicar" ref="http://www.fortinet.com/ids/VID29844" incidentserialno=75497475 msg="file_transfer: Eicar.Virus.Test.File" rawdataid="1/1" rawdata="Response-Content-Type=application/x-msdos-program" crscore=5 craction=65536 crlevel="low"
    2. For HTTP/2 and HTTP/3, the X-Forwarded-For value is removed from the rawdata field, and forwardedfor is included with an empty value (logged as "\r\n"), confirming that the header is emptied rather than dropped:

      1: date=2023-09-21 time=14:05:56 eventtime=1695330356543624871 logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="root" severity="info" srcip=10.1.1.1 srccountry="Reserved" dstip=172.16.200.52 dstcountry="Reserved" srcintf="port5" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" sessionid=2474 action="detected" proto=6 service="HTTPS" policyid=3 poluuid="782b9e86-58a3-51ee-8e0f-79c7682223dd" policytype="policy" attack="Eicar.Virus.Test.File" srcport=37786 dstport=443 hostname="172.16.200.52" url="/eicar.com" agent="curl/7.61.1" httpmethod="GET" direction="incoming" attackid=29844 profile="monitor-eicar" ref="http://www.fortinet.com/ids/VID29844" incidentserialno=75497476 msg="file_transfer: Eicar.Virus.Test.File" rawdataid="1/1" forwardedfor="\r\n" rawdata="Response-Content-Type=application/x-msdos-program" crscore=5 craction=65536 crlevel="low"
  3. On FGT-A, disable strip-x-forwarded-for for HTTP:

    config firewall profile-protocol-options
        edit "protocol-xff"
            config http
                set strip-x-forwarded-for disable
            end
        next
    end
  4. Send the same HTTPS traffic with HTTP header X-Forwarded-For from the Client PC to the Server PC.

  5. On FGT-B, verify the corresponding IPS log. With stripping disabled, the client-supplied value 10.22.22.22 now appears both in the forwardedfor field and as an X-Forwarded-For entry in the rawdata field, showing that the spoofable header reached the server unchanged:

    1: date=2023-09-21 time=16:33:06 eventtime=1695339187144132034 logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="root" severity="info" srcip=10.1.1.1 srccountry="Reserved" dstip=172.16.200.52 dstcountry="Reserved" srcintf="port5" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" sessionid=3776 action="detected" proto=6 service="HTTPS" policyid=3 poluuid="782b9e86-58a3-51ee-8e0f-79c7682223dd" policytype="policy" attack="Eicar.Virus.Test.File" srcport=37788 dstport=443 hostname="172.16.200.52" url="/eicar.com" agent="curl/7.61.1" httpmethod="GET" direction="incoming" attackid=29844 profile="monitor-eicar" ref="http://www.fortinet.com/ids/VID29844" incidentserialno=75497478 msg="file_transfer: Eicar.Virus.Test.File" rawdataid="1/1" forwardedfor="10.22.22.22" rawdata="Response-Content-Type=application/x-msdos-program|X-Forwarded-For=10.22.22.22" crscore=5 craction=65536 crlevel="low"