waf x-forwarded-for
Use this command to configure FortiWeb’s use of X-Forwarded-For:
and X-Real-IP:
.
For behavior of this feature and requirements, see the FortiWeb Administration Guide:
HTTPS://docs.fortinet.com/fortiweb/admin-guides
To use this command, your administrator account’s access control profile must have either w
or rw
permission to the wafgrp
area. For details, see Permissions.
Syntax
config waf x-forwarded-for
set block-based-on-original-ip {enable | disable}
set ip-location {left | right}
set original-ip-header "<HTTP-header-key_str>"
set tracing-original-ip {enable | disable}
set x-forwarded-proto {enable | disable}
set x-forwarded-for-support {enable | disable}
set x-real-ip {enable | disable}
set skip-private-original-ip {enable | disable}
set add-source-port {enable | disable}
set x-forwarded-port {enable | disable}
config ip-list
edit <entry_index>
next
end
next
end
Variable | Description | Default |
Enter the name of the new or existing group. The maximum length is 63 characters. To display the list of existing groups, enter:
|
No default. | |
Enable to be able to block requests that violate your policies by using the original client’s IP derived from this HTTP X-header. When disabled, only attack logs and reports will use the original client’s IP. |
disable
|
|
Select whether to extract the original client’s IP from either the left or right end of the HTTP X-header line. Most proxies put the request’s origin at the left end, which is the default setting. Some proxies, however, place it on the right end. |
left
|
|
Enter the key of the X-header, such as Maximum length is 256 characters. |
No default. | |
If FortiWeb is deployed behind a device that applies NAT, enable this option to derive the original client’s source IP address from an HTTP X-header, instead of the This HTTP header is often For deployment guidelines and mechanism details, see the FortiWeb Administration Guide: HTTPS://docs.fortinet.com/fortiweb/admin-guides Caution: To combat forgery, configure the IP addresses of load balancers and proxies that are trusted providers of this header. Also configure those proxies/load balancers to reject fraudulent headers, rather than passing them to FortiWeb. |
disable
|
|
x-forwarded-proto {enable | disable} |
Enable to add an Requires Reverse Proxy or True Transparent Proxy mode. |
disable
|
Enable to include the
This option can be useful for web servers that log or analyze clients’ IP addresses, and support the This option applies only when FortiWeb is operating in Reverse Proxy mode or True Transparent Proxy. |
disable
|
|
Enable to include the Like This option applies only when FortiWeb is operating in Reverse Proxy or True Transparent Proxy mode. |
disable
|
|
Enable to skip the private original IP that indicates the service used in the client’s original request. |
|
|
Enable to add an HTTP header that indicates the service used in the client’s original request. Usually if your FortiWeb is receiving HTTPS requests from clients, and it is operating in Reverse Proxy mode, SSL/TLS is being offloaded. FortiWeb has terminated the SSL/TLS connection and the second segment of the request, where it forwards to the back-end servers, is clear text HTTP. In some cases, your back-end server may need to know that the original request was, in fact, encrypted HTTPS, not HTTP. |
disable
|
|
Enter the index number of the individual entry in the table. The valid range is 1–9,223,372,036,854,775,807. Each list can contain a maximum of 256 IP addresses. |
No default. | |
Type the IP address of a load balancer or proxy that is in front of the FortiWeb appliance (between the client and FortiWeb). To apply anti-spoofing measures and improve security, FortiWeb trusts the contents of the HTTP header that you specify in original-ip-header "<HTTP-header-key_str>" only if the packet arrived from one of the IP addresses you specify here. It regards original-ip-header "<HTTP-header-key_str>" from other IP addresses as potentially spoofed. For packets from other IP addresses, FortiWeb ignores the |
No default. | |
Enable to add an Available only when FortiWeb operates in Reverse Proxy, True Transparent Proxy, or WCCP mode. |
|
|
Enable to add an Available only when FortiWeb operates in Reverse Proxy, True Transparent Proxy, or WCCP mode. |
disable
|
Example
The following example defines a X-Forwarded-For rule that adds X-Forwarded-For:
, X-Real-IP:
, and X-Forwarded-Proto:
headers to traffic that FortiWeb forwards to a back-end server. It enables FortiWeb to use the HTTP X-Header to identify and block the original client's IP. To protect against XFF spoofing, it also specifies the trusted load-balancer 192.0.2.105
in the X-Forwarded-For IP list.
config waf x-forwarded-for
edit "load-balancer1"
set x-forwarded-for-support enable
set tracing-original-ip enable
set original-ip-header X-FORWARDED-FOR
set x-real-ip enable
set x-forwarded-proto enable
config ip-list
edit 1
set ip "192.0.2.105"
next
end
set block-based-on-original-ip enable
next
end