Administration Guide

Support for Duplicating XFF Header to a Custom Header (8.0.0)

FortiWeb 8.0.0 introduces the ability to duplicate the X-Forwarded-For (XFF) header into a user-defined custom header. This enhancement allows administrators to preserve client IP traceability even in deployments where downstream devices may strip or overwrite the original XFF header. The duplicated header provides a fallback mechanism for route tracing and auditing, without interfering with the standard XFF header functionality.

This feature is only configurable via the CLI:

config waf x-forwarded-for
    edit "XFF_Policy"
        set duplicate-headers {enable | disable}
        set duplicate-headers-name <custom_header_name>
    next
end

  • duplicate-headers {enable | disable}: Enables or disables duplication of the XFF header to a custom header.

  • duplicate-headers-name <custom_header_name>: Specifies the name of the custom header. Maximum length: 127 characters. This cannot be empty when duplicate-headers is enabled.

When duplicate-headers is enabled, FortiWeb adds a new header to outbound HTTP requests. The value of this custom header is identical to the final value of the X-Forwarded-For header after all FortiWeb processing is complete. This includes transformations or additions made by the following XFF options:

  • delete-headers

  • merge-headers

  • x-forwarded-for-support

  • ip-location-add

  • add-source-port

Behavior Notes:
  • If multiple XFF headers are present and merge-headers is disabled, FortiWeb will duplicate each header individually.

  • If delete-headers is enabled or the XFF header is missing from the request, no duplicate header will be added.

  • If the XFF header is present with an empty value, the duplicate header will also carry an empty value.

Debug and Verification:
  • To observe the runtime behavior of the x-forwarded-for module only, enable debug console output with the following commands:

    diagnose debug flow filter module-detail x-forwarded-for 7
    diagnose debug flow filter flow-detail 0
    diagnose debug flow trace start
    diagnose debug enable
    
  • Packet captures can also be used to confirm header duplication.
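
A check that can be run over requests extracted from a capture on the FortiWeb-to-server side, as an added example (not Fortinet code): it compares the duplicate header with X-Forwarded-For for the merged, unmerged, empty-value and missing-XFF cases described in the behavior notes. The header name X-Original-XFF and all sample requests are constructed for illustration.

```python
# Added example, not Fortinet code. DUP_NAME and all sample requests are constructed.
DUP_NAME = "X-Original-XFF"  # assumed value of duplicate-headers-name

def header_values(raw, name):
    """Return every value of header `name` (case-insensitive), in wire order."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    values = []
    for line in head.split("\r\n")[1:]:  # skip the request line
        field, sep, value = line.partition(":")
        if sep and field.strip().lower() == name.lower():
            values.append(value.strip())
    return values

def check_duplication(raw, dup_name=DUP_NAME):
    """Compare the duplicate header against XFF in one captured request."""
    xff = header_values(raw, "X-Forwarded-For")
    dup = header_values(raw, dup_name)
    if not xff and not dup:
        return "no-xff"           # documented: no XFF, so no duplicate is added
    if not xff:
        return "dup-without-xff"  # not produced by the documented duplication
    if xff == dup:
        return "ok"               # one duplicate per XFF header, same values
    return "mismatch"

def build(headers):
    """Assemble a constructed request as it would appear in a capture."""
    lines = ["GET /login HTTP/1.1", "Host: app.example.test"] + headers
    return ("\r\n".join(lines) + "\r\n\r\n").encode("iso-8859-1")

SAMPLES = {
    "merged": build(["X-Forwarded-For: 198.51.100.7, 203.0.113.9",
                     "X-Original-XFF: 198.51.100.7, 203.0.113.9"]),
    "unmerged": build(["X-Forwarded-For: 198.51.100.7", "X-Forwarded-For: 203.0.113.9",
                       "X-Original-XFF: 198.51.100.7", "X-Original-XFF: 203.0.113.9"]),
    "empty": build(["X-Forwarded-For:", "x-original-xff:"]),
    "absent": build(["User-Agent: probe"]),
    "orphan": build(["X-Original-XFF: 192.0.2.1"]),
    "partial": build(["X-Forwarded-For: 198.51.100.7", "X-Forwarded-For: 203.0.113.9",
                      "X-Original-XFF: 198.51.100.7"]),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, "->", check_duplication(raw))
```

A "dup-without-xff" or "mismatch" result on this side of FortiWeb does not match the documented behavior and is worth investigating before the custom header is relied on for auditing.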
