Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
All Products
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Web Application Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • Web Application / API Protection
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions
    • All Products

    Administration Guide

    Home FortiWeb 8.0.3 Administration Guide
    8.0.3
    8.0.3
    8.0.2
    8.0.1
    8.0.0
    7.6.7
    7.6.6
    7.6.5
    7.6.4
    7.6.3
    7.6.2
    7.6.1
    7.6.0
    7.4.12
    7.4.11
    7.4.10
    7.4.9
    7.4.8
    7.4.7
    7.4.6
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.12
    7.2.11
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.0.12
    7.0.11
    7.0.10
    7.0.9
    7.0.8
    7.0.7
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.4.3
    6.3.23
    6.2.8
    6.1.4
    5.7.0
    5.6.1
    5.6.0
    5.6.0

    Support for Duplicating XFF Header to a Custom Header (8.0.0)

    Support for Duplicating XFF Header to a Custom Header (8.0.0)

    FortiWeb 8.0.0 introduces the ability to duplicate the X-Forwarded-For (XFF) header into a user-defined custom header. This enhancement allows administrators to preserve client IP traceability even in deployments where downstream devices may strip or overwrite the original XFF header. The duplicated header provides a fallback mechanism for route tracing and auditing, without interfering with the standard XFF header functionality.

    This feature is only configurable via the CLI:

    config waf x-forwarded-for
    edit "XFF_Policy"
        set duplicate-headers {enable | disable}
        set duplicate-headers-name <custom_header_name>
    next
end
    duplicate-headers {enable | disable} Enables or disables duplication of the XFF header to a custom header.
    duplicate-headers-name <custom_header_name>

    Specifies the name of the custom header. Maximum length: 127 characters.

    This cannot be empty when duplicate-headers is enabled.

    When duplicate-headers is enabled, FortiWeb adds a new header to outbound HTTP requests. The value of this custom header is identical to the final value of the X-Forwarded-For header after all FortiWeb processing is complete. This includes transformations or additions made by the following XFF options:

    • delete-headers

    • merge-headers

    • x-forwarded-for-support

    • ip-location-add

    • add-source-port

    If multiple XFF headers are present and merge-headers is disabled, FortiWeb will duplicate each header individually.

    If delete-headers is enabled or the XFF header does not exist in the request, no duplicate header will be added.

    Behavior Notes:

    • If multiple XFF headers are present and merge-headers is disabled, FortiWeb will duplicate each header individually.

    • If delete-headers is enabled or the XFF header is missing from the request, no duplicate header will be added.

    • If the XFF header is present with an empty value, the duplicate header will also carry an empty value.

    Debug and Verification:

    • To observe runtime behavior of only x-forward-for module, enable debug console printout with the following commands:

      diagnose debug flow filter module-detail x-forwarded-for 7
diagnose debug flow filter flow-detail 0
diagnose debug flow trace start
diagnose debug enable

    • Packet captures can also be used to confirm header duplication.

    Previous
    Next

    Support for Duplicating XFF Header to a Custom Header (8.0.0)

    Support for Duplicating XFF Header to a Custom Header (8.0.0)

    FortiWeb 8.0.0 introduces the ability to duplicate the X-Forwarded-For (XFF) header into a user-defined custom header. This enhancement allows administrators to preserve client IP traceability even in deployments where downstream devices may strip or overwrite the original XFF header. The duplicated header provides a fallback mechanism for route tracing and auditing, without interfering with the standard XFF header functionality.

    This feature is only configurable via the CLI:

    config waf x-forwarded-for
    edit "XFF_Policy"
        set duplicate-headers {enable | disable}
        set duplicate-headers-name <custom_header_name>
    next
end
    duplicate-headers {enable | disable} Enables or disables duplication of the XFF header to a custom header.
    duplicate-headers-name <custom_header_name>

    Specifies the name of the custom header. Maximum length: 127 characters.

    This cannot be empty when duplicate-headers is enabled.

    When duplicate-headers is enabled, FortiWeb adds a new header to outbound HTTP requests. The value of this custom header is identical to the final value of the X-Forwarded-For header after all FortiWeb processing is complete. This includes transformations or additions made by the following XFF options:

    • delete-headers

    • merge-headers

    • x-forwarded-for-support

    • ip-location-add

    • add-source-port

    If multiple XFF headers are present and merge-headers is disabled, FortiWeb will duplicate each header individually.

    If delete-headers is enabled or the XFF header does not exist in the request, no duplicate header will be added.

    Behavior Notes:

    • If multiple XFF headers are present and merge-headers is disabled, FortiWeb will duplicate each header individually.

    • If delete-headers is enabled or the XFF header is missing from the request, no duplicate header will be added.

    • If the XFF header is present with an empty value, the duplicate header will also carry an empty value.

    Debug and Verification:

    • To observe runtime behavior of only x-forward-for module, enable debug console printout with the following commands:

      diagnose debug flow filter module-detail x-forwarded-for 7
diagnose debug flow filter flow-detail 0
diagnose debug flow trace start
diagnose debug enable

    • Packet captures can also be used to confirm header duplication.

    Previous
    Next