Fortinet 267 FortiWeb 5.0 Patch 6 Administration Guide
attack logs and reports to show the IP of the actual attacker, rather than misleadingly
blaming the load balancer.
The web server needs the client’s source IP address for purposes such as analytics, but
FortiWeb is operating in reverse proxy mode, which applies NAT, and therefore all requests
appear to come from FortiWeb’s IP address.
Due to source NAT (SNAT), a packet’s source address in its IP layer may have been changed,
so the original address of the client may not be directly visible to FortiWeb and/or its
protected web servers. During a packet’s transit from the client to the web server, the source
address can be changed several times: web proxies, load balancers, routers, and firewalls can all apply NAT.
If a NAT device is HTTP-aware, it can record the packet’s original source IP address in the
HTTP headers. FortiWeb can then use HTTP X-headers such as X-Real-IP: to trace the original
source IP (and each source IP address along the path) in request packets. Back-end web servers
may also use these headers for client analysis.
Figure 36: Effects of source NAT at the IP and HTTP layers of request packets when in-between
devices are HTTP-aware
Indicating the original client’s IP to back-end web servers
Some web applications need to know the IP address of the client where the request originated
in order to log or analyze it.
For example, if your web applications need to display different available products for clients in
Canada instead of the United States, your web applications may need to analyze the original
client’s IP for a corresponding geographic location.
In that case, you would enable FortiWeb to add or append to an X-Forwarded-For: or
X-Real-IP: header. Otherwise, from the web server’s perspective, all IP sessions appear to
be coming from FortiWeb — not from the original requester. The back-end web server would
not be able to guess what the original client’s public IP was, and therefore would not be able to
analyze it. When these options are enabled, the web server can instead use this HTTP-layer
header to find the public source IP and path of the IP-layer session from the original client.
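The following is an added example, not code from the FortiWeb guide or from Fortinet, showing how a back-end web server would consume the X-Forwarded-For: and X-Real-IP: headers described above to recover the original client IP for logging and analytics. It assumes the standard semantics the guide relies on (each HTTP-aware proxy appends the source address it saw to the right end of X-Forwarded-For:, and X-Real-IP: carries a single address set by the nearest proxy) and uses a constructed trusted-proxy range (10.0.0.0/8, with the FortiWeb at 10.0.0.10) plus constructed sample requests; none of these addresses are FortiWeb defaults. The security-relevant check is that the header chain is walked from the right and only entries written by trusted proxies are skipped, so a client that sends its own X-Forwarded-For: cannot make the server log or geolocate a forged address.

```python
import ipaddress

# Constructed for this example: address ranges of the proxies we operate and
# therefore trust to write X-Forwarded-For / X-Real-IP honestly. In the
# deployment described on this page that is the FortiWeb appliance (plus any
# load balancer in front of it); 10.0.0.0/8 is a placeholder, not a default.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def _parse_ip(text):
    """Parse one header entry into an IP address object, or None if malformed."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def _is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def original_client_ip(remote_addr, x_forwarded_for=None, x_real_ip=None):
    """Best estimate of the original client's IP for logging/analytics.

    remote_addr     -- IP-layer source of the TCP connection (after SNAT this
                       is the proxy, e.g. FortiWeb, not the client)
    x_forwarded_for -- comma-separated hop list; each HTTP-aware proxy appends
                       the source address it saw to the RIGHT end
    x_real_ip       -- single address set by the proxy closest to us
    """
    peer = _parse_ip(remote_addr)
    if peer is None:
        return None
    if not _is_trusted(peer):
        # The connection did not arrive through one of our proxies, so any
        # X-headers were supplied by the client itself and must be ignored.
        return str(peer)

    if x_forwarded_for:
        candidate = None
        # Walk from the right: entries appended by our proxies are skipped,
        # and the first entry that is NOT one of our proxies is the address
        # the outermost trusted proxy saw, i.e. the original client. Anything
        # further left was already present when the request reached us and
        # could have been forged by the client.
        for hop in reversed(x_forwarded_for.split(",")):
            addr = _parse_ip(hop)
            if addr is None:
                candidate = None  # malformed entry: chain is not trustworthy
                break
            if not _is_trusted(addr):
                return str(addr)
            candidate = addr  # every hop so far was one of our own proxies
        if candidate is not None:
            return str(candidate)  # request originated inside our proxy network

    if x_real_ip:
        addr = _parse_ip(x_real_ip)
        if addr is not None:
            return str(addr)

    # No usable header: report the peer (the proxy) rather than guessing.
    return str(peer)


def client_ip_histogram(requests):
    """Count requests per original client, as an analytics or log view would.

    `requests` is an iterable of (remote_addr, x_forwarded_for, x_real_ip)
    tuples in the form a back-end web server receives them.
    """
    counts = {}
    for remote, xff, xri in requests:
        ip = original_client_ip(remote, xff, xri) or "unknown"
        counts[ip] = counts.get(ip, 0) + 1
    return counts


# Constructed sample traffic as seen by a back-end server behind a FortiWeb at
# 10.0.0.10 (placeholder address) that appends to X-Forwarded-For.
SAMPLE_REQUESTS = [
    ("10.0.0.10", "203.0.113.5", None),            # normal client
    ("10.0.0.10", "1.2.3.4, 203.0.113.5", None),   # client forged a leading entry
    ("10.0.0.10", "203.0.113.5, 10.0.0.5", None),  # upstream load balancer at 10.0.0.5
    ("10.0.0.10", None, "198.51.100.23"),          # only X-Real-IP present
    ("198.51.100.77", "1.2.3.4", None),            # bypassed the proxy entirely
]

if __name__ == "__main__":
    for ip, n in sorted(client_ip_histogram(SAMPLE_REQUESTS).items()):
        print(f"{ip:>15}  {n}")
```

The walk-from-the-right rule is what makes the header usable for the geolocation case above: the forged "1.2.3.4" in the second sample request is never selected because the FortiWeb-appended entry sits to its right, and the request that bypassed the proxy is attributed to its real peer address because its headers are not trusted at all.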
To configure FortiWeb to add the packet’s source IP to X-Forwarded-For: and/or
X-Real-IP:
1. Go to Server Objects > X-Forwarded-For > X-Forwarded-For.