Fortinet 270 FortiWeb 5.0 Patch 6 Administration Guide
FortiWeb will also use the original source IP as the basis for blocking when using some features
that operate on the source IP:
• DoS prevention
• brute force login prevention
• period block
For example, if you give FortiWeb the IP address of the proxy or load balancer, then when it
blocks requests, writes attack log messages, or builds reports, it can take the client's real IP
address from the X-Forwarded-For: HTTP header instead of from the SRC field in the IP layer of
the traffic. Using the IP-layer address would make every attack appear to originate from the load
balancer. FortiWeb can also add its own IP address to the X-Forwarded-For: chain, which helps
back-end web servers that need the original client's source IP for purposes such as server-side
analytics (serving news in the client's first language or ads relevant to their city, for
example).
Figure 37: Attack log using X-Forwarded-For: to expose the attacker's true source IP at
172.20.120.220 instead of the load balancer's source IP at 172.20.120.5
Just as NAT rewrites addresses at the IP layer, some networks also rewrite addresses at the HTTP
layer. In those cases, enabling Use X-Header to Identify Original Client's IP may have no
effect. To determine the name of your network's X-headers, if any, and to see whether they are
rewritten in transit, use diagnose network sniffer in the CLI or external packet capture
software such as Wireshark.
To configure FortiWeb to obtain the packet’s original source IP address from an HTTP
header:
1. Go to Server Objects > X-Forwarded-For > X-Forwarded-For.
Just as at the IP layer, attackers can spoof or alter addresses in HTTP-layer headers. Do not
assume that they are 100% accurate unless anti-spoofing measures are in place, such as defining
trusted providers of X-headers.
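The following is an added example, not FortiWeb code or part of this guide, showing why "trusted providers of X-headers" matters. It resolves the original client IP from the IP-layer source and the X-Forwarded-For: chain by walking the chain backwards from the connecting address and stopping at the first hop that is not a trusted proxy, so a header an attacker injects directly is ignored; it also shows the FortiWeb-style step of adding the device's own address to the chain before forwarding. The load balancer at 172.20.120.5 and the attacker at 172.20.120.220 are taken from the figure above; the FortiWeb address 172.20.120.100 and the trusted-proxy set are assumptions.

```python
import ipaddress
from typing import Iterable, List, Optional

# Assumed deployment (constructed for this example): the only trusted
# X-Forwarded-For provider is the load balancer at 172.20.120.5, as in the
# figure, and FortiWeb itself sits at a hypothetical 172.20.120.100.
TRUSTED_PROXIES = frozenset({"172.20.120.5"})
FORTIWEB_IP = "172.20.120.100"


def parse_xff(header: Optional[str]) -> List[ipaddress._BaseAddress]:
    """Split an X-Forwarded-For value into addresses, leftmost (claimed
    original client) to rightmost (hop added by the last proxy).
    Entries that are not valid IP addresses are dropped rather than trusted."""
    if not header:
        return []
    addresses = []
    for part in header.split(","):
        try:
            addresses.append(ipaddress.ip_address(part.strip()))
        except ValueError:
            continue  # junk or a hostname: never attribute traffic to it
    return addresses


def original_client_ip(ip_src: str, xff: Optional[str],
                       trusted: Iterable[str] = TRUSTED_PROXIES) -> str:
    """Return the address a request should be attributed to (blocked, logged).

    Start at the IP-layer source. While the current hop is a trusted proxy,
    the rightmost unconsumed X-Forwarded-For entry is the address that hop
    saw connecting to it, so step back to that entry. Stop at the first hop
    that is not trusted: everything to its left is whatever it chose to send.
    """
    trusted_set = {ipaddress.ip_address(t) for t in trusted}
    current = ipaddress.ip_address(ip_src)
    if current not in trusted_set:
        # Direct connection from an untrusted host: the header is
        # attacker-controlled, so fall back to the IP-layer source.
        return str(current)
    chain = parse_xff(xff)
    while chain and current in trusted_set:
        current = chain.pop()  # rightmost entry = peer of `current`
    return str(current)


def forward_xff(xff: Optional[str], own_ip: str = FORTIWEB_IP) -> str:
    """Build the X-Forwarded-For value handed to the back-end server, with
    this device's own address added to the end of the chain so the server
    can still recover the original client for analytics."""
    entries = [str(a) for a in parse_xff(xff)]
    entries.append(str(ipaddress.ip_address(own_ip)))
    return ", ".join(entries)


if __name__ == "__main__":
    # Normal path: attacker -> load balancer -> FortiWeb. The LB appended
    # the attacker's address; the IP-layer source is the LB itself.
    print(original_client_ip("172.20.120.5", "172.20.120.220"))
    # Spoof attempt through the LB: the attacker's own fake entry is to the
    # left of the LB-appended one and is never reached.
    print(original_client_ip("172.20.120.5", "203.0.113.9, 172.20.120.220"))
    # Spoof attempt straight at FortiWeb: header ignored, source IP used.
    print(original_client_ip("172.20.120.220", "203.0.113.9"))
    print(forward_xff("172.20.120.220"))
```

The device's own address goes on the end of the chain because each proxy appends the peer it actually saw; a back-end server applying the same trusted-hop walk (with FortiWeb and the load balancer as its trusted set) recovers 172.20.120.220, while a server that naively reads the leftmost entry would be fooled by the injected 203.0.113.9.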
Not all features support X-header-derived client IPs. Features that do not include:
• “Blacklisting source IPs with poor reputation” on page 329
• “Blacklisting countries & regions” on page 331
• “Combination access control & rate limiting” on page 325
• “Restricting access to specific URLs” on page 321
• Allow Known Search Engines
To preserve connectivity troubleshooting capabilities, FortiWeb traffic logs do not use the
original client IP from X-headers; only attack logs do.