Fortinet 271 FortiWeb 5.0 Patch 6 Administration Guide
2. Configure these settings:

   Use X-Header to Identify Original Client's IP
      If FortiWeb is deployed behind a device that applies NAT, enable this
      option to derive the original client's source IP address from an HTTP
      X-header instead of from the source address in the IP layer. Then type
      the name of the X-header that carries the original client IP, such as
      X-Forwarded-For or X-Real-IP, without the trailing colon ( : ).
      When a request travels through a web proxy this header is often
      X-Forwarded-For:, but it varies by product. For example, the Akamai
      service uses True-Client-IP:.
      For deployment guidelines and mechanism details, see "Blocking the
      attacker's IP, not your load balancer" on page 269.
      Caution: Any client can send this header itself. To combat forgery,
      configure the IP addresses of the load balancers and proxies that are
      trusted providers of this header, so that a value is honored only when
      it arrives from one of them. Also configure those proxies and load
      balancers to strip or overwrite client-supplied copies of the header
      rather than passing them through to FortiWeb; otherwise an attacker can
      name an arbitrary address as the "client", evading a block on its own
      address or causing a third party's address to be blocked.

   IP Location in X-Header
      Select whether to extract the original client's IP from the left end or
      the right end of the HTTP X-header value.
      Most proxies append their client's address to the right of any existing
      entries, so the request's origin is the leftmost entry. This is the
      default setting. Some proxies, however, place it at the right end.
      Note that the leftmost entry is also the one a client can forge, so the
      left setting is only as reliable as the trusted proxies' handling of
      client-supplied headers (see the caution above).

   Block Using Original Client's IP
      Enable to block requests that violate your policies using the original
      client's IP derived from this HTTP X-header, rather than the IP-layer
      source address (which, behind NAT, is the load balancer or proxy).
      When disabled, the original client's IP is used only in attack logs and
      reports.

3. Click OK.
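The following is an added, constructed example (not FortiWeb code or configuration) that shows what the two header-related settings above do and why the forgery caution matters. `ip_from_x_header` emulates the left/right "IP Location in X-Header" choice; `client_ip_behind_trusted_proxies` shows the trusted-proxy approach the caution describes: honor the header only when the TCP peer is a configured proxy, then walk the list from the right, discarding trusted proxy hops. All addresses, header values and the 10.0.0.0/24 proxy subnet are made up for illustration.

```python
"""Constructed example: deriving the original client IP from an X-header
and the effect of trusting only configured proxies. Not FortiWeb code;
every IP address and header value below is made up."""
import ipaddress


def parse_headers(raw):
    """Parse a block of 'Name: value' lines into (name, value) pairs.
    The key configured on the WAF is the name without the colon."""
    headers = []
    for line in raw.splitlines():
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers


def header_hops(headers, key):
    """Comma-separated entries of the first header named `key` (case-insensitive)."""
    for name, value in headers:
        if name.lower() == key.lower():
            return [h.strip() for h in value.split(",") if h.strip()]
    return []


def ip_from_x_header(headers, key="X-Forwarded-For", location="left"):
    """Emulates 'IP Location in X-Header': take the left or right end of the list.
    Returns None when the header is absent or the chosen entry is not an IP,
    so that nothing is blocked on the basis of garbage."""
    hops = header_hops(headers, key)
    if not hops:
        return None
    candidate = hops[0] if location == "left" else hops[-1]
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return None


def client_ip_behind_trusted_proxies(headers, peer_ip, trusted_proxies,
                                     key="X-Forwarded-For"):
    """Honor the header only when the TCP peer is a trusted proxy, then walk the
    list from the right, skipping trusted proxy hops, and return the first
    untrusted address: the one the innermost trusted device appended for its
    client. Falls back to the peer address rather than to a forgeable entry."""
    trusted = [ipaddress.ip_network(n) for n in trusted_proxies]
    peer = ipaddress.ip_address(peer_ip)

    def is_trusted(ip):
        return any(ip in net for net in trusted)

    if not is_trusted(peer):
        return str(peer)        # direct connection: the header is client-supplied
    for hop in reversed(header_hops(headers, key)):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            break               # malformed entry: stop trusting the rest of the list
        if not is_trusted(ip):
            return str(ip)
    return str(peer)            # every hop was a trusted proxy, or list empty


# Constructed scenarios. Trusted load balancer subnet (made up): 10.0.0.0/24.
TRUSTED_PROXIES = ["10.0.0.0/24"]

# Real client 203.0.113.7 sends a forged entry (198.51.100.9); trusted proxy
# 10.0.0.5 appends the real address and connects to the WAF.
FORGED_VIA_ONE_PROXY = parse_headers(
    "Host: www.example.com\r\n"
    "X-Forwarded-For: 198.51.100.9, 203.0.113.7\r\n"
)
# Same, through two chained trusted proxies (10.0.0.5, then 10.0.0.6).
FORGED_VIA_TWO_PROXIES = parse_headers(
    "X-Forwarded-For: 198.51.100.9, 203.0.113.7, 10.0.0.5\r\n"
)
# Attacker at 203.0.113.7 connects directly, no proxy, forging the header.
DIRECT_FORGERY = parse_headers("X-Forwarded-For: 198.51.100.9\r\n")

if __name__ == "__main__":
    print(ip_from_x_header(FORGED_VIA_ONE_PROXY, location="left"))     # 198.51.100.9 (forged)
    print(ip_from_x_header(FORGED_VIA_ONE_PROXY, location="right"))    # 203.0.113.7
    print(ip_from_x_header(FORGED_VIA_TWO_PROXIES, location="right"))  # 10.0.0.5 (a proxy!)
    print(client_ip_behind_trusted_proxies(FORGED_VIA_TWO_PROXIES, "10.0.0.6", TRUSTED_PROXIES))  # 203.0.113.7
    print(client_ip_behind_trusted_proxies(DIRECT_FORGERY, "203.0.113.7", TRUSTED_PROXIES))       # 203.0.113.7
```

The left end gives the attacker-chosen address whenever the first proxy appends rather than overwrites; the right end is correct for a single proxy but names the inner proxy once two are chained. Only the trusted-proxy walk gives the true client in every case, which is why the caution asks for both a configured list of trusted proxies and proxies that do not pass client-supplied headers through untouched.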