Internet - Fortigate (NAT) - Load Balancer = LB Cannot Get Real IP

Author: zhumarlin
2020/11/30 02:50:02


Hello. I have already read all the posts about the same problem, but
As the title of this post says, we implement a load balancer after the FortiGate.
We use NAT on the FortiGate to translate the public IP to a private IP, and then HTTPS is offloaded on the load balancer.
Because of that topology, we cannot get the real/client IP address; it just shows the FW IP.
We cannot disable NAT because our servers use private IPs.
Because of NAT, adding the "x-forwarded-for" header does not work.

We also cannot offload SSL on the FW because that is our load balancer's job.

Is there any solution based on our topology?


    lobstercreed
    Re: Internet - Fortigate (NAT) - Load Balancer = LB Cannot Get Real IP 2020/11/30 08:09:58
    You should not use NAT on an incoming (from the Internet) policy for precisely the reasons you're describing. The VIP object does the NAT from public IP to private. Enabling NAT on the policy only affects the source, not the destination. So you don't want NAT on the incoming policy. You DO want NAT on the outbound policies.
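The split the reply describes, shown as an added FortiOS CLI example that is not from this thread or from Fortinet documentation: the VIP carries the public-to-private destination NAT, the inbound policy has source NAT disabled so the load balancer sees the client address, and only the outbound policy enables NAT. Interface names (wan1, dmz), object names and the documentation addresses 203.0.113.10 / 10.0.0.10 are assumed for illustration.

```fortios
# Assumed topology: wan1 = Internet side, dmz = load balancer side.
# 203.0.113.10 and 10.0.0.10 are placeholder documentation addresses.
config firewall vip
    edit "vip-lb-https"
        set extip 203.0.113.10
        set extintf "wan1"
        set mappedip "10.0.0.10"
    next
end

# BEFORE (the situation in the question): the same inbound policy 10
# below but with "set nat enable". The VIP already rewrites the
# destination; policy NAT additionally rewrites the source to the
# FortiGate's dmz address, so the LB only ever logs the firewall IP.

# AFTER: NAT disabled on the inbound policy. The VIP still performs the
# public-to-private DNAT and the client's source address reaches the LB.
config firewall policy
    edit 10
        set name "inbound-https"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "vip-lb-https"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set nat disable
    next
    # Outbound traffic from the private network still needs source NAT.
    edit 20
        set name "outbound-internet"
        set srcintf "dmz"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
```

Reply traffic from the load balancer must route back through the FortiGate so the VIP can reverse the destination translation; if the LB has another default gateway, the client address will arrive but the session will break.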