Join us now!

Username
Password
Verification
	Stay logged in

Forgot Your Password? Forgot your Username? Haven't received registration validation E-mail?

User Control Panel Log out

Forums
Posts

Latest Posts

Active Posts

Recently Visited

Search Results

View More
Blog

Recent Blog Posts

View More
Photos

Recent Photos

My Favorites

View More Photo Galleries
PMs

Unread PMs

Inbox

Send New PM View More
Page Extras
Menu
- Forum Themes
- Member List
- Online User List
- User Groups

Videos, Docs Library, KB
Fuse
- Fuse Fortinet User Community

Mark Thread UnreadFlat Reading Mode ❐

Hot!Internet - Fortigate (NAT) - Load Balancer = LB Cannot Get Real IP

Author Post Essentials Only Full Version
zhumarlin New Member Total Posts : 1 Scores: 0 Reward points: 0 Joined: 2020/11/30 02:37:29 Status: offline 2020/11/30 02:50:02 (permalink) 0 Internet - Fortigate (NAT) - Load Balancer = LB Cannot Get Real IP Hello.. I already read all posts about the same problem, but As the title of this post, we implement a load balancer after fortigate. We used NAT on Fortigate to translate Public IP to Private IP. And then the HTTPS is offloaded on Load balancer. Because of that topology, we cannot get the real IP/client IP address. It just shows the FW IP. We cannot disable NAT because our servers using private IP. Because of NAT, adding the "x-forwarded-for" header is not works. We also cannot offloading SSL on FW because that is our load balancer's job. Is there any solution based on our topology ? #1 1 Reply Related Threads
lobstercreed Platinum Member Total Posts : 360 Scores: 43 Reward points: 0 Joined: 2018/11/28 14:57:58 Location: Sedalia, MO Status: offline Re: Internet - Fortigate (NAT) - Load Balancer = LB Cannot Get Real IP 2020/11/30 08:09:58 (permalink) 0 You should not use NAT on an incoming (from Internet) policy for precisely the reasons you're describing. The VIP object does the NAT from public IP to private. Enabling NAT on the policy only affects the source, not the destination. So you don't want NAT on the incoming policy. You DO want NAT on the outbound policies. #2

Author

Post

Essentials Only Full Version

zhumarlin

New Member

Total Posts : 1
Scores: 0
Reward points: 0
Joined: 2020/11/30 02:37:29
Status: offline

2020/11/30 02:50:02 (permalink)

Internet - Fortigate (NAT) - Load Balancer = LB Cannot Get Real IP

Hello.. I already read all posts about the same problem, but
As the title of this post, we implement a load balancer after fortigate.
We used NAT on Fortigate to translate Public IP to Private IP. And then the HTTPS is offloaded on Load balancer.
Because of that topology, we cannot get the real IP/client IP address. It just shows the FW IP.
We cannot disable NAT because our servers using private IP.
Because of NAT, adding the "x-forwarded-for" header is not works.

We also cannot offloading SSL on FW because that is our load balancer's job.

Is there any solution based on our topology ?

1 Reply Related Threads

lobstercreed

Platinum Member

Total Posts : 360
Scores: 43
Reward points: 0
Joined: 2018/11/28 14:57:58
Location: Sedalia, MO
Status: offline

Re: Internet - Fortigate (NAT) - Load Balancer = LB Cannot Get Real IP 2020/11/30 08:09:58 (permalink)

You should not use NAT on an incoming (from Internet) policy for precisely the reasons you're describing. The VIP object does the NAT from public IP to private. Enabling NAT on the policy only affects the source, not the destination. So you don't want NAT on the incoming policy. You DO want NAT on the outbound policies.

Jump to: