Can the FortiGate insert an X-Forwarded-For header only for GET and CONNECT methods?

Author
wasfi@renaissanceit.com.au
2021/05/14 17:03:39 (permalink)

Hi;
 
Can I have the FortiGate insert an X-Forwarded-For header only if the HTTP method is GET or CONNECT? Basically I have a virtual server of type http set up with "Preserve Client IP". It is load balancing traffic originating from browsers "with explicit proxy" and destined to a couple of proxy servers. The destination port is 8080.
 
When the FortiGate inserts the X-Forwarded-For for HTTP datagrams with GET, POST, CONNECT, things work fine. However, when it inserts the XFF in datagrams encapsulating TLS content, then it inserts the XFF in the datagram's body, causing it to be malformed.
 
If I can have a simple rule that says: If the HTTP method does not exist then don't insert the XFF header.
 
Kindly
Wasfi
 
 
#1


    Yurisk
    Re: Can the FortiGate insert an X-Forwarded-For header only for GET and CONNECT methods? 2021/05/16 01:28:07 (permalink)
    Nope, VIP with load balancing does not include the ability to match on request type.
    On the other hand, FortiGate acts as an SSL proxy and encrypts its connection to the server with the X-Forwarded header already added; why does it make the payload corrupt in your case? This should not happen IMO.

    Yuri
    https://yurisk.info/ blog: All things Fortinet, no ads.
    #2
    wasfi@renaissanceit.com.au
    Re: Can the FortiGate insert an X-Forwarded-For header only for GET and CONNECT methods? 2021/05/16 07:16:30 (permalink)
    In my case, the FortiGate virtual server is not doing any SSL decryption. It, however, adds the XFF header in the HTTP datagram conveying the client hello.
    #3
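
The rule asked for in post #1 ("if the HTTP method does not exist then don't insert the XFF header"), written out as an added Python example. It is not FortiGate configuration or code from any poster; the function names, the sample payloads and the 192.0.2.10 address are constructed for illustration.

```python
import re

# Simplified HTTP/1.x request line: METHOD SP target SP HTTP/x.y CRLF
REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/\d\.\d\r\n")


def is_tls_record(payload: bytes) -> bool:
    """True if the payload starts with a TLS record header."""
    return (
        len(payload) >= 3
        and payload[0] in (0x14, 0x15, 0x16, 0x17)  # TLS record content types
        and payload[1] == 0x03                      # record version, major byte
    )


def insert_xff(payload: bytes, client_ip: str) -> bytes:
    """Add X-Forwarded-For only when the payload begins an HTTP request."""
    if is_tls_record(payload) or not REQUEST_LINE.match(payload):
        return payload  # tunnelled or unknown bytes: forward untouched
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep:
        return payload  # header block not complete in this segment
    xff = b"X-Forwarded-For: " + client_ip.encode("ascii")
    # The header goes at the end of the header block, never into the body.
    return head + b"\r\n" + xff + sep + body


# Constructed samples: an explicit-proxy CONNECT, then the first bytes the
# browser sends inside the tunnel (TLS handshake record, ClientHello).
CONNECT_REQ = b"CONNECT example.com:443 HTTP/1.1\r\nHost: example.com:443\r\n\r\n"
CLIENT_HELLO = b"\x16\x03\x01\x00\x2a\x01\x00\x00\x26\x03\x03" + bytes(32)

if __name__ == "__main__":
    for sample in (CONNECT_REQ, CLIENT_HELLO):
        print(insert_xff(sample, "192.0.2.10"))
```

The same two checks can be run over a packet capture taken behind the virtual server to confirm whether payloads that start with a TLS record header are being modified.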