FortiGate
cborgato_FTNT
Article Id 196777

Description


This article describes the cases in which it may be helpful to see the 'X-Forwarded-For' and 'True-Client' IPs in IPS logs on FortiOS 5.6.

Scope


FortiGate 5.6+.

Solution

 

FortiGates running FortiOS 5.6 with IPS engine 3.2x or later can record the 'X-Forwarded-For' and 'True-Client' IPs in their IPS logs.

A common scenario where these values are useful is when the FortiGate sits behind an existing third-party proxy and must enforce an action based on the IP address carried in the 'X-Forwarded-For' header rather than the actual source IP address, which is the address of the third-party proxy.

For example, when a Data Center FortiGate is placed in Transparent or Sniffer mode for IPS (Reference link on how to configure this option) and the traffic is being proxied from a delivery network, the logs (sent to FortiAnalyzer or syslog) can still show the real source IPs in the 'forwardedfor' and 'trueclntip' fields. This way the SOC team can track the real source IP addresses, the ones potentially responsible for attacks.

One log example:

 

date=2018-03-21 time=14:18:30 logid=0419016123 type=utm subtype=ips eventtype=signature level=alert vd=root severity=info srcip=192.18.62.35 srccountry="Reserved" dstip=10.6.6.1 srcintf="port23" dstintf="port22" policyid=1 sessionid=77088 action=dropped proto=6 service="HTTP" attack="Eicar.Virus.Test.File" srcport=80 dstport=13668 hostname="192.18.62.35" direction=incoming attackid=29844 profile="sensor-1" ref="http://www.fortinet.com/ids/VID29844" incidentserialno=444479349 msg="file_transfer: Eicar.Virus.Test.File," forwardedfor="10.1.100.11" trueclntip="10.1.100.11"
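The following is an added example, not Fortinet code or anything from the article, showing how a SOC pipeline could parse the log line above and pick the address to attribute the event to. It assumes a preference order (trueclntip, then the left-most 'forwardedfor' entry, then srcip) and a constructed sample line copied from the article.

```python
import re
from typing import Dict

# Constructed sample: the IPS log line quoted in the article, values unchanged.
SAMPLE_LOG = (
    'date=2018-03-21 time=14:18:30 logid=0419016123 type=utm subtype=ips '
    'eventtype=signature level=alert vd=root severity=info srcip=192.18.62.35 '
    'srccountry="Reserved" dstip=10.6.6.1 srcintf="port23" dstintf="port22" '
    'policyid=1 sessionid=77088 action=dropped proto=6 service="HTTP" '
    'attack="Eicar.Virus.Test.File" srcport=80 dstport=13668 '
    'hostname="192.18.62.35" direction=incoming attackid=29844 '
    'profile="sensor-1" ref="http://www.fortinet.com/ids/VID29844" '
    'incidentserialno=444479349 msg="file_transfer: Eicar.Virus.Test.File," '
    'forwardedfor="10.1.100.11" trueclntip="10.1.100.11"'
)

# key=value pairs; quoted values may contain spaces and commas (see msg=...).
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Split a FortiGate key=value log line into a dict, stripping quotes."""
    fields = {}
    for key, value in _KV.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def real_client_ip(fields: Dict[str, str]) -> str:
    """Return the address to attribute the event to (preference order is an
    assumption of this example): trueclntip first, then the left-most
    forwardedfor entry, because X-Forwarded-For may be a comma-separated
    chain of proxies, and finally the packet-level srcip."""
    if fields.get("trueclntip"):
        return fields["trueclntip"]
    if fields.get("forwardedfor"):
        return fields["forwardedfor"].split(",")[0].strip()
    return fields["srcip"]


def behind_proxy(fields: Dict[str, str]) -> bool:
    """True when the header-derived client IP differs from the packet source."""
    return real_client_ip(fields) != fields.get("srcip")


if __name__ == "__main__":
    rec = parse_fortigate_log(SAMPLE_LOG)
    print(rec["attack"], "from", real_client_ip(rec), "via proxy", rec["srcip"])
```

Treat 'forwardedfor' as trustworthy only when the upstream proxy is known to set or overwrite the header, since a client can supply an X-Forwarded-For value itself.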

 

For more information, refer to the FortiOS v5.6 Handbook-CLI Reference, which can be found in the Fortinet Documentation Library.


If these logging features are needed, an upgrade to FortiOS 5.6 is necessary (5.6 normally runs IPS engine 3.4).

