Configuring FortiGate to Recognize Real Client IP Addresses
Introduction
When a NAT device or upstream proxy sits between the clients and the FortiGate, the FortiGate sees only the translated source address, so identity-based policy cannot be matched to the right user. This guide explains how to configure a FortiGate explicit web proxy to learn the real client IP address from an HTTP header and use it for authentication, so that authorization decisions apply to the individual client rather than to the NAT device.
Why Learning Client IP Addresses is Important
In environments where NAT is used, the source IP address seen by the FortiGate belongs to the NAT device, not to the client. Fortinet Single Sign-On (FSSO) maps users to the IP addresses they logged in from, so when every client arrives from the same translated address, FSSO cannot distinguish between them and group-based policies cannot apply per user. Learning the original client IP from a header such as X-Forwarded-For, inserted by the upstream device, restores the per-client mapping and lets FSSO policies apply to each individual client rather than to the shared address of the NAT device.
Configuration Steps
1. Enabling Learning of Client IP Addresses
To enable your FortiGate device to learn client IP addresses from headers, follow the steps below:
config web-proxy global
    set learn-client-ip enable
    set learn-client-ip-from-header x-forwarded-for
    set learn-client-ip-srcaddr "all"
end
In this configuration, the FortiGate takes the client address from the X-Forwarded-For header, which upstream web proxies and NAT devices commonly insert. Note the security implication of learn-client-ip-srcaddr: X-Forwarded-For is an ordinary request header that any client can set, and the value "all" means the FortiGate will honour it from every source address. In production, replace "all" with an address object for the upstream proxy or NAT device that actually inserts the header, so that a host which is not behind that device cannot spoof another user's address and inherit that user's FSSO group membership.
2. Configuring the Proxy Policy
After enabling client IP learning, you'll need to set up a proxy policy on your FortiGate device:
config firewall proxy-policy
    edit 1
        set proxy explicit-web
        set dstintf "mgmt1"
        set srcaddr "all"
        set dstaddr "all"
        set service "w"
        set action accept
        set schedule "always"
        set groups "fsso1"
        set utm-status enable
        set av-profile "default"
        set dlp-profile "default"
        set profile-protocol-options "default"
        set ssl-ssh-profile "deep-inspection"
    next
end
This explicit web proxy policy accepts traffic from any source address (srcaddr "all") but only for users who are members of the FSSO group "fsso1", and it applies antivirus, DLP, protocol options and deep SSL inspection to the accepted sessions. Because the group match is evaluated against the learned client IP rather than the translated address, each user behind the NAT device is matched individually. Adjust dstintf to the interface that carries your outbound web traffic.
3. Setting Up Authentication Scheme and Rule
Lastly, configure the authentication scheme and rule to ensure that IP address learning integrates with your FortiGate's security policies:
config authentication scheme
    edit "scheme1"
        set method fsso
    next
end
config authentication rule
    edit "rule1"
        set srcaddr "all"
        set sso-auth-method "scheme1"
    next
end
This setup defines an authentication scheme that uses FSSO and attaches it to an authentication rule matching all source addresses. Every request through the explicit proxy is then looked up in the FSSO session table by the learned client IP, so the group check in the proxy policy is made against the real client rather than the NAT device's address.
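The following Python model, added here as an illustration and not FortiGate code, shows the decision the three steps above set up: which address the proxy treats as the client, and which FSSO user that address resolves to. The trusted-source list stands in for learn-client-ip-srcaddr, the string "all" reproduces the page's setting, and the FSSO session table and addresses are constructed sample data. The model honours the leftmost X-Forwarded-For entry; that is an assumption of the model, so check the FortiOS documentation for which entry your version uses.

```python
import ipaddress
from typing import Dict, Optional, Sequence, Union

TrustedSources = Union[str, Sequence[str]]  # "all" or a list of CIDR strings


def learned_client_ip(peer_ip: str, headers: Dict[str, str],
                      trusted_sources: TrustedSources,
                      header: str = "x-forwarded-for") -> str:
    """Return the address the proxy should treat as the real client.

    peer_ip         : TCP source address the proxy actually sees
                      (the NAT device, or the client itself if there is no NAT)
    headers         : request headers with lower-cased names
    trusted_sources : "all" (the page's setting) or CIDR strings of the devices
                      whose forwarded header is allowed to override peer_ip
    """
    if trusted_sources != "all":
        peer = ipaddress.ip_address(peer_ip)
        if not any(peer in ipaddress.ip_network(net) for net in trusted_sources):
            # Header from an untrusted peer is ignored: the observed source wins.
            return peer_ip
    raw = headers.get(header)
    if not raw:
        return peer_ip
    # Assumption of this model: the leftmost entry is the originating client.
    first = raw.split(",")[0].strip()
    try:
        ipaddress.ip_address(first)
    except ValueError:
        return peer_ip  # malformed header: fall back to the observed source
    return first


# Constructed FSSO-style session table (IP -> user), as a collector agent would supply.
FSSO_SESSIONS = {"10.1.1.25": "alice", "10.1.1.26": "bob"}


def fsso_user(ip: str) -> Optional[str]:
    """Look up the logged-in user for an address, None if FSSO knows no session."""
    return FSSO_SESSIONS.get(ip)


def policy_user(peer_ip: str, headers: Dict[str, str],
                trusted_sources: TrustedSources) -> Optional[str]:
    """User the proxy policy's group check would be evaluated for."""
    return fsso_user(learned_client_ip(peer_ip, headers, trusted_sources))


# Constructed addresses: the NAT/proxy device and an attacker-controlled host.
NAT_DEVICE = "192.0.2.10"
ROGUE_HOST = "203.0.113.7"
TRUSTED = [NAT_DEVICE + "/32"]


def demo() -> Dict[str, Optional[str]]:
    """Run the scenarios a practitioner would want to compare."""
    spoofed = {"x-forwarded-for": "10.1.1.25"}
    return {
        # Genuine request: NAT device forwards alice's traffic and inserts her IP.
        "alice_via_nat": policy_user(NAT_DEVICE, spoofed, TRUSTED),
        # Same header sent directly by a rogue host, trusted sources restricted.
        "rogue_restricted": policy_user(ROGUE_HOST, spoofed, TRUSTED),
        # Same rogue request with the page's learn-client-ip-srcaddr "all".
        "rogue_all": policy_user(ROGUE_HOST, spoofed, "all"),
        # Proxy chain: client, then an intermediate proxy, then the NAT device.
        "chained": policy_user(NAT_DEVICE,
                               {"x-forwarded-for": "10.1.1.26, 198.51.100.5"},
                               TRUSTED),
        # Malformed header falls back to the observed source (no FSSO session).
        "malformed": policy_user(NAT_DEVICE, {"x-forwarded-for": "not-an-ip"},
                                 TRUSTED),
    }


if __name__ == "__main__":
    for name, user in demo().items():
        print(f"{name:18s} -> {user}")
```

The "rogue_all" case is the one the srcaddr caveat is about: with "all", a host outside the NAT device can name any address in the header and be evaluated as that FSSO user, whereas with the trusted list the same request is evaluated as the rogue host itself and matches no FSSO session.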
Conclusion
By configuring your FortiGate to learn client IP addresses, you ensure that identity-based policies apply to the right user even when clients share a translated address. This setup is especially important in NAT environments, where the FortiGate would otherwise see only the NAT device's address instead of the client's. Restrict learn-client-ip-srcaddr to the devices that genuinely insert the header, so that the learned address can be trusted, and then apply these configurations to improve the reliability and security of your network access control.
For further details, visit the official FortiGate documentation.