2025年8月2日 星期六

X-Forwarded-For (XFF) LAB

以下實驗在於 X-Forwarded-For (XFF) 測試，驗證透過開源的 CDN 軟體 Varnish

加上 FortiGate 的 Virtual server load balance 機制，取得真實 Client IP。

Varnish HTTP Cache 

https://www.varnish-cache.org


實驗架構



連線流程


Client [192.168.100.0/24] (hosts 檔設定 192.168.100.20 wps.cdn.tw)

--> CDN IP (192.168.100.20) --> 原站 IP [192.168.100.10] (FTG SLB VIP)

-->  FTG Firewall (192.168.100.125/192.168.1.1)

--> SLB Member (RealServer IP 192.168.1.11 or 12)

--> Nginx log  取得真實 Client IP


重要設定

[root@CDN ~]#  cat /etc/varnish/default.vcl

vcl 4.0;


# Varnish backend: the local nginx listener on port 8080 (the second server
# block in /etc/nginx/nginx.conf), which in turn proxies to the origin
# VIP 192.168.100.10.
backend default {

    .host = "127.0.0.1";

    .port = "8080";

}


# Addresses allowed to issue PURGE (matched against client.ip in vcl_recv).
# Only the local host is listed; note that a request proxied by the local
# nginx (proxy_pass http://127.0.0.1:6081) also arrives from 127.0.0.1.
acl purge {

    "localhost";

    "127.0.0.1";

}


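# Request entry point: honour PURGE only from the "purge" ACL, strip cookies
# from static-asset requests, then fall through to the builtin vcl_recv.
sub vcl_recv {

    if (req.method == "PURGE") {
        # client.ip is the TCP peer.  With the port-80 nginx in front of
        # Varnish (proxy_pass http://127.0.0.1:6081 in nginx.conf) every
        # proxied request arrives from 127.0.0.1, which is in the purge ACL,
        # so this check alone would let any remote client purge the cache.
        if (!client.ip ~ purge) {
            return (synth(405, "DENY"));
        }
        # The front nginx overwrites X-Real-IP with the real peer address
        # (proxy_set_header X-Real-IP $remote_addr), so when the header is
        # present it must point at localhost as well.  A direct local
        # connection to Varnish (no nginx hop, header absent) is still
        # accepted by the client.ip check above.
        if (req.http.X-Real-IP && req.http.X-Real-IP !~ "^(127\.0\.0\.1|::1)$") {
            return (synth(405, "DENY"));
        }
        return (purge);
    }

    # Static assets are served from cache regardless of cookies.
    if (req.url ~ "\.(gif|jpg|jpeg|swf|ttf|css|js|flv|mp3|mp4|pdf|ico|png)(\?.*|)$") {
        unset req.http.cookie;
    }
}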


# Piped requests go straight to the backend without further processing
# (same action as the builtin vcl_pipe).
sub vcl_pipe {

    return (pipe);

}


# Uncacheable (passed) requests are fetched from the backend
# (same action as the builtin vcl_pass).
sub vcl_pass {

    return (fetch);

}


sub vcl_backend_response {

.............


[root@CDN ~]#  cat /etc/nginx/nginx.conf


.....


# Edge listener on the CDN host: plain HTTP on :80, proxied into Varnish on
# 127.0.0.1:6081; Varnish's backend is the :8080 server block below, which
# forwards to the origin VIP 192.168.100.10.
server {

  listen 80;

  server_name wps.cdn.tw;

  port_in_redirect off;

  # NOTE(review): browsers only honour HSTS received over TLS; on this plain
  # :80 listener the header has no effect unless TLS is terminated in front
  # of nginx (not shown here) — confirm.
  add_header Strict-Transport-Security "max-age=31536000;";

  add_header X-Content-Type-Options nosniff;

  location / {

    proxy_pass http://127.0.0.1:6081;

    proxy_set_header Host $http_host;

    proxy_set_header X-Forwarded-Host $http_host;

    # $remote_addr is the TCP peer of this hop, so X-Real-IP is the one
    # forwarded-address header the origin can trust: the client cannot
    # override it because it is replaced here.
    proxy_set_header X-Real-IP $remote_addr;

    # $proxy_add_x_forwarded_for appends $remote_addr to whatever
    # X-Forwarded-For the client already sent, so the left-most entry of the
    # chain is client-controlled.  Consumers must use the entry added by this
    # hop (or set $remote_addr here if no trusted proxy sits in front of the
    # CDN) rather than the first value.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    # NOTE(review): the scheme is hard-coded to https although this listener
    # is plain HTTP, so the origin will treat the request as TLS — presumably
    # TLS terminates elsewhere; verify.
    proxy_set_header X-Forwarded-Proto https;

    proxy_set_header HTTPS "on";

  }


}


server {

  listen 8080;

  server_name wps.cdn.tw;

  location / {

    proxy_pass http://192.168.100.10;

    proxy_set_header  Host $http_host;


.....



[root@CDN ~]#  dnf info varnish.x86_64

Last metadata expiration check: 1:15:24 ago on Sat 02 Aug 2025 01:18:24 PM CST.

Installed Packages

Name         : varnish

Version      : 6.6.2

Release      : 6.el9_6.1

Architecture : x86_64

Size         : 3.0 M

Source       : varnish-6.6.2-6.el9_6.1.src.rpm

Repository   : @System

From repo    : ol9_appstream

Summary      : High-performance HTTP accelerator

URL          : https://www.varnish-cache.org/

License      : BSD

Description  : This is Varnish Cache, a high-performance HTTP accelerator.

             :

             : Varnish Cache stores web pages in memory so web servers don’t have to

             : create the same web page over and over again. Varnish Cache serves

             : pages much faster than any application server; giving the website a

             : significant speed up.

             :

             : Documentation wiki and additional information about Varnish Cache is

             : available on: https://www.varnish-cache.org/


RealServer 上 Nginx log 設定


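# Access-log format on the RealServer: the two forwarded-address headers are
# logged first, followed by the usual "main" fields.  $http_x_forwarded_for and
# $http_x_real_ip are copied verbatim from the request, so they identify the
# real client only when every path to this server passes through the CDN/FTG
# hop that sets them; a client reaching this server directly, or a front proxy
# that merely appends, can place any value in X-Forwarded-For.
# The first string is kept on one line on purpose: nginx preserves line breaks
# that occur inside a quoted string, so a string split across lines would write
# those breaks into every log record and break line-oriented log parsing.
log_format  main  '$http_x_forwarded_for | $http_x_real_ip | $remote_addr - $remote_user [$time_local] "$request" '
                  '$status $body_bytes_sent "$http_referer" '
                  '"$http_user_agent" "$http_x_forwarded_for"';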


Demo














2025年7月18日 星期五

PaloAlto Dual ISP with ECMP testing

 














tracert (Trace Route)





show routing route ecmp yes




其它補充:

如果要指定某一個 Source IP / Range 走特定的 WAN x / ISP x，
就和一般的網通設備一樣，
使用政策路由 Policy-Based Route [PBR] 設定即可，
等同於 PaloAlto 的 Policy Based Forwarding [PBF] 設定。


判斷邏輯為：
檢查是否命中 PBF Rule --> 有命中則依 PBF 決定路由，
若沒命中則依 Routing Table (可用 ECMP) 決定其路由。





2025年7月5日 星期六

OSPF over IPsec gre tunnel in FortiGate

 Continuing this theme, this time it’s a site-to-site VPN between FTGs

https://xrcd2.blogspot.com/2025/07/fortigate-site-to-site-vpn-lab.html

https://xrcd2.blogspot.com/2023/02/ospf-over-ipsec-for-paloalto-and.html



CLI config example

(1)

FortiGate-BH (VPN-TO-HQ) # show

config vpn ipsec phase1-interface

    edit "VPN-TO-HQ"

        set interface "port1"

        set local-gw 68.10.1.1

        set peertype any

        set net-device disable

        set proposal des-md5 des-sha1

        set dhgrp 14 5

        set encapsulation gre

        set remote-gw 210.10.1.1

        set psksecret FortiPWD168

    next

end


FortiGate-BH (VPN-TO-HQ) # show

config vpn ipsec phase2-interface

    edit "VPN-TO-HQ"

        set phase1name "VPN-TO-HQ"

        set proposal des-md5 des-sha1

        set dhgrp 14 5

        set auto-negotiate enable

        set encapsulation transport-mode

        set protocol 47

    next

end


FortiGate-BH (VPN-TO-HQ) # show

config system interface

    edit "VPN-TO-HQ"

        set vdom "root"

        set ip 192.168.1.2 255.255.255.255

        set allowaccess ping

        set type tunnel

        set remote-ip 192.168.1.1 255.255.255.252

        set snmp-index 15

        set interface "port1"

    next

end

================================================

(2)

FortiGate-HQ (VPN-TO-BH) # show

config vpn ipsec phase1-interface

    edit "VPN-TO-BH"

        set interface "port1"

        set local-gw 210.10.1.1

        set peertype any

        set net-device disable

        set proposal des-md5 des-sha1

        set dhgrp 14 5

        set encapsulation gre

        set remote-gw 68.10.1.1

        set psksecret FortiPWD168

    next

end


FortiGate-HQ (VPN-TO-BH) # show

config vpn ipsec phase2-interface

    edit "VPN-TO-BH"

        set phase1name "VPN-TO-BH"

        set proposal des-md5 des-sha1

        set dhgrp 14 5

        set auto-negotiate enable

        set encapsulation transport-mode

        set protocol 47

    next

end


FortiGate-HQ (VPN-TO-BH) # show

config system interface

    edit "VPN-TO-BH"

        set vdom "root"

        set ip 192.168.1.1 255.255.255.255

        set allowaccess ping

        set type tunnel

        set remote-ip 192.168.1.2 255.255.255.252

        set snmp-index 15

        set interface "port1"

    next

end


===================================================



WEB config  example









========================================










Tracer & Ping Test 



2025年6月27日 星期五

FortiGate firewall configures the Syslog filter

FortiGate firewall configures the Syslog filter

Reference URL :  

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Using-syslog-free-style-filters/ta-p/204606


Test







Log Example:

ssh login

Jun 28 14:06:00 192.168.100.254 date=2025-06-28 time=14:06:00 devname="Test-FW" devid="FGVMEXXXXXXXXXXX" eventtime=1751090760672765479 tz="+0800" logid="0100032001" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" sn="1751090760" user="admin" ui="ssh(192.168.100.112)" method="ssh" srcip=192.168.100.112 dstip=192.168.100.254 action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from ssh(192.168.100.112)"


web login 


Jun 28 14:07:10 192.168.100.254 date=2025-06-28 time=14:07:09 devname="Test-FW" devid="FGVMEXXXXXXXXXXX" eventtime=1751090829377377416 tz="+0800" logid="0100032001" type="event" subtype="system" level="information" vd="root" logdesc="Admin login successful" sn="1751090829" user="admin" ui="http(192.168.100.112)" method="http" srcip=192.168.100.112 dstip=192.168.100.254 action="login" status="success" reason="none" profile="super_admin" msg="Administrator admin logged in successfully from http(192.168.100.112)"


=======================================================

ssh config 

Jun 28 13:48:30 192.168.100.254 date=2025-06-28 time=13:48:30 devname="Test-FW01" devid="FGVMEXXXXXXXXXXX" eventtime=1751089710571156282 tz="+0800" logid="0100032102" type="event" subtype="system" level="alert" vd="root" logdesc="Configuration changed" user="admin" ui="ssh(192.168.100.112)" msg="Configuration is changed in the admin session"

web config 

Jun 28 13:58:07 192.168.100.254 date=2025-06-28 time=13:58:07 devname="Test-FW" devid="FGVMEXXXXXXXXXXX" eventtime=1751090286557611095 tz="+0800" logid="0100032222" type="event" subtype="system" level="notice" vd="root" logdesc="Global setting changed" user="admin" ui="GUI(192.168.100.112)" field="hostname" old_value="Test-FW01" new_value="Test-FW" msg="User admin changed hostname global setting to Test-FW from GUI(192.168.100.112)"


==================================================

FTG Config 

Test-FW # config log syslogd filter

Test-FW (filter) # show
config log syslogd filter
    config free-style
        edit 1
            set category event
            set filter "logid 0100032001 0100032102 0100032222"
        next
        edit 2
            set category traffic
            set filter "srcintf port1"
        next
    end
end

Test-FW (filter) # get
severity            : information
forward-traffic     : enable
local-traffic       : enable
multicast-traffic   : enable
sniffer-traffic     : enable
ztna-traffic        : enable
anomaly             : enable
voip                : enable
gtp                 : enable
free-style:
    == [ 1 ]
    id:     1       category: event
    == [ 2 ]
    id:     2       category: traffic

Test-FW (filter) #