Learn client IP

If there is another NAT device between the FortiGate and the client (browser), this feature can be used to identify the real client despite the address translation. Knowing the actual client address is essential where authorization decisions are based on it.

The settings for the feature are in the CLI in the context of:

config web-proxy global

Once here, enable the feature with the command:

    set learn-client-ip enable

Once the feature is enabled, the other settings become available.


The learn-client-ip-from-header setting selects which HTTP header the client address is read from. It has the following options:

true-client-ip Support HTTP header True-Client-IP.
x-real-ip Support HTTP header X-Real-IP.
x-forwarded-for Support HTTP header X-Forwarded-For.

The learn-client-ip-srcaddr setting (and learn-client-ip-srcaddr6 for IPv6) is selected from the list of IPv4 address or IPv6 address objects. It defines the source addresses from which the header is trusted: only requests arriving from those addresses have their client address learned from the header. Because any sender can put an arbitrary value in an HTTP header, limiting this to the address of the trusted NAT device in front of the FortiGate prevents other sources from supplying a false client address.


Below is a config example where, once the learn-client-ip feature is enabled, the real client IP address is used to match the proxy policy and the FSSO authentication rule.

The learn-client-ip-from-header option can be set to true-client-ip, x-real-ip or x-forwarded-for; in this example it is set to x-forwarded-for.

config web-proxy global
    set proxy-fqdn "default.fqdn"
    set webproxy-profile "default"
    set learn-client-ip enable
    set learn-client-ip-from-header x-forwarded-for
    set learn-client-ip-srcaddr "all"
end

config firewall proxy-policy
    edit 1
        set proxy explicit-web
        set dstintf "mgmt1"
        set srcaddr "all"
        set dstaddr "all"
        set service "w"
        set action accept
        set schedule "always"
        set groups "fsso1"
        set utm-status enable
        set av-profile "default"
        set dlp-sensor "default"
        set profile-protocol-options "default"
        set ssl-ssh-profile "deep-inspection"
    next
end

config authentication rule
    edit "rule1"
        set srcaddr "all"
        set sso-auth-method "scheme1"
    next
end

config authentication scheme
    edit "scheme1"
        set method fsso
    next
end
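The following Python model, added here as an illustration and not FortiGate's own code, shows the decision the feature makes for each request: the client address is taken from the header selected by learn-client-ip-from-header only when the request arrives from a source covered by learn-client-ip-srcaddr, and otherwise the address seen on the TCP connection is kept. The address objects, request headers and addresses are constructed sample values.

```python
import ipaddress

# Header names selectable with learn-client-ip-from-header.
HEADER_NAMES = {
    "true-client-ip": "True-Client-IP",
    "x-real-ip": "X-Real-IP",
    "x-forwarded-for": "X-Forwarded-For",
}


def parse_trusted(srcaddr):
    """Model of learn-client-ip-srcaddr: "all" or CIDR strings (constructed
    stand-ins for FortiGate address objects) become network objects."""
    nets = []
    for entry in srcaddr:
        if entry == "all":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
            nets.append(ipaddress.ip_network("::/0"))
        else:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def learn_client_ip(peer_ip, headers, from_header, srcaddr):
    """Return the address that policy matching and FSSO lookups should use.

    peer_ip: source address of the TCP connection (the NAT device).
    headers: HTTP request headers; names are matched case-insensitively.
    Falls back to peer_ip when the peer is not a trusted source, the
    header is absent, or its value is not a valid IP address.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in parse_trusted(srcaddr)):
        return peer_ip  # header from an untrusted source is ignored
    wanted = HEADER_NAMES[from_header].lower()
    value = next((v for k, v in headers.items() if k.lower() == wanted), None)
    if value is None:
        return peer_ip
    # X-Forwarded-For may hold a chain "client, proxy1, proxy2";
    # the leftmost entry is the original client.
    candidate = value.split(",")[0].strip()
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        return peer_ip  # malformed value: do not learn garbage
```

With srcaddr set to "all", as in the example above, the last check is the only thing standing between a crafted header and the policy lookup, which is why narrowing srcaddr to the NAT device matters.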