Preserve or retain client IP through WAF

Hello,

I've done some searching on here and many posts I find are 5-10 years old and/or the original poster never came back to confirm whatever was suggested fixed their issue or not. And, for reasons beyond me, these threads are locked so you cannot even chime in to ask if what they did fixed it or not, so here I am.

We just set up WAF and now client IPs are all showing the IP of the Sophos Firewall. How can we preserve or retain the original client IP? We have a few scenarios where something on our web app is revealed to them based on their IP, but now all traffic is showing coming from the LAN IP of the Sophos.

I found one suggestion to make sure "Pass host header" is checked, and other suggestions to use X-Forwarded-For in IIS. Does anyone know what exactly needs to be done? I'm asking here before I simply click the "Pass host header" checkbox and/or do the X-Forwarded-For thing, to get some feedback first.

Thanks!

  • It turns out I just needed to disable or delete the 1:1 NAT rule for the public IP in question. You mentioned this in another post here. Also, because there are multiple subdomains pointing to this one IP, we used the wildcard *.domain.com in the WAF rule. Once the DNAT rule was disabled, the public IPs are now showing at the tail end of each log entry. So the end resolution was to add the X-Forwarded-For in IIS, and delete the NAT rule since WAF does firewall and NAT in one.

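The reply above settles on reading X-Forwarded-For in IIS (IIS 8.5 and later can add request headers such as X-Forwarded-For as custom fields in the W3C log). The part the thread does not spell out is what the web app must do when it makes decisions based on that IP, as the original poster describes: the header is attacker-controlled, so it may only be believed on connections that actually arrive from the WAF, and the address to use is the right-most entry that is not one of your own proxies. The following is an added example, not code from the thread or from Sophos; the WAF LAN address 10.0.0.1 and the sample header values are constructed for illustration.

```python
import ipaddress
from typing import Optional, Set

# Assumed for this example: the Sophos Firewall's LAN-side IP, i.e. the peer
# address IIS sees on every connection that came through the WAF. Put your
# real WAF address(es) here; anything else is an unproxied connection.
TRUSTED_PROXIES: Set[ipaddress._BaseAddress] = {ipaddress.ip_address("10.0.0.1")}


def client_ip(remote_addr: str, xff_header: Optional[str],
              trusted: Set[ipaddress._BaseAddress] = TRUSTED_PROXIES) -> str:
    """Return the address to treat as the client.

    remote_addr: the TCP peer address (what IIS logs as c-ip).
    xff_header:  the raw X-Forwarded-For value, or None if absent.

    Rules applied:
      1. If the peer is not a trusted proxy, the header is ignored entirely:
         a direct client could have set it to anything.
      2. Otherwise walk the comma-separated chain from the right. The
         right-most entry was appended by the proxy nearest to us, so it is
         the only one a client cannot forge. Skip our own proxies and return
         the first address that is not one of them.
      3. Any unparsable entry means the header cannot be trusted; fall back
         to the peer address rather than guessing.
    """
    peer = ipaddress.ip_address(remote_addr)
    if peer not in trusted or not xff_header:
        return str(peer)

    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)
        if addr not in trusted:
            return str(addr)
    # Every hop was one of our own proxies; nothing left to trust but the peer.
    return str(peer)


def demo() -> dict:
    """Constructed sample requests showing each rule in action."""
    return {
        # Normal case: WAF forwards a request from 203.0.113.9.
        "via_waf": client_ip("10.0.0.1", "203.0.113.9"),
        # Client tried to spoof 198.51.100.7; WAF appended the real address.
        "spoof_attempt_via_waf": client_ip("10.0.0.1", "198.51.100.7, 203.0.113.9"),
        # Direct connection (e.g. the old 1:1 NAT path) with a forged header.
        "direct_with_forged_header": client_ip("192.0.2.5", "203.0.113.9"),
        # WAF connection without the header.
        "via_waf_no_header": client_ip("10.0.0.1", None),
        # Corrupt header from the WAF side.
        "via_waf_garbage": client_ip("10.0.0.1", "not-an-ip"),
    }


if __name__ == "__main__":
    for case, ip in demo().items():
        print(f"{case:28} -> {ip}")
```

The 1:1 NAT rule in the reply matters for the same reason rule 1 exists: while that DNAT path was live, requests could reach IIS without passing the WAF, and any X-Forwarded-For on those requests would be whatever the sender chose to put in it. Once the only route to the server is through the WAF, the peer address is always the WAF's and the right-most header entry is the real client.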