Forum Discussion
ASM and Akamai
Hi, we recently acquired ASM licenses and would like to begin building policies. However, we use Akamai for web content delivery, so all connections to our website are sourced/proxied by Akamai. Akamai will insert the actual client's IP in the 'True-Client-IP' header. Because of this, any violation will have a source IP of an Akamai server, and many customers might be using this Akamai server. So my concern is that if ASM blocks an Akamai IP, a lot of legitimate traffic may also be blocked.
Can I use an iRule to extract the 'True-Client-IP' and apply it to an ASM policy to have ASM log and alert/block based on this IP instead of the actual packet's IP address?
Thanks in advance, MT
7 Replies
- Torti_93733
Nimbostratus
You can activate Trust XFF Header in the policy and set the header there.
- mtobkes_64700
Nimbostratus
I have enabled the 'Trust XFF Header' option and added custom header 'True-Client-IP' but I continue to see Akamai IPs in the ASM log. Is this expected? How does ASM block based on the IP address in the XFF header and not the actual source IP (Akamai)? Thanks, MT
- dennypayne
Employee
As far as I can tell, logging the XFF header instead of the real IP is not supported at this time, but some clarification on this would be helpful. It's not very intuitive for the logs to show something different than what is being operated on.
- Arturo
Employee
ASM includes it. I hope you could fix it last year :)
Regarding analytics and DoS profiles...
XFF configuration (ID 405312) In versions prior to 11.3.0, DoS profiles used the Trust XFF setting that was a security policy setting. The Trust XFF setting was renamed Accept XFF, and moved from a security policy property to a property of the HTTP profile. If you upgrade a DoS profile and a security policy with the Trust XFF setting enabled, after the upgrade, the new XFF configuration setting is disabled. If you want the DoS profile to continue trusting XFF, navigate to Local Traffic > Profiles > Services > HTTP > Properties screen, and enable the Accept XFF setting.
Regards.
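
One way to reason about using 'True-Client-IP' for logging and blocking behind a CDN, as an added Python example (not code from any poster in this thread and not F5's implementation). The proxy ranges, function names and sample requests are constructed assumptions.

```python
import ipaddress

# Constructed sample ranges (RFC 5737 documentation blocks) standing in for
# the CDN edge ranges you actually allow; these are not real Akamai addresses.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]
CLIENT_IP_HEADER = "true-client-ip"  # header named in the thread


def is_trusted_proxy(ip):
    return any(ipaddress.ip_address(ip) in net for net in TRUSTED_PROXIES)


def effective_client_ip(peer_ip, headers):
    """Return (ip, source) to use for logging and enforcement.

    The header is honoured only when the TCP peer is a trusted proxy;
    a header arriving from any other sender is ignored.
    """
    peer = str(ipaddress.ip_address(peer_ip))
    if not is_trusted_proxy(peer):
        return peer, "peer"
    # HTTP header names are case-insensitive.
    values = [v for k, v in headers if k.lower() == CLIENT_IP_HEADER]
    if len(values) != 1:
        return peer, "peer"  # missing or duplicated header: fall back
    try:
        return str(ipaddress.ip_address(values[0].strip())), "header"
    except ValueError:
        return peer, "peer"  # header value is not an IP address


def block_key(peer_ip, headers):
    """IP to put on a block list, or None when only a shared edge IP is known."""
    ip, _ = effective_client_ip(peer_ip, headers)
    return None if is_trusted_proxy(ip) else ip


if __name__ == "__main__":
    samples = [  # constructed requests: (peer address, header list)
        ("192.0.2.10", [("True-Client-IP", "203.0.113.7")]),
        ("203.0.113.99", [("True-Client-IP", "10.0.0.1")]),
        ("192.0.2.10", [("True-Client-IP", "not-an-ip")]),
        ("192.0.2.10", []),
    ]
    for peer, hdrs in samples:
        print(peer, hdrs, "->", effective_client_ip(peer, hdrs), block_key(peer, hdrs))
```

Returning `None` from `block_key` covers the concern raised in the original question: a violation is never enforced against an address shared by many clients.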
