Change original source IP to random in ASM logs
Hello experts,
On youtube I have find this video
BIG-IP AWAF Demo 38 - Use IP Geolocation Enforcement w/ F5 BIG-IP Advanced WAF (formerly ASM) - YouTube
and in this video speaker show that she has some iRule that change original source IP to random public IP to emulate traffic from whole world.
I want to configure the same iRule in my test lab but I can't find how to do this or some examples of this iRule.
I have read this topics
iRule to randomly change source IP - DevCentral (f5.com)
iRule to randomly change source IP DevCentral (force.com)
but it is not clear for me how to replace IP only for ASM logs.
Have anyone configure the same thing as on the video and can help me how to configure it in my test lab?
Thank you!
Hi,
The ASM can also look into the x-forwarded-for header to determine the original client IP, for that you need to tell your security policy to trust the xff header. Then you can inject the header whether from the client side using fiddler for example. Or you can inject it locally using this iRule:
when HTTP_REQUEST { HTTP::header replace X-Forwarded-For "[expr (int(rand()*221)+1)].[expr int(rand()*254)].[expr int(rand()*254)].[expr int(rand()*254)]" }
This article describes the procedure for an old ASM version :
https://f5-agility-labs-waf.readthedocs.io/en/latest/class3/module1/lab1/lab1.html