Forum Discussion

Augusto's avatar
Icon for Nimbostratus rankNimbostratus
Sep 28, 2023

How to filter ASM logs by the client's real IP?

Hello everybody,

I have an environment where I have two F5s, one external and one internal, however the ASM module is only enabled on the internal F5, in which the source IP that arrives is from the external self IP. I can view the client's real IP through x-forwarded-for, but I would like to know if I can make a filter in F5 to search for the IP of what comes in x-forwarded-for, instead of the layer's IP network

3 Replies

  • if you have attached a http profile with Accept XFF   enabled in ASM F5 VIP and in the WAF policy enable the Trust XFF Header   then you can see the X-forward-for IP actual client ip in asm event logs instead of External F5 Selfip, then you can filter the log with IP address.

    • PSFletchTheTek's avatar
      Icon for MVP rankMVP

      Augusto to try to clarify the above statement which may help.
      You need to apply a http profile with the add xff function turned on to the external f5, so the one on the border.

      Then on the internal f5 where you have ASM/ AWAF tell the WAF policy to Trust XFF headers so the exernal IP is seen when it comes over the border.

      You could also turn this on, on the internal f5 you can have many IP's in the XFF header you just need to keep a track of which one the ASM module is using for its calculations.