Forum Discussion

Augusto's avatar
Augusto
Icon for Nimbostratus rankNimbostratus
Sep 28, 2023

How to filter ASM logs by the client's real IP?

Hello everybody, I have an environment where I have two F5s, one external and one internal, however the ASM module is only enabled on the internal F5, in which the source IP that arrives is from t...
application delivery
event
security
ragunath154's avatar
ragunath154
Icon for Cirrostratus rankCirrostratus
Sep 28, 2023

if you have attached a http profile with Accept XFF   enabled in ASM F5 VIP and in the WAF policy enable the Trust XFF Header   then you can see the X-forward-for IP actual client ip in asm event logs instead of External F5 Selfip, then you can filter the log with IP address.

  • PSFletchTheTek's avatar
    PSFletchTheTek
    Icon for MVP rankMVP
    Oct 02, 2023

    Augusto to try to clarify the above statement which may help.
    You need to apply a http profile with the add xff function turned on to the external f5, so the one on the border.
    https://my.f5.com/manage/s/article/K4816

    Then on the internal f5 where you have ASM/ AWAF tell the WAF policy to Trust XFF headers so the exernal IP is seen when it comes over the border.

    You could also turn this on, on the internal f5 you can have many IP's in the XFF header you just need to keep a track of which one the ASM module is using for its calculations.