dfmcfadden49_27
Jul 08, 2016

How to send BIG-IP LTM X-Forwarded IPs to IIS "IP Domain Filter"?

On a BIG-IP LTM, we have a requirement to create an IP deny filter with Windows "Ip Domain Filters" on our Windows IIS. We need to have the X-forward IP data available for this including the log data. Is there a process for this?

 

6 Replies

  • Hi,

    You can activate the X-Forwarded-For option in the http profile assigned to your Virtual Server.

    Or you can use an iRule for that:

    when HTTP_REQUEST {
        # Drop any X-Forwarded-For header supplied by the client
        HTTP::header remove "X-Forwarded-For"
        # Insert the address of the connecting client
        HTTP::header insert "X-Forwarded-For" "[IP::client_addr]"
    }

    Both solutions work fine, taking into account that you need to decrypt SSL (if listening on HTTPS) and assign an HTTP profile.

    • dfmcfadden49_27

      Thank you for the reply. Normally X-forward only sends the external IP to the IIS log. I see this iRule is a little different than the one I have used over the years:

      when HTTP_REQUEST {
          HTTP::header insert X-Forwarded-For [IP::remote_addr]
      }

      Does this iRule send to IIS for configuring "IP Domain Filters"? I guess the question should be how do I get the information in the IIS log to the "IP Domain filter" configuration. Can it be sent directly from the F5, or what is the process within IIS? Regards,

       

    • Yann_Desmarest

      I add the below line to avoid an attacker adding a custom X-Forwarded-For value:

      HTTP::header remove "X-Forwarded-For"

      I'm using IP::client_addr, which is the same as IP::remote_addr in your case.

      Quick description of the slight difference:

      IP::client_addr - Returns the client IP address of a connection
      IP::remote_addr - Returns the IP address of the host on the far end of the connection.
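
The effect of the remove-before-insert advice above on a backend deny filter, as an added example that is not part of the original thread: a Python model of the two iRule variants posted here. It assumes the backend filter trusts either the first or the last X-Forwarded-For value it receives; the function names, addresses and deny list are constructed for illustration.

```python
import ipaddress

# Constructed deny list (documentation ranges), standing in for a backend deny filter.
DENY = [ipaddress.ip_network("203.0.113.0/24")]

def insert_only(headers, client_addr):
    """Model of `HTTP::header insert` alone: client-sent values are kept."""
    return headers + [("X-Forwarded-For", client_addr)]

def remove_then_insert(headers, client_addr):
    """Model of `HTTP::header remove` followed by `HTTP::header insert`."""
    kept = [(k, v) for k, v in headers if k.lower() != "x-forwarded-for"]
    return kept + [("X-Forwarded-For", client_addr)]

def xff_values(headers):
    """All X-Forwarded-For addresses in wire order, splitting comma lists."""
    out = []
    for k, v in headers:
        if k.lower() == "x-forwarded-for":
            out.extend(p.strip() for p in v.split(",") if p.strip())
    return out

def is_denied(headers, pick):
    """Backend filter; `pick` says which XFF value it trusts ("first" or "last")."""
    vals = xff_values(headers)
    if not vals:
        return True  # fail closed: every request should arrive via the proxy
    chosen = vals[0] if pick == "first" else vals[-1]
    try:
        addr = ipaddress.ip_address(chosen)
    except ValueError:
        return True  # unparseable value: fail closed
    return any(addr in net for net in DENY)

# Constructed request: a denied client sends its own X-Forwarded-For header.
CLIENT = "203.0.113.7"
REQUEST = [("Host", "www.example.com"), ("X-Forwarded-For", "198.51.100.9")]

def evaluate():
    """Filter decision for each proxy behaviour and trust policy."""
    return {
        "insert_only/first": is_denied(insert_only(REQUEST, CLIENT), "first"),
        "insert_only/last": is_denied(insert_only(REQUEST, CLIENT), "last"),
        "remove_then_insert/first": is_denied(remove_then_insert(REQUEST, CLIENT), "first"),
    }

if __name__ == "__main__":
    for name, denied in evaluate().items():
        print(f"{name}: {'denied' if denied else 'ALLOWED'}")
```

With insert alone, a filter that reads the first value evaluates the client-supplied address instead of the real one; removing the header first leaves only the value the BIG-IP wrote.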
      