For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

dfmcfadden49_27's avatar
dfmcfadden49_27
Icon for Nimbostratus rankNimbostratus
Jul 08, 2016

How to send BIG-IP LTM, X-forwarded IP's to IIS "Ip Domain Filter" ?

On a BIG-IP LTM, we have a requirement to create an IP deny filter with Windows "Ip Domain Filters" on our Windows IIS. We need to have the X-forward IP data available for this including the log data...
application delivery
BIG-IP
LTM
security
Yann_Desmarest's avatar
Yann_Desmarest
Icon for Cirrus rankCirrus
Jul 08, 2016

Hi,

You can activate the X-Forwarded-For option in the http profile assigned to your Virtual Server.

Or you can use an irule for that : 

when HTTP_REQUEST {
        HTTP::header remove "X-Forwarded-For"
        HTTP::header insert "X-Forwarded-For" "[IP::client_addr]"
}

Both solution works fine taken into account that you need to decrypt ssl (if https listening) and assign an http profile.

Yann_Desmarest's avatar
Yann_Desmarest
Icon for Cirrus rankCirrus
Jul 08, 2016

I add the below line to avoid an attacker adding a custom X-Forwarded-For value :

HTTP::header remove "X-Forwarded-For"

I'm using 

IP::client_addr
which is the same as 
IP::remote_addr
in your case.

Quick description of the slight difference : 

IP::client_addr - Returns the client IP address of a connection
IP::remote_addr - Returns the IP address of the host on the far end of the connection.