Hi zbirmingham,
There might be multiple XFF headers or multiple XFF values in a single header. And keep in mind that a client can insert any XFF value they want. With those in mind, how would you want to handle the XFF values if there are more than one?
Can you have the CDN change the name of the header they insert in their requests to something that isn't X-Forwarded-For? This would lower the chance of another proxy inserting a header with the same name (but not lower the chance that a malicious user could spoof their own header value to bypass your iRule logic).
If you move the code from the CLIENT_ACCEPTED event to the HTTP_REQUEST event, it would work if there is just one XFF value. But it would be better to use a switch statement so you're only running the whereis command once instead of twice.
Aaron