Forum Discussion
Is XFF a must for ASM WAF DoS
In this article it is mentioned that you must configure "Accept XFF" in HTTP profile in order to use DOS or Bot protection.
https://my.f5.com/manage/s/article/K000133493
"HTTP profile is required also and have XFF enabled is the minimum setting needed"
On the other hand in this article it says
https://my.f5.com/manage/s/article/K36452759
"If the setting "Accept XFF" is not enabled in the HTTP profile associated with the virtual server using bot or DoS, then the source IP of the traffic as it arrives to the BIG-IP will be used instead."
"Note: Ensure this header name is inserted by a trusted source. If you do not trust the header showing the original client IP it may be maliciously altered."
"XFF, or equivalent client IP headers, must be configured to be trusted in the HTTP profile for use with Bot Defense and Application DoS profiles"
This creates some confusion
- It is unclear whether XFF is mandatory. Is it?
- If there is no trusted proxy in front of F5 and the actual source IP (as it arrives at F5) is the public source IP, which is the relevant IP to us, does "Accept XFF" still need to be configured?
Thank you
- zamroni777 (Nacreous)
dos and bot protection needs to check client's public ip address.
therefore, if your asm sits behind nat fw that changed source ip address to private address,
then that nat fw needs to write client's ip address into http xff request header
and asm needs to read client ip from that xff header.
- Emil_Tr (Nimbostratus)
Hi
As I mentioned - there is no trusted proxy in front of F5 and the actual source IP (as it arrives at F5) is the public source IP, meaning the FW does NOT change client's source IP.
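The two deployments discussed in this thread (clients connecting directly versus arriving through a NAT device that writes XFF), as an added example that is not part of any post above and is not BIG-IP's internal logic: it picks the address that per-client DoS or bot counters should key on, using XFF only when the connection comes from a trusted device. The trusted range, function names and sample traffic are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Constructed, hypothetical trust list: the NAT firewall / proxy range in front of the WAF.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]

def _trusted(addr, trusted):
    return any(addr in net for net in trusted)

def effective_client_ip(peer_ip, xff_header, trusted=TRUSTED_PROXIES):
    """Pick the address that per-client DoS/bot counters should key on."""
    peer = ipaddress.ip_address(peer_ip)
    # Peer is not a trusted proxy: any XFF header came from the client itself
    # and can be set to anything, so the TCP source address is authoritative.
    if not _trusted(peer, trusted) or not xff_header:
        return str(peer)
    # Peer is trusted: walk the header right to left and stop at the first
    # hop that is not one of our own proxies.
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)  # malformed entry: fall back to the peer address
        if not _trusted(addr, trusted):
            return str(addr)
    return str(peer)

def count_by_client(requests, trusted=TRUSTED_PROXIES):
    """requests: iterable of (peer_ip, xff_header) pairs."""
    return Counter(effective_client_ip(p, x, trusted) for p, x in requests)

# Constructed sample traffic (documentation address ranges).
SAMPLE = [
    ("203.0.113.7", "198.51.100.1"),  # direct client sending its own XFF
    ("203.0.113.7", "198.51.100.2"),  # same client, different XFF value
    ("203.0.113.7", "198.51.100.3"),
    ("10.0.0.5", "192.0.2.44"),       # arrived via the trusted NAT device
]

if __name__ == "__main__":
    for ip, n in count_by_client(SAMPLE).items():
        print(ip, n)
```

With the sample traffic, the three direct requests are counted against the one real source address rather than spread across three header values, while the request relayed by the NAT device is counted against the address in its XFF header.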