Forum Discussion

Emil_Tr
Dec 25, 2024

Is XFF a must for ASM WAF DoS

In this article it is mentioned that you must configure "Accept XFF" in HTTP profile in order to use DOS or Bot protection.

https://my.f5.com/manage/s/article/K000133493

"HTTP profile is required also and have XFF enabled is the minimum setting needed"


On the other hand, this article says:

https://my.f5.com/manage/s/article/K36452759

"If the setting "Accept XFF" is not enabled in the HTTP profile associated with the virtual server using bot or DoS, then the source IP of the traffic as it arrives to the BIG-IP will be used instead."

"Note: Ensure this header name is inserted by a trusted source.  If you do not trust the header showing the original client IP it may be maliciously altered."

"XFF, or equivalent client IP headers, must be configured to be trusted in the HTTP profile for use with Bot Defense and Application DoS profiles"

This creates some confusion:

  1. It is unclear whether XFF is mandatory. Is it?
  2. If there is no trusted proxy in front of F5 and the actual source IP (as it arrives at F5) is the public source IP, which is the relevant IP to us, does "Accept XFF" still need to be configured?

Thank you

  • DoS and bot protection need to check the client's public IP address.

    Therefore, if your ASM sits behind a NAT FW that changed the source IP address to a private address,
    then that NAT FW needs to write the client's IP address into the HTTP XFF request header,
    and ASM needs to read the client IP from that XFF header.

    • Emil_Tr

      Hi

      As I mentioned, there is no trusted proxy in front of F5 and the actual source IP (as it arrives at F5) is the public source IP, meaning the FW does NOT change the client's source IP.
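The reply above and the K36452759 note ("ensure this header name is inserted by a trusted source") describe one policy: count DoS/bot traffic against the TCP source IP unless the immediate peer is a trusted proxy, and only then read X-Forwarded-For. The following is an added illustration of that policy, not BIG-IP's own code or the thread's; the trusted-proxy range and the addresses are constructed, and the right-to-left walk over XFF is this example's own assumption about how a trusted chain is resolved.

```python
import ipaddress
from typing import Iterable, Optional

# Constructed example: the NAT firewall from the reply above, the only device
# allowed to set X-Forwarded-For. With no proxy in front of the F5 (the
# question's situation) this list would simply be empty.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def _parse_ip(text: str):
    """Return an address object, or None when the XFF hop is not a valid IP."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def _is_trusted(addr, trusted: Iterable) -> bool:
    return any(addr in net for net in trusted)


def effective_client_ip(source_ip: str, xff_header: Optional[str],
                        trusted=TRUSTED_PROXIES) -> str:
    """Decide which IP a DoS/bot policy should attribute the request to.

    Policy (this example's assumption, mirroring the articles' wording):
    - The connection source IP is used unless the peer is a trusted proxy.
    - If it is, X-Forwarded-For is walked right to left; hops that are
      themselves trusted proxies are skipped and the first untrusted hop is
      the client. An untrusted peer can put anything in the header, so its
      XFF is never consulted.
    """
    peer = ipaddress.ip_address(source_ip)
    if not xff_header or not _is_trusted(peer, trusted):
        return str(peer)  # no trusted proxy in front: XFF is ignored
    for hop in reversed(xff_header.split(",")):
        addr = _parse_ip(hop)
        if addr is None:
            break  # malformed hop: fall back to the proxy's own address
        if not _is_trusted(addr, trusted):
            return str(addr)
    return str(peer)  # every hop was a trusted proxy


if __name__ == "__main__":
    # Public client talking straight to the F5, spoofed XFF is ignored.
    print(effective_client_ip("203.0.113.7", "198.51.100.9"))
    # Client behind the trusted NAT firewall, XFF supplies the real address.
    print(effective_client_ip("10.1.2.3", "198.51.100.9, 10.9.9.9"))
```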