Forum Discussion

Cirrus

Dec 25, 2024

Is XFF a must for ASM WAF DoS

In this article it is mentioned that you must configure "Accept XFF" in HTTP profile in order to use DOS or Bot protection. https://my.f5.com/manage/s/article/K000133493 "HTTP profile is required a...

MVP

Dec 25, 2024

dos and bot protection needs to check client's public ip address.

therefore, if your asm sits behind nat fw that changed source ip addres to private address,
then that natfw needs to write client's ip address into http xff request header
and asm needs to read client ip from that xff header.

Emil_Tr

Cirrus

Dec 25, 2024

As I mentioned - there is no trusted proxy in front of F5 and the the actual source IP (as it arrives at F5) is the public source IP, meaning the FW does NOT change client's source IP.

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

GitHub Awesome-F5

Forum Discussion

Is XFF a must for ASM WAF DoS

Jonathan - March 2026 Featured Member

F5 AppWorld 2026 Las Vegas - iRules Contest Winners!

2026 F5 DevCentral MVP Announcement

Recent Discussions

Connection Rate Limit with log output

syslog over tcp and define management IP as source

Managing iRules configuration

Recommendation for Adv. Lab

Unable to Forward APM and AFM Logs to AWS CloudWatch Using Telemetry Streaming

Related Content

XFF Universal Persistence iRule

XFF Header Persistence iRule

XFF replace iRule help

Insert XFF on F5 BIG-IP DNS

Difference between Insert X-Forwarded-For and Accept XFF?

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS