Forum Discussion

Altostratus

Dec 25, 2024

Is XFF a must for ASM WAF DoS

In this article it is mentioned that you must configure "Accept XFF" in HTTP profile in order to use DOS or Bot protection. https://my.f5.com/manage/s/article/K000133493 "HTTP profile is required a...

MVP

Dec 26, 2024

dos and bot protection needs to check client's public ip address.

therefore, if your asm sits behind nat fw that changed source ip addres to private address,
then that natfw needs to write client's ip address into http xff request header
and asm needs to read client ip from that xff header.

Emil_Tr

Altostratus

Dec 26, 2024

As I mentioned - there is no trusted proxy in front of F5 and the the actual source IP (as it arrives at F5) is the public source IP, meaning the FW does NOT change client's source IP.

Recent Discussions

Under Attack? F5 Will Help You.
Contacting F5 Support?

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

Forum Discussion

Is XFF a must for ASM WAF DoS

Recent Discussions

Statistics ›› Analytics : HTTP : Overview

VS FORWARDING & ROUTE

Diameter iRules attachment?

Source IP F5 DNS Zone Forwarder

F5 BIG-IP

Related Content

XFF Universal Persistence iRule

XFF replace iRule help

XFF Header Persistence iRule

Insert XFF on F5 BIG-IP DNS

Difference between Insert X-Forwarded-For and Accept XFF?

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS