F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

Emil_Tr's avatar
Emil_Tr
Icon for Altocumulus rankAltocumulus
Dec 25, 2024

Is XFF a must for ASM WAF DoS

In this article it is mentioned that you must configure "Accept XFF" in HTTP profile in order to use DOS or Bot protection. https://my.f5.com/manage/s/article/K000133493 "HTTP profile is required a...
asm
ASM WAF
bot
dos
xff
zamroni777's avatar
zamroni777
Icon for MVP rankMVP
Dec 25, 2024

dos and bot protection needs to check client's public ip address.

therefore, if your asm sits behind nat fw that changed source ip addres to private address,
then that natfw needs to write client's ip address into http xff request header
and asm needs to read client ip from that xff header.

Emil_Tr's avatar
Emil_Tr
Icon for Altocumulus rankAltocumulus
Dec 25, 2024

Hi

As I mentioned - there is no trusted proxy in front of F5 and the the actual source IP (as it arrives at F5) is the public source IP, meaning the FW does NOT change client's source IP.