Forum Discussion
Preventing XFF header spoofing
This is still relevant, but what about when traffic comes from the AWS CDN, for example? Will you want to overwrite the XFF header that the CDN configured, which actually is the real IP address?
In that case it is better to have an AFM ACL or an iRule with a data group that checks whether the IP address is part of the known AWS CDN IP address range and, if so, does not overwrite the XFF header, but if it is not, overwrites it.
You can use an iCall script to pull the AWS CDN range every day from a central server if you don't have BIG-IQ and you have many BIG-IP devices.
Knowledge sharing: Ways to trigger and schedule scripts on the F5 BIG-IP devices. | DevCentral
Or use an external data group:
Modify large external data-groups with CLI (11.x - 16.x) (f5.com)
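
The check described in the post above, as an added example that is not part of the original post and not F5's own code: an iRule that keeps X-Forwarded-For only when the connecting peer matches an address-type data group, and otherwise replaces it with the peer address. The data group name `cdn_trusted_ranges` is a hypothetical placeholder for whatever group holds the CDN's published ranges.

```tcl
# Added example. Assumes an address-type data group named
# cdn_trusted_ranges (hypothetical name) that holds the CDN's
# published egress ranges, kept current by a scheduled job.
when HTTP_REQUEST {
    # Address of the TCP peer that connected to the virtual server
    set peer [IP::client_addr]

    if { [class match $peer equals cdn_trusted_ranges] } {
        # Peer is a known CDN node: keep the XFF it sent
        if { ![HTTP::header exists "X-Forwarded-For"] } {
            # CDN sent no XFF at all; fall back to the peer address
            HTTP::header insert "X-Forwarded-For" $peer
        }
    } else {
        # Peer is not a known CDN node: any XFF present is client-supplied
        if { [HTTP::header exists "X-Forwarded-For"] } {
            log local0.info "Dropping untrusted XFF '[HTTP::header values "X-Forwarded-For"]' from $peer"
        }
        # remove deletes every instance of the header, not only the first
        HTTP::header remove "X-Forwarded-For"
        HTTP::header insert "X-Forwarded-For" $peer
    }
}
```

When the trusted peer appends to an existing X-Forwarded-For rather than overwriting it, only the last entry was written by that peer; entries to its left are still client-supplied.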