Forum Discussion
naladar_65658
Altostratus
AltostratusUsing X-Forwarded-For in Reports
Hello all,
I was wondering if anyone knows of a work around (iRule maybe?) for the following issue:
"Since BIG-IP ASM does not support the use of the X-Forwarded-For header, all traffic coming from an upstream device that proxies or applies address translation will be shown as the source IP address, rather than the originating source IP address of the client."
We have traffic coming into a BIG-IP 6400 and it passes traffic off to a standalone ASM 4100. It works great, but all the attack reports show the VIP's of the 6400 as the source. I would like the attack reports to use the X-Forwarded-For IP that the 6400 is putting into the header before it sends the traffic to the 4100.
- AaronJB
SIRT
Unfortunately there is no way of adjusting the reporting to use the X-Forwarded-For header in place of the TCP source address of the connection at this time, that I know of.
There is an active RFE CR requesting this functionality in a future version however, so I would invite you to open a case with F5 Support and ask for this feature so that we can make a note of your request against this CR and, hopefully, increase it's visibility within the company.
Thanks,
Aaron - In the current version 10.0 the remote logging feature in ASM provides a way to send the XFF header as part of the log.
You can then use your external logging facility (e.g. Splunk) to get the data you want
Thanks,
Tom.
