Forum Discussion

Altostratus

Aug 06, 2018

X-Forwarded-For: Multiple IP's Chained | Need Original IP | iRules and HTTP Profile?

Hello, I am at a loss. I am a security engineer and one of my jobs is managing the SIEM, which I am building out currently. One of the log sources is, of course, the F5 ASM logs. The problem, h...

Cumulonimbus

Aug 07, 2018

This is a case of multiple XFF headers and you can't really know which contains the end-user address unless you know the addresses of the intermediate systems to filter them out. To log all the addresses locally, you can do:

when HTTP_REQUEST {
    if { [HTTP::header values "X-Forwarded-For"] ne "" } {
        log local0. "[HTTP::header values \"X-Forwarded-For\"]"
    }
}

You will need to make some changes for remote logging.

Recent Discussions

Under Attack? F5 Will Help You.
Contacting F5 Support?

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

Forum Discussion

X-Forwarded-For: Multiple IP's Chained | Need Original IP | iRules and HTTP Profile?

Recent Discussions

Background Tasks

APM with EntraID as idP / request signed

Should config via cli rather than gui?

APM Modern Customization - modify Header in user-common.js and form in user-logon.js

Which process is consuming higher CPU

Related Content

Extracting X-Forwarded-For in Node.js

TCP Option 28 X-Forwarded-For Header

iRule for AFM IP Intelligence security policy to work with HTTP XFF (X-Forwarded-For) headers

X-Forwarded-For Log Filter for Windows Servers

Restricting Access to Virtual from client IP address in X-Forwarder-For HTTP header

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS