Forum Discussion
X-Forwarded-For through proxy and F5
As for the remote sites using proxies, each one NEEDS to insert the XFF. Verify they are doing this with tcpdump on the frontend of the f5.
Then since the VS is performing SNAT, it is inserting the IP of the proxy source as the XFF. You need to use an iRule to append the header with an additional XFF received from the proxy.
As you have disparate configurations at your remote sites, you probably need to change the behavior per source IP, as the f5 inserting the proxy IP after SNAT will not help you out. You want the XFF that the proxy is sending toward the f5 maintained when forwarded to the backend servers, so use append.
This will append the XFF if it exists, or insert a new one if it does not:
when HTTP_REQUEST {
    # Append the connecting address to an existing X-Forwarded-For, or start a new one
    if { [HTTP::header exists "X-Forwarded-For"] } {
        set XFF [HTTP::header "X-Forwarded-For"]
        # Use append, not lappend: the header value is a string, not a Tcl list
        append XFF ", " [IP::remote_addr]
    } else {
        set XFF [IP::remote_addr]
    }
    HTTP::header replace "X-Forwarded-For" $XFF
}
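An added example, not part of the original post: once the F5 appends rather than overwrites, the backend receives a chain whose left-hand entries are whatever the sender supplied, so it should resolve the client by walking the chain right to left and stopping at the first address that is not one of its own proxies. The addresses and the `TRUSTED_HOPS` list are constructed for illustration, and `append_xff` only models the iRule's string handling.

```python
import ipaddress

# Assumption (constructed): networks of the remote-site proxies and the F5 SNAT pool.
TRUSTED_HOPS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "10.0.0.0/8")]


def append_xff(existing, peer_ip):
    """Model the iRule: append the TCP peer to a received XFF, else start one."""
    return f"{existing}, {peer_ip}" if existing else peer_ip


def is_trusted(ip):
    return any(ip in net for net in TRUSTED_HOPS)


def client_ip(xff, peer_ip):
    """Resolve the client from the XFF chain plus the backend's TCP peer.

    Walk right to left and return the first hop outside TRUSTED_HOPS.
    Anything further left came from an untrusted sender and is ignored.
    """
    chain = [h.strip() for h in xff.split(",") if h.strip()] + [peer_ip]
    for hop in reversed(chain):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed entry: do not trust anything left of it
        if not is_trusted(ip):
            return str(ip)
    return None  # every hop was one of our own proxies


if __name__ == "__main__":
    snat = "10.1.1.5"  # constructed F5 SNAT address seen by the backend
    # Remote-site proxy forwards its client's address; the F5 appends the proxy.
    via_proxy = append_xff("203.0.113.9", "198.51.100.7")
    print(via_proxy, "->", client_ip(via_proxy, snat))
    # Direct client sends its own XFF claiming an internal address.
    forged = append_xff("10.9.9.9", "192.0.2.50")
    print(forged, "->", client_ip(forged, snat))
```

Taking the left-most entry instead would return `10.9.9.9` in the second case, which is why allow lists and logging on the backend should key on the resolved value.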