For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Sulabh_Srivasta's avatar
Sulabh_Srivasta
Icon for Cirrus rankCirrus
Mar 19, 2019

XFF and SNAT IP in header

Hi All,   I have client ssl and server ssl configured on a Virtual Server, that VIP also have SNAT and XFF configured. So when back end servers are getting the packet it has client info and SNAT I...
application delivery
BIG-IP
LTM
security
Rico_368208's avatar
Rico_368208
Icon for Nimbostratus rankNimbostratus
Mar 19, 2019

The way that the XFF header works is it takes the original client IP, the one connecting to the F5 device, and puts it in the XFF header. This is to get around the issue of the source IP being changed that comes from the F5 proxying the connection. When the backend server receives the data, it should have a source IP of the F5 SNAT IP and a header with the original client IP. If this is not what you are seeing, something is messing up. If this is what you are seeing but you want the source IP to be the IP of the original client and there to be no IP address from the F5, you would have to disable SNAT. Be careful with this though as it can cause an asymmetrical routing path that is hard to predict. If all the backend servers have the F5 as their default gateway, then you can disable SNAT safely.

 

If you have any more questions, I am sure I can help