For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Duncan_Proffitt's avatar
Duncan_Proffitt
Icon for Altostratus rankAltostratus
Apr 26, 2018

XFF and the ASM module

WE are experiencing a situation where the F5 is denying traffic due to an XFF that it doesnt understand.   The F5 receives traffic from a certain server that has already added an XFF on to the IP ...
application delivery
ASM Advanced WAF
LTM
taunan_89710's avatar
taunan_89710
Historic F5 Account
Jun 04, 2018

Sorry for the late answer.

 

The ASM must be configured to trust the XFF header in the policy configuration. Once this is done you can configure name of the XFF header to look for if it is non-standard.

 

If there are multiple XFF headers with the configured name ASM will use only the last one for reporting and inspection.

 

The unexpected behavior that many users run into is that if the HTTP profile is configured to insert an XFF header this becomes the last one in the list and ASM will use this. Essentially if there is an upstream SNAT the ASM will only see that address in the XFF header and effectively it is functionally identical to NOT using the XFF as the source IP will match what was received at layer3.

 

I hope this helps as a general guideline. I see you found an issue with the XFF iRule inserting the route domain suffix.