Forum Discussion

mf5
Sep 09, 2018

XFF with ASM policy enabled on VS

We have a VS which has ASM security policy applied to it and XFF is enabled in http profile, still we are unable to see client IP in the IIS logs. The IIS version is 10.


If we remove the ASM policy we are able to get the client IP in the logs. What could be the issue...?


  • YossiV

    If you try, instead of the http profile xff, the following irule:

        when HTTP_REQUEST {
            HTTP::header insert X-Forwarded-For [IP::remote_addr]
        }

    Does it work for you?


  • Hi,


    You have to do 2 things: enable XFF in your HTTP profile and trust the XFF header (that means you will forward the client IP to the backend and use XFF in ASM):


    • Log in to the Configuration utility.
    • Navigate to Local Traffic > Profiles.
    • From the Services menu, click HTTP.
    • Click Create.
    • Type a name for the HTTP profile.
    • Select the Insert X-Forwarded-For check box. Note: Older versions of BIG-IP software may display the option as Insert XForwarded For instead of Insert X-Forwarded-For.
    • From the Insert X-Forwarded-For menu, select Enabled.
    • Click Finished.
    • You must now associate the new HTTP profile with the virtual server.

    For more information: https://devcentral.f5.com/questions/xff-with-asm-policy-enabled-on-vs-61536


    Additional important information:


    If multiple X-Forwarded-For headers are present, the BIG-IP ASM system uses the last header. If multiple IP addresses are present in the X-Forwarded-For header, the BIG-IP ASM system uses the last IP address in the header. For example, in the following X-Forwarded-For header, the BIG-IP ASM system uses IP address 172.16.33.100:


    X-Forwarded-For: 172.16.2.66, 172.16.2.103, 172.16.33.100


    • If the X-Forwarded-For header value is empty, or the header format is non-RFC compliant, the BIG-IP ASM system uses the source IP of the packet.
    • If X-Forwarded-For is enabled on the HTTP profile associated with the virtual server on the BIG-IP system, the BIG-IP ASM system uses the value of the X-Forwarded-For header inserted by the HTTP profile, which is the source IP of the ingress packet.

    for more information: https://support.f5.com/csp/article/K12264


    Hope it will help you.


    regards,
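The selection rule quoted from K12264 above (last X-Forwarded-For header wins, last address in it wins, empty or malformed value falls back to the packet source), modelled as an added Python example that is not part of this thread or of any F5 code. It assumes that the HTTP profile's Insert X-Forwarded-For option adds a further header carrying the ingress source rather than rewriting a client-supplied one; all addresses are constructed sample values.

```python
import ipaddress
from typing import List, Sequence


def asm_client_ip(xff_headers: Sequence[str], packet_source_ip: str) -> str:
    """Client IP as ASM would attribute it under 'Trust XFF'.

    Rule from the K12264 text quoted in the answer above:
      * several X-Forwarded-For headers  -> use the last header
      * several addresses in that header -> use the last address
      * empty value or non-RFC format    -> use the packet's source IP
    """
    if not xff_headers:
        return packet_source_ip
    last_header = xff_headers[-1]
    # XFF is a comma-separated list; surrounding whitespace is tolerated.
    candidates = [token.strip() for token in last_header.split(",")]
    chosen = candidates[-1]
    try:
        # ipaddress rejects "", garbage and ports, i.e. non-RFC values.
        return str(ipaddress.ip_address(chosen))
    except ValueError:
        return packet_source_ip


def bigip_insert_xff(xff_headers: Sequence[str], ingress_source_ip: str) -> List[str]:
    """Assumed model of the HTTP profile's Insert X-Forwarded-For option:
    a new header holding the ingress packet's source is appended, so it
    becomes the last header and therefore the one ASM picks."""
    return list(xff_headers) + [ingress_source_ip]


def walk_through() -> dict:
    """Constructed cases mirroring each bullet of the quoted KB text."""
    src = "198.51.100.7"          # constructed: source IP of the ingress packet
    return {
        # the KB example: last address of a three-hop list
        "last_ip": asm_client_ip(["172.16.2.66, 172.16.2.103, 172.16.33.100"], src),
        # two headers present: the later header wins
        "last_header": asm_client_ip(["172.16.2.66", "172.16.2.103"], src),
        # empty / malformed values fall back to the packet source
        "empty": asm_client_ip([""], src),
        "malformed": asm_client_ip(["not an address"], src),
        # without the profile, a header the client sent is what ASM sees
        "client_only": asm_client_ip(["203.0.113.9"], src),
        # with the profile inserting XFF, ASM sees the ingress source instead
        "with_profile": asm_client_ip(bigip_insert_xff(["203.0.113.9"], src), src),
    }
```

The last two cases show why the answer pairs "Trust XFF" with the profile's insert option: only the value the BIG-IP itself appends is guaranteed to be the ingress source.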