Forum Discussion

mf5's avatar
mf5
Icon for Nimbostratus rankNimbostratus
Sep 09, 2018

XFF with ASM policy enabled on VS

We have a VS which has ASM security policy applied to it and XFF is enabled in http profile, still we are unable to see client IP in the IIS logs. The IIS version is 10.   If we remove the ASM pol...
application delivery
ASM Advanced WAF
LTM
youssef1's avatar
youssef1
Icon for Cumulonimbus rankCumulonimbus
Sep 09, 2018

Hi,

 

You have to do 2 things, enable XFF in your HTTP profile and trust xff header (that's means that you will forward client ip to the backend and use XFF in asm):

 

  • Log in to the Configuration utility.
  • Navigate to Local Traffic > Profiles.
  • From the Services menu, click HTTP.
  • Click Create.
  • Type a name for the HTTP profile.

  • Select the Insert X-Forwarded-For check box. Note: Older versions of BIG-IP software may display the option as Insert XForwarded For instead of Insert X-Forwarded-For.

     

  • From the Insert X-Forwarded-For menu, select Enabled.

     

  • Click Finished.
  • You must now associate the new HTTP profile with the virtual server

For more information: https://devcentral.f5.com/questions/xff-with-asm-policy-enabled-on-vs-61536

 

Additional Important information:

 

If multiple X-Forwarded-For headers are present, the BIG-IP ASM system uses the last header. If multiple IP addresses are present in the X-Forwarded-For header, the BIG-IP ASM system uses the last IP address in the header. For example, in the following X-Forwarded-For header, the BIG-IP ASM system uses IP address 172.16.33.100:

 

X-Forwarded-For: 172.16.2.66, 172.16.2.103, 172.16.33.100

 

  • If the X-Forwarded-For header value is empty, or the header format is non-RFC compliant, the BIG-IP ASM system uses the source IP of the packet.
  • If multiple IP addresses are present in the X-Forwarded-For header, the BIG-IP ASM system uses the last IP address in the header.

For example, in the following X-Forwarded-For header, the BIG-IP ASM system uses IP address 172.16.33.100:

 

X-Forwarded-For: 172.16.2.66, 172.16.2.103, 172.16.33.100

 

  • If the X-Forwarded-For header value is empty, or the header format is non-RFC compliant, the BIG-IP ASM system uses the source IP of the packet.
  • If X-Forwarded-For is enabled on the HTTP profile associated with the virtual server on the BIG-IP system, the BIG-IP ASM system uses the value of the X-Forwarded-For header inserted by the HTTP profile, which is the source IP of the ingress packet.

for more information: https://support.f5.com/csp/article/K12264

 

hope it will help you.

 

regards,