F5 XC Session tracking with User Identification Policy

With F5 AWAF/ASM there is feature called session tracking that allows tracking and blocking users that do too many violations not only based on IP address but also things like the BIG-IP AWAF/ASM session cookie. What about F5 XC Distributed Cloud? Well now we will answer that question 😉

Why tracking on ip addresses some times is not enough?

XC has a feature called malicious users that allows to block users if they generate too many service policy, waf , bot or other violations. By default users are tracked based on source IP addresses but what happens if there are proxies before the XC Cloud or NAT devices ? Well then all traffic for many users will come from a single ip address and when this IP address is blocked many users will get blocked, not just the one that did the violation. Now that we answered this question lets see what options we have.

Reference:

• AI/ML detection of Malicious Users using F5 Distributed Cloud WAAP

Trusted Client IP header

This option is useful when the client real ip addresses are in something like a XFF header that the proxy before the F5 XC adds. By enabling this option automatically XC will use this header not the  IP packet to get the client ip address and enforce Rate Limiting , Malicious Users blocking etc.

Even in the XC logs now the ip address in the header will be shown as a source IP and if there is no such header the ip address in the packet will be used as backup.

 

 

 

Reference:

• How to setup a Client IP as the Source IP on the HTTP Load Balancer headers? – F5 Distributed Cloud Services (zendesk.com)
• Overview of Trusted Client IP Headers in F5 Distributed Cloud Platform

User Identification Policies

The second more versatile feature is the XC user identification policies that by default is set to "Client IP" that will be the client ip from the IP packet or if "Trusted Client IP header" is configured the IP address from the configured header will be used.

When customizing the feature allows the use of TLS fingerprints , HTTP headers like the "Authorization" header and more options to track the users and enforce rate limiters on them or if they make too many violations and Malicious users is enabled to block them based on the configured identifier if they make too many waf violations and so much more.

The user identification will failover to the ip address in the packet if it can't identify the source user but multiple identification rules could be configured and evaluated one after another, as to only failover to the packet ip address if an identification rule can't be matched!

If  the backend upstream origin server application cookie is used for user identification and XC WAF App firewall is enabled and you can also use Cookie protection to protect the cookie from being send from another IP address!

 

 

 

 

 

 

 

The demo juice shop app at https://demo.owasp-juice.shop/ can be used for such testing!

References

• Lab 3: Malicious Users (f5.com)
• Malicious Users | F5 Distributed Cloud Technical Knowledge
• Configuring user session tracking (f5.com)
• How to configure Cookie Protection – F5 Distributed Cloud Services (zendesk.com)