Forum Discussion

malookyi's avatar
malookyi
Icon for Nimbostratus rankNimbostratus
Feb 07, 2023
Solved

Change original source IP to random in ASM logs

Hello experts, On youtube I have find this video  BIG-IP AWAF Demo 38 - Use IP Geolocation Enforcement w/ F5 BIG-IP Advanced WAF (formerly ASM) - YouTube and in this video speaker show that she ha...
application delivery
event
  • Amine_Kadimi's avatar
    Amine_Kadimi
    Feb 07, 2023

    Hi, 

    The ASM can also look into the x-forwarded-for header to determine the original client IP, for that you need to tell your security policy to trust the xff header. Then you can inject the header whether from the client side using fiddler for example. Or you can inject it locally using this iRule:

    when HTTP_REQUEST {
   HTTP::header replace X-Forwarded-For "[expr (int(rand()*221)+1)].[expr int(rand()*254)].[expr int(rand()*254)].[expr int(rand()*254)]"
}

    This article describes the procedure for an old ASM version :

    https://f5-agility-labs-waf.readthedocs.io/en/latest/class3/module1/lab1/lab1.html 

Amine_Kadimi's avatar
Amine_Kadimi
Icon for MVP rankMVP
Feb 07, 2023

Hi, 

The ASM can also look into the x-forwarded-for header to determine the original client IP, for that you need to tell your security policy to trust the xff header. Then you can inject the header whether from the client side using fiddler for example. Or you can inject it locally using this iRule:

when HTTP_REQUEST {
   HTTP::header replace X-Forwarded-For "[expr (int(rand()*221)+1)].[expr int(rand()*254)].[expr int(rand()*254)].[expr int(rand()*254)]"
}

This article describes the procedure for an old ASM version :

https://f5-agility-labs-waf.readthedocs.io/en/latest/class3/module1/lab1/lab1.html 

  • malookyi's avatar
    malookyi
    Icon for Nimbostratus rankNimbostratus
    Feb 09, 2023

    Hello Amine_Kadimi 

    Thank you! It working!

    Many regards,

    Yaroslav