
How to filter ASM logs by the client's real IP?

Augusto
Nimbostratus

Hello everybody,


I have an environment with two F5s, one external and one internal. However, the ASM module is only enabled on the internal F5, where the source IP that arrives is the external F5's self IP. I can view the client's real IP through X-Forwarded-For, but I would like to know if I can make a filter in F5 to search for the IP that comes in X-Forwarded-For, instead of the network-layer IP.

3 REPLIES

ragunath154
Cirrostratus

If you have attached an HTTP profile with Accept XFF enabled to the ASM F5 VIP, and in the WAF policy you enable Trust XFF Header, then you can see the X-Forwarded-For IP (the actual client IP) in the ASM event logs instead of the external F5 self IP. You can then filter the log by IP address.

@Augusto, to try to clarify the above statement, which may help:
You need to apply an HTTP profile with the add XFF function turned on to the external F5, so the one on the border.
https://my.f5.com/manage/s/article/K4816

Then on the internal F5, where you have ASM/AWAF, tell the WAF policy to trust XFF headers so the external IP is seen when it comes over the border.

You could also turn this on on the internal F5. You can have many IPs in the XFF header; you just need to keep track of which one the ASM module is using for its calculations.
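
On the point about several IPs in the XFF header, an added example (not part of any reply in this thread, and not F5 code): a general right-to-left walk that picks the first hop not owned by your own proxies, then filters log records by that address. It does not reproduce ASM's own XFF selection; the proxy address, record fields and sample data are constructed assumptions.

```python
import ipaddress

# Assumption: self IP of the external F5 as seen by the internal one (constructed).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]

def is_trusted(ip):
    return any(ip in net for net in TRUSTED_PROXIES)

def real_client_ip(source_ip, xff_header):
    """Start at the network-layer source and step left through XFF only while
    the current address is one of our own proxies. Hops further left were
    supplied by the client and cannot be vouched for."""
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    candidate = ipaddress.ip_address(source_ip)
    for hop in reversed(hops):
        if not is_trusted(candidate):
            break  # first address we do not control: treat it as the client
        try:
            candidate = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed hop: stop rather than trust what lies beyond it
    return candidate

def filter_by_client(records, wanted):
    """Return records whose resolved client IP falls inside `wanted` (IP or CIDR)."""
    net = ipaddress.ip_network(wanted, strict=False)
    return [r for r in records
            if real_client_ip(r["source_ip"], r.get("xff")) in net]

# Constructed sample records (hypothetical fields, not an ASM export format).
SAMPLE = [
    # Normal case: external F5 inserted the client address.
    {"id": 1, "source_ip": "10.0.0.5", "xff": "198.51.100.20"},
    # Client sent its own XFF value; the external F5 appended the real peer.
    {"id": 2, "source_ip": "10.0.0.5", "xff": "198.51.100.20, 203.0.113.7"},
    # Request did not come through the external F5: XFF is ignored.
    {"id": 3, "source_ip": "192.0.2.99", "xff": "198.51.100.20"},
    # No XFF at all: only the self IP is known.
    {"id": 4, "source_ip": "10.0.0.5", "xff": None},
]

if __name__ == "__main__":
    for rec in filter_by_client(SAMPLE, "198.51.100.20"):
        print(rec)
```

Only record 1 matches `198.51.100.20`: in record 2 that value was supplied by the client, and in record 3 the request bypassed the trusted proxy.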

Hi @Augusto,

Like @ragunath154 said, you can do that.
Here is the official article for an implementation like this: https://my.f5.com/manage/s/article/K36452759

Please try the workaround and mark the reply of @ragunath154 as an accepted solution, to make it easy for other F5 users to know about it.

_______________________
Regards
Mohamed Kansoh