Technical Forum
Ask questions. Discover Answers.
Showing results for 
Search instead for 
Did you mean: 
Custom Alert Banner

How to filter ASM logs by the client's real IP?


Hello everybody,

I have an environment where I have two F5s, one external and one internal, however the ASM module is only enabled on the internal F5, in which the source IP that arrives is from the external self IP. I can view the client's real IP through x-forwarded-for, but I would like to know if I can make a filter in F5 to search for the IP of what comes in x-forwarded-for, instead of the layer's IP network



if you have attached a http profile with Accept XFF   enabled in ASM F5 VIP and in the WAF policy enable the Trust XFF Header   then you can see the X-forward-for IP actual client ip in asm event logs instead of External F5 Selfip, then you can filter the log with IP address.

@Augusto to try to clarify the above statement which may help.
You need to apply a http profile with the add xff function turned on to the external f5, so the one on the border.

Then on the internal f5 where you have ASM/ AWAF tell the WAF policy to Trust XFF headers so the exernal IP is seen when it comes over the border.

You could also turn this on, on the internal f5 you can have many IP's in the XFF header you just need to keep a track of which one the ASM module is using for its calculations.

Hi @Augusto , 

Like @ragunath154 said you can do that.
and here the official article for implementation like this :

Please try the workaround and Mark the reply of @ragunath154 as an accepted solution , to make it easy for other F5 users to know about it.

Mohamed Kansoh