26-Apr-2022 02:24
Hello Everyone,
We have F5 DNS configured with SNAT, which then forwards the traffic to an F5 WAF (a different device).
How can we insert the XFF header on the F5 DNS?
26-Apr-2022 02:34
Hi,
Do you mean DNS? If you have an LTM with a virtual server configured with an HTTP profile passing your traffic, you can turn on XFF inside the HTTP profile with a simple tick box.
Pete
26-Apr-2022 02:57
Hello Pete
Yes, F5-DNS. The issue is when we configure the VS with an HTTP profile, the VS does not work.
26-Apr-2022 03:07
OK, so did you find the XFF variable and enable it? Did that fix your issue?
If not, can you explain your config slightly more? DNS isn't HTTP, and they work in different ways.
What I think you're trying to do is pass the client IP from the front F5 back to the one with the WAF on it, so the WAF can see the client IP. Is that correct?
One thing to ask: is this traffic encrypted, so HTTPS? And are the SSL profiles all configured correctly?
26-Apr-2022 03:16
Please find my answers:
What I think you're trying to do is pass the client IP from the front F5 back to the one with the WAF on it, so the WAF can see the client IP. Is that correct? Yes, that is the requirement.
The traffic is encrypted and no SSL profile is assigned on the F5 DNS; SSL is offloaded on the F5 WAF.
26-Apr-2022 03:21
OK, cool.
So I think there is your answer: XFF is an HTTP header, so the front F5 needs to have the SSL profiles to be able to decrypt, add the XFF HTTP header and then re-encrypt it to pass it on to your WAF.
If you do move the SSL offload to the front F5, you could technically not re-encrypt the traffic and just pass it to the WAF unencrypted, but that'll depend on your application.
26-Apr-2022 02:38 - edited 26-Apr-2022 02:39
Hello Aalshehri.
You can do it with EDNS
https://clouddocs.f5.com/api/irules/DNS__edns0.html
REF - https://serverfault.com/questions/812034/dns-forwarded-for
26-Apr-2022 03:29
EDNS requires assigning a DNS profile on the VS, and we would prefer another solution if there is one.
26-Apr-2022 23:03
OK, so your problem is that you cannot insert an XFF header into TLS encrypted traffic.
The easy solution is to terminate TLS on the DNS virtual server, insert the XFF header using an HTTP profile, re-encrypt on the server-side and then send to the WAF. This is the recommended approach.
There is a harder approach, which is a technique used by Akamai for encrypted traffic that is redirected to an origin server. They insert the original client IP into a TCP option (option 28) because it is rarely used. The option gets extracted at the destination server and inserted into the request as an XFF header using an iRule.
I have an iRule to extract an IP address inserted into a TCP option 28 header; I just need to write an additional iRule that could insert it on the server side of the DNS. I can provide the iRules tomorrow. However, the first option above is the preferred option.
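The option-28 approach in the reply above, as an added example that is not part of the thread and not an F5 iRule: Python that walks a raw TCP options field, pulls the client address out of option 28 and shows how the receiving hop would fold it into X-Forwarded-For. The 4-byte IPv4 payload layout and the sample option bytes are constructed assumptions; on the BIG-IP the same steps would be done in an iRule with TCP::option get and HTTP::header insert.

```python
import ipaddress
from typing import Optional

# Option kind the reply describes Akamai using for the original client IP;
# an F5 iRule would read the same bytes with "TCP::option get 28".
CLIENT_IP_OPTION_KIND = 28


def parse_tcp_options(options: bytes) -> dict:
    """Walk a raw TCP options field and return {kind: data}.

    Kind 0 (EOL) ends the list, kind 1 (NOP) has no length byte, all other
    options are kind, length, data with length counting the whole option.
    Parsing stops on a truncated or zero-length option instead of over-reading.
    """
    found = {}
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:
            break
        if kind == 1:
            i += 1
            continue
        if i + 1 >= len(options):
            break
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            break  # malformed option: refuse to guess
        found[kind] = options[i + 2:i + length]
        i += length
    return found


def client_ip_from_option28(options: bytes) -> Optional[str]:
    """IPv4 address carried in option 28, or None if absent or malformed.

    Assumed (constructed) payload format: the 4-byte address, network order.
    """
    data = parse_tcp_options(options).get(CLIENT_IP_OPTION_KIND)
    if data is None or len(data) != 4:
        return None
    return str(ipaddress.IPv4Address(data))


def build_xff(client_ip: str, existing_xff: Optional[str] = None) -> str:
    """Append the proxy-observed address to X-Forwarded-For.

    Anything already in the header came from the client and is untrusted;
    the WAF should only rely on the rightmost entry, which this hop appended.
    """
    return f"{existing_xff}, {client_ip}" if existing_xff else client_ip


# Constructed sample: MSS 1460, two NOPs, then option 28 carrying 203.0.113.7.
SAMPLE_OPTIONS = bytes([2, 4, 0x05, 0xB4, 1, 1, 28, 6]) + ipaddress.IPv4Address("203.0.113.7").packed
```

The WAF's trust rule follows from build_xff: only the rightmost XFF entry was written by a hop you control, so client-supplied entries to its left must not drive allow-lists or rate limits.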