Hi,
Keep in mind that a.) XFF will only work for HTTP traffic, b.) the VS needs to have the HTTP profile assigned to it, c.) the application (or device) receiving the traffic must correctly interpret the XFF HTTP Header.
You can search the system's connection table to find associated client-side & server-side flows. This way you can i.e. see all server-side connections for a specific client IP address; or find out which real client IP addresses are connected to a particular node or pool member.
Please refer to the following for more info on working with the connection table:
K53851362: Displaying and deleting BIG-IP connection table entries from the command line
https://support.f5.com/csp/article/K53851362
K40033505: Explaining the output of tmsh show sys connection
https://support.f5.com/csp/article/K40033505
You can also use tcpdump to i.e. capture traffic on the server-side connection related to a client-side IP address:
K20233108: Running the tcpdump utility using the p interface modifier