Hello Experts,I need your help to get the issue sorted on my end. I've been looking for a solution to retain client's Original IP address instead of SNAT IP address. Have gone through few articels on XFF and I couldn;t understand. Appreciate if anyone can please help me with this issue, as this seems to be prolong one. Is it possible to check the client's original IP on f5 itself or in F5 Logging or anywhere in var logs?

Hi, Keep in mind that a.) XFF will only work for HTTP traffic, b.) the VS needs to have the HTTP profile assigned to it, c.) the application (or device) receiving the traffic must correctly interpret the XFF HTTP Header. You can search the system's connection table to find associated client-side & server-side flows. This way you can i.e. see all server-side connections for a specific client IP address; or find out which real client IP addresses are connected to a particular node or pool member. Please refer to the following for more info on working with the connection table: K53851362: Displaying and deleting BIG-IP connection table entries from the command line https://support.f5.com/csp/article/K53851362 K40033505: Explaining the output of tmsh show sys connection https://support.f5.com/csp/article/K40033505 You can also use tcpdump to i.e. capture traffic on the server-side connection related to a client-side IP address: K20233108: Running the tcpdump utility using the p interface modifier https://support.f5.com/csp/article/K20233108 Hope this helps.

Hello Nützmann,Thank you for your reply, really appreciate that. I'm actually looking for logs which are a week older or 10 days older and has the information about the client's original IP address or the client's true IP address. Is there a way we can do some customization or configuration on F5 to store those logs in var/log folder or to send it to some external syslog server? I know XFF work for only HTTP VS and then we need to configure the web server to extract the IP address from the HTTP header, but need to check the older logs which has the true client IP address.can we tune F5 settings to send the logs which have the client True IP address to any syslog server or to store the logs on f5 itself in var/log for auditing or troubleshooting. Any further help on this would really help me. Thank you again for your kind support. Have a good day sir!

You may want to configure a remote syslog server in System >> Logs : Remote Server Now you can use an iRule to log each incoming http-request: when HTTP_REQUEST { log local0. "method=[HTTP::method];path=[HTTP::path];client_ip=[IP::client_addr]" } Log facility local0. writes into the /var/log/ltm and logs will be replicated to the remote syslog server as well. The logs on the BIG-IP are rotated each day around 3 AM, compressed and removed on the 10th day or earlier, if they are too large.

You could find the client IP address in server side logs after some simple actions by extract the IP address from the HTTP header, all web servers you can do that MS IIS, apache, NGNIX.Check out this short video https://youtu.be/t29kGIa04YUHow to use XFF check this articlehttps://support.f5.com/csp/article/K4816

ok Thanks Stephan, does that mean I dont have to configure XFF if I use this irule. will this irule send the client's original or true IP address to syslog server instead of SNAT IP address? Appreciate any help on this.

XFF for retaining client's Original IP

11 Replies

Rodolfo_Nützmann
MVP
Jul 04, 2022
Hi,

Keep in mind that a.) XFF will only work for HTTP traffic, b.) the VS needs to have the HTTP profile assigned to it, c.) the application (or device) receiving the traffic must correctly interpret the XFF HTTP Header.

You can search the system's connection table to find associated client-side & server-side flows. This way you can i.e. see all server-side connections for a specific client IP address; or find out which real client IP addresses are connected to a particular node or pool member.

Please refer to the following for more info on working with the connection table:

K53851362: Displaying and deleting BIG-IP connection table entries from the command line

https://support.f5.com/csp/article/K53851362

K40033505: Explaining the output of tmsh show sys connection

https://support.f5.com/csp/article/K40033505

You can also use tcpdump to i.e. capture traffic on the server-side connection related to a client-side IP address:

K20233108: Running the tcpdump utility using the p interface modifier

https://support.f5.com/csp/article/K20233108

Hope this helps.
- mohammed5370
  Nimbostratus
  Jul 05, 2022
  Hello Nützmann,
  Thank you for your reply, really appreciate that. I'm actually looking for logs which are a week older or 10 days older and has the information about the client's original IP address or the client's true IP address. Is there a way we can do some customization or configuration on F5 to store those logs in var/log folder or to send it to some external syslog server? I know XFF work for only HTTP VS and then we need to configure the web server to extract the IP address from the HTTP header, but need to check the older logs which has the true client IP address.
  can we tune F5 settings to send the logs which have the client True IP address to any syslog server or to store the logs on f5 itself in var/log for auditing or troubleshooting. Any further help on this would really help me. Thank you again for your kind support. Have a good day sir!
  - StephanManthey
    MVP
    Jul 05, 2022
    You may want to configure a remote syslog server in System >> Logs : Remote Server
    
    Now you can use an iRule to log each incoming http-request:
    
    when HTTP_REQUEST { log local0. "method=[HTTP::method];path=[HTTP::path];client_ip=[IP::client_addr]" }
    
    Log facility local0. writes into the /var/log/ltm and logs will be replicated to the remote syslog server as well.
    
    The logs on the BIG-IP are rotated each day around 3 AM, compressed and removed on the 10th day or earlier, if they are too large.
Tamer-Zain
Cirrus
Jul 07, 2022
You could find the client IP address in server side logs after some simple actions by extract the IP address from the HTTP header, all web servers you can do that MS IIS, apache, NGNIX.
Check out this short video
https://youtu.be/t29kGIa04YU
How to use XFF check this article
https://support.f5.com/csp/article/K4816
- mohammed5370
  Nimbostratus
  Jul 08, 2022
  Hello Zain,
  I have many virtual server and configuring all backend server to extract the IP address from HTTP header would be too difficult. I 'm looking for an alternative to get the Client's true IP or Original IP address without having to configure any thing on the backend server. I would need something to do on F5 itself to get the original IP address.

Forum Discussion

XFF for retaining client's Original IP

11 Replies

Recent Discussions

What are the different phases in DevOps?

Create a CSR and Key using the BigIP LTM GUI when renewing a certificate

F5 Rseries HA

Error when running bigip_command Playbook against LTM : Syntax Error: unexpected argument /bin/sh\n

Can iRule be used to perform exception of IPI category based on Geolocation

Related Content

F5 Distributed Cloud Origin Server Subset Rules

Load Balance UDP (Retain Source Client IP)

Fingerprinting TLS Clients with JA4 on F5 BIG-IP

Enhance your Application Security using Client-side signals

iRule based RADIUS Client Stack