Technical Forum
Ask questions. Discover Answers.
Showing results for 
Search instead for 
Did you mean: 
Custom Alert Banner

XFF for retaining client's Original IP


Hello Experts,

I need your help to get the issue sorted on my end. I've been looking for a solution to retain client's Original IP address instead of SNAT IP address. Have gone through few articels on XFF and I couldn;t understand.  Appreciate if anyone can please help me with this issue, as this seems to be prolong one. Is it possible to check the client's original IP on f5 itself or in F5 Logging or anywhere in var logs?



Keep in mind that a.) XFF will only work for HTTP traffic, b.) the VS needs to have the HTTP profile assigned to it, c.) the application (or device) receiving the traffic must correctly interpret the XFF HTTP Header.

You can search the system's connection table to find associated client-side & server-side flows. This way you can i.e. see all server-side connections for a specific client IP address; or find out which real client IP addresses are connected to a particular node or pool member.

Please refer to the following for more info on working with the connection table:

K53851362: Displaying and deleting BIG-IP connection table entries from the command line

K40033505: Explaining the output of tmsh show sys connection


You can also use tcpdump to i.e. capture traffic on the server-side connection related to a client-side IP address:
K20233108: Running the tcpdump utility using the p interface modifier
Hope this helps.

Hello Nützmann,

Thank you for your reply, really appreciate that. I'm actually looking for logs which are a week older or 10 days older and has the information about the client's original IP address or the client's true IP address. Is there a way we can do some customization or configuration on F5 to store those logs in var/log folder or to send it to some external syslog server? I know XFF work for only HTTP VS and then we need to configure the web server to extract the IP address from the HTTP header, but need to check the older logs which has the true client IP address.

can we tune F5 settings to send the logs which have the client True IP address to any syslog server or to store the logs on f5 itself in var/log for auditing or troubleshooting. Any further help on this would really help me. Thank you again for your kind support. Have a good day sir! 

You may want to configure a remote syslog server in System >> Logs : Remote Server

Now you can use an iRule to log each incoming http-request:

    log local0. "method=[HTTP::method];path=[HTTP::path];client_ip=[IP::client_addr]"

Log facility local0. writes into the /var/log/ltm and logs will be replicated to the remote syslog server as well.

The logs on the BIG-IP are rotated each day around 3 AM, compressed and removed on the 10th day or earlier, if they are too large.

ok Thanks Stephan, does that mean I dont have to configure XFF if I use this irule. will this irule send the client's original or true IP address to syslog server instead of SNAT IP address? Appreciate any help on this.

The iRule will send the original client IP along with the HTTP method and requested path to the local syslog, which is writing into /var/log/ltm. In case you also have configured a remote syslog server, it will show up there as well.

In most environments its the preferred method to insert the X-Forwarded-For on the load balancer and to consolidate the server logs. On the servers its required to change the logging directive so its tracking the IP address provided in the X-Forwarded-For header instead of the IP address of the IP header (which is the serverside SNAT inserted by the BIG-IP).

If you lookup server logs, you will notice, that a log entry contains information both of the request and the response (i.e. status code), this can be accomplished as well.

This would require to store request information of your choise (i.e. the clients original IP address) in a variable in the context of the HTTP_REQUEST event and to write this information in the context of the HTTP_RESPONSE event along with i.e. status code, content type, content length to the logs.

is this how the logs in var/log/ltm  look like.

Jul 7 23:47:14 OC1-BIGIP-F5LTM-T1 info tmm6[29783]: Rule /Common/Test-client-IP-Add <HTTP_REQUEST>: method=GET;path=/identify_user.asp;client_ip=
Jul 7 23:47:14 OC1-BIGIP-F5LTM-T1 info tmm6[29783]: Rule /Common/Test-client-IP-Add <HTTP_REQUEST>: method=GET;path=/common/css/styles.css;client_ip=
Jul 7 23:47:14 OC1-BIGIP-F5LTM-T1 info tmm5[29783]: Rule /Common/Test-client-IP-Add <HTTP_REQUEST>: method=GET;path=/common/inc_navigator_utility.js;client_ip=
Jul 7 23:47:14 OC1-BIGIP-F5LTM-T1 info tmm6[29783]: Rule /Common/Test-client-IP-Add <HTTP_REQUEST>: method=GET;path=/common/js/script_login_utility.js;client_ip=
Jul 7 23:57:07 OC1-BIGIP-F5LTM-T1 info tmm7[29783]: Rule /Common/Test-client-IP-Add <HTTP_REQUEST>: method=GET;path=/identify_user.asp;client_ip=
Jul 7 23:57:27 OC1-BIGIP-F5LTM-T1 info tmm2[29783]: Rule /Common/Test-client-IP-Add <HTTP_REQUEST>: method=GET;path=/;client_ip=
Jul 7 23:57:27 OC1-BIGIP-F5LTM-T1 info tmm2[29783]: Rule /Common/Test-

or can you give me a sample of how exactly the true client IP logs look like in. I just configured the irule and attached it to the virtual server. tried accessing the URL and looked for the client IP address, but couldn't find one. Do I need to use the any filter or grep to look ?
I tried filtering with Virtual server IP address and true client IP address and still couldn't find anyone of that.

Hi @mohammed5370, it looks like the BIG-IP is seeing the as client IP address only.

This is, because there is only one client ( requesting your service or (more likely) all incoming client requests go through a proxy or other device first, which applies a hiding NAT.

So there is little to no chance to see the actual client IP address.

But perhaps this device in front of your BIP-IP is inserting an X-Forwarded-For header? If this would be the case, you can log its value:

    log local0. "method=[HTTP::method];path=[HTTP::path];client_ip=[HTTP::header value X-Forwarded-For]"


For a more detailled request logging you may consider this log statement in the context of HTTP_REQUEST:

log local0. "irule=\"requestlogging\",virtual=\"[getfield [virtual name] / 3]\",src=\"[IP::client_addr]\",geo_country=\"[whereis [IP::client_addr] country]\",http_host=\"[HTTP::host]\",http_uri=\"[HTTP::uri]\",http_method=\"[HTTP::method]\",payload_lenght=\"[string length $payload]\",content_type=\"[HTTP::header value Content-Type]\",http_referer_path=\"[URI::path [HTTP::header value Referer]]\""

It will also provide information about the virtual server, handling the request, geolocation information of the client, the referer header (how the client was directed to your site) and others.

Please note, that a local log entry is limited in size. So perhaps you may want to use


instead of the http_uri and to avoid the logging of the http_referer_path.

I'm sorry stephan,I'm not that expert in linux logging,appreciate if you can guide me with the exact command to filter out when in var/log/ltm. I still couldn't find the IP address I'm looking for. Below are the steps which I configured to test it

1. Irule configured on f5
2. attached it to the Virtual server
3.tried access the virtual server through browser again, URL is accessible
4.connected into f5 CLI, then went to cd /var/log/ltm
5. saw too many logs, tried filtering using the grep command to see if it  could worked.
6. command I used to filter the logs (cat ltm | grep, where is the client's true IP address. and still couldn't find the output.

WOuld be grateful if you could give me the exact command to filter out the logs when I'm in below path or log folder
[admin@test-device] log #



You could find the client IP address in server side logs after some simple actions by extract the IP address from the HTTP header, all web servers you can do that MS IIS, apache, NGNIX.

Check out this short video

How to use XFF check this article



Hello Zain,

I have many virtual server and configuring all backend server to extract the IP address from HTTP header would be too difficult. I 'm looking for an alternative to get the Client's true IP or Original IP address without having to configure any thing on the backend server. I would need something to do on F5 itself to get the original IP address.