I have a case where a user has pointed out that the X-Forwarded-For has the F5 self IP. F5 has automap enabled. Is this expected behaviour? The VS has a TCP profile, so nothing is being done by F5 to the HTTP header.
I suggest you look at the server that is the node for the VS that is setting this header. Since the LTM is set for SNAT/automap, the self IP address will be the client address seen by that server.
I do have the header capture from the server, and it shows
Header [x-forwarded-for]: x.x.x.x
x.x.x.x is the F5 self IP
My question is, is this expected behavior? My understanding was, if I don't change or insert anything in the header through F5, the XFF value should not reflect the F5 IP...
XFF is used to indicate the originating IP address. The configuration details you've given for the LTM mean it's not including the header, so it must be the back-end server that is doing it, confirmed by the address being the LTM self address.
Is this expected behaviour? It will be if the server is configured for XFF insertion.
When you say "I do have the header capture from the server",
does that mean an actual network packet capture before the server HTTP server software touched it?
I agree with you that it doesn't make sense for the F5 BIG-IP to do this if there is no HTTP profile involved.
But there still can be something else between the F5 BIG-IP and the HTTP server.
And there is the slight chance someone is being playful and inserting it at the client side.
Unless the server is modifying the XFF header, F5 will always set it as the client IP. If you do a capture and examine the backend traffic from F5, you can see the XFF details.
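One way to run the comparison discussed in this thread, as an added example that is not from any poster or from F5: check the request as captured on the wire in front of the HTTP server against the X-Forwarded-For value the application reported. The function names, result labels and addresses (documentation ranges) are constructed for illustration.

```python
# Added example; helper names, labels and sample addresses are constructed.

def split_xff(value):
    """Split a comma-separated X-Forwarded-For value into addresses."""
    return [v.strip() for v in value.split(",") if v.strip()]

def wire_xff(raw_request):
    """Addresses in every X-Forwarded-For line of a raw HTTP/1.x request head."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    found = []
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-forwarded-for":
            found += split_xff(value)
    return found

def locate_insertion(raw_request, peer_ip, app_xff, self_ips):
    """Classify where the XFF value the application saw came from.

    raw_request: bytes captured on the wire in front of the HTTP server
    peer_ip:     source address of that TCP connection (the SNAT
                 address when automap is on)
    app_xff:     header value the application or server log reported
    self_ips:    BIG-IP self IPs used by SNAT automap
    """
    on_wire, seen = wire_xff(raw_request), split_xff(app_xff)
    if not on_wire:
        if not seen:
            return "absent"
        # Not in the packet, present in the app: added after the capture
        # point, e.g. by the web server or a local proxy module.
        if seen[-1] == peer_ip:
            return "added-after-capture-from-peer"
        return "added-after-capture"
    if on_wire[-1] in self_ips:
        # Already on the wire with a self IP: a hop that saw the SNAT'd
        # connection wrote it, or the client sent it.
        return "on-wire-self-ip"
    return "on-wire-upstream"

SELF_IPS = {"192.0.2.10"}                         # constructed self IP
NO_XFF = b"GET / HTTP/1.1\r\nHost: app.example\r\n\r\n"
WITH_SELF = b"GET / HTTP/1.1\r\nHost: app.example\r\nX-Forwarded-For: 192.0.2.10\r\n\r\n"
WITH_CLIENT = b"GET / HTTP/1.1\r\nHost: app.example\r\nX-Forwarded-For: 203.0.113.7\r\n\r\n"

if __name__ == "__main__":
    print(locate_insertion(NO_XFF, "192.0.2.10", "192.0.2.10", SELF_IPS))
```

The first result label corresponds to the case the thread settles on: no header in the packet leaving the BIG-IP, and the server software writing the SNAT'd peer address into X-Forwarded-For.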