

Values in X-Forwarded-For when SNAT is enabled

Hi, I have a case where a user has pointed out that the X-Forwarded-For has the F5 self IP. F5 has automap enabled. Is this expected behaviour? The VS has a TCP profile, so nothing is being done by F5 to the HTTP header.

0

Answers to this Question

USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

I suggest you look at the server that is the node for the VS that is setting this header. Since the LTM is set for SNAT/automap, the self IP address will be the client address seen by that server.

0
Comments on this Answer
Comment made 3 months ago by mhd90 54

I do have the header capture from the server, and it shows Header [x-forwarded-for]: x.x.x.x

x.x.x.x is the F5 self IP.

My question is, is this expected behavior? My understanding was, if I don't change or insert anything in the header through F5, the XFF value should not reflect the F5 IP...

0
Comment made 3 months ago by DaveS 120

XFF is used to indicate the originating IP address. The configuration details you've given for the LTM mean it's not including the header, so it must be the back end server that is doing it, confirmed by the address being the LTM self address.

Is this expected behaviour - it will be if the server is configured for XFF insertion.

0
Comment made 3 months ago by boneyard 5579

When you say "i do have the header capture from the server", does that mean an actual network packet capture before the server's HTTP server software touched it?

I agree with you that it doesn't make sense for the F5 BIG-IP to do this if there is no HTTP profile involved.

But there still can be something else between the F5 BIG-IP and the HTTP server.

And there is the slight chance someone is being playful and inserting it at the client side.

0
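The reasoning in the answer and comments above, as an added example that is not part of the original thread or any F5 code: a Python check that classifies an X-Forwarded-For value captured at the server, assuming a TCP-only virtual server with SNAT automap. The self IP 10.0.0.5, the sample header values and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample address standing in for the BIG-IP self IP that
# SNAT automap uses as the source address toward the pool member.
SELF_IPS = {ipaddress.ip_address("10.0.0.5")}

def _ip(text):
    """Parse one entry; None for values such as 'unknown'."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None

def parse_xff(value):
    """Return the header's entries, left to right, as stripped strings."""
    return [p.strip() for p in (value or "").split(",") if p.strip()]

def diagnose(xff_value, self_ips=SELF_IPS):
    """Classify an X-Forwarded-For value seen on the server side."""
    hops = parse_xff(xff_value)
    if not hops:
        return {"verdict": "absent", "unverified": []}
    if _ip(hops[-1]) in self_ips:
        # A hop that appends XFF writes its own TCP peer as the last entry.
        # The SNAT address in that position means the appending hop sits
        # behind the BIG-IP (web server or another proxy). Entries to the
        # left passed through the TCP-only virtual server untouched, so
        # they came from the client side and are unverified.
        return {"verdict": "appended-behind-snat", "unverified": hops[:-1]}
    if any(_ip(h) in self_ips for h in hops):
        # Self IP present but not last: later hops appended after it, or
        # the client sent it. The header alone cannot tell these apart.
        return {"verdict": "ambiguous", "unverified": hops}
    # No self IP at all: nothing behind the SNAT appended its peer address.
    return {"verdict": "no-self-ip", "unverified": hops}

if __name__ == "__main__":
    # Constructed sample header values.
    for sample in ["10.0.0.5", "203.0.113.9, 10.0.0.5",
                   "10.0.0.5, 192.0.2.7", ""]:
        print(repr(sample), diagnose(sample))
```

Comparing the result against a packet capture taken on the BIG-IP's server-side VLAN shows whether the header was already present when the request left the BIG-IP.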
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Unless the server is modifying the XFF header, F5 will always set it as the client IP. If you do a capture and examine the backend traffic from F5, you can see the XFF details.

0