Neonsun_116864
Dec 19, 2016

App that doesn't support X-Forwarded-For and cloud DDoS mitigation

Got a situation: Application relies on client_addr for logging and GeoIP services, and we are considering implementing a cloud WAF/DDoS mitigation service. SNAT automap is in use. Devs unwilling to update app to include XfF support in the short term.

 

Is it possible to have an iRule retain the original values of client_addr and XfF in variables, rewrite the XfF to client_addr on the 'when HTTP_request' event (so the server app pool can see the original client IP in the client_addr header, where it expects it), and then write the original header values back to the response on the 'when HTTP_response' event? Does the BIG-IP track the state of each request for this to be possible, or is adding XfF support in the application the only way to go?
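An added example, not part of the original post and not F5 or iRule code: wherever the X-Forwarded-For value ends up being consumed for logging or GeoIP (proxy rule or application), it should only be believed when the TCP peer is the cloud scrubbing service itself. The sketch below shows that decision in Python; the function name and the trusted range (an RFC 5737 documentation network standing in for the provider's published egress ranges) are assumptions.

```python
import ipaddress

# Constructed placeholder for the cloud WAF/DDoS provider's egress ranges.
TRUSTED_PROXIES = [ipaddress.ip_network("198.51.100.0/24")]


def _is_trusted(ip):
    return any(ip in net for net in TRUSTED_PROXIES)


def effective_client_ip(peer_addr, xff_values):
    """Pick the address to use for logging/GeoIP.

    peer_addr  -- TCP source address of the connection as received
    xff_values -- X-Forwarded-For header values, in the order received
    """
    peer = ipaddress.ip_address(peer_addr)
    if not _is_trusted(peer):
        # Connection did not come through the scrubbing service, so the
        # header is entirely client-controlled: ignore it.
        return str(peer)

    # Flatten repeated headers and comma-separated lists into one hop list.
    hops = [h.strip() for v in xff_values for h in v.split(",") if h.strip()]

    # Each proxy appends the address it saw, so walk right to left and stop
    # at the first hop that is not one of the trusted proxies. Anything to
    # the left of that hop was supplied by the client and is not evidence.
    candidate = peer
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last address we could verify
        candidate = ip
        if not _is_trusted(ip):
            break
    return str(candidate)


if __name__ == "__main__":
    # Constructed request: client prepended a fake hop before reaching the WAF.
    print(effective_client_ip("198.51.100.7", ["10.9.9.9, 203.0.113.9"]))
```

A request that reaches the origin directly, bypassing the cloud service, falls back to the peer address, which is also a useful signal to log.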

 
