ProxySG & Advanced Secure Gateway

  • 1.  Not able to see the User IP after enabling the X forwarder in F5

    Posted Nov 11, 2022 09:15 AM
    Hi Team,

I have an F5 load balancer where I have configured the VIP, and both of my proxies are working in A-A mode. In the proxy, I am not getting the actual IP address; I am getting the load balancer IP, which is the F5 IP. In F5 we have already enabled the X-Forwarded-For header, but still we are not getting the user IP details.

I have already followed the article below, but it is not helping me.
How to Use the X-Forwarded-For Header from the CONNECT Request to Apply Policy to HTTPS Traffic (Broadcom)
    Resolution: The solution is to use the Effective Client IP object. Open up the Visual Policy Manager (Management Console > Configuration > Policy > Visual Policy Manager > Launch), and from the Visual Policy Manager (VPM): 1) Create a Web Access Layer and move it before the other Web Layers you want to apply policy to.



Can someone please suggest what needs to be configured on the proxy appliance to see the actual user IP and not the load balancer IP or NAT IP.

    Thanks
    Arpit Dave





  • 2.  RE: Not able to see the User IP after enabling the X forwarder in F5

    Posted Nov 12, 2022 09:03 AM
    Edited by Furil Nov 12, 2022 09:04 AM
    Hello,

This is not a proxy issue but one on the F5 VIP itself. From your statement, I think you simply need to disable source NAT on the F5 VIP.

    Best regards,
    Furil


  • 3.  RE: Not able to see the User IP after enabling the X forwarder in F5

    Posted Nov 15, 2022 11:09 PM
If we disable NAT on the F5 then we can't browse. How can the proxy read the HTTP header? Is there any configuration for that?


  • 4.  RE: Not able to see the User IP after enabling the X forwarder in F5

    Broadcom Employee
    Posted Nov 16, 2022 09:06 AM

    Hi Arpit

You can use policy rules based on the contents of the X-Forwarded-For header.

    But first, it is necessary to confirm whether F5 is adding the header or not. You can capture an unfiltered pcap on the proxy (unfiltered because the source IP is already NATed and all traffic now arrives at the proxy with the F5 IP). From the unfiltered pcap you can check whether any web request to the proxy carries the X-Forwarded-For header or not.
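The check described in this post, and the "effective client IP" idea from the article linked in the opening post, as an added example (not code from the thread, from Broadcom, or from F5): parse proxy requests as they would appear in the capture, report which ones carry X-Forwarded-For, and derive the address policy should treat as the client. The load balancer address 10.0.0.5 and the sample requests are constructed for the example; the one security caveat it enforces is that X-Forwarded-For is only honoured when the TCP peer is the load balancer, since otherwise any client reaching the proxy directly could forge its own address.

```python
"""Added example (not from the thread or Broadcom): parse proxy requests taken
from a capture and work out the effective client IP from X-Forwarded-For,
honouring the header only when the TCP peer is the load balancer."""
import ipaddress
from typing import Dict, List, Tuple

# Assumption: the F5 SNAT/self IP the proxy sees as the TCP peer (hypothetical).
TRUSTED_LB_PEERS = {ipaddress.ip_address("10.0.0.5")}


def parse_request(raw: bytes) -> Tuple[str, Dict[str, List[str]]]:
    """Split an HTTP/1.1 request head into its request line and headers.
    Header names are lower-cased; repeated headers are kept in order."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def effective_client_ip(peer_ip: str, headers: Dict[str, List[str]]) -> str:
    """Address that policy should treat as the client.

    X-Forwarded-For is only trusted when the connection arrives from the
    load balancer; a client talking to the proxy directly could otherwise
    forge its own address. Within the header the rightmost non-trusted
    entry is the one appended by the nearest trusted hop (the F5), so any
    value the client itself sent further left is ignored."""
    peer = ipaddress.ip_address(peer_ip)
    if peer not in TRUSTED_LB_PEERS:
        return str(peer)
    values = headers.get("x-forwarded-for")
    if not values:
        return str(peer)  # F5 is not inserting the header (the pcap check above)
    chain = [h.strip() for h in ",".join(values).split(",") if h.strip()]
    for hop in reversed(chain):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)  # malformed entry: fall back to the peer address
        if addr not in TRUSTED_LB_PEERS:
            return str(addr)
    return str(peer)


def xff_report(samples):
    """For each (peer_ip, raw request) pair from a capture: does the request
    carry X-Forwarded-For, and which address would policy end up using."""
    report = []
    for peer_ip, raw in samples:
        request_line, headers = parse_request(raw)
        report.append({
            "request": request_line,
            "peer": peer_ip,
            "has_xff": "x-forwarded-for" in headers,
            "effective_client": effective_client_ip(peer_ip, headers),
        })
    return report


# Constructed sample requests, not real capture data.
SAMPLES = [
    # F5 inserted XFF on the CONNECT (explicit proxy, HTTPS destination)
    ("10.0.0.5", b"CONNECT example.com:443 HTTP/1.1\r\nHost: example.com:443\r\n"
                 b"X-Forwarded-For: 192.168.1.50\r\n\r\n"),
    # SNAT on but no XFF: the proxy can only see the F5 address
    ("10.0.0.5", b"GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    # client sent a forged XFF, F5 appended the real address on the right
    ("10.0.0.5", b"GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\n"
                 b"X-Forwarded-For: 1.2.3.4, 192.168.1.51\r\n\r\n"),
    # request that bypassed the F5: its XFF must be ignored
    ("192.168.7.9", b"GET http://example.com/ HTTP/1.1\r\nHost: example.com\r\n"
                    b"X-Forwarded-For: 1.2.3.4\r\n\r\n"),
]

if __name__ == "__main__":
    for row in xff_report(SAMPLES):
        print(row)
```

Run it as-is to see the report for the constructed samples; to use it against a real capture, feed it the peer address and raw request bytes of each HTTP request extracted from the pcap. A request from the F5 with no X-Forwarded-For means the F5 is not inserting the header, which is the first thing to rule out before touching proxy policy.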




  • 5.  RE: Not able to see the User IP after enabling the X forwarder in F5

    Posted Nov 16, 2022 11:46 PM
    Hi Ankit,

Can you please help me with the policy that needs to be configured in ProxySG.

    Thanks
    Arpit


  • 6.  RE: Not able to see the User IP after enabling the X forwarder in F5

    Broadcom Employee
    Posted Nov 17, 2022 12:37 AM

    Hi Arpit

I need information on your exact requirement.

    You have mentioned that you are not able to see the user IP: "In the proxy, i am not getting the actual IP address and getting load balancer IP which is F5 IP. In F5 we have already enable the X-forwarder for header but still we are not getting user ip details."

    (1) Exactly where are you not getting the user IP details? In the access logs, in the active connection list, or somewhere else? Please provide specific info.

    (2) Have you created Web Access Layer policy rules based on client IP that are not working as expected?

    (3) If the answer to question 2 is yes, then you need to follow the article you shared at the start of this discussion. If, after following the same rule configuration, it is still not working, then we need to proceed with investigating whether F5 is adding the header or not.

    Best Regards

    Ankit




  • 7.  RE: Not able to see the User IP after enabling the X forwarder in F5

    Posted Nov 18, 2022 09:24 AM

If a load-balanced ProxySG has its default gateway set to the router IP and not the internal floating IP of the F5, then there is no way for the traffic to return to the F5. If the proxy were to see the client IP, it would attempt to route the non-local client IP through the router, around the F5, to the client. If the client receives this packet from the ProxySG, it will not match the TCP session, since the client is expecting the F5 VIP IP to respond, so the client drops the response.

    F5 solves this with a feature called Auto Source Network Address Translation (SNAT) (AskF5 | Manual Chapter: SNATs). If the F5 virtual server has the Auto SNAT feature enabled (under advanced settings, just below VLAN and Tunnel), then the F5 will NAT the client address to ensure return routing. This is likely why you are seeing the F5 IP instead of the client IP.

    We run the same sort of configuration: multiple active ProxySGs behind an F5. The user sends proxy requests to the F5 VIP, and the F5 load balances the requests to the proxy servers without SNAT, so we see the client IP. Our ProxySGs have their default gateway set to the router IP, not the F5 internal floating IP.

    The ProxySG has a feature called "Return To Sender" (# (config) return-to-sender (broadcom.com)). While this feature is turned on by default, it is possible yours may be turned off. Enabling RTS allows the proxy server to send packets back to the load balancer regardless of the proxy routing table. Once the response reaches the F5, it will match a session and be returned to the client from the F5 VIP IP, and the client will recognize the session.

    Regarding X-Forwarded-For, if you are not terminating/intercepting the TLS connections on the F5 (and are simply load balancing connections), then the F5 cannot insert an X-Forwarded-For header into the requests, so that's likely why that's not working.
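The F5 side of what this post describes, as an added example and not configuration from the thread or from F5's documentation: the Auto SNAT setting that hides the client address, beside the corrected virtual server that passes the client address through and inserts X-Forwarded-For where the F5 is processing HTTP. The virtual server name proxy_vs and profile name proxy_xff_http are assumptions; whether the HTTP profile's proxy type needs to be changed for an explicit-proxy VIP (CONNECT requests) is not covered here and should be checked against F5's documentation before use. Turning SNAT off only works if the responses still get back to the F5, which on the ProxySG side is what the return-to-sender setting in this post is for.

```tmsh
# Weak setting the post describes: Auto SNAT (automap) on the virtual server,
# so the ProxySG only ever sees the F5 SNAT address as the client.
# (hypothetical virtual server name)
modify ltm virtual proxy_vs source-address-translation { type automap }

# Corrected: no source NAT, so the real client address reaches the ProxySG
# (return routing then depends on the proxy's return-to-sender setting),
# plus an HTTP profile that inserts X-Forwarded-For on requests the F5 parses.
# (hypothetical profile name; proxy-type for an explicit-proxy VIP not set here)
create ltm profile http proxy_xff_http defaults-from http insert-xforwarded-for enabled
modify ltm virtual proxy_vs source-address-translation { type none } profiles add { proxy_xff_http }
save sys config
```

After the change, the unfiltered pcap check from the earlier reply is the way to confirm both effects at once: requests should now arrive from the real client addresses, and those the F5 parsed as HTTP should carry X-Forwarded-For.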