Last Modified: Nov 07, 2022
BIG-IP ASM, AVR
Known Affected Versions:
11.6.0, 11.6.0 HF1, 11.6.0 HF2, 11.6.0 HF3, 11.6.0 HF4
12.0.0, 11.6.0 HF5
Opened: Dec 18, 2014 Severity: 3-Major
Symptoms: In a specific case involving multiple matching XFF headers and particular settings, the system honours one of the supplied XFF headers, but not the desired one.
Impact: The incoming request is treated as coming from an IP address other than the intended one. This affects the reports and the identification of the request by the DoS system.
Conditions:
1. At least one custom XFF header is configured in the HTTP profile.
2. The incoming request carries at least two headers that match the custom header names.
3. The DB variable avr.alwaysuselastxff is set to 0.
Workaround: An iRule can be configured to compare the XFF headers, remove the unnecessary ones, and keep only the desired one.
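To make the workaround concrete, here is an added example (not F5 code and not an iRule) that models in Python the selection logic such an iRule would carry out: find every header that matches the configured custom XFF names, keep exactly one of them, and drop the rest so that reporting and DoS identification only ever see a single header. The custom header names, the sample request and the selection policy are assumptions; the always_use_last flag stands in for the avr.alwaysuselastxff setting, and the default policy (first configured name wins) is this example's own choice, not a statement of how the product behaves.

```python
"""Model of the XFF-header clean-up a workaround iRule would perform.

Constructed example, not F5 code. Custom header names, sample request
and the selection policy are assumptions made for illustration.
"""
from typing import List, Optional, Tuple

Header = Tuple[str, str]

# Custom XFF header names as they would be configured in the HTTP profile.
# Assumption: listed in priority order; the first configured name that
# appears in the request wins unless the always-use-last policy is chosen.
CUSTOM_XFF_NAMES: List[str] = ["X-Forwarded-For", "X-Client-IP"]

# Constructed request carrying two headers that both match the custom list,
# i.e. exactly the situation the bug describes.
SAMPLE_HEADERS: List[Header] = [
    ("Host", "app.example.com"),
    ("X-Forwarded-For", "198.51.100.7, 10.0.0.5"),
    ("X-Client-IP", "203.0.113.9"),
    ("User-Agent", "curl/8.0"),
]


def select_xff(headers: List[Header], custom_names: List[str],
               always_use_last: bool = False) -> Tuple[Optional[Header], List[Header]]:
    """Return (kept_header, remaining_headers).

    Exactly one matching XFF-style header is kept in its original position;
    every other matching header is removed. Non-matching headers are untouched.
    """
    wanted = [n.lower() for n in custom_names]
    matches = [(i, h) for i, h in enumerate(headers) if h[0].lower() in wanted]
    if not matches:
        return None, list(headers)
    if always_use_last:
        # Policy analogous to "always use last XFF": last matching header wins.
        keep_idx, chosen = matches[-1]
    else:
        # Priority policy: lowest index in custom_names wins; ties go to the
        # first occurrence in the request because min() keeps the first minimum.
        keep_idx, chosen = min(matches, key=lambda m: wanted.index(m[1][0].lower()))
    remaining = [h for i, h in enumerate(headers)
                 if i == keep_idx or h[0].lower() not in wanted]
    return chosen, remaining


def client_ip_from_xff(value: str) -> str:
    """Address the request is attributed to, read from the kept header.

    Assumption: conventional XFF layout, where the left-most entry is the
    original client and each proxy appends its upstream address on the right.
    """
    return value.split(",")[0].strip()


def attributed_ip(headers: List[Header], custom_names: List[str],
                  always_use_last: bool = False) -> Optional[str]:
    """Convenience wrapper: the IP the request would be reported under."""
    chosen, _ = select_xff(headers, custom_names, always_use_last)
    return client_ip_from_xff(chosen[1]) if chosen else None


if __name__ == "__main__":
    # The two policies disagree on this request, which is exactly the
    # misattribution the symptom describes; after clean-up only one header
    # remains either way.
    for last in (False, True):
        kept, cleaned = select_xff(SAMPLE_HEADERS, CUSTOM_XFF_NAMES, last)
        print(f"always_use_last={last}: kept {kept}, "
              f"attributed IP {attributed_ip(SAMPLE_HEADERS, CUSTOM_XFF_NAMES, last)}")
        print("  remaining headers:", [n for n, _ in cleaned])
```

Running the script shows that the priority policy attributes the request to 198.51.100.7 while the always-use-last policy attributes it to 203.0.113.9; whichever policy matches the operator's intent, the cleaned header list contains only one XFF-style header, which is what removes the ambiguity the downstream components trip over.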
Fix: The desired XFF header is taken as the one that represents the HTTP request IP address.