Bug ID 627656: BIG-IP alerts contains proxy IP instead of client IP

Last Modified: Apr 28, 2025

Affected Product(s):
BIG-IP FPS(all modules)

Known Affected Versions:
13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1

Fixed In:
13.1.0

Opened: Nov 09, 2016

Severity: 3-Major

Symptoms

BIG-IP alerts contains proxy IP address instead of client IP address.

Impact

WebSafe uses wrong IP address (proxy) as 'client IP' in alerts.

Conditions

1. db var antifraud.uselastxff is disabled. 2. HTTP's 'accept xff' is enabled. 3. Request contains multiple XFF headers.

Workaround

Use alternate XFF headers in HTTP profile.

Fix Information

xff logic should consider multiple xff headers

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips