Bug ID 662311: CS alerts should contain actual client IP address in XFF header

Last Modified: Nov 07, 2022

Affected Product(s):
BIG-IP FPS(all modules)

Known Affected Versions:
12.1.0, 12.1.0 HF1, 12.1.0 HF2, 12.1.1, 12.1.1 HF1, 12.1.1 HF2, 12.1.2, 12.1.2 HF1, 12.1.2 HF2, 12.1.3,,,,,,,, 12.1.4,, 12.1.5,,,, 12.1.6, 13.0.0, 13.0.0 HF1, 13.0.0 HF2, 13.0.0 HF3, 13.0.1, 13.1.0,,,

Fixed In:

Opened: May 01, 2017

Severity: 3-Major


When no XFF header exists, the alert server will use the sender IP address as the client IP address. Doing so is incorrect behavior because the sender IP address is always the BIG-IP system's IP address. Even if XFF headers exist, the client IP address as known to the BIG-IP system may be missing in the XFF header.


Alert server/BIG-IQ does not show the actual client IP address.


This occurs under either of the following conditions: -- There is no XFF header in the original request. -- An XFF header exists, but it does not contain the actual client IP address (as seen by the BIG-IP system).



Fix Information

FPS now always appends the client IP address to the end of the last XFF header in the alert request. If there is no XFF header, FPS inserts one.

Behavior Change

Guides & references

K10134038: F5 Bug Tracker Filter Names and Tips