iRule for AFM IP Intelligence security policy to work with HTTP XFF (X-Forwarded-For) headers

Code is community submitted, community supported, and recognized as ‘Use At Your Own Risk’.

Short Description


As mentioned in article (K73304774: AFM + IP Intelligence does not block requests using X-Forwarded-For header value) the AFM can't work with XFF headers unless decrypting traffic and using the IP Intelligence i in a irule, which is comlex but there is an easier way and I will show you how! 😎

Description of the irule "virtual" command:

If the XFF has multiple values better also see article (K70310105: ASM with IP-intelligence cannot reject request based on x-forwarded-for) that if for the ASM/AWAF but the same principle applies here.



Problem solved by this Code Snippet


The iRule below is attached on a virtual server that decrypts the HTTPS traffic, then the traffic is forwarded to another second virtual server where the  IP Intelligence policy is assigned.


How to use this Code Snippet


Make 2 virtial servers as the first VS will decrypt the traffic (you also attach the iRule to the first VS) and will lead to the second VS and the second VS will have an LTM pool and the IPI policy attached to it. Keep in  mind that if the traffic is too high there could be a bottleneck because of the internal channel between the two VS.


Code Snippet Meta Information

  1. Version:
  2. Coding Language: TCL/iRule


Full Code Snippet



 if {  [HTTP::header exists "X-Forwarded-For"]  } {

 snat [HTTP::header "X-Forwarded-For"]

 log local0. "Client IP changed from [IP::client_addr] to [HTTP::header "X-Forwarded-For"]"


virtual second_vs



Updated Aug 17, 2023
Version 8.0

Was this article helpful?

1 Comment