Typecasting XFF value to client IP


Joseph Tuttle

Hi all,

 

I am typecasting a portion of the XFF to IP Address for responder policy processing (drops). This seems to be working ok, but I have 2 questions for Typecasting experienced folks.

 

 - Can this method be used to somehow get traffic into the IP Reputation and other CLIENT.IP.SRC dependent functions?

 - In doing so, would this modify the actual CLIENT.IP.SRC value in such a way that traffic might fail to return to the end user?

 

Thanks all for any insight


3 hours ago, Joseph Tuttle said:

- Can this method be used to somehow get traffic into the IP Reputation and other CLIENT.IP.SRC dependent functions?

YES:  Once typecast to an IP address, then IP Address data type functions work.  You then just have to decide between the _T and _AT functions.

Example:  client.IP.SRC.IPREP_IS_MALICIOUS  || http.REQ.HEADER("x-forwarded-for").TYPECAST_IP_ADDRESS_T.IPREP_IS_MALICIOUS

Are both valid evaluations. You can do the other operations valid on client.ip.src on the IP address datatype like in_subnet()

The issue would be IF the value you feed into the typecast function is invalid for conversion to an IP Address, then the expression will return undefined and fail to execute.  You might then need to look at how best to make sure your expression is resilient.

 

 

3 hours ago, Joseph Tuttle said:

In doing so, would this modify the actual CLIENT.IP.SRC value in such a way that traffic might fail to return to the end user?

The typecast will NOT change the SRC IP presented in the actual packet arriving at the ADC.  Just what value you are basing your expression on.

So you may be changing the condition for triggering a policy by looking at your XFF header, but you are not changing the contents of the actual source IP and unless you are performing a rewrite or additional header insertion you won't change the value of the header itself while evaluating it.

 

 

  • Like 2
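
The resilience point raised in the answer above, modelled in Python as an added example; it is not part of the thread and is not NetScaler policy syntax. The function names, the blocked subnet and the sample headers are constructed, and taking the first comma-separated XFF entry and parsing IPv4 only are assumptions.

```python
import ipaddress

# Constructed sample data (documentation ranges), not taken from the thread.
BLOCKED_NETS = [ipaddress.ip_network("203.0.113.0/24")]


def parse_xff_entry(header_value, index=0):
    """Return the index-th X-Forwarded-For entry as an IPv4Address, or None
    when the header is absent or the entry does not convert (the case the
    answer describes as the expression evaluating to undefined)."""
    if not header_value:
        return None
    entries = [e.strip() for e in header_value.split(",")]
    if index >= len(entries):
        return None
    try:
        return ipaddress.IPv4Address(entries[index])
    except ValueError:  # AddressValueError is a ValueError subclass
        return None


def in_blocked(ip):
    """True when the address falls inside any blocked subnet."""
    return any(ip in net for net in BLOCKED_NETS)


def should_drop(socket_src, xff_header):
    """OR of two checks, like the two-sided expression in the answer: the
    connection source address first, then the XFF-derived address. An
    unconvertible XFF entry contributes False instead of aborting the check."""
    if in_blocked(ipaddress.IPv4Address(socket_src)):
        return True
    xff_ip = parse_xff_entry(xff_header)
    return xff_ip is not None and in_blocked(xff_ip)


if __name__ == "__main__":
    samples = [  # (connection source, XFF header), all constructed
        ("198.51.100.5", "203.0.113.7, 10.0.0.1"),
        ("198.51.100.5", "unknown"),
        ("198.51.100.5", "198.51.100.9:8080"),
        ("198.51.100.5", None),
        ("203.0.113.9", "garbage"),
    ]
    for src, xff in samples:
        print(f"src={src} xff={xff!r} drop={should_drop(src, xff)}")
```

The connection source address is evaluated whether or not the header converts, so a malformed XFF value never disables the source-based check.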