Just Published! Threat Report: Exposing Malware in Linux-Based Multi-Cloud Environments | Download Now

EDR: How to allow F5 incoming traffic from multiple IPs

EDR: How to allow F5 incoming traffic from multiple IPs

Environment

  • EDR Server: 6.x and Higher
  • F5 Reverse Proxy 

Objective

How to allow sensor communication to Response through F5 reverse proxy when F5 is configured to send from multiple IP addresses. 

Resolution

  1. Configure F5/EDR using existing documented steps (see Related Content)
  2. On EDR server (master and minions in case of a cluster), edit /etc/cb/nginx/includes/cb.server.base_body and delete the section below
if ($remote_addr = $reverseproxyip) {
set $client_cert $http_x_client_cert_id;
set $keep_x_real_ip T;
}
  1.  In the same location, add the following text, replacing <IP ADDRESS> with your F5 IP.  Duplicate this section for each IP address F5 is configure with.   
if ($remote_addr = "<IP ADDRESS>") {
set $client_cert $http_x_client_cert_id;
set $keep_x_real_ip T;
}
  1. If you have IPv6 configured, preface the IP address with ::ffff:, example:  ::ffff:192.168.1.15

 

Additional Notes

ReverseProxyIP= configuration parameter in /etc/cb/cb.conf will be rendered nonfunctional, and changes to F5 IPs should be reflected in /etc/cb/nginx/includes/cb.server.base_body

Related Content


Labels (1)
Was this article helpful? Yes No
50% helpful (1/2)
Article Information
Author:
Creation Date:
‎09-09-2020
Views:
743
Contributors