EDR: How to allow F5 incoming traffic from multiple IPs

Article ID: 287727

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

This article describes how to allow sensor communication to Response through an F5 reverse proxy when the F5 is configured to send traffic from multiple IP addresses.

Environment

  • EDR Server: 6.x and Higher
  • F5 Reverse Proxy 

Resolution

  1. Configure F5/EDR using existing documented steps (see Related Content).
  2. On the EDR server (master and minions in case of a cluster), edit /etc/cb/nginx/includes/cb.server.base_body and delete the section below:

       if ($remote_addr = $reverseproxyip) {
           set $client_cert $http_x_client_cert_id;
           set $keep_x_real_ip T;
       }

  3. In the same location, add the following text, replacing <IP ADDRESS> with your F5 IP. Duplicate this section for each IP address F5 is configured with.

       if ($remote_addr = "<IP ADDRESS>") {
           set $client_cert $http_x_client_cert_id;
           set $keep_x_real_ip T;
       }

  4. If you have IPv6 configured, preface the IP address with ::ffff:, for example: ::ffff:192.168.1.15
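
An added example (not part of the original article or of Carbon Black's tooling): a Python helper that renders one block per F5 address in the form shown above and audits the contents of cb.server.base_body against the expected F5 list, since every address listed there is trusted to supply the client certificate ID header. The function names and the 192.0.2.x addresses are constructed for illustration, and the article's "IPv6 configured" case is modelled as a single flag.

```python
import ipaddress
import re

# Captures the value compared with $remote_addr in each trust block.
BLOCK_RE = re.compile(r'if\s*\(\s*\$remote_addr\s*=\s*"?([^")]+?)"?\s*\)')

def _normalize(ip, ipv6_enabled):
    # IPv4Address rejects hostnames, CIDR ranges and typos with ValueError.
    addr = ipaddress.IPv4Address(ip.strip())
    return f"::ffff:{addr}" if ipv6_enabled else str(addr)

def render_blocks(f5_ips, ipv6_enabled=False):
    """Return one trust block per F5 source address, in the article's form."""
    return "\n".join(
        f'if ($remote_addr = "{_normalize(ip, ipv6_enabled)}") {{\n'
        "set $client_cert $http_x_client_cert_id;\n"
        "set $keep_x_real_ip T;\n"
        "}"
        for ip in f5_ips
    )

def audit(config_text, f5_ips, ipv6_enabled=False):
    """Compare the addresses trusted in the include file with the F5 list."""
    expected = {_normalize(ip, ipv6_enabled) for ip in f5_ips}
    found = set(BLOCK_RE.findall(config_text))
    # The original variable-based block should be gone after step 2.
    legacy = "$reverseproxyip" in found
    found.discard("$reverseproxyip")
    return {
        "missing": sorted(expected - found),        # F5 IPs with no block
        "unexpected": sorted(found - expected),     # trusted but not an F5 IP
        "legacy_block_present": legacy,
    }

if __name__ == "__main__":
    # Constructed addresses from the documentation range, not real F5 IPs.
    f5 = ["192.0.2.10", "192.0.2.11"]
    print(render_blocks(f5))
    print(audit(render_blocks(f5[:1]), f5))
```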

 

Additional Information

After this change, the ReverseProxyIP= configuration parameter in /etc/cb/cb.conf will be rendered nonfunctional, and any changes to F5 IPs should be reflected in /etc/cb/nginx/includes/cb.server.base_body.