EDR: How to allow F5 incoming traffic from multiple IPs
search cancel

EDR: How to allow F5 incoming traffic from multiple IPs


Article ID: 287727


Updated On:


Carbon Black EDR (formerly Cb Response)


How to allow sensor communication to Response through F5 reverse proxy when F5 is configured to send from multiple IP addresses. 


  • EDR Server: 6.x and Higher
  • F5 Reverse Proxy 


  1. Configure F5/EDR using existing documented steps (see Related Content)
  2. On EDR server (master and minions in case of a cluster), edit /etc/cb/nginx/includes/cb.server.base_body and delete the section below
if ($remote_addr = $reverseproxyip) {
set $client_cert $http_x_client_cert_id;
set $keep_x_real_ip T;
  1.  In the same location, add the following text, replacing <IP ADDRESS> with your F5 IP.  Duplicate this section for each IP address F5 is configure with.   
if ($remote_addr = "<IP ADDRESS>") {
set $client_cert $http_x_client_cert_id;
set $keep_x_real_ip T;
  1. If you have IPv6 configured, preface the IP address with ::ffff:, example:  ::ffff:


Additional Information

ReverseProxyIP= configuration parameter in /etc/cb/cb.conf will be rendered nonfunctional, and changes to F5 IPs should be reflected in /etc/cb/nginx/includes/cb.server.base_body