EDR: How to allow F5 incoming traffic from multiple IPs
Article ID: 287727
Products
Carbon Black EDR (formerly Cb Response)
Issue/Introduction
How to allow sensor communication to Response through an F5 reverse proxy when the F5 is configured to send from multiple IP addresses.
Environment
EDR Server: 6.x and Higher
F5 Reverse Proxy
Resolution
Configure F5/EDR using the existing documented steps (see Related Content).
On the EDR server (master and minions in the case of a cluster), edit /etc/cb/nginx/includes/cb.server.base_body and delete the section below:
    if ($remote_addr = $reverseproxyip) {
        set $client_cert $http_x_client_cert_id;
        set $keep_x_real_ip T;
    }
In the same location, add the following text, replacing <IP ADDRESS> with your F5 IP. Duplicate this section for each IP address the F5 is configured with.
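    # Take the client certificate ID from the X-Client-Cert-Id header for requests from this F5 address
    if ($remote_addr = "<IP ADDRESS>") {
        set $client_cert $http_x_client_cert_id;
        set $keep_x_real_ip T;
    }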
If you have IPv6 configured, preface the IP address with ::ffff:, for example: ::ffff:192.168.1.15
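Because each of these blocks makes the server accept the client certificate ID header from the listed address, it helps to generate them from a validated IP list and to audit the file afterwards. The following is an added example, not code from the vendor or from this article; the function names render_blocks and audit and the sample addresses are assumptions made for illustration.

```python
import ipaddress
import re

# Block text exactly as given in the article, with the address as a placeholder.
BLOCK = ('if ($remote_addr = "{addr}") {{\n'
         '    set $client_cert $http_x_client_cert_id;\n'
         '    set $keep_x_real_ip T;\n'
         '}}\n')
# Captures whatever $remote_addr is compared against (quoted IP or a variable).
TRUSTED_RE = re.compile(r'if\s*\(\s*\$remote_addr\s*=\s*"?([^")\s]+)"?\s*\)')


def render_blocks(f5_ips, ipv6_configured=False):
    """Return one block per F5 address; reject anything that is not an IPv4 address."""
    out = []
    for ip in f5_ips:
        addr = str(ipaddress.IPv4Address(ip))  # raises ValueError on bad input
        if ipv6_configured:
            addr = "::ffff:" + addr  # prefix the article prescribes for IPv6 setups
        out.append(BLOCK.format(addr=addr))
    return "".join(out)


def audit(config_text, expected_addrs):
    """Compare the addresses trusted in the include file with the expected F5 set."""
    found = set(TRUSTED_RE.findall(config_text))
    expected = set(expected_addrs)
    return {
        # The original $reverseproxyip section should have been deleted.
        "stale_variable_block": "$reverseproxyip" in found,
        # Addresses allowed to supply the client cert header that are not known F5 IPs.
        "unexpected": sorted(found - expected - {"$reverseproxyip"}),
        # F5 IPs with no block; sensors arriving from them are not treated as proxied.
        "missing": sorted(expected - found),
    }


if __name__ == "__main__":
    # Constructed sample addresses, not taken from any real deployment.
    f5_ips = ["192.168.1.15", "192.168.1.16"]
    text = render_blocks(f5_ips)
    print(text)
    print(audit(text, f5_ips))
```

To audit a live server, pass the contents of /etc/cb/nginx/includes/cb.server.base_body as config_text on the master and on each minion.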
Additional Information
After this change, the ReverseProxyIP= configuration parameter in /etc/cb/cb.conf will be rendered nonfunctional, and any changes to the F5 IPs should be reflected in /etc/cb/nginx/includes/cb.server.base_body.