How can I find the original client IP address of a log entry in my WAF?

Josh Cantie 20 Reputation points
2025-07-30T20:22:34.91+00:00

When I go into the logs for our Application Gateway and run a KQL query to see what items were caught (based on OWASP rules), I can see that the request logs have a column clientIp_s that shows the IP address of the requestee. However, the IP addresses I see here seem to be largely from requests that have passed through our Azure Front Door, and hence the recorded IP address is from an Azure resource somewhere in the world instead of the original IP address of the person making the request. For purposes of throttling IP addresses of bad actors, I'd like to know the original IP address of each request.

I know that Application Gateway inserts an X-Forwarded-For header to all requests before forwarding requests to the back-end - is this a header I can see in the WAF logs, and then I can create a custom rule that throttles repeat bad offenders? Or is the clientIp_s value I'm seeing actually already the X-Forwarded-For IP address of the most recent place the request is coming from, which in our case is Azure Front Door? If so, does that mean I really would have to set up a WAF on Azure Front Door instead to get what I'm really looking for? Thank you!

Azure Web Application Firewall

Accepted answer
    Divyesh Govaerdhanan 8,345 Reputation points
    2025-07-30T23:05:04.3566667+00:00

    Hello,

    Welcome to Microsoft Q&A,

    The clientIp_s field in Application Gateway WAF logs reflects the immediate source IP of the request, which, in your case, is Azure Front Door. This is expected behavior, as App Gateway treats AFD as the request initiator.

    So instead of the original end-user IP, you’re seeing the IP addresses of Azure Front Door edge nodes.

    Azure Front Door preserves the original client IP in the X-Forwarded-For header. This header contains a comma-separated list of IPs where the first IP is the client’s original IP.

    However, Application Gateway WAF cannot parse or act on headers like X-Forwarded-For. This limits your ability to apply custom WAF rules based on the real client IP at the AppGW level.

    You can:

    1. Use Azure Front Door WAF. Move your IP restriction logic to AFD WAF, which can evaluate the real client IP (RemoteAddr) and take action directly at the edge before the request hits AppGW. Configure AFD WAF rules here.
    2. Log and enforce in your backend application. If you control the backend (e.g., App Service or VM), extract the client IP from X-Forwarded-For in your app code and implement rate-limiting or blacklisting as needed.

    https://learn.microsoft.com/en-us/azure/web-application-firewall/afds/waf-front-door-configure-ip-restriction?tabs=browser

    https://learn.microsoft.com/en-us/azure/frontdoor/front-door-faq#does-azure-front-door-preserve--x-forwarded-for--headers-

    Please Upvote and accept the answer if it helps!!

    1 person found this answer helpful.
