Knowledge Search


[Junos WebApp Secure] Sessions showing the load balancer IP address and not actual source/dest IP address in JWAS WebUI sessions page

  [KB28098] Show Article Properties

Junos WebApp Secure (JWAS) sessions page shows the information about malicious and non-malicious sessions , the IP address of the attacker, browser, operating system etc. When a load balancer is used along with JWAS, the attacker IP address can show as that of load balancer’s IP address. This KB article provides information as to how to resolve the issue and how to correctly see the actual IP addresses rather than load balancer’s IP.
When JWAS, formerly known as Mykonos, is deployed with a third-party load balancer, it need to be configured to accept the X-Forwarded-For header from the load balancer.
If that is not configured, all session IPs on the JWAS appliance will seem to be coming from the load balancer directly.

SSH/Console method:
Run the below command to make JWAS trust the header of the load balancer:
'sudo mykonos-shell config set engine.exclude_forward_addresses <IP_of_Loadbalancer>'

The following screen shot shows an example for CLI method where load balancer has been added as a trusted host

WebUI Method:
On the WebUI of JWAS, Go to Configuration > Security Engine > Security Engine Whitelists.  Select  X-Forwarded-For Address Exclusions, and then Add to enter the IP address of the load balancer.

Modification History:
2019-03-25: content re-reviewed for accuracy
Related Links: