vWAF can be configured to get client IP address from custom HTTP header.
Lets consider that the proxy solution adds a custom HTTP Header called "Client-IP" with actual client IP address as seen below in HTTP Request from user:
GET / HTTP/1.1
Host: example.com
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
Accept: text/html,application/xhtml+xml,application/xml;
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Client-IP: 10.209.70.9
Connection: close
For vWAF to detect the same, once logged into the vWAF GUI, click on Administration > Global Configuration:
Add the custom HTTP header in "CLIENT IP HEADER" > "custom client ip header" section as shown below and save the changes:
If the proxy solution sets an X-Forwarded-For header, select the checkbox for option "use X-Forwarded-For header" in same page for vWAF to consider same. We can now configure a Handler template in vWAF application to restrict based on IP address and send a HTTP forbidden error to client as seen below:
HTTP/1.1 403 Forbidden
Cache-Control: no-cache
Content-Type: text/plain
Date: xxxx
Pragma: no-cache
Connection: close
Content-Length: 18 
