For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

kong5_153476's avatar
kong5_153476
Icon for Nimbostratus rankNimbostratus
Oct 23, 2014
Solved

A irule of source IP and IP after SNAT

After the SNAT config used SNAT pool, Customer requested that record the correspondence of source IP and IP after SNAT to file /var/log/ltm. Request every connections, such as TCP、UDP etc.   Anyon...
application delivery
BIG-IP Access Policy Manager (APM)
design
devops
iRules
LTM
security
  • Jason_40733's avatar
    Jason_40733
    Oct 23, 2014

    Here's another link with an example of logging the entire connection.. client, client(snat) and server for TCP.

     

    https://devcentral.f5.com/questions/how-to-monitor-internal-ip-translate-to-which-ip-snat-in-pool

     

    Example from that link is here.

     

    rule myrule { when SERVER_CONNECTED { log local0. "" log local0. "cs client [IP::client_addr]:[TCP::client_port]" log local0. "cs server [clientside {IP::local_addr}]:[clientside {TCP::local_port}]" log local0. "ss client [IP::local_addr]:[TCP::local_port]" log local0. "ss server [IP::remote_addr]:[TCP::remote_port]" } }

     

Jason_40733's avatar
Jason_40733
Icon for Cirrocumulus rankCirrocumulus
Oct 23, 2014

Here is a good question/answer on writing irules for logging connections.

 

https://devcentral.f5.com/questions/writing-an-irule-to-log-all-traffic

 

It includes examples for logging TCP and UDP traffic. Though it does not show you how to log the SNAT'd IP address.

 

Jason