Forum Discussion
APM - How to configure logging of snat addresses for network access and app tunnels
Hello everyone,
we are using BIG-IP Access Policy Manager to enable administrative access to systems via App Tunnel and Network Access resources.
For security reasons, we need to be able to map requests logged on backend resources/systems (e.g. in SSH audit logs) to the session or user accessing said backend resource via App Tunnel or Network Access in APM.
Currently, the following request information is logged.
Network Access:
May 17 14:42:00 tmm0 tmm[22565]: 01580002:5: /APM/ap_rmgw:Common:c1237463: allow ACL: #app_tunnel_/APM/Some_App-Tunnel@c1237463:15 packet: tcp 192.168.12.18:58680 -> 10.0.0.1:22
App Tunnels:
May 17 14:41:10 tmm1 tmm1[22565]: 01580002:5: /APM/ap_rmgw:Common:c6787463: allow ACL: #app_tunnel_/APM/Some_App-Tunnel@c6787463:0 packet: tcp 89.229.152.144:63252 -> 10.0.0.1:2
For Network Access requests, an IP address of the lease pool configured in the Network Access resource is logged as the client IP. For App Tunnel requests, the public IP of the client accessing APM is logged as the client IP.
In our setup, both requests will be NATed by APM before hitting the target system (through a snat pool in case of a Network Access request, through the active appliances backend IP in case of App Tunnels). Therefore, the APM self IPs (snat pool/appliance backend) will be logged on the target host, leading to us not being able to correlate logs in APM with logs on the target systems.
Is there any way to log the SNAT/NAT addresses and ports used to access target systems through APM?
I've tried using ACCESS_ACL_ALLOWED in an iRule to log additional information, unfortunately this event only seems to trigger on Portal Access resources, not when using App Tunnels or Network Access resources.
Thank you,
Fabian
If you turn up logging of the access profile you will be able to log the user and which lease ip it gets assigned and the actions performed. I have only used debug, but it migth be possible to go lower than that. All the lines are prefixed with the session id, so you should be able to correlate on that to identify a user.
You can also look here: https://community.f5.com/t5/technical-forum/userid-to-leasepool-ip-mapping/td-p/60728
for inspiration regarding the actual logging with an iRule.
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com