For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Rahim_Abdulla's avatar
Rahim_Abdulla
Icon for Nimbostratus rankNimbostratus
Apr 25, 2014

Can Big-IP send an alert for virtual server bouncebacks?

So we have clients and servers behind the Big-IP in in-line mode, so of course we need a SNAT for the client. But let's say we ... forgot to create a SNAT - is it possible to have Big-IP send out an ...
application delivery
availability
LTM
management
Patrik_Jonsson's avatar
Patrik_Jonsson
Icon for MVP rankMVP
Apr 25, 2014

Hi!

Why not SNAT all traffic then and insert XFF headers which then can enable logging of the clients real IP on the web server?

One thing I can think of is using the LB_FAILED event in conjunction with HSL. Maybe somebody can think of something better though.

From devcentrals wiki

The LB_FAILED event is triggered when LTM is ready to send the request to a pool member and one hasn’t been chosen (the system failed to select a pool or a pool member), is unreachable (when no route to the target exists), has reached a queue limit, or is non-responsive (fails to respond to a connection request).

when LB_FAILED {
    set hsl [HSL::open -proto UDP -pool syslog-514_pool]
    HSL::send $hsl "LB_Failed triggered for client: [IP::client_addr]\n"
}

This rule would send a message to your syslog server, which you can then configure to alert you.

Kind regards, Patrik