Can irules be used to match source address infromation before and after SNAT?

Question

We are using an F5 as an SSL-offload and then again as a reverse proxy. In both cases, the source address is natted. 
&nbsp;We have an IPS after the SSL-offload and before the reverse proxy that does detect attacks but attacks appear to come from the SSL_offload address.&nbsp;
&nbsp;We need to determine what the original source of attacks are so are looking to see if irules can provide some information to trace back to the original source.&nbsp;
&nbsp;Anyone else deal with this type of issue? Keen to hear how to get around this....&nbsp;&nbsp;
&nbsp;cheers
&nbsp;Patrick&nbsp;&nbsp;

hoolio · Answer

Hi Patrick, 
&nbsp;  
&nbsp; LTM can insert a custom HTTP header named X-Forwarded-For (or any arbitrary name) with the original client IP address.  To configure this you can create a custom HTTP profile and enable the 'insert X-Forwarded-For' option.  If you want to insert a custom named header, you can do this with the HTTP profile options.  Set the 'request header to remove' to MY_CUSTOM_HEADER and set the 'request header to insert' to MY_CUSTOM_HEADER: [IP::client_addr]. 
&nbsp;  
&nbsp; The IPS would need to be able to read the custom HTTP header instead of the IP header. 
&nbsp;  
&nbsp; Aaron

Forum Discussion

Can irules be used to match source address infromation before and after SNAT?

Recent Discussions

Default retry time inband monitor

how to monitor the axfr master response

Http / https health monitor issue

I used the wrong email account when take Application Delivery Exam (101)

F5 looses the token for the first call

Related Content

CSV to Address External Datagroup File

Decoding the IPv4 address from the persistence cookie

iRules Style Guide

The Power of Source Address

Public IP address display

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS