Forum Discussion
pkingi_72523
Nimbostratus
Apr 19, 2010
Can irules be used to match source address information before and after SNAT?
We are using an F5 as an SSL-offload and then again as a reverse proxy. In both cases, the source address is natted.
We have an IPS after the SSL-offload and before the reverse proxy that does detect attacks but attacks appear to come from the SSL_offload address.
We need to determine what the original source of the attacks is, so we are looking to see if irules can provide some information to trace back to the original source.
Anyone else deal with this type of issue? Keen to hear how to get around this....
cheers
Patrick
1 Reply
- hoolio
Cirrostratus
Hi Patrick,
LTM can insert a custom HTTP header named X-Forwarded-For (or any arbitrary name) with the original client IP address. To configure this you can create a custom HTTP profile and enable the 'insert X-Forwarded-For' option. If you want to insert a custom named header, you can do this with the HTTP profile options. Set the 'request header to remove' to MY_CUSTOM_HEADER and set the 'request header to insert' to MY_CUSTOM_HEADER: [IP::client_addr].
The IPS would need to be able to read the custom HTTP header instead of the IP header.
Aaron
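An added example, not part of the original thread and not F5 code: a sensor-side sketch of the step in the reply above, attributing an alert to the address carried in the inserted header rather than the SNAT address. The SNAT address, the sample requests and the function names are constructed assumptions, as is the rule that the last header value is the one the LTM wrote.

```python
import ipaddress

# Assumption: SNAT address of the SSL-offload tier (constructed, documentation range).
TRUSTED_SNAT = {ipaddress.ip_address("192.0.2.10")}

def header_values(raw_request, name):
    """Return every comma-separated value of header `name`, in wire order."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    values = []
    for line in head.split("\r\n")[1:]:        # skip the request line
        key, sep, value = line.partition(":")  # first colon only, so IPv6 values survive
        if sep and key.strip().lower() == name.lower():
            values.extend(p.strip() for p in value.split(",") if p.strip())
    return values

def original_source(packet_src, raw_request, header="X-Forwarded-For"):
    """Return the address an IPS alert should be attributed to."""
    src = ipaddress.ip_address(packet_src)
    if src not in TRUSTED_SNAT:
        return str(src)  # packet did not come from our proxy: do not believe the header
    values = header_values(raw_request, header)
    try:
        # Assumption: the proxy appends its value last; earlier values may be client-supplied.
        return str(ipaddress.ip_address(values[-1]))
    except (IndexError, ValueError):
        return str(src)  # header missing or malformed: keep the packet source

# Constructed sample requests as seen by the sensor behind the SSL offload.
REQ = "GET /login HTTP/1.1\r\nHost: app.example\r\n%s\r\n"
ALERTS = [
    ("192.0.2.10", REQ % "X-Forwarded-For: 203.0.113.7\r\n"),
    ("198.51.100.5", REQ % "X-Forwarded-For: 10.0.0.1\r\n"),  # not via the SNAT address
    ("192.0.2.10", REQ % "X-Forwarded-For: 10.9.9.9\r\nX-Forwarded-For: 203.0.113.8\r\n"),
    ("192.0.2.10", REQ % ""),                                 # header absent
]

def attribute(alerts):
    return [original_source(src, req) for src, req in alerts]

if __name__ == "__main__":
    print(attribute(ALERTS))
```

With the custom-header variant from the reply, pass `header="MY_CUSTOM_HEADER"`; because the profile removes any incoming copy before inserting its own, only one value should be present.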