Forum Discussion
meena_60183
Nimbostratus
Jul 10, 2008
clone pool and port mirroring
Hi All,
I have a need where I need to copy (mirror) all the port 80/443 traffic from the clients to the virtual server to an external appliance for analysis. Due to some limitations on ...
brad_11480
Nimbostratus
Jun 05, 2013
I know this thread is old, but it also seems to be one of only a few that talk about clone pools versus port spanning/mirroring. I have recently plowed through the clone pool feature as it met our needs for implementing an application performance package (Foglight) for traffic from selected virtual servers on our F5 LTM/Viprion hardware. The documentation is pretty weak and it took a little probing to get an understanding of how this works.
Many IDS/IPS systems, packet monitors, and systems such as Foglight are passive and simply listen and capture packets that are on the 'wire'. They don't present an IP address and so it was a bit confusing as to how to setup the clone pool, which requires not only IP addresses but also port numbers.
What I found was that the port number means absolutely nothing. You can define it as all ports or just pick a port. You will get all traffic basically matching that of the virtual servers you set to have the traffic cloned.
The IP address is simply used as the tool for the F5 to go out and ARP to obtain a MAC address to stuff in the packets and send back out (via TMM) to whatever interface. For our situation, the only device on that interface was the monitoring device so I put a static ARP entry on the F5 guest to associate it with the interface. It now knows where to send the clone packets.
The packets that are cloned are left intact (except for the MAC address change to deliver it to the interface where the clone server pool is). This means that if the data is encrypted, it will remain encrypted, the source and destination IP's remain the same, etc. This was another question that the documentation didn't answer. Initially I thought it would be post SSL termination.. but as I just indicated.. the packets remain intact and are not altered. This means that if the data is encrypted it is cloned encrypted.
I haven't tried iRules with it yet and still have a question in an iRule as to how you specify if the traffic is server side or client side or both when you use the clone iRule. On the virtual server there are two settings-- one to clone client side and one to clone server side. Perhaps it relates to what event it occurs in (server side or client side).. It just isn't clear and may take a couple tries to figure out what traffic gets cloned.
It has worked well here and is providing a lot of flexibility on what traffic gets cloned/mirrored. Spanning the interface just wouldn't work well as it would have all traffic from the VLAN's that are in the trunk which is significantly greater than they wanted. This narrows it down to those virtual servers that they are working with.
brad_11480
Nimbostratus
May 05, 2014
Well, from what I remember the Foglight doesn't allow you to set an address on the interface it is using for "Snooping" traffic-- and you don't need to do anything on the Foglight side.. That interface is just pulling whatever traffic comes across it.
On the F5 side, however, as Kevin indicated, you need an IP address and it uses that to ARP to get the MAC associated with it. Hence the problem when the Foglight doesn't do this.
What we did was fool the F5 into thinking that there was a device out there using a TMSH command to create the ARP entry.
Here are my notes...
There are a number of things they don't tell you.
1. The clone pool needs to go out a different interface.. it will basically change the MAC and send it to whatever interface that pool is on.
2. Most IPS systems tap and listen and don't present themselves as a device with an IP on that network. This makes it tough as the F5 will go out with an ARP request to get the MAC associated with the IP of the clone pool member.
3. It doesn't matter what port is on the pool member. The clone sends all traffic as it is.
4. Create a self IP on that interface that allows traffic to route to its subnet.
5. Create a pool with members in that same subnet so they receive the traffic.
6. It probably has to be layer 2 away (no routers and such).
So what do you do when the clone member isn't a real device out there since the IDS doesn't have an IP on that interface?
You fool the F5 into thinking there is a device out there.
1. Define the pool member without a port and without a health monitor (it isn't really there, remember).
2. In TMSH define an ARP entry for it with a dummy MAC. Example where 192.168.30.124 is the pool member defined:
create net arp clonemac ip-address 192.168.30.124 mac-address 00:11:22:33:44:55
(Note this is done in TMSH as it is TMM that clones.. Putting this on at the OS level won't pick up the ARP entry.)
The sample config statements were as follows. The network interface was defined for a VLAN named VLclone on physical network interface 1/1.4 of the F5/Viprion:
ltm pool /Common/pool_clone_foglight {
    description "for Foglight IDS"
    members {
        /Common/192.168.30.124:0 {
            address 192.168.30.124
        }
    }
}
and for the virtual servers using it the 'clone' under advanced is set:
ltm virtual /Common/vs_webdev_http {
    clone-pools {
        /Common/pool_clone_foglight {
            context clientside
        }
        /Common/pool_clone_foglight {
            context serverside
        }
    }
}
and also for the https service.. (The foglight will need the certificate key to decrypt the packets)
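The notes above amount to a checklist: a self IP on the clone VLAN, a pool member in that subnet with port 0 and no monitor, a static net arp entry for the member because a passive tap never answers ARP, and a clone pool set for both clientside and serverside. As an added example (not from this thread or from F5), here is a small Python script that reads tmsh-style config text and reports which of those conditions are missing. The tmsh parser is ad hoc and the config is a constructed sample; the second pool and virtual server are deliberately misconfigured so the checks have something to report.

```python
import ipaddress

# Constructed sample in tmsh "list" style, modelled on the objects named in the
# post above. pool_clone_bad / vs_other are intentionally wrong.
SAMPLE_CONFIG = """
net self /Common/self_clone {
    address 192.168.30.1/24
}
net arp /Common/clonemac {
    ip-address 192.168.30.124
    mac-address 00:11:22:33:44:55
}
ltm pool /Common/pool_clone_foglight {
    members {
        /Common/192.168.30.124:0 {
            address 192.168.30.124
        }
    }
}
ltm pool /Common/pool_clone_bad {
    monitor /Common/gateway_icmp
    members {
        /Common/10.0.0.9:80 {
            address 10.0.0.9
        }
    }
}
ltm virtual /Common/vs_webdev_http {
    clone-pools {
        /Common/pool_clone_foglight {
            context clientside
        }
        /Common/pool_clone_foglight {
            context serverside
        }
    }
}
ltm virtual /Common/vs_other {
    clone-pools {
        /Common/pool_clone_bad {
            context clientside
        }
    }
}
"""


def parse_tmsh(text):
    """Parse brace-structured tmsh text into nested lists of (key, value).
    Lists rather than dicts, so a pool listed once per context is kept twice."""
    root = []
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            child = []
            stack[-1].append((line[:-1].strip(), child))
            stack.append(child)
        else:
            key, _, value = line.partition(" ")
            stack[-1].append((key, value.strip()))
    return root


def get(node, key):
    """First value stored under key in a parsed node, or None."""
    return next((v for k, v in node if k == key), None)


def objects(node, kind):
    """Yield (name, body) for stanzas such as 'ltm pool /Common/x'."""
    for key, value in node:
        if key.startswith(kind + " "):
            yield key[len(kind) + 1:].strip(), value


def check_clone_pools(config_text):
    """Return findings for each clone-pool precondition the post lists."""
    cfg = parse_tmsh(config_text)
    self_nets = [ipaddress.ip_interface(get(b, "address")).network
                 for _, b in objects(cfg, "net self")]
    arp_ips = {get(b, "ip-address") for _, b in objects(cfg, "net arp")}
    pools = dict(objects(cfg, "ltm pool"))
    findings = []
    for vs_name, vs in objects(cfg, "ltm virtual"):
        clones = get(vs, "clone-pools")
        if clones is None:
            continue
        contexts = {get(body, "context") for _, body in clones}
        for side in ("clientside", "serverside"):
            if side not in contexts:
                findings.append(f"{vs_name}: no {side} clone pool, that direction is not mirrored")
        for pool_name, _ in clones:
            pool = pools.get(pool_name)
            if pool is None:
                findings.append(f"{vs_name}: clone pool {pool_name} is not defined")
                continue
            if get(pool, "monitor") is not None:
                findings.append(f"{pool_name}: has a health monitor, but a passive tap cannot answer one")
            for member, mbody in get(pool, "members") or []:
                addr = get(mbody, "address")
                port = member.rsplit(":", 1)[-1]
                if addr not in arp_ips:
                    findings.append(f"{pool_name}: member {addr} has no static net arp entry, "
                                    "so TMM will ARP for it and a passive tap will not answer")
                if not any(ipaddress.ip_address(addr) in n for n in self_nets):
                    findings.append(f"{pool_name}: member {addr} is not in any self IP subnet, "
                                    "so there is no layer 2 path for the cloned frames")
                if port != "0":
                    findings.append(f"{pool_name}: member {addr} uses port {port}; the port is ignored, use 0")
    return findings


if __name__ == "__main__":
    for finding in check_clone_pools(SAMPLE_CONFIG):
        print(finding)
```

Run against real output of `tmsh list net self`, `tmsh list net arp`, `tmsh list ltm pool` and `tmsh list ltm virtual` concatenated into one file; the parser only understands the plain brace layout shown, not every tmsh option.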