Confirmation of Precedence for SNAT vs WC VS

Question

It looks like we're gong to have to deploy a wildcard VS with an irule to perform selective SNATs for a couple of applications. Since we have many other applications already deployed that could be caught by this wildcard, what is the best way to handle these? I can't quite tell from the precedence doc if the existing defined SNATs for the other applications will pick them up prior to the wildcard VS grabbing the traffic.

michaelatf5 · Answer

A good rule of thumb, is Most Specific First.&nbsp;
To be specific about it:&nbsp;
Existing ConnectionsPacket FilterVirtual ServerSNATNATSELF-IPDROP
However, if you have a wildcard VS that is LESS specific than your SNAT entry, then SNAT will win.  If you have existing VS that are configured specifically for application traffic (Source, Destination, Protocol, Port, etc) that will win over a WC Virtual Server with NO PORT, NO DESTINATION, NO SUBNET, etc.&nbsp;

Forum Discussion

Confirmation of Precedence for SNAT vs WC VS

1 Reply

F5 Container Ingress Services (CIS) and using k8s traffic policies to send traffic directly to pods

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

Question/Advice on iRule Remediating the Telerik (Unsafe Reflection Vulnerability (CVE-2025-3600)

Resetting to Factory Default

sslprovide (--f5 ssl) does not generate CLIENT/SERVER_TRAFFIC_SECRET on server-side TLS traffic

Issue with IIS and Client Component Service Load balancing

Syslog Filter Configuration for Separating Audit and LTM logs.

Related Content

Verifying Local Traffic Policy and iRule Precedence

Knowledge sharing: Order of precedence for BIG-IP modules, ASM DDOS Protection, Bot Protection

SNAT pool persistence

VS precedence

SNAT IP address logging

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS