F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

rafaelbn_305907's avatar
rafaelbn_305907
Icon for Nimbostratus rankNimbostratus
Aug 17, 2017

Design - SNAT vs. Inline (kind of philosophical)

Hello Devs! Hows everybody doing?   I'm new to BIG-IP and I'm currently studying for the 301a exam. I came from the networking world.   I'm a big fan of letting routers "route", firewalls "fire...
application delivery
BIG-IP
inline
LTM
snat
Stanislas_Piro2's avatar
Stanislas_Piro2
Icon for Cumulonimbus rankCumulonimbus
Aug 17, 2017

Hi,

 

First, BigIP is not only a load balancer... but also a firewall, a reverse proxy, a SSL VPN gateway, a DNS server, a Web Application Firewall...

 

Reading K12837, SNAT does not demote PVA in version 11.2.1 and later.

 

There is not really best practice but configuration without SNAT is better to keep client IP on server side connection.

 

HTTP connections support X-Forwarded-For header to insert client IP even if SNAT is enabled.

 

for all other protocols, SNAT may cause some limitations. for example, if you load balance SMTP connection with SNAT, AntiSPAM feature may be limited.

 

Related Content