For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

EvgeniV's avatar
EvgeniV
Icon for Nimbostratus rankNimbostratus
Oct 09, 2024

Different SNAT for each member in the pool

I'm looking for possibility to define different SNAT for each member in the Pool. May be by iRule. But I'm not sure. Because any Selective SNAT iRules that I find based on some switching difference...
devops
EvgeniV's avatar
EvgeniV
Icon for Nimbostratus rankNimbostratus
Oct 13, 2024

Thank You so much Stefan,

The proposed iRule looks right and good but I cannot approve it as working solution,
 I really sorry for that but in our case we use exactly similar iRule:

when LB_SELECTED {
   if { [IP::addr [LB::server addr] equals 193.142.151.1] } {
     snat 172.16.50.1
   }
   if { [IP::addr [LB::server addr] equals 193.142.151.2] } {
     snat 172.16.50.5
  }
   if { [IP::addr [LB::server addr] equals 193.142.151.3] } {
     snat 172.16.50.6
  }
}

(SNAT Pool includes these three Nodes: 172.16.50.1, 172.16.50.5, 172.16.50.6)

And in the FW LOG catched just after F5 we still see Requests from Src:172.16.50.5(6) to Dst:193.142.151.1 , and I can't understand this.

According the iRule such packets are impossible - When Dst:193.142.151.1 the only source IP must be 172.16.50.1   

 

 Respectfully,

Evgeni V.

Paulius's avatar
Paulius
Icon for MVP rankMVP
Oct 13, 2024

What are the self-IPs and floating-IP of the interface on the F5 in that subnet? If you're still seeing requests from an IP that it shouldn't be coming from it is most likely the self-IP of the F5 doing it's health monitor queries. Without the information requested it's difficult to say why exactly this is happening.