Forum Discussion
DanieleS9
Nimbostratus
Mar 17, 2022
F5 ASM URL file upload best practices
Hi, I am searching for the best way to configure a file upload URL that generates lots of different attack signature false positives. Can anyone teach me how to create a correct exclusion, or maybe something different to solve this?
Thanks
- First of all, I'm not an expert but just wanna help if I can. :-)
- al_kabeer_2905
Nimbostratus
Hi and thx for the reply,
- Hamish
Cirrocumulus
SNAT is literally Source-NAT. Basically it's telling the VS to act as a proxy... So the backend (Poolmembers) see the IP connection coming from one of the BigIP's addresses (Automap will use the floating self-ip of the interface that routes to the poolmembers).
- al_kabeer_2905
Nimbostratus
When I put the SNAT to none, the virtual server is not working
- Hamish
Cirrocumulus
About 5 items below the SNAT option when configuring the Virtual Server. There are separate options for 'Address Translation' and 'Port Translation'. Select both. Then make sure the default gateway back to the client IP is via the F5 floating self-ip address that directly connects to the poolmembers. (I suspect that's already done, unless you were running the poolmembers in a kind of n-path configuration.)

I think it's more likely that the only thing wrong is your poolmembers are routing back direct to the client via a separate router, since it looks like you're running the F5 single-armed (Sorry, can't see your picture, so no network diagram to verify)...
- al_kabeer_2905
Nimbostratus
Hi, in the attachment there is the full diagram of what I am discussing
- hoolio
Cirrostratus
As Nitass and Hamish have suggested, if you have the default gateway on 192.168.1.1 and 192.168.1.2 set to the LTM self IP on the 192.168.1.0/24 subnet, you can set SNAT on the virtual server to none and the servers will see the original client IP address. As Hamish said, make sure to leave (destination) address and (destination) port translation enabled on the virtual server properties.
- al_kabeer_2905
Nimbostratus
Thanks, Boss, for your reply. I will try it and give my feedback.
- al_kabeer_2905
Nimbostratus
I have tried it. I can't remote desktop or access HTTP servers now, since I changed the default gateway to the IP of the BigIP, not the core switch.