Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Forum Discussion

shakalakka's avatar
shakalakka
Icon for Altostratus rankAltostratus
Nov 16, 2022

Explicit proxy and snat-pools

Hi, We are setting up an explicit proxy for some testing. What we have so far is pretty much the same as this article: Explicit proxy example  Under the "Create a wildcard virtual server"-section ...
application delivery
explicit proxy
xuwen's avatar
xuwen
Icon for Cumulonimbus rankCumulonimbus
Nov 16, 2022

create 0.0.0.0:0 Fordarding IP VS(0.0.0.0:443 Standard tcp VS)  is caused by the http-explicit profile's attribute Explicit Proxy>>Default Connect Handling Deny. If its value set to Allow, all 0 VS may not be required
Select the snatpool based on the white list domain name. I  use the switch to match. If you want to expand the scope, you can use the class match to match. 

Tips:explict VS and 0.0.0.0:0 VS do not need to enable Automap, and 0.0.0.0 VS do not need to use http profile,only use tcp profile can also work

iRules name is http_explict_snatpool_irules

when HTTP_PROXY_REQUEST {
    log local0. "[HTTP::method] [HTTP::uri]"
    switch [string tolower [URI::host [HTTP::uri]]] {
        "www.bestpay.com" {
            snatpool snatpool_explict_white
        }
        "default" {
            snatpool snatpool_explict_default
        }
    }
}

 explict VS config:

list ltm virtual https_vs_explict
ltm virtual https_vs_explict {
creation-time 2022-11-02:13:12:21
destination 10.199.3.10:3128
ip-protocol tcp
last-modified-time 2022-11-16:21:11:57
mask 255.255.255.255
profiles {
new_http_explict_proxy { }
tcp { }
}
rules {
http_explict_snatpool_irules
}
serverssl-use-sni disabled
source 0.0.0.0/0
translate-address enabled
translate-port enabled
vlans {
vlan-HA
}
vlans-enabled
vs-index 49
}

 

 

0.0.0.0:443 Standard tcp VS config:

list ltm virtual VS_explict_2022
ltm virtual VS_explict_2022 {
creation-time 2022-11-03:10:09:21
destination 0.0.0.0:https
ip-protocol tcp
last-modified-time 2022-11-16:21:27:50
mask any
profiles {
tcp { }
}
serverssl-use-sni disabled
source 0.0.0.0/0
translate-address disabled
translate-port disabled
vlans {
my_httptunnel
}
vlans-enabled
vs-index 39
}

 

ltm snatpool snatpool_explict_default {
members {
10.20.20.177
}
}
ltm snatpool snatpool_explict_white {
members {
10.20.20.170
}
}

  • shakalakka's avatar
    shakalakka
    Icon for Altostratus rankAltostratus
    Nov 16, 2022

    Thanks, ill try this now!
    What confuses me a bit is i dont really know what the wildcard actually does. If i read the doc for default-connection-handling, it says that a VS must be created for the outbound connection, if not the connection will be dropped (if connection-handling is set to deny). Im just struggeling a bit to see the difference for the actual connection setup between "allow" and "deny". If the BigIP in "allow" mode just sets up the connection to the server, what difference does the wildcard VS make on the return traffic?

    • xuwen's avatar
      xuwen
      Icon for Cumulonimbus rankCumulonimbus
      Nov 16, 2022

      It seems that the forum has an article to test whether http and https traffic can be proxyed in Deny and Allow modes(you call search this article). if Allow is set, equal "firwall acl permit any", permit dns resolvers resolving the destination IP traffic of the destination domain name.
      Note that the zone of DNS Resolvers should be set to ".", otherwise, if your proxy domain name is not in the zone, BIGIP will report a 503 status code