Forum Discussion

Nimbostratus

Aug 04, 2025

F5 APM monitor VPN user destinations

Hello, Is F5 APM capable of showing the destinations that the VPN user is trying to reach to? Can we get this information by default, or does it require customization? Shall be seen throug...

Nacreous

Aug 04, 2025

You can achieve this by assigning an ACL also to the users.

In ACL you can either allow or deny destinations but enable logging.

This way you could see all connections under each sessions.

But I don't think you should do it and flood your BIG-IP with so many logs.

But why don't you get this info from the firewall? I suppose there is one after F5.

User100000
Nimbostratus
Aug 04, 2025
Yes, we thought in enable logging option. this can be viewed by CLI only, and which log file?

AVR does not support in this?

What is the best practice in APM to have the traffic flow in the network by the IP assigned to the user from the pool or by F5 IP

as the wizard make the configuration to the required resources reached by F5 self IP not the user IP assigned from the pool
- Injeyan_Kostas
  Nacreous
  Aug 04, 2025
  I think AVR cannot show this.
  You can also see it in GUI under Access ›› Overview : Active Sessions and clicking each session id
  for cli check /var/log/apm
  
  For traffic flow the best is to let users flow with their assigned IPs and not do SNAT but this depends on your topology.
  Wizards are for the ease of use do not just rely on wizards.
  Moreover you could do some irule magic and integrate F5 VPN with your firewall, depends the FW, and push user info with API in order to map user with IP. In this case FW will be able to use user based rules instead of source IP.