Xepik
Nov 20, 2024

Get actual client ips in splunk

We are in detect and respond and have a request to enhance the logging capabilities of a load balancer. Since all traffic is going through F5, we need the actual client IPs in Splunk to verify the logs. pleas...
  • Aswin_mk
    Nov 20, 2024

    Hi,

    When the BIG-IP uses NAT for all IP addresses on its Origin setting, outbound connection to the pool members (nodes/backend servers) will be the NAT IP address.
    The pool members (nodes/backend servers) will not be able to see the real client IP address as it will see the NAT IP address on the BIG-IP.

    If the pool is an HTTP webserver, the X-Forwarded-For HTTP header can be used.

    However for non-HTTP pool servers, the BIG-IP NAT will need to be disabled to allow the client IP to be the source IP address when hitting the pool.

     

    Please go through the link and you will get more details from it - Get Client IP when F5 BIG-IP is using NAT 

     

    As your Splunk is working on port 514, you have to try the second option (NAT will need to be disabled). But you have to check whether the server receives logs or not (there will sometimes be an asymmetric routing issue).

    BR,
    Aswin
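
For the HTTP case mentioned in the reply above, the web server sees the BIG-IP NAT address as the connection source and the client address only in X-Forwarded-For. The following is an added example, not part of the thread or of any F5 or Splunk code: it picks the address to log while ignoring headers that did not arrive through the load balancer. The NAT range, the sample records, and the assumption that the BIG-IP appends the address it saw as the last entry are all constructed for illustration.

```python
import ipaddress

# Assumption: source addresses the BIG-IP uses toward the pool (constructed range).
TRUSTED_PROXIES = [ipaddress.ip_network("10.10.0.0/28")]

def _parse_ip(text):
    """Return an ip_address object, or None if text is not a valid IP."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None

def _is_trusted(ip):
    return any(ip in net for net in TRUSTED_PROXIES)

def real_client_ip(peer, xff):
    """Pick the client IP to log for one request.

    peer: source IP of the TCP connection as seen by the web server.
    xff:  raw X-Forwarded-For header value, or "-" / "" when absent.
    """
    peer_ip = _parse_ip(peer)
    if peer_ip is None:
        return peer
    # The header only means something when the connection came from the
    # load balancer; a client connecting directly can put anything in it.
    if not _is_trusted(peer_ip) or xff in ("", "-"):
        return str(peer_ip)
    # Walk right to left: the rightmost entry is assumed to be the one the
    # nearest proxy added. Skip our own proxies; the first other valid
    # address is the client. Entries further left are client-supplied.
    for hop in reversed(xff.split(",")):
        hop_ip = _parse_ip(hop)
        if hop_ip is None:
            break  # malformed entry: do not trust the rest of the chain
        if not _is_trusted(hop_ip):
            return str(hop_ip)
    return str(peer_ip)

# Constructed sample records: (peer address, X-Forwarded-For value)
SAMPLES = [
    ("10.10.0.5", "203.0.113.7"),                  # normal request via BIG-IP
    ("10.10.0.5", "198.51.100.9, 198.51.100.20"),  # client sent its own entry first
    ("192.0.2.50", "203.0.113.99"),                # bypassed BIG-IP: header ignored
    ("10.10.0.5", "-"),                            # header missing
]

if __name__ == "__main__":
    for peer, xff in SAMPLES:
        print(peer, xff, "->", real_client_ip(peer, xff))
```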