Forum Discussion

Jnon's avatar
Jnon
Icon for Nimbostratus rankNimbostratus
Jul 18, 2016

I need to be able to capture source IP on FTPS connection.

I need to capture the source IP for ftps traffic, and match that IP to a FTP session. It is easy enough to create an irule to capture source IP, and have that sent to a logging server, where then splunk can query the logs. After I have the list of source IP's I need to be able to match that up with a user. Because the data is being passed through the load balancer as secure, I can not do any inspection at the LTM, and I don't see time stamps as being a good enough match for busy servers to positively match a ftp session to a source IP.

 

  • Your choices are:

     

    1. Offload TLS on the BIG-IP (and potentially re-encrypt between BIG-IP and the servers);
    2. Inspect a presented client certificate.

    Naturally, 2 only works if a.) a certificate is actually presented by the client; and b.) it is a user certificate, rather than a machine certificate.