I need to be able to capture source IP on FTPS connection.

Question

I need to capture the source IP for ftps traffic, and match that IP to a FTP session.
It is easy enough to create an irule to capture source IP, and have that sent to a logging server, where then splunk can query the logs. After I have the list of source IP's I need to be able to match that up with a user. Because the data is being passed through the load balancer as secure, I can not do any inspection at the LTM, and I don't see time stamps as being a good enough match for busy servers to positively match a ftp session to a source IP. &nbsp;

vernonwells · Answer

Your choices are:&nbsp;
Offload TLS on the BIG-IP (and potentially re-encrypt between BIG-IP and the servers);Inspect a presented client certificate.
Naturally, 2 only works if a.) a certificate is actually presented by the client; and b.) it is a user certificate, rather than a machine certificate.&nbsp;

Forum Discussion

I need to be able to capture source IP on FTPS connection.

1 Reply

Security Best Practices for F5 Products

F5 AppWorld 2026 Registration - early bird pricing.

Kostas Injeyan - October 2025 Featured Member

Recent Discussions

HA Failover between two Datacenters

LTM issue Openning new web browser tab

F5 asm/awaf

Cannot ping external interface

AST Configuration Assistance

Related Content

DevCentral Connects hosts Capture the Flag!

Decrypting BIG-IP Packet Captures Automatically

Decrypting BIG-IP Packet Captures without iRules

Automating Packet Captures on BIG-IP

Ultimate irule debug - Capture and investigate

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS