I need to be able to capture source IP on FTPS connection.

Question

I need to capture the source IP for ftps traffic, and match that IP to a FTP session.
It is easy enough to create an irule to capture source IP, and have that sent to a logging server, where then splunk can query the logs. After I have the list of source IP's I need to be able to match that up with a user. Because the data is being passed through the load balancer as secure, I can not do any inspection at the LTM, and I don't see time stamps as being a good enough match for busy servers to positively match a ftp session to a source IP. &nbsp;

vernonwells · Answer

Your choices are:&nbsp;
Offload TLS on the BIG-IP (and potentially re-encrypt between BIG-IP and the servers);Inspect a presented client certificate.
Naturally, 2 only works if a.) a certificate is actually presented by the client; and b.) it is a user certificate, rather than a machine certificate.&nbsp;

Forum Discussion

I need to be able to capture source IP on FTPS connection.

Recent Discussions

Background Tasks

APM with EntraID as idP / request signed

Should config via cli rather than gui?

APM Modern Customization - modify Header in user-common.js and form in user-logon.js

Which process is consuming higher CPU

Related Content

DevCentral Connects hosts Capture the Flag!

Decrypting BIG-IP Packet Captures without iRules

Decrypting BIG-IP Packet Captures Automatically

Automating Packet Captures on BIG-IP

F5 XC vk8s workload with Open Source Nginx

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS