
Forum Discussion

Ramil_Ancajas_1
Nov 02, 2015

Keeping source IP's without disabling SNAT

Hi All,


I have an on-a-stick LTM with multiple VLANs configured on the internal interfaces. All VSs configured have SNAT (automap) enabled because the default gateway configured on the servers is the firewall. So the traffic that goes via the F5 to the servers has its source IP NATted to the F5 self-IPs, and the return traffic goes back through the F5. Other traffic (non-F5) goes directly to the servers and then back to the firewall.


Now our infosec wants to preserve the source IP for the traffic that goes via the F5. Do you know of any other solutions aside from using X-Forwarded-For or HSL logging?


Thanks, Ramil


3 Replies

  • Sorry, inserting X-Forwarded-For, using the BIG-IP for access logging via HSL or making the BIG-IP the default gateway for the servers and disabling SNAT are pretty much your options at hand. Are you looking to do this for a protocol other than HTTP/S where X-Forwarded-For isn't an option?

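For the non-HTTP virtual servers where X-Forwarded-For is not available, the HSL option above can be made useful to infosec by logging, per connection, the real client address next to the SNAT address and port the server will see. The iRule below is an added example, not from this thread or from F5; it assumes a TCP virtual server and a pool named syslog_pool (an assumed name) that points at the syslog collector.

```tcl
# Added example iRule (assumed pool name syslog_pool; TCP virtual server).
# Goal: let server-side (node) logs be correlated back to the real client
# even though SNAT automap rewrites the source to a BIG-IP self-IP.
when CLIENT_ACCEPTED {
    # Capture the real client address/port on the clientside flow.
    set client_src "[IP::client_addr]:[TCP::client_port]"
    # One HSL handle per connection, UDP syslog to the collector pool.
    set hsl [HSL::open -proto UDP -pool syslog_pool]
}

when SERVER_CONNECTED {
    # On the serverside flow, IP::local_addr / TCP::local_port are the
    # translated (SNAT) source the node sees in its own connection logs.
    # <134> is syslog facility local0, severity info.
    HSL::send $hsl "<134> bigip vs=[virtual name] client=$client_src snat=[IP::local_addr]:[TCP::local_port] server=[IP::server_addr]:[TCP::server_port]"
}
```

Joining the snat= tuple from these records with the source address/port in the node's logs yields the original client IP without disabling SNAT.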

  • Hi Henrik,


    Thank you for your response.


    Yes, for some reason our infosec wants to apply it to all VSs, including those that do not have an HTTP profile.


    I might end up having to change the default gateway, disable SNAT and do some tricks on the firewall, but I'm wondering if there is any other option I can go with, especially if they want to get the real source IPs of the clients from the node logs themselves.


    Ramil