Forum Discussion
Nik
May 02, 2014Cirrus
Logging outgoing SNAT List connections
I have a number of servers in snat lists and we're trying to figure out what servers are actually making connections. I haven't found anyplace to do this.. any ideas if it's possible?
nitass
Employee
what Stephan suggested is to use virtual server (e.g. wildcard ip forwarding virtual server) with snatpool instead of snat list. so, you can setup logging in irule and assign to the virtual server.
May 02, 2014
With the so called default SNATs I saw some changed behavior in the past and some strange side effects. That´s why I do not recommend them.
In some s/w versions they forwarded traffic without a having a virtual server involved (i.e. between different DMZ VLANs).
From my perspective this config item (default SNAT) is just a relict from early F5 s/w releases (4.x and below). With the introduction of TMOS v9 we´ve got pretty granular control by using SNATpools, SNAT AutoMap or SNAT via iRules.
Btw, have an eye on the timeout settings and monitor the connection table and memory consumption over a long time period. If it´s continuosly growing, the default "indefinite" timeout of a SNAT might be the reason.
Recent Discussions
Related Content
DevCentral Quicklinks
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com
Discover DevCentral Connects