Forum Discussion
KJ_50941
Nimbostratus
Jul 24, 2013
maintain Client IP address
So I know if you use SNAT Auto Map on VIP, application owner can't see actual client IP address. If this is MQ and we can't use X-Forwarded-For then how can we accomplish this? Previously we changed default gateway to F5 floater and removed SNAT Auto Map. I am wondering is there any other way to maintain client address?
What is the best practice if you need to see actual client address?
Thx
1 Reply
- Kevin_Stewart
Employee
Generally there are TWO ways to get the client's true IP address to the backend application: don't translate the address (SNAT), or send it via some other arbitrary mechanism. The first option requires routing configuration on the server side to guarantee egress traffic flow back through the BIG-IP. The second option is easy for protocols like HTTP where you can just inject a header, but potentially more complicated for other protocols based on what they support. There are examples, for instance, of injecting the client IP into unused TCP headers for Akamai-like solutions, and injecting the IP into an SMTP payload. If your protocol doesn't support such things, or you couldn't use it if it did, then your best solution may be to remove the SNAT.
You could also, potentially, just log the incoming requests and client IP via high speed logging (HSL). If you know enough about the protocol, you could even conceivably decode some of the payload (a SQL call for example) for more robust logging.
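The HSL logging option from the reply above, as an added example that is not part of the original post: an iRule that records the true client address next to the SNAT source address and port the server sees, so server-side connection logs can be matched back to the client. The pool name `hsl_syslog_pool` and the log line layout are assumptions.

```tcl
# Added example. Assumes a pool named hsl_syslog_pool (hypothetical) whose
# members are syslog receivers; the log line layout is also an assumption.
when CLIENT_ACCEPTED {
    # Open the HSL handle once per connection
    set hsl [HSL::open -proto UDP -pool hsl_syslog_pool]
    # Capture the client-side endpoint before the server-side flow exists
    set c_addr [IP::client_addr]
    set c_port [TCP::client_port]
}

when SERVER_CONNECTED {
    # In the server-side context, local_addr/local_port are the translated
    # (SNAT) source that the backend sees as its peer.
    set s_src "[IP::local_addr]:[TCP::local_port]"
    set s_dst "[IP::server_addr]:[TCP::server_port]"
    # <134> is syslog priority local0.info
    HSL::send $hsl "<134>vs=[virtual name] client=$c_addr:$c_port snat=$s_src server=$s_dst ts=[clock seconds]\n"
}
```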