For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

John_Chen_43562's avatar
John_Chen_43562
Icon for Nimbostratus rankNimbostratus
Aug 07, 2015

outbound traffic for specific url by using specific IP

The gateway of all my pool members is F5. I have SNAT and VS for outbound traffic. Therefore the outside world see the IP1 - which is set on my SNAT for my outbound traffic. I want the pool member go...
application delivery
availability
design
devops
iRules
LTM
VernonWells's avatar
VernonWells
Icon for Employee rankEmployee
Aug 08, 2015

If you have a wildcard forwarding Virtual Server (that is, listening on 0.0.0.0:0), you may also create a wildcard port 80 VS (that is, listening on 0.0.0.0:80), the add the http profile and the following iRule:

when HTTP_REQUEST {
    if { [string tolower [HTTP::host]] equals "www.yahoo.com" } {
        snat 5.6.7.8
    }
}

Change 5.6.7.8 to the appropriate IP (or use a SNAT pool and the snatpool command. Assign your default SNAT (either AutoMap or the appropriate SNAT pool) from your wildcard forwarding VS to the new port 80 VS. That way, SNAT IP1 will be used for all traffic except that bound for www.yahoo.com. Make sure that both Virtual Servers are bound to only the VLAN from which your pool member traffic originates.

If you want to intercept SSL traffic, that is much trickier, because you would need to stand up an SSL forward proxy and the pool members would need to be provided a trusted internal signing certificate which signs for www.yahoo.com. It absolutely can be done, but is, as Mohamed says, not simple.

Mohamed_Lrhazi's avatar
Mohamed_Lrhazi
Icon for Altocumulus rankAltocumulus
Aug 08, 2015
That virtual would SNAT to some IP, and then send traffic where?