For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

uni's avatar
uni
Icon for Altocumulus rankAltocumulus
Apr 11, 2012

Persistent SNAT address based on session cookie

I have a client whose application is sensitive to the client IP address changing within a session. In their environment, there is some selective SNATting (internal clients are SNATted, public IPs ar...
config
design
uni's avatar
uni
Icon for Altocumulus rankAltocumulus
Apr 12, 2012
Thanks Hoolio. I decided to go with the cookie insert method. It means my rule remains independent of the application and avoids the session table updates. It also remains independent of the actual snatpool, unlike the hashing method.

 

 

This is the code I ended up with:

 

 

rule snat-cookie-persistence-rule {
timing on
   when RULE_INIT {
      set static::stgcookie "STGSESSION"
      set static::aes_key "AES 128 0123456789abcdef0123456789abcdef"
   }
   
   when HTTP_REQUEST {
      set cookieexists [HTTP::cookie exists $static::stgcookie] 
      if { $cookieexists } {
         if {not ([catch {AES::decrypt $static::aes_key [b64decode [HTTP::cookie value $static::stgcookie]]} snatip])}{
           log local0. "setting snat address $snatip"
            snat $snatip
         }
      }
   }
   
   when HTTP_RESPONSE {
      if { not $cookieexists } {
         if { [serverside {IP::local_addr}] ne [clientside {IP::remote_addr}] } {
           log local0. "inserting cookie value [serverside {IP::local_addr}]"
            HTTP::cookie insert name $static::stgcookie value [b64encode [AES::encrypt $static::aes_key [serverside {IP::local_addr}]]]
         }
      }
   }
}