For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

VernonWells's avatar
VernonWells
Icon for Employee rankEmployee
Jul 29, 2015

I would recommend using 

tcpdump
to look at the traffic flow:

and check /var/log/ltm to ensure that there are no errors. Since you have the http profile applied, the flow should look like this in a tcpdump:

 CLIENT                     BIG-IP                  SERVER
         --- SYN      --->    |
         <-- SYN/ACK  ---     |
         --- ACK      --->    |
         ---  --->    |
                              +  --- SYN      --->
                              + <--- SYN/ACK  ---
                              +  --- ACK      --->
                              +  ---  --->

where REQHDR are the request headers. On the second half (between the BIG-IP and the SERVER), the source address will be the SNAT source address (172.16.254.50).

Having said all of that, the SNAT source address on the BIG-IP (172.16.254.50) must be able to reach the public addresses (since it's an RFC 1918 address, I assume it is subject to further address translation somewhere else?) and there must be a route back to that address.

Vishal_Bhugra_1's avatar
Vishal_Bhugra_1
Icon for Nimbostratus rankNimbostratus
Jul 30, 2015
I did the packet capture, but I do see the HTTP header, But I am not sure how can How can I capture the server side. I have only one vlan and a default route. The SNAT SOURCE 172.16.254.50 is behind the Firewall, where it is getting NAT. Will it work ?