Forum Discussion

yadvendra's avatar
yadvendra
Icon for Nimbostratus rankNimbostratus
Jun 23, 2026

Query on source IP preservation for syslog traffic through F5 virtual server

Hi All,

 

We have an F5 virtual server that load balances Syslog traffic (UDP/514) to multiple log collectors.

 

We are considering enabling SNAT Automap on the virtual server, but we still need the Splunk collectors to see the original source IP address of the devices sending the logs.

 

Since this is UDP Syslog traffic and not HTTP/HTTPS, X-Forwarded-For is not an option.

 

Has anyone implemented a solution where SNAT is enabled on F5 but the backend SIEM servers can still identify the actual client IP? Any suggestions or best practices would be appreciated.

 

Thanks.

3 Replies

  • Hii

    how r u? 
    In simple word, you can´t. 

    If you used SNAT, the F5 device replace the with self-ip or SNAT address configurated.

    But, why razon you need used SNAT? Asymmetric traffic in your network? I need more context of your problem.

    I'll be waiting to help with the solution.

     

     

    • yadvendra's avatar
      yadvendra
      Icon for Nimbostratus rankNimbostratus

      Hello Jose, Thanks for your reply..

      We are considering enabling SNAT Automap because, with SNAT disabled, ACI is seeing the same source IP from multiple locations and marking some endpoints as rogue. Original interface where the sender is present and again the interface where F5 is connected 

  • Hi yadvendra,

    Setting the SNAT option to “none” may be helpful. Since UDP syslog is unidirectional, logs can usually reach the SIEM without SNAT, provided that the SIEM does not send a response.

    Another option: If the devices sending logs include their own IP addresses in the log by adding them as the “source” parameter, this parameter can be evaluated during the parsing process on the SIEM side.