Forum Discussion
Replacing Stealthwatch Flow Replicator with LTM
Currently we have a Stealthwatch UDP Flow Replicator in our environment that we use to collect Netflow and Syslog UDP datagrams and send them to various collection points. In the case of Syslog, we collect over ports 514 and 516 and perform port translation to another port (i.e. 10524) where an instance of RSYSLOG organizes data according to what port it is collected over.
My question is how can we replace the Flow Replicator with an LTM? I figure this will involve iRules, but since I'm relatively green to how to set this up, I felt I should reach out.
I will attempt to illustrate our network setup and the flow of our data that we wish to achieve.
4 Replies
- Brian_25776
Nimbostratus
Adding this because I was unable to post to the OP.
I believe a clone pool could be an alternative here providing that you don't want all servers to receive the message.
/Patrik
- Brian_25776
Nimbostratus
Will the LTM be able to receive UDP traffic over port 514 and translate the port to 10514 while preserving the originating IP address? I imagine that an iRule will be required for this process.
Hi Brian
As long as you have port translation enabled on the virtual server (enabled by default) and don't use a SNAT, it should work fine.
/Patrik
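
The setup described in the reply above, written out as tmsh commands: a UDP virtual server on port 514, a pool member on port 10514, port translation on and no SNAT so the collector still sees the sender's address. This is an added example, not part of the original thread; the object names and the 192.0.2.x / 198.51.100.x addresses are placeholders.

```tmsh
# Assumed placeholders: pool/virtual names, collector 192.0.2.10, listener 198.51.100.5.

# Pool whose member listens on the translated port (10514) used by RSYSLOG.
create ltm pool syslog_10514_pool members add { 192.0.2.10:10514 } monitor gateway_icmp

# UDP virtual server that receives syslog on 514.
# translate-port enabled rewrites the destination port 514 -> 10514 (the member's port).
# source-address-translation type none means no SNAT, so the source IP is preserved.
create ltm virtual vs_syslog_udp_514 destination 198.51.100.5:514 ip-protocol udp profiles add { udp } pool syslog_10514_pool translate-port enabled source-address-translation { type none }

# Confirm the two settings the reply depends on.
list ltm virtual vs_syslog_udp_514 translate-port source-address-translation
```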