Forum Discussion
SFTP setup for capturing client IPs
We have load balanced our SFTP servers in BIG-IP LTM v10 by enabling the below settings in virtual server:
Performance (layer 4) FastL4 profile SNAT: Automap
Since we want to rely on our existing Gateway, we have enabled the "Automap" feature for SNAT. Though the SFTP setup works fine, we are not able to see the client IPs, and only the LB self-IP appears on the backend Linux servers.
I understand that setting the LB as the default gateway and removing Automap will help to capture the client IP. However, I would like to know if there are any other ways we can capture the original IP without disturbing the setup. There is no option for X-Forwarded-For in a performance layer 4 virtual server.
Any help on this would be highly appreciated. Thanks in advance.
2 Replies
New to the F5 world, but I believe you could implement an iRule to log the client connection:

```tcl
# Log the original client address when the client-side connection is accepted
when CLIENT_ACCEPTED {
    log local0. "SFTP connection from [IP::client_addr]"
}
```

If you're having your BIG-IP syslogging, this will show up in the syslogs, just not in your SFTP logs.
- Sam_Richman_263 (Historic F5 Account)
X-Forwarded-For is an HTTP header, so it has no meaning in the context of other protocols, regardless of virtual server type.
Without using the BIG-IP as the SFTP servers' default gateway, or using policy based routing to send the application servers' response traffic back to the BIG-IP, there is unfortunately no other way to have the original client IP available to the network layer once SNAT has occurred.
The logging option is a good suggestion, though I would advise using High Speed Logging (HSL) to a remote logging destination if you expect a high connection count. Have a look at the following article to get you started on HSL:
https://devcentral.f5.com/articles/-the101-irules-101-logging-amp-comments.Uh0DlmQ6Xs8
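
An iRule combining the two replies above, as an added example that is not part of the original posts: it sends one HSL record per connection and goes a step further than the thread by also recording the SNAT address and source port, so a backend SFTP log entry can be traced back to the real client. Assumptions: the pool name `syslog_hsl_pool` and the `sftp_snat_map` message format are hypothetical, and the running BIG-IP version supports the `HSL::` commands.

```tcl
# Added example, not from the thread.
# Assumption: syslog_hsl_pool (hypothetical name) holds the remote syslog receivers.
when CLIENT_ACCEPTED {
    # One HSL handle per connection, sent over UDP to the logging pool.
    set hsl [HSL::open -proto UDP -pool syslog_hsl_pool]
}

when SERVER_CONNECTED {
    # Original client endpoint, still available after SNAT on the BIG-IP.
    set client "[IP::client_addr]:[TCP::client_port]"
    # Server-side context: local address/port are the self-IP and source
    # port chosen by SNAT Automap, i.e. what the SFTP server sees and logs.
    set snat "[IP::local_addr]:[TCP::local_port]"
    set server "[IP::server_addr]:[TCP::server_port]"
    # <134> is the syslog priority for local0.info (16 * 8 + 6).
    HSL::send $hsl "<134> sftp_snat_map client=$client snat=$snat server=$server"
}
```

On the Linux servers, sshd records the source as the self-IP plus a port; matching that port and timestamp against the `snat=` field of these records gives the original client address for a session.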
