Hello,I am setting up logging to log access to the Virtual servers as we use SNAT addressing to access all internal resources. It has come about as part of our Security requirements to log all access so that it can be fully traced back to the client that initiated the connection, as the servers they are connecting to will show the SNAT address that was assigned to the client accessing it at the time. I have created the below iRule which assigns a snatpool to the client then sends the logs to a syslog server, but I am unable to get the SNAT address that is assigned to the client included in the logs when CLIENT_ACCEPTED { # Set logging variables set vip [IP::local_addr]:[TCP::local_port] set reqTime [clock format [clock seconds] -format {%Y/%m/%d %H:%M:%S}] set hslHandle [HSL::open -publisher /Common/SNATLog_Publisher] # Do the SNAT stuff if { [class match [getfield [IP::client_addr] "%" 1] equals internal_nets] } { snatpool snat_pool_internal } else { snatpool snat_pool_external } } when SERVER_CONNECTED { #Get client and server IPs and Ports set client "[clientside {IP::remote_addr}]:[clientside {TCP::remote_port}]" set clientip "[IP::local_addr clientside]:[TCP::local_port clientside]" set node "[IP::remote_addr]:[TCP::remote_port]" } when CLIENT_CLOSED { # log connection info HSL::send $hslHandle "$reqTime: Client $client -> SNAT: $clientip -> VIP: $vip -> Node: $node" } For example - the client has a LAN address of 192.168.0.50 and has been assigned the SNAT address of 10.0.0.50. It is accessing a server which has a Virtual IP address of 10.10.10.1 and connects to a pool member on 192.168.168.52. This will generate the logs of:tmm[23710]: 2023/06/14 08:50:05: Client 192.168.0.50:52293 -> SNAT: 10.10.10.1:443 -> VIP: 10.10.10.1:443 -> Node: 192.168.168.52It appears that the SNAT address is showing as the VIP address - how do i get it to include the SNAT ip address assigned as part of the snatpool snat_pool_internal ?

Hi JohnnyG , Pretty irule first, Why do you add "Clientside" in this Line Code : set clientip "[IP::local_addr clientside]:[TCP::local_port clientside]" SNAT IP not in the Client side but server side , So Remove it and check again I think it should be like this now : when CLIENT_ACCEPTED { # Set logging variables set vip [IP::local_addr]:[TCP::local_port] set reqTime [clock format [clock seconds] -format {%Y/%m/%d %H:%M:%S}] set hslHandle [HSL::open -publisher /Common/SNATLog_Publisher] # Do the SNAT stuff if { [class match [getfield [IP::client_addr] "%" 1] equals internal_nets] } { snatpool snat_pool_internal } else { snatpool snat_pool_external } } when SERVER_CONNECTED { #Get client and server IPs and Ports set client "[clientside {IP::remote_addr}]:[clientside {TCP::remote_port}]" set clientip "[IP::local_addr]:[TCP::local_port]" set node "[IP::remote_addr]:[TCP::remote_port]" } when CLIENT_CLOSED { # log connection info HSL::send $hslHandle "$reqTime: Client $client -> SNAT: $clientip -> VIP: $vip -> Node: $node" } According to this Article : https://clouddocs.f5.com/api/irules/TCP__local_port.htmlI hope this helps you 🙂

Forum Discussion

SSO Login Update Coming to DevCentral

Kevin - June 2026 Featured F5er

Tyler - May 2026 Featured Member

Recent Discussions

Related Content

Logging/Blocking possible prompt injection

Forwarding Logs to SIEM Tools via HTTP Proxy for F5 Distributed Cloud Global Log Receiver

Persisting SNAT Addresses in Link Controller Deployments

Block IP Addresses With Data Group And Log Requests On ASM Event Log

F5 Distributed Cloud - Traffic Steering based on Client IP Address