Forum Discussion
SNAT IP address logging
- Jun 14, 2023
Hi JohnnyG,
Pretty iRule first,
Why do you add "clientside" in this line of code:
set clientip "[IP::local_addr clientside]:[TCP::local_port clientside]"
The SNAT IP is not on the client side but on the server side,
so remove it and check again.
I think it should be like this now:
when CLIENT_ACCEPTED {
    # Set logging variables
    set vip [IP::local_addr]:[TCP::local_port]
    set reqTime [clock format [clock seconds] -format {%Y/%m/%d %H:%M:%S}]
    set hslHandle [HSL::open -publisher /Common/SNATLog_Publisher]
    # Do the SNAT stuff
    if { [class match [getfield [IP::client_addr] "%" 1] equals internal_nets] } {
        snatpool snat_pool_internal
    } else {
        snatpool snat_pool_external
    }
}
when SERVER_CONNECTED {
    # Get client and server IPs and ports
    set client "[clientside {IP::remote_addr}]:[clientside {TCP::remote_port}]"
    set clientip "[IP::local_addr]:[TCP::local_port]"
    set node "[IP::remote_addr]:[TCP::remote_port]"
}
when CLIENT_CLOSED {
    # Log connection info
    HSL::send $hslHandle "$reqTime: Client $client -> SNAT: $clientip -> VIP: $vip -> Node: $node"
}
According to this article:
https://clouddocs.f5.com/api/irules/TCP__local_port.html
I hope this helps you 🙂
Hi Mohamed,
Thanks for looking at this for me - not sure why the clientside was added, but removing makes it the same as the value that is being used for the Virtual Server address:
set vip [IP::local_addr]:[TCP::local_port]
set clientip "[IP::local_addr]:[TCP::local_port]"
Would that also not duplicate the incorrect IP address in the generated logs?
Hi JohnnyG,
No, because it depends on which event has been triggered.
set vip [IP::local_addr]:[TCP::local_port]
This will be saved in the variable $vip on the client side.
But this:
set clientip "[IP::local_addr]:[TCP::local_port]"
will be saved in the variable $clientip when the server-side connection is being established,
so the two values are different.
Have a look at this article: https://clouddocs.f5.com/api/irules/TCP__local_port.html
It proves what I say.
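
An added example, not part of the original thread: a Python check over log lines in the format the iRule's HSL::send produces, flagging records where the SNAT field repeats the VIP address, which is the symptom of reading the local address in the clientside context. The sample lines, addresses and function names are constructed for illustration.

```python
import re

# Line format from the iRule's HSL::send:
# "$reqTime: Client $client -> SNAT: $clientip -> VIP: $vip -> Node: $node"
LINE_RE = re.compile(
    r"^(?P<time>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}): "
    r"Client (?P<client>\S+:\d+) -> SNAT: (?P<snat>\S+:\d+) "
    r"-> VIP: (?P<vip>\S+:\d+) -> Node: (?P<node>\S+:\d+)$"
)

# Constructed sample lines (documentation address ranges), not real logs.
SAMPLE_LOG = [
    "2023/06/14 10:15:01: Client 198.51.100.23:51544 -> SNAT: 10.20.0.5:40112 -> VIP: 203.0.113.10:443 -> Node: 10.20.1.15:8443",
    "2023/06/14 10:15:02: Client 198.51.100.24:51600 -> SNAT: 203.0.113.10:443 -> VIP: 203.0.113.10:443 -> Node: 10.20.1.15:8443",
    "2023/06/14 10:15:03: Client 192.0.2.7%2:40000 -> SNAT: 10.20.0.6%2:41000 -> VIP: 203.0.113.10%2:443 -> Node: 10.20.1.16%2:8443",
    "2023/06/14 10:15:04: Client 192.0.2.9:40001 -> SNAT: ",  # truncated record
]

def split_endpoint(endpoint):
    """Split 'addr:port' into (addr, port), dropping a %route-domain suffix."""
    addr, _, port = endpoint.rpartition(":")
    return addr.split("%", 1)[0], int(port)

def check_line(line):
    """Return (record, problems); record is None when the line does not parse."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None, ["unparsable"]
    rec = {k: split_endpoint(m.group(k)) for k in ("client", "snat", "vip", "node")}
    rec["time"] = m.group("time")
    problems = []
    if rec["snat"] == rec["vip"]:
        # The logged "SNAT" is really the virtual server's address and port.
        problems.append("snat-equals-vip")
    return rec, problems

def audit(lines):
    """Return [(line_number, problems)] for every line that has a problem."""
    findings = []
    for number, line in enumerate(lines, start=1):
        _, problems = check_line(line)
        if problems:
            findings.append((number, problems))
    return findings

if __name__ == "__main__":
    for number, problems in audit(SAMPLE_LOG):
        print(f"line {number}: {', '.join(problems)}")
```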