Forum Discussion

JohnnyG's avatar
JohnnyG
Icon for Nimbostratus rankNimbostratus
Jun 14, 2023

SNAT IP address logging

Hello, I am setting up logging to log access to the Virtual servers as we use SNAT addressing to access all internal resources.  It has come about as part of our Security requirements to log all acc...
application delivery
  • Mohamed_Ahmed_Kansoh's avatar
    Mohamed_Ahmed_Kansoh
    Jun 14, 2023

    Hi JohnnyG , 
    Pretty irule first, 

    Why do you add "Clientside" 
    in this Line Code : 

        set clientip "[IP::local_addr clientside]:[TCP::local_port clientside]"

    SNAT IP not in the Client side but server side , 
    So Remove it and check again 
    I think it should be like this now : 

    when CLIENT_ACCEPTED {
    # Set logging variables
    set vip [IP::local_addr]:[TCP::local_port]
    set reqTime [clock format [clock seconds] -format {%Y/%m/%d %H:%M:%S}]
    set hslHandle [HSL::open -publisher /Common/SNATLog_Publisher]
    # Do the SNAT stuff 
    if { [class match [getfield [IP::client_addr] "%" 1] equals internal_nets] } {
        snatpool snat_pool_internal
}
    else {
        snatpool snat_pool_external
}
}

when SERVER_CONNECTED {
    #Get client and server IPs and Ports
    set client "[clientside {IP::remote_addr}]:[clientside {TCP::remote_port}]"
    set clientip "[IP::local_addr]:[TCP::local_port]"
    set node "[IP::remote_addr]:[TCP::remote_port]"
}

when CLIENT_CLOSED {
    # log connection info
    HSL::send $hslHandle "$reqTime: Client $client -> SNAT: $clientip -> VIP: $vip -> Node: $node"
}

    According to this Article : 
    https://clouddocs.f5.com/api/irules/TCP__local_port.html

    I hope this helps you 🙂 
     

whisperer's avatar
whisperer
Icon for MVP rankMVP

Mohamed_Ahmed_Kansohhas treated you well here, but will want to point out one more thing. It is possible that the VIP and SNAT will actually be the same. Usually one would use SNAT automap but then it becomes difficult to 'marry' a connection for troubleshooting purposes and of course automap has a 64k limit across all Virtual Server usage. So, the convention is to use Snatpools, but generally one uses the VIP in the pool. This way, the same IP address is seen as "server" on clientside and "client" on serverside. This may actually not be an issue... what IP addresss are in both of the Snatpools? Have you tested this with a client matching internal nets AND a client not matching internal nets? Do you see a different SNAT IP at that time in the logs?

Mohamed_Ahmed_Kansoh's avatar
Mohamed_Ahmed_Kansoh
Icon for MVP rankMVP
Jun 14, 2023

Hi whisperer , 
Thanks , I havn't tested it , but it should work because he uses two different events and 2 variables... 
SO VIP will give him local IP on Bigip in the client side , and SNAT will give him the local IP on server side. 

My understanding about Local IP : is something belongs to bigip may be ( SNAT Floating , Self , SNAT pool , Or Listner Virtual server ) but the Local IP will differ depending upon the triggered event on server side or client side. 

Maybe as you said this little bit tricky , but I have sent to him another iRule with only one event he can use it and will give him same result.

Did I understand you well ?