Forum Discussion

Zdenda
Feb 10, 2015

sNAT with AFM

Hi, the LB is acting as the default GW of the servers and as the FW. We've been using iRules for firewalling and SNATing when needed. Now we want to start using AFM and I am not sure what the best approach is to do SNAT for outgoing rules?

I supposed SNAT could be applied directly in the AFM rule, but it looks like that is not possible. Is it a good approach to use an iRule doing SNAT and assign this iRule to the AFM rule which needs SNAT?

 

Sorry for silly questions, just do not have experience and want to use the best approach possible.

 

Thanks, Zdenek

 

3 Replies

  • Hi Zdenek,

     

    I would leave the SNAT configuration with the LTM part of the configuration for transparency reasons.

     

    Especially when applying a SNAT out of an iRule you need to make sure the related IP address is contained in the SNAT Translation List, configured as a floating self IP or used as virtual address for a virtual server. This is mandatory, as this address has to respond to ARP requests.

     

    Thanks, Stephan

     

  • Hmm, I thought I could easily specify the SNAT IP in the iRule and choose whatever IP I want. So are you saying that before I use any IP in the iRule for SNATing connections, I have to create some kind of failover object in a traffic group using this IP?

     

    I am just thinking, does it really need to respond to ARP requests since it will always be the source IP.. But anyway, I think it should respond to ARP as it is part of the LB network config. So thanks for the tip, I would have overlooked it.

     

    • StephanManthey
      Hi Zdenek, sooner or later you can expect the server to send a response and the address used via SNAT needs to be resolved via ARP. (I stumbled across this a while ago.) There is one workaround. None of your virtual IPs (including SNATs) need to belong to locally attached networks (not in range of configured self IPs). But in this case the floating self IPs need to be used as next hop by your peripheral components to reach this virtual address space. The BIG-IP will route the traffic internally to the virtual address. In this case only the self IPs will be ARPed. Thanks, Stephan
</replace>
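As an added illustration of the approach Stephan recommends (keeping the SNAT in the LTM configuration and making sure the translation address is an object that answers ARP), the iRule below is example code written for this thread, not code posted by Zdenek, Stephan or F5. The object names, the data group `dg_snat_servers` and the address 192.0.2.10 are assumed; the tmsh commands in the comments are the prerequisites the iRule relies on.

```tcl
# Added example (not from the original thread). SNAT is applied from an
# iRule, but through a SNAT pool rather than a bare IP literal, so the
# translation address exists as an "ltm snat-translation" object on the
# BIG-IP and is ARPed by LTM, which is the point Stephan raises above.
#
# Assumed prerequisites on the BIG-IP (tmsh); names/addresses are examples:
#   create ltm snatpool snatpool_outbound members add { 192.0.2.10 }
#   create ltm data-group internal dg_snat_servers type ip records add { 10.0.0.0/24 }
#   list ltm snat-translation 192.0.2.10   ;# check that "arp enabled" is set
#
# Attach the iRule to the wildcard forwarding virtual server that carries
# the servers' outbound traffic; the AFM policy stays on that same virtual
# and the iRule is not bound to an individual AFM rule.
when CLIENT_ACCEPTED {
    # Only translate sources listed in the data group; every other server
    # keeps its real address, so AFM logs still show the true origin.
    if { [class match [IP::client_addr] equals dg_snat_servers] } {
        # snatpool selects a member of the pool as the new source address.
        snatpool snatpool_outbound
        log local0. "SNAT via snatpool_outbound for [IP::client_addr] -> [IP::local_addr]"
    } else {
        # Explicitly leave this connection untranslated.
        snat none
    }
}
```

The reason for `snatpool` over `snat 192.0.2.10` is the ARP caveat from the replies: the pool member is created as a SNAT translation object, so the return traffic from the far side can resolve 192.0.2.10 on the attached network, and `list ltm snat-translation` gives a quick way to verify that `arp` is enabled before the rule goes into production.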