For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Abed_AL-R's avatar
Abed_AL-R
Icon for Cirrostratus rankCirrostratus
Jan 23, 2019

Source NAT based on XFF header

Hello all I'm trying to implement irule that is doing source NAT based on XFF header received from our proxy server behind the f5 LTM . This irule should serve more than 50 subnets , each subnet ...
application delivery
iRules
LTM
Abed_AL-R's avatar
Abed_AL-R
Icon for Cirrostratus rankCirrostratus
Jan 23, 2019

I'm trying to configure this irule

when HTTP_REQUEST {

    if { [class match [HTTP::header values "X-Forwarded-For"] equals XFF_SourceNAT] } {
    log local0.alert "Matched XFF [HTTP::header values "X-Forwarded-For"] to group"
        set category [class match -value [HTTP::header values "X-Forwarded-For"] equals XFF_SourceNAT]
       log local0.alert "Setting category to $category"

 NAT traffic according to xforwarded-for header
            snatpool $category
    } else {
    log local0. "No X-Forwarded-For header found."
     either for websense updates or traffic is not hitting the xff datagroup
            if { [[IP::client_addr] equals 192.168.182.0/16] } 
    {
    pool FW-Pool
    } else {
    drop

    }
}
}

And in datagroup XFF_SourceNAT {address type) I configured:

172.28.0.0/16:= 2.2.2.2

But in the /var/log/ltm is see the follwoing error:

`Jan 23 21:22:49 slot2/f5 err tmm5[9013]: 01220001:3: TCL error: /partition1/SNAT-XFF-irule  - bad IP network address format (line 1)invalid IP match item  for IP class /ORT/XFF_SourceNAT (line 1)     invoked from within "class match [HTTP::header values "X-Forwarded-For"] equals XFF_SourceNAT"


What can be done to fix the issue?