SSL Termination and SNAT

Question

Hi.&nbsp;
It is possible to have a VS with an SSL profile and SNAT disabled?
This is so the client IP will appear as the source address on the web server as opposed to the f5's floating IP.&nbsp;
Ultimately I'd like to place an IPS between the f5 and the web servers to inspect decrypted HTTP traffic.&nbsp;
Without SNAT disabled, the IPS will potentially block all f5 traffic to the web servers as it sees the source IP as the f5's floating IP.
Unfortunately the IPS can't apply a action (block or allow) using the X-Forwarded-For header as the source IP.&nbsp;
Thanks.&nbsp;

hannes_rapp · Answer

1) "It is possible to have a VS with an SSL profile and SNAT disabled? &nbsp;
Yep. You do not have to offload SSL in F5 to apply IP-address translations. Also you can have SSL offload enabled while SNAT is disabled, you will just have to make sure you will not run into asymetric routing issues by doing that.
2) "Without SNAT disabled, the IPS will potentially block all f5 traffic to the web servers as it sees the source IP as the f5's floating IP."&nbsp;
Is this an assumption, or have you tested it? All modern WAF/IPS/IDS systems are expected to work regardless of the source IP address of an incoming request. If your requests are getting blocked in "IPS Device" after you apply SNAT, it' because of an IP-based whitelist or poorly managed IPS profile.

Forum Discussion

SSL Termination and SNAT

1 Reply

F5 Academy at AppWorld 2026

Introducing the F5 AI Assistant for BIG-IP

Recent Discussions

How can I get started with iCall

Connection Rest f5

Kubernetes cert-manager + LetsEncrypt + F5

The GSLB pool is providing an incorrect IP to end users

Unable to ping from some self ip on Velos

Related Content

SSL Termination

SSL Orchestrator Advanced Use Cases: Outbound SNAT Persistence

FTPS_SSL_ Termination

SSL Orchestrator Service Extensions: DoH Guardian

SNAT pool persistence

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS