Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

Forum Discussion

Piotr_Lewandows's avatar
Piotr_Lewandows
Icon for Altostratus rankAltostratus
8 years ago

Strange issue with SNAT stats, pinging self IP and Allow None

Hi,   I am running out of ideas why BIG-IP behaves as in cases described below, either it's my lack of knowledge, expected behavior or bug.   Tested on v11.2.0HF7 Active-Passive cluster.   Ca...
devops
LTM
ping self ip
port lockdown
security
snat stats
Pedro_Haoa's avatar
Pedro_Haoa
Ret. Employee
8 years ago

Hi,

 

Remember that there are multiple types of listeners, so the order of precedence is as follow:

 

  • Connection table
  • Packet filters
  • Destination “listener” (i.e. Virtual Server)
  • IP : port
  • IP : * (all ports)
  • NW : port
  • NW : *
  • * : port
  • * : * (wildcard virtual server)
  • Source “listener” (SNATs not in VS)
  • Single IP
  • Network
  • All Addresses
  • NATs

So first BIG-IP system check if there's an entry in the connection table. By default PF don't affect existing connections, but they can be changed to filter existing connections. Next we have the destination listeners or VSs, and then our source listeners (SNATs). Within both destination and source listeners, they can be configured more or less specific. Finally we process NATs.

 

I hope this helps.

 

Pedro