For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Piotr_Lewandows's avatar
Piotr_Lewandows
Icon for Altostratus rankAltostratus
May 30, 2017

Strange issue with SNAT stats, pinging self IP and Allow None

Hi,   I am running out of ideas why BIG-IP behaves as in cases described below, either it's my lack of knowledge, expected behavior or bug.   Tested on v11.2.0HF7 Active-Passive cluster.   Ca...
devops
LTM
ping self ip
port lockdown
security
snat stats
Pedro_Haoa's avatar
Pedro_Haoa
Ret. Employee
Jun 01, 2017

Hi,

 

Remember that there are multiple types of listeners, so the order of precedence is as follow:

 

  • Connection table
  • Packet filters
  • Destination “listener” (i.e. Virtual Server)
  • IP : port
  • IP : * (all ports)
  • NW : port
  • NW : *
  • * : port
  • * : * (wildcard virtual server)
  • Source “listener” (SNATs not in VS)
  • Single IP
  • Network
  • All Addresses
  • NATs

So first BIG-IP system check if there's an entry in the connection table. By default PF don't affect existing connections, but they can be changed to filter existing connections. Next we have the destination listeners or VSs, and then our source listeners (SNATs). Within both destination and source listeners, they can be configured more or less specific. Finally we process NATs.

 

I hope this helps.

 

Pedro