Forum Discussion

nurairtt91
Aug 18, 2025
Solved

Syslog virtual server

Configured a virtual server in F5 for syslog. We disabled SNAT as we need to see the original source IP in the syslog collector. F5 is forwarding the traffic without changing the source IP, as expected, to the collector. However, this traffic is dropped by the firewall as the RPF check fails. Disabling RPF in the firewall is not an option, as it is a security risk.

Is there a way F5 can include the original source IP? Can an iRule help here? Or do we have any other solution for this?

 

  • Hello nurairtt91

    To resolve your RPF issue, you'll need to enable SNAT on the F5 virtual server while preserving the original source IP within the syslog payload itself.
    This requires your syslog collector to be capable of extracting the source IP from the message content rather than relying on packet headers.


    The optimal solution would be configuring your devices to include their own IP addresses directly in the log messages.
    However, if this isn't feasible, you can implement payload manipulation on the F5 using an iRule to inject the original source IP into each syslog message before forwarding to the collector.

    You can try this iRule:

    when CLIENT_ACCEPTED {
        # Remember the real client address and start collecting client data;
        # CLIENT_DATA only fires once TCP::collect has been called here.
        set original_source [IP::client_addr]
        TCP::collect
    }

    when CLIENT_DATA {
        # The client-to-collector direction carries the syslog messages, so the
        # tag is inserted here (SERVER_DATA would alter the collector's replies).
        # Note: the tag is added once per collected TCP chunk, not per message.
        set syslog_data [TCP::payload]
        set modified_data "OriginalIP:$original_source $syslog_data"
        TCP::payload replace 0 [TCP::payload length] $modified_data
        TCP::release
        # Collect again so every later chunk on this connection is tagged too.
        TCP::collect
    }
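
    Collector-side parsing of the tagged stream this approach produces, as an added example that is not from the original thread or from any F5 product: it assumes syslog over TCP with newline-delimited messages and the `OriginalIP:<addr> ` token exactly as the iRule above emits it, once per TCP chunk.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Token the accepted answer's iRule prepends to each collected TCP chunk.
PREFIX_RE = re.compile(rb"^OriginalIP:(\S+) ")

class SyslogConnection:
    """Collector-side state for one TCP connection arriving via the F5.

    The iRule tags each TCP chunk, not each syslog message, so one tag can
    cover several newline-delimited messages and can land mid-message when
    a chunk boundary splits one. feed() strips the tag from the start of
    every chunk, validates it as an IP literal and reassembles messages.
    """

    def __init__(self) -> None:
        self.source_ip: Optional[str] = None
        self._buf = b""

    def feed(self, chunk: bytes) -> List[Tuple[str, str]]:
        """Return (original_ip, message) pairs completed by this chunk."""
        m = PREFIX_RE.match(chunk)
        if m:
            try:
                ip = str(ipaddress.ip_address(m.group(1).decode("ascii")))
            except (ValueError, UnicodeDecodeError):
                ip = None  # malformed tag: leave the bytes in the message
            if ip is not None:
                chunk = chunk[m.end():]
                if self.source_ip is None:  # one client per TCP connection
                    self.source_ip = ip
        self._buf += chunk
        out = []
        while b"\n" in self._buf:
            line, self._buf = self._buf.split(b"\n", 1)
            line = line.rstrip(b"\r")
            if line:
                out.append((self.source_ip or "unknown",
                            line.decode("utf-8", errors="replace")))
        return out

# Constructed sample: the second chunk's tag lands inside a split message.
SAMPLE_CHUNKS = [
    b"OriginalIP:10.0.0.5 <34>Aug 18 10:00:00 fw1 kernel: link up\n<34>Aug 18 10:00:01 fw1 kernel: RP",
    b"OriginalIP:10.0.0.5 F check failed\n"]

def parse_stream(chunks: List[bytes]) -> List[Tuple[str, str]]:
    conn = SyslogConnection()
    return [msg for chunk in chunks for msg in conn.feed(chunk)]
```

    Because the tag is validated as an IP literal and learned once per connection, a device that writes its own "OriginalIP:" text into a log line cannot override the address the F5 inserted.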

     

6 Replies


  • Hi, one of the options is X-Forwarded-For, but it will mainly work for layer 7 traffic with an HTTP profile (if you enable SNAT).

      • Aswin_mk

        Yes, but will the iRule be able to add the source IPs in any TCP/UDP traffic (the communications when SNAT is enabled for any of the TCP or UDP traffic)? Did you try this in layer 4 traffic?