TFTP inspection on F5 LTM
Dear Team,
In our current setup we are using F5 LTM as an inline device in our network, and all requests going outside of the network get NATted to a single IP on the F5 (one of the virtual server IPs), and we have a forwarding virtual server configured to accept all requests.
But when a server behind the F5 tries to TFTP to a server on a different network, it fails. The flow of the traffic is:
TFTP Client (source IP X) ---> F5 device (after PAT, source IP changes X->Y) ---> Firewall ----> TFTP Server
Then the new request automatically generated by the TFTP server to the TFTP client with the NAT IP:
TFTP Server (destination IP Y with ephemeral port) ----> Firewall (allowed as inspection is enabled) ----> F5 device [drops the packet]
As the traffic is sent to the PAT IP (Y in this case), it is dropped because PAT (port address translation) is unidirectional.
So is there any method to inspect the TFTP traffic, so that the return traffic (which is initiated by the server) can be allowed?
1 Reply
- PeteWhite
Employee
Create a VS specifically for that traffic on UDP port 69 and assign the UDP profile. Assign a SNAT profile just for this traffic.
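The exchange described in the question, as an added example that is not part of the original thread and not F5 code: a small Python simulation of the TFTP request/reply flow (RFC 1350) run through a toy port address translator. TFTP's defining quirk for any NAT is that the client sends its RRQ to server port 69 but the server answers from a freshly chosen ephemeral port (its transfer ID), so a translation that insists the reply come back from port 69 drops it, while a mapping restricted only to the remote address lets the data and the client's subsequent ACK flow. The `Pat` class, the addresses and ports, and the file name are all constructed for the illustration; the class is a simplified model, not a description of how LTM's SNAT or UDP profile is implemented.

```python
"""TFTP through a port address translator: why the server's reply is dropped.

Added example (not F5 code).  All IPs, ports and the file name are made up.
"""
import struct

# TFTP opcodes, RFC 1350
OP_RRQ, OP_WRQ, OP_DATA, OP_ACK = 1, 2, 3, 4
TFTP_PORT = 69


def build_rrq(filename: str, mode: str = "octet") -> bytes:
    """Read request as the client sends it to server port 69."""
    return struct.pack("!H", OP_RRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"


def parse_request(pkt: bytes):
    """Return (opcode, filename, mode) for an RRQ/WRQ; raise on anything else."""
    (op,) = struct.unpack("!H", pkt[:2])
    if op not in (OP_RRQ, OP_WRQ):
        raise ValueError("not a TFTP request")
    fields = pkt[2:].split(b"\0")
    if len(fields) < 3:  # filename, mode, trailing empty piece
        raise ValueError("truncated request")
    return op, fields[0].decode(), fields[1].decode().lower()


def build_data(block: int, payload: bytes) -> bytes:
    """DATA packet the server sends from its new transfer-ID port."""
    return struct.pack("!HH", OP_DATA, block) + payload


class Pat:
    """Toy UDP port address translator (hypothetical, not an F5 model).

    strict=True  : a mapping only admits replies from the exact remote (ip, port)
                   the client sent to -- the unidirectional behaviour the
                   question describes.
    strict=False : a mapping admits replies from any port on the remote IP
                   (address-restricted), which is what TFTP needs because the
                   server answers from an ephemeral port.
    """

    def __init__(self, public_ip: str, strict: bool = True, first_port: int = 40000):
        self.public_ip = public_ip
        self.strict = strict
        self.next_port = first_port
        self.table = {}  # mapping key -> (private_ip, private_port)

    def _key(self, public_port, remote_ip, remote_port):
        if self.strict:
            return (public_port, remote_ip, remote_port)
        return (public_port, remote_ip)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate a packet leaving the private side; returns the new source."""
        for key, priv in self.table.items():
            same_peer = key[1] == dst_ip and (not self.strict or key[2] == dst_port)
            if priv == (src_ip, src_port) and same_peer:
                return self.public_ip, key[0]
        port = self.next_port
        self.next_port += 1
        self.table[self._key(port, dst_ip, dst_port)] = (src_ip, src_port)
        return self.public_ip, port

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate a packet arriving from outside; None means it is dropped."""
        if dst_ip != self.public_ip:
            return None
        return self.table.get(self._key(dst_port, src_ip, src_port))


def simulate(strict: bool) -> dict:
    """Run RRQ -> DATA -> ACK through the PAT and report what got through."""
    client, server = ("10.0.0.5", 50123), "192.0.2.10"   # X and the TFTP server
    pat = Pat("203.0.113.1", strict=strict)                # Y is the PAT address

    # 1. client X -> server:69; the PAT rewrites the source to Y:public_port
    rrq = build_rrq("boot.cfg")
    _, fname, mode = parse_request(rrq)
    y_ip, y_port = pat.outbound(*client, server, TFTP_PORT)

    # 2. server replies with DATA block 1 from a new ephemeral port (its TID)
    server_tid = 61044
    build_data(1, b"config payload")
    delivered_to = pat.inbound(server, server_tid, y_ip, y_port)

    result = {"filename": fname, "mode": mode, "public": (y_ip, y_port),
              "reply_delivered": delivered_to is not None}
    if delivered_to:
        # 3. client ACKs to the server's TID; the same mapping must carry it
        struct.pack("!HH", OP_ACK, 1)
        result["ack_public"] = pat.outbound(*delivered_to, server, server_tid)
    return result


if __name__ == "__main__":
    for strict in (True, False):
        print("strict" if strict else "address-restricted", simulate(strict))
```

Running it shows the strict table dropping the DATA packet exactly as in the question's second flow, and the address-restricted table delivering it to X and reusing the same public port for the client's ACK to the server's transfer ID. The security-relevant caveat is the reverse of the question's problem: any translation loose enough to admit TFTP replies admits inbound UDP from any port on that remote host for the life of the mapping, so it should be scoped to the TFTP traffic only, as the reply above does with a dedicated virtual server and its own SNAT, rather than applied to the catch-all forwarding virtual server.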
