UDP packet duplication and send them to 2 different pools

Question

Hello everyone,I have a VIP that is receiving all syslogs of a customer's firewalls. (more or less 350 devices)The customer needs to send the same an exact copy of each message to another pool.[SYSLOG MESSAGE]--[POOL 1]--[MEMBER 1 A]
        |                 |-[MEMBER 2 A]
        |                 '-[MEMBER 3 A]
        |
[CLONED MESSAGE]--[POOL 2]--[MEMBER 1 B]
                          '-[MEMBER 2 B]Do you have some suggestion to obtain this behaviour?Thanks in advance,Regards.EDIT 1I've tested HSL but it is starting each connection from TMM and it is not possible change the source IP address preserving the original IP.when CLIENT_ACCEPTED {
    set syslog_pool1 [HSL::open -proto UDP -pool pool_1]
    set syslog_pool2 [HSL::open -proto UDP -pool pool_2]
}
when CLIENT_DATA {
    HSL::send $syslog_pool1 [UDP::payload]
    HSL::send $syslog_pool2 [UDP::payload]
}

daniel_wolf · Answer

Hello,&nbsp;maybe clone pools might work for you. The idea is to use them for sending traffic to an IDS, but I think they could satisfy your requirement too.&nbsp;K13392: Configuring the BIG-IP system to send traffic to an intrusion detection system (11.x - 15.x)&nbsp;But honestly I don't have a lot a experience with clone pools, so this I sort a of a shot in the dark.&nbsp;KRDaniel

djzoidberg · Answer

Hello Daniel,thank you for answering.&nbsp;I think that, it is not the right way. Clone pools change the destination mac address and not the destination IP address. Other then that, I have also to balance the traffic on the second pool.

nikoolayy1 · Answer

I also think that clone pools that Daniel says is the option that should be tested. You can also check using iRules to do the same with clone pools command https://clouddocs.f5.com/api/irules/clone.html . You can also check this article for SPAN mirroring https://techdocs.f5.com/en-us/bigip-14-0-0/big-ip-system-passive-monitoring-14-0-0/configuring-the-big-ip-system-for-passive-monitoring.html .

webguy96 · Answer

These steps might help. I have not validated the client-ip replace logic but can tell you send raw [UDP::payload] works fine in our testing.

Be sure to match up whatever you decide to use for your Log Publisher name to the reference within the iRule.

1) Create a single pool containing all members that need the duplicated syslog data

Ex: syslog_pool

Members:

10.10.0.100:514

10.10.0.101:514

2) Create a new HSL Log Destination

a) Select your pool from step 1

b) Select 'UDP' for the protocol

c) Change distribution type from 'adaptive' to 'replicated'

3) Create a new HSL Log Publisher entitled 'syslog_publisher'

a) Select the HSL Log Destination from step 2

4) Create a new iRule that will handle the inbound traffic

when CLIENT_ACCEPTED {

set payloadLength [UDP::payload length]

set address [IP::client_addr]

set addressLength [ string length $address ]

set hsl [HSL::open -publisher /Common/syslog_publisher]

}

when CLIENT_DATA {

HSL::send $hsl "UDP::payload replace $payloadLength $addressLength $address"

}

5) Create a standard virtual server

a) Assign the appropriate IP and Service Port

b) Select UDP Protocol

c) Select UDP Profile

d) Assign the iRule from step 4

steve_michaels · Answer

Hi webguy96&nbsp;we are working with this iRule and we see the raw payload and syslog mesage payload correctly, We want the message format to be syslog format so we used a secondary log destination on the F5 to specify that format. When we do that we are not seeing the original client_Ip address in the mesage sent to our syslog server. Instead we see the F5 self_ip address as the host field. See below. We want to see the data in syslog format as spec in rfc 5424,Here is the iRule:when CLIENT_ACCEPTED {set payloadLength [UDP::payload length]set address [IP::client_addr]set addressLength [ string length $address ]set hsl [HSL::open -publisher /Common/syslog_publisherdup]set payloadraw [UDP::payload]}when CLIENT_DATA {HSL::send $hsl "$payloadraw $address"}&nbsp;And here is the what see on our syslog server:{&nbsp;&nbsp;"message": "&lt;5&gt;Nov 10 11:25:17 uid: test6514 10.1.1.1",&nbsp;&nbsp;"severity": 6,&nbsp;&nbsp;"facility": 16,&nbsp;&nbsp;"host": "f5management.jhuapl.edu",&nbsp;&nbsp;"appname": "tmm",&nbsp;&nbsp;"procid": "18524",&nbsp;&nbsp;"structuredData": "[F5@12276]",&nbsp;&nbsp;"severityName": "info",&nbsp;&nbsp;"facilityName": "local0",&nbsp;&nbsp;"_time": 1668097517.735,&nbsp;&nbsp;"_raw": "&lt;134&gt;1 2022-11-10T11:25:17.735353-05:00&nbsp;f5management.jhuapl.edu&nbsp;tmm 18524 - [F5@12276] &lt;5&gt;Nov 10 11:25:17 uid: test6514 10.1.1.1"}

Forum Discussion

UDP packet duplication and send them to 2 different pools

Recent Discussions

3rd party SFP

Custom Attack Signature for Accept Header

Upgrade to 'BIGIP-15.1.0.5-0.0.8 (Could not access configuration source; sda, 1)

how does gtm/dns monitor wild-ip pool members?

why the device certificate verify failed when the device certificate is not expired?

Related Content

Decrypting BIG-IP Packet Captures Automatically

F5 packet buffer

Copper SFP Differences

Packet Processing Order

L2 Deployment of vCMP guest with Ixia network packet broker

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS