For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Chris_Phillips's avatar
Chris_Phillips
Icon for Nimbostratus rankNimbostratus
Oct 03, 2006

voyeuristic pool monitoring

Hi all,     Unless i'm very much mistaken there is no way at all within the LTM's to make them snat their monitor traffic. As such whilst we can happily use a snatpool or such on a virtual serve...
application delivery
dev
devops
iRules
Deb_Allen_18's avatar
Deb_Allen_18
Historic F5 Account
Oct 04, 2006
Hi Chris -

 

 

I'll just chime in to answer your question as to why we don't have the ability to SNAT monitor traffic:

 

 

Monitor traffic is sourced from the non-floating self-IP for each unit in a redundant pair, since each unit will be performing its own independent health checks. (If a monitor instead used a floating address as a sourceIP, the standby box would never get a response, so all the nodes would be marked DOWN until after that unit became Active -- obviously not an ideal situation on failover for all nodes to be marked DOWN on the newly active unit.)

 

 

SNATs, on the other hand, are typically configured to use floating self-IPs (or SNAT-defined shared address) to maintain consistency on failover, so you would need to have a firewall rule allowing all 3 addresses to access the nodes.