Forum Discussion
Wildcard in SNAT
Hi whisperer,
I have two issues
1. IP intelligence/reputation feeds: as you mentioned, that can be done manually as well, and I am doing it that way now.
2. I want to configure an MS Teams webhook, and I was told to allow *.office.com. This is where I am facing the challenge.
The FW1 sitting inline (LTM->FW1->Internet) doesn't support wildcards. Hence I am thinking of these two approaches. I will be glad to find an easier alternative 😊
LTM(src-1.1.1.1) -To- *.f5.com [Takes 0.0.0.0/0] --> SNAT(1.1.1.1->2.2.2.2) -To- *.f5.com [Takes 0.0.0.0/0] --> FW1[Allow all https for source 2.2.2.2] [Takes 0.0.0.0/0] --> Internet OR
LTM(src-1.1.1.1) -To- *.f5.com [Takes 0.0.0.0/0] --> SNAT(1.1.1.1->2.2.2.2) -To- *.f5.com [Takes 0.0.0.0/0] --> FW1[PBR to FW2 that supports * for source 2.2.2.2] [Takes 0.0.0.0/0] --> Internet OR
Normally, I would say just trust the F5 self IPs out to the Internet with a dedicated firewall rule. Don't do any URL whitelisting. BUT, if you don't use SNAT pools and use auto SNAT, that type of firewall policy would not be restrictive enough for potentially VIP-related traffic -- for example, load balancing proxy servers.
The issue is really how to differentiate F5 generated traffic from other traffic also hiding behind the SNAT IP address. If you can't, then perhaps a) whitelist multiple destinations, b) consider a more capable firewall, c) utilize automation like Ansible Tower to automate the update tasks.
While there may be a solution for what you are trying to accomplish, I can't think of an "elegant one". I have seen in the past companies use a dedicated network for management traffic, where you could use static management routes for traffic to egress the MGMT interface, and then have a dedicated switch/firewall for controlling that traffic.
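The SNAT-pool separation the reply above is getting at, as an added tmsh example that is not part of the original thread. The object names (vip_egress_snat, proxy_vs) and the addresses are assumptions for illustration: the BIG-IP's own outbound connections (the Teams webhook call) leave from self IP 1.1.1.1, and load-balanced VIP traffic is moved onto a separate SNAT pool address 2.2.2.2, so the upstream firewall can tell the two apart by source address instead of by FQDN.

```tmsh
# Added illustration, not from the thread.  Assumed addressing: self IP 1.1.1.1
# carries only BIG-IP-originated traffic; VIP traffic is translated to 2.2.2.2.

# 1. A SNAT pool for load-balanced (VIP) traffic.  With automap, VIP traffic
#    would share the self IP with the BIG-IP's own outbound connections, which
#    is exactly what makes a source-IP firewall rule too permissive.
create ltm snatpool vip_egress_snat members add { 2.2.2.2 }

# 2. Attach it to the virtual server that proxies client traffic toward the
#    Internet (assumed name "proxy_vs").  Repeat for any other VIP that must
#    not hide behind the self IP.
modify ltm virtual proxy_vs source-address-translation { type snat pool vip_egress_snat }

# 3. Verify which translation each object will use before relying on it.
list ltm virtual proxy_vs source-address-translation
list ltm snatpool vip_egress_snat

# Firewall side (plain description, not F5 syntax): only BIG-IP-originated
# connections now arrive from 1.1.1.1, so one rule "allow tcp/443 from 1.1.1.1
# to any" covers *.office.com without wildcard FQDN support, while 2.2.2.2
# stays under the stricter policy written for VIP traffic.
```

The check in step 3 matters: a VIP left on `automap` still sources from the self IP, and a single such VIP is enough to make the "allow all https from the self IP" rule cover user traffic as well as the webhook.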