
gdoyle
Nov 07, 2019
Solved

X-Forwarded-For with a UDP profile?

Hey, all. I have a request from a customer that they want to see the originating source IP (i.e. not the IP of the VIP) for logs they are receiving. Currently this is set up using a UDP protocol and U...
  • Stephen_Anders1
    Nov 07, 2019

    In order to have any chance at doing this, you will need to do a stream rewrite or a payload and append operation. Since BIG-IP doesn't have a protocol parser for UDP, and since Syslog is not a request/response protocol, there are only CLIENT_DATA events.

    You will need to map out the current syslog message format and your rule might look very roughly like:

     

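    when CLIENT_DATA {
        # Prepend the real client address to the original syslog datagram
        set sNewMsg "SourceIP:[IP::client_addr]:[UDP::payload]"
        # Replace the whole original payload; a length of 0 would only insert
        # in front of it and send the original message twice
        UDP::payload replace 0 [UDP::payload length] $sNewMsg
    }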
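A receiver-side parser for the `SourceIP:<addr>:<payload>` format the rule above produces, as an added example that is not part of the original thread. It assumes the original payload begins with a syslog `<PRI>` field and that a non-default route domain shows up as a `%<id>` suffix on the address; the function name and sample datagrams are constructed.

```python
import ipaddress
import re

# The prefix uses ':' as its delimiter, which also appears inside IPv6 addresses.
# Anchoring on the syslog <PRI> field that starts the original payload makes the
# split unambiguous. Only the first prefix (the one the load balancer wrote) is
# parsed, so a "SourceIP:" string embedded by the sender cannot override it.
_PREFIX_RE = re.compile(
    r"^SourceIP:(?P<addr>[0-9A-Fa-f:.]+)"   # IPv4 or IPv6 literal
    r"(?:%(?P<rd>\d+))?"                    # assumption: optional route-domain suffix
    r":(?P<msg><\d{1,3}>.*)$",              # original syslog message, starting at <PRI>
    re.S,
)

def split_rewritten(datagram: bytes):
    """Return (client_ip, route_domain, original_message), or None when the
    prefix is missing or malformed and the datagram should not be attributed."""
    text = datagram.decode("utf-8", errors="replace")
    m = _PREFIX_RE.match(text)
    if m is None:
        return None
    try:
        client_ip = ipaddress.ip_address(m.group("addr"))
    except ValueError:
        return None
    route_domain = int(m.group("rd")) if m.group("rd") else 0
    return client_ip, route_domain, m.group("msg")

# Constructed sample datagrams, as they would arrive after the rewrite.
SAMPLES = [
    b"SourceIP:192.0.2.10:<13>Nov  7 10:00:00 host app: hello",
    b"SourceIP:2001:db8::10:<34>1 2019-11-07T10:00:00Z host app - - - hi",
    b"SourceIP:10.1.1.5%2:<13>routed",
    b"SourceIP:198.51.100.7:<13>x SourceIP:10.0.0.1:<13>forged",
    b"<13>Nov  7 10:00:00 host app: bypassed the virtual server",
    b"SourceIP:999.1.1.1:<13>bad address",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(split_rewritten(raw))
```

Datagrams that return `None` arrived without a valid prefix, which usually means they did not pass through the virtual server carrying the rule.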