Mar 27, 2026 - For details about updated CVE-2025-53521 (BIG-IP APM vulnerability), refer to K000156741.

SNAT pool persistence

Problem this snippet solves: This example shows how select the same SNAT address from the SNAT pool for a given client IP address over multiple connections without tracking the selection in memory. ...
Published Mar 18, 2015
Version 1.0
application delivery
devops
irules
utility
Emmanuel_L_1791's avatar
Emmanuel_L_1791
Icon for Nimbostratus rankNimbostratus
Dec 11, 2017

To mitigate initialization issue a solution could be to use a datagroup instead of Array/snatpool (tested on v11.5.4) :

when RULE_INIT { 
 The only configuration needed is to set the name of the Datagroup(type string) that lists SNAT addresses as $static::snatpool_name_DG
 Configure the name of the Datagroup
set static::snatpool_name_DG "my_snat_pool_DG"
 Datagroup size
set static::snatpool_size [class size "static::snatpool_name_DG"]
}

when CLIENT_ACCEPTED {
 Calculate the crc32 checksum of the client IP - Use the modulo of the checksum and the number of SNAT IPs to choose from to select a SNAT IP
snat [class element -name [expr {[crc32 [IP::client_addr]] % $static::snatpool_size}] $static::snatpool_name_DG]
}

Datagroup exemple (keep the same list as snatpool to be declared as failover object):

ltm data-group internal my_snatpool_DG {
records {
    10.0.0.1 { }
    10.0.0.2 { }
    10.0.0.3 { }
}
type string
}