
APM - How to configure logging of snat addresses for network access and app tunnels

fwendlandt
Nimbostratus

Hello everyone,

we are using BIG-IP Access Policy Manager to enable administrative access to systems via App Tunnel and Network Access resources.

For security reasons, we need to be able to map requests logged on backend resources/systems (e.g. in SSH audit logs) to the session or user accessing said backend resource via App Tunnel or Network Access in APM.

Currently, the following request information is logged.

Network Access:
May 17 14:42:00 tmm0 tmm[22565]: 01580002:5: /APM/ap_rmgw:Common:c1237463: allow ACL: #app_tunnel_/APM/Some_App-Tunnel@c1237463:15 packet: tcp 192.168.12.18:58680 -> 10.0.0.1:22

App Tunnels:
May 17 14:41:10 tmm1 tmm1[22565]: 01580002:5: /APM/ap_rmgw:Common:c6787463: allow ACL: #app_tunnel_/APM/Some_App-Tunnel@c6787463:0 packet: tcp 89.229.152.144:63252 -> 10.0.0.1:2


For Network Access requests, an IP address of the lease pool configured in the Network Access resource is logged as the client IP. For App Tunnel requests, the public IP of the client accessing APM is logged as the client IP.

In our setup, both requests will be NATed by APM before hitting the target system (through a snat pool in case of a Network Access request, through the active appliances backend IP in case of App Tunnels). Therefore, the APM self IPs (snat pool/appliance backend) will be logged on the target host, leading to us not being able to correlate logs in APM with logs on the target systems.

Is there any way to log the SNAT/NAT addresses and ports used to access target systems through APM?

I've tried using ACCESS_ACL_ALLOWED in an iRule to log additional information, unfortunately this event only seems to trigger on Portal Access resources, not when using App Tunnels or Network Access resources.

Thank you,

Fabian
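Added example (not part of the original post and not F5 code): a parser for the APM ACL log lines quoted above, plus the fallback correlation a defender is left with when the SNAT address is not logged, namely matching on destination host/port within a time window around the backend's own timestamp. The lease-pool network and the third sample line are constructed assumptions; the first two sample lines are the ones quoted in the post.

```python
"""Parse BIG-IP APM "allow ACL" syslog lines (message id 01580002, format as
quoted in the post) and narrow down which APM session could have produced a
connection seen in a backend audit log.

Added example, not F5 code. LEASE_POOLS and the third SAMPLE_LINES entry are
constructed for illustration."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import List, Optional

ACL_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+"
    r"(?P<host>\S+)\s+tmm\d*\[\d+\]:\s+"
    r"(?P<msgid>[0-9a-f]{8}):(?P<level>\d+):\s+"
    r"(?P<profile>[^:\s]+):(?P<partition>[^:\s]+):(?P<session>[0-9a-f]+):\s+"
    r"(?P<action>allow|deny) ACL:\s+(?P<acl>\S+)\s+packet:\s+"
    r"(?P<proto>\w+)\s+(?P<src_ip>[\d.]+):(?P<src_port>\d+)\s+->\s+"
    r"(?P<dst_ip>[\d.]+):(?P<dst_port>\d+)\s*$"
)

# Assumption: the Network Access lease pool(s) of the setup. A source address
# inside one of these is a Network Access client; anything else is the public
# client IP that App Tunnel connections are logged with (as the post describes).
LEASE_POOLS = [ip_network("192.168.12.0/24")]


@dataclass(frozen=True)
class AclEvent:
    when: datetime      # syslog timestamp carries no year; use for deltas only
    session: str        # APM session id (e.g. c1237463)
    action: str
    acl: str
    proto: str
    src: str
    src_port: int
    dst: str
    dst_port: int
    kind: str           # "network_access" or "app_tunnel"


def syslog_time(ts: str) -> datetime:
    """'May 17 14:42:00' -> datetime (year defaults to 1900, deltas still work)."""
    return datetime.strptime(ts, "%b %d %H:%M:%S")


def classify(src_ip: str) -> str:
    addr = ip_address(src_ip)
    return "network_access" if any(addr in net for net in LEASE_POOLS) else "app_tunnel"


def parse_acl_line(line: str) -> Optional[AclEvent]:
    """Return an AclEvent for an APM ACL line, or None for anything else."""
    m = ACL_LINE.match(line)
    if not m or m.group("msgid") != "01580002":
        return None
    return AclEvent(
        when=syslog_time(m.group("ts")),
        session=m.group("session"),
        action=m.group("action"),
        acl=m.group("acl"),
        proto=m.group("proto"),
        src=m.group("src_ip"),
        src_port=int(m.group("src_port")),
        dst=m.group("dst_ip"),
        dst_port=int(m.group("dst_port")),
        kind=classify(m.group("src_ip")),
    )


def parse_all(lines) -> List[AclEvent]:
    return [e for e in (parse_acl_line(l) for l in lines) if e is not None]


def candidate_sessions(events, dst_ip: str, dst_port: int, seen_at: datetime,
                       window: timedelta = timedelta(seconds=60)) -> List[str]:
    """The backend only sees the SNAT/self IP, so the best available join is
    destination + time: APM sessions allowed to dst within `window` before the
    backend's own timestamp. More than one hit means the mapping is ambiguous."""
    lo = seen_at - window
    return sorted({e.session for e in events
                   if e.action == "allow" and e.dst == dst_ip
                   and e.dst_port == dst_port and lo <= e.when <= seen_at})


# First two lines are quoted from the post; the third is constructed.
SAMPLE_LINES = [
    "May 17 14:42:00 tmm0 tmm[22565]: 01580002:5: /APM/ap_rmgw:Common:c1237463: allow ACL: #app_tunnel_/APM/Some_App-Tunnel@c1237463:15 packet: tcp 192.168.12.18:58680 -> 10.0.0.1:22",
    "May 17 14:41:10 tmm1 tmm1[22565]: 01580002:5: /APM/ap_rmgw:Common:c6787463: allow ACL: #app_tunnel_/APM/Some_App-Tunnel@c6787463:0 packet: tcp 89.229.152.144:63252 -> 10.0.0.1:2",
    "May 17 14:42:05 tmm0 tmm[22565]: 01580002:5: /APM/ap_rmgw:Common:c9999999: allow ACL: #app_tunnel_/APM/Some_App-Tunnel@c9999999:3 packet: tcp 192.168.12.40:50001 -> 10.0.0.2:22",
]

if __name__ == "__main__":
    evs = parse_all(SAMPLE_LINES)
    for e in evs:
        print(f"{e.when:%b %d %H:%M:%S} {e.session} {e.kind:15} {e.src}:{e.src_port} -> {e.dst}:{e.dst_port}")
    # e.g. an sshd "Accepted ..." entry on 10.0.0.1 at 14:42:30
    print(candidate_sessions(evs, "10.0.0.1", 22, syslog_time("May 17 14:42:30")))
```

Because the APM side never records the SNAT source port, the join on destination and time is only as precise as the traffic is sparse: if several sessions reach the same host and port within the window, `candidate_sessions` returns all of them and the backend log line cannot be attributed to a single user.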
