RAHUL0018
Jul 17, 2020

How to Pass Actual Source IP to Pool Server

Hi, I have an LTM on which an application is hosted, and traffic is being forwarded to the backend pool server.

This application is being migrated to the WAF; until now it was directly accessible on the internet through the server only. There is some validation logic in the application based on the public source IP from which any transaction is initiated.

After migration, I am only receiving the Self IP of the active instance on the server instead of the actual source IP. As of now, Source Address Translation is set to AUTOMAP. When it is changed to NONE, the application stopped working.

Please advise how to pass the actual source IP to the pool server.

2 Replies

  • Hello,

    As you have already stated, when you set Source Address Translation to NONE from AutoMap, the application does not work. This means the backend pool members do not have their gateway set to the F5, and this is creating an asymmetric routing issue.

    There are two ways to achieve your requirement:

    1. If you do not wish to change the default gateway of the backend pool members to the F5, you need to enable X-Forwarded-For under the HTTP profile. This will preserve the actual client IP when SNAT is enabled and send it to the backend pool members. This needs configuration to be done at the server end as well, to extract the client IP from the HTTP header. The article below will help you with this configuration.

       https://support.f5.com/csp/article/K4816

    2. Set the default gateway of the backend pool members to the F5. For this, you don't need to enable SNAT on the virtual server, and with this you can see the actual client IP address at the backend pool. But depending on the architecture, separate self and floating IPs may need to be configured at the F5 end.

    Hope it helps!

    Mayur

    • RAHUL0018

      Thank you, Mayur. I will prefer to go with option 1, without changing anything on the server and enabling the application to capture the X-Forwarded field.
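An added example, not part of the original thread or of F5's documentation: one way the pool server could pick the client address for option 1 when the application validates on source IP. It only honours X-Forwarded-For when the TCP peer is the load balancer, and reads the header from the right so a value the client sent itself is not used. The proxy range and all sample addresses are constructed, and it assumes the BIG-IP places its value after any X-Forwarded-For the client supplied.

```python
import ipaddress

# Constructed value: the self IP / SNAT range the pool member sees as its
# TCP peer when Source Address Translation is Auto Map. Replace with your own.
TRUSTED_PROXIES = [ipaddress.ip_network("10.10.20.0/29")]


def _is_trusted(addr):
    """True if addr belongs to the load balancer's SNAT/self IP range."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr, xff_headers):
    """Return the address to use for source-IP validation.

    peer_addr   -- address of the TCP peer as seen by the server
    xff_headers -- list of raw X-Forwarded-For header values, in the
                   order they were received (may be empty)
    """
    # A connection that did not come through the load balancer carries a
    # client-controlled header, so it is ignored entirely.
    if not _is_trusted(peer_addr):
        return peer_addr

    # Several headers and comma-separated lists are equivalent: flatten them.
    hops = [h.strip() for v in xff_headers for h in v.split(",") if h.strip()]

    # Walk from the right: the last entry was written by the proxy closest
    # to this server. Skip entries that are themselves trusted proxies.
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return peer_addr  # malformed entry: fall back to the peer address
        if not _is_trusted(str(ip)):
            return str(ip)
    return peer_addr  # header absent or contained only proxy addresses


if __name__ == "__main__":
    # Constructed request: client sent its own header, the proxy added the real one.
    print(client_ip("10.10.20.2", ["198.51.100.9", "203.0.113.7"]))
```

Taking the leftmost entry instead would let any client choose the address the application validates against.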