Forum Discussion

JeffRitze
Feb 19, 2021

iRule: Log SNAT IPs when using OneConnect

Hello F5 Friends,

I'm at a bit of a loss for how to write an iRule here and I'm hoping you all can help me out. I have a need to send a security vendor the Client Side and Server Side IP addresses used for all connections coming in through my F5. I tested out this iRule below and it logs successfully and forwards off to our vendor successfully within our infrastructure.

when SERVER_CONNECTED {
  # log clientside and serverside connection details to /var/log/ltm
  log local0. "Clientside connection: SrcIP:Port [clientside {IP::remote_addr}]:[clientside {TCP::remote_port}] to DstIP:Port [clientside {IP::local_addr}]:[clientside {TCP::local_port}] translates to Serverside connection: SrcIP:Port [IP::local_addr]:[TCP::local_port] to DstIP:Port [IP::remote_addr]:[TCP::remote_port]"
}

Unfortunately, I found out after this was in place that it wasn't generating logs for all connections coming into the associated virtuals. (I have this iRule applied to all virtuals on my F5.) Through some testing I found that this iRule was not logging for connections where the Server Side connection was being reused by the OneConnect profile.

Next I tried using the "LB_SELECTED" event instead of "SERVER_CONNECTED" and in this case I see that I'm logging on all HTTP requests that come inbound. So the first event doesn't trigger enough and the second event triggers too often. I was hoping for some help in finding that happy medium.

Can someone help me with the right event trigger or logic in the iRule that would log the CS IPs and SS IPs as each new front end connection is established to a back end server when OneConnect is in the mix?

Thanks,

Jeff

1 Reply

  • I don't think there is an easy solution.

    Do you need OneConnect? Disabling it seems like a possible solution.

    A workaround would be to store the CS and SS IPs in a table and check against that before logging a new one. Have to think about timeout for the entries though.

    You can also look at influencing the OneConnect behaviour somehow, perhaps like this:

    https://clouddocs.f5.com/api/irules/ONECONNECT__label.html

    Though that feels tricky.
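The table-based workaround from the reply, written out as an added iRule example (not code from the original post or from F5). It assumes that HTTP_REQUEST_SEND fires in serverside context for every request, including those sent over a reused OneConnect server connection, so the SNAT address and pool member are known there; the subtable name and the 300-second entry timeout are assumed values to tune.

```tcl
# Added example: log each distinct clientside -> serverside mapping once, using the
# session table to suppress repeats, as suggested in the reply above.
# Assumptions: HTTP_REQUEST_SEND runs in serverside context on every request (new or
# OneConnect-reused server connection); table entries expire after 300 s of inactivity.

when RULE_INIT {
    # Assumed values: how long a logged mapping is remembered before it is logged again
    set static::snatlog_timeout 300
    set static::snatlog_table "snatlog"
}

when HTTP_REQUEST_SEND {
    # Clientside tuple: client -> virtual server
    set cs_src "[clientside {IP::remote_addr}]:[clientside {TCP::remote_port}]"
    set cs_dst "[clientside {IP::local_addr}]:[clientside {TCP::local_port}]"

    # Serverside tuple (current context): SNAT/self address -> pool member
    set ss_src "[IP::local_addr]:[TCP::local_port]"
    set ss_dst "[IP::remote_addr]:[TCP::remote_port]"

    # One key per (clientside connection, serverside connection) pair
    set key "${cs_src}>${cs_dst}>${ss_src}>${ss_dst}"

    # table lookup returns "" when the key is absent; a hit also touches the entry,
    # so a mapping that stays active keeps being suppressed until it goes idle
    if { [table lookup -subtable $static::snatlog_table $key] eq "" } {
        table set -subtable $static::snatlog_table $key 1 $static::snatlog_timeout
        log local0. "Clientside connection: SrcIP:Port $cs_src to DstIP:Port $cs_dst translates to Serverside connection: SrcIP:Port $ss_src to DstIP:Port $ss_dst"
    }
}
```

A mapping is logged again only after its entry has idled out of the table, so the timeout controls the trade-off between duplicate log lines and missed re-use of the same pair.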