LTM Connection Loggin

Question

Hey guys,&nbsp;
We have recently migrated to F5 HA pairs using SNAT and one of the requirements that came from our Security Group is logging every connection that passes through the F5 Load Balancers. The idea is that they would like to have the original client IP and ports, as well as all mapped F5 SNAT Pool IP and port. &nbsp;
The goal being to see something similar to:&nbsp;
Built {inbound|outbound} TCP connection_id for interface : real-address / real-port ( mapped-address/mapped-port) [( idfw_user)] to interface : real-address / real-port ( mapped-address/mapped-port) [( idfw_user)] [( user)]&nbsp;
Teardown TCP connection id for interface : real-address / real-port [( idfw_user)] to interface : real-address / real-port [( idfw_user)] duration hh:mm:ss bytes bytes [ reason ] [( user)] &nbsp;
I have seen two approaches so far - Request Logging Profile (https://devcentral.f5.com/questions/big-ip-114-ltm-connection-logging) and iRule (https://devcentral.f5.com/questions/logging-outgoing-snat-list-connections). I have both of them working, but the issue is that this is not a Global Configuration and would have to be configured for every new Application defined. We have a custom HTTP iApp Tempplate, but still there is a possibility that our Administrators would forget to assign the iRule or Logging Profile to custom iApps built. &nbsp;
My Question - is there a way to enable global connection logging on LTM, hopefully including the SNAT mapping?&nbsp;
Thanks and appreciate your help.&nbsp;

sec-enabled_658 · Answer

Another option may be the AFM module. Within the AFM module you create a global rule that could log each connection source ip/port and destination ip/port. You can set the log format to log the original IP and the NAT'd IP I believe. All this information can be sent to syslog, etc.

tihomir_hristov · Answer

Hello Nathan,&nbsp;
Thank you for the reply. Unfortunately, we are not licensed for AFM and it is not an option. I was thinking in the direction of enabling debug logging some of the LTM sub-modules (IP, network, ...) and finding that information there. I tried enabling notice for IP and debug for network but can't see anything helpful there. &nbsp;
Thanks &nbsp;

dragonflymr · Answer

Just wild guess, maybe turning on Packet Filters with one rule for all traffic with Action: Accept and Logging: Enabled could be kind of workaround?

Piotr

tihomir_hristov · Answer

Hello Piotr,

This is actually a good idea. I gave it a shot but as soon as I enable packet filter logging I start getting log throttling:

Apr 23 17:34:02 slb1-f5 notice tmm[9030]: 01250002:5: Per-invocation log rate exceeded; throttling.

I am trying to see how to bypass that problem.

Thank will keep you guys posted

tihomir_hristov · Answer

Hey guys,&nbsp;
So I tried the packet filtering rules. The only problem that I see here is the fact that the Packet Filter rules being logged will only show one side of the connection at a time. We would either log the real IP client-side connection or the translated IP server-side connection but there is nothing there to tie the two together. While we have configured our SNAT to try to maintain the source port of the client, there is a possibility in which that would be impossible and then the ability to related the client and server-side connection would be completely lost. &nbsp;
I don't think that this approach would work.&nbsp;
Thanks for the replies and if anybody has another idea I would love to try it out!&nbsp;

Forum Discussion

LTM Connection Loggin

8 Replies

Recent Discussions

F5Access | MacOS Sonoma

enable tls1.2 on management interface on F5 ltm running version 10.x

[ASM] - what is "Browser Challenge file" ?

SMS server with BIGIP

F5 terminal - help to run commands - disk space full

Related Content

Securely connecting Kubernetes Microservices with F5 Distributed Cloud

Troubeshooting website connection

F5 Connection Mirroring question

DevCentral Connects hosts Capture the Flag!

Rebalancing connections