Technical Forum
UDP packet duplication and send them to 2 different pools

djzoidberg
Nimbostratus

Hello everyone,

I have a VIP that is receiving all syslogs from a customer's firewalls (more or less 350 devices).

The customer needs to send an exact copy of each message to another pool.

[SYSLOG MESSAGE]--[POOL 1]--[MEMBER 1 A]
        |                 |-[MEMBER 2 A]
        |                 '-[MEMBER 3 A]
        |
[CLONED MESSAGE]--[POOL 2]--[MEMBER 1 B]
                          '-[MEMBER 2 B]

Do you have any suggestions on how to obtain this behaviour?

Thanks in advance,

Regards.

EDIT 1

I've tested HSL, but it starts each connection from TMM and it is not possible to change the source IP address to preserve the original IP.

when CLIENT_ACCEPTED {
    set syslog_pool1 [HSL::open -proto UDP -pool pool_1]
    set syslog_pool2 [HSL::open -proto UDP -pool pool_2]
}
when CLIENT_DATA {
    HSL::send $syslog_pool1 [UDP::payload]
    HSL::send $syslog_pool2 [UDP::payload]
}
5 Replies

Hello,

Maybe clone pools might work for you. The idea is to use them for sending traffic to an IDS, but I think they could satisfy your requirement too.

K13392: Configuring the BIG-IP system to send traffic to an intrusion detection system (11.x - 15.x)

But honestly I don't have a lot of experience with clone pools, so this is sort of a shot in the dark.

KR

Daniel

Hello Daniel,

thank you for answering.

I think that it is not the right way. Clone pools change the destination MAC address and not the destination IP address. Other than that, I also have to balance the traffic on the second pool.

I also think that the clone pools Daniel mentions are the option that should be tested. You can also check using iRules to do the same with the clone pools command https://clouddocs.f5.com/api/irules/clone.html . You can also check this article for SPAN mirroring https://techdocs.f5.com/en-us/bigip-14-0-0/big-ip-system-passive-monitoring-14-0-0/configuring-the-big-ip-system-for-passive-monitoring.html .

webguy96
Nimbostratus

These steps might help. I have not validated the client-ip replace logic, but can tell you that sending the raw [UDP::payload] works fine in our testing.

Be sure to match up whatever you decide to use for your Log Publisher name to the reference within the iRule.

1) Create a single pool containing all members that need the duplicated syslog data

Ex: syslog_pool

Members:
10.10.0.100:514
10.10.0.101:514

2) Create a new HSL Log Destination
a) Select your pool from step 1
b) Select 'UDP' for the protocol
c) Change distribution type from 'adaptive' to 'replicated'

3) Create a new HSL Log Publisher entitled 'syslog_publisher'
a) Select the HSL Log Destination from step 2

4) Create a new iRule that will handle the inbound traffic

when CLIENT_ACCEPTED {
    # Open the HSL handle once per flow; the publisher name must match step 3
    set hsl [HSL::open -publisher /Common/syslog_publisher]
}

when CLIENT_DATA {
    # Read the payload and client address per datagram (both can change from
    # packet to packet) and forward the original message with the client IP
    # appended, so the receivers can still tell which device sent it
    set address [IP::client_addr]
    HSL::send $hsl "[UDP::payload] $address"
}

5) Create a standard virtual server
a) Assign the appropriate IP and Service Port
b) Select UDP Protocol
c) Select UDP Profile
d) Assign the iRule from step 4

Hi @webguy96, we are working with this iRule and we see the raw payload and syslog message payload correctly. We want the message format to be syslog format, so we used a secondary log destination on the F5 to specify that format. When we do that we are not seeing the original client IP address in the message sent to our syslog server. Instead we see the F5 self IP address as the host field. See below. We want to see the data in syslog format as specified in RFC 5424.

Here is the iRule:

when CLIENT_ACCEPTED {
    # Client address and HSL handle are fixed for the life of the flow
    set address [IP::client_addr]
    set hsl [HSL::open -publisher /Common/syslog_publisherdup]
}

when CLIENT_DATA {
    # Capture the payload per datagram; reading it in CLIENT_ACCEPTED would
    # resend the first datagram's payload for every later packet on the flow
    set payloadraw [UDP::payload]
    HSL::send $hsl "$payloadraw $address"
}

 

And here is what we see on our syslog server:

{
  "message": "<5>Nov 10 11:25:17 uid: test6514 10.1.1.1",
  "severity": 6,
  "facility": 16,
  "host": "f5management.jhuapl.edu",
  "appname": "tmm",
  "procid": "18524",
  "structuredData": "[F5@12276]",
  "severityName": "info",
  "facilityName": "local0",
  "_time": 1668097517.735,
  "_raw": "<134>1 2022-11-10T11:25:17.735353-05:00 f5management.jhuapl.edu tmm 18524 - [F5@12276] <5>Nov 10 11:25:17 uid: test6514 10.1.1.1"
}
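As an added example, not code from the thread or from F5, here is collector-side Python that unwraps a line like the _raw value above: it strips the RFC 5424 header the BIG-IP log destination adds (whose hostname and PRI describe TMM, not the firewall), recovers the client address the iRule appended, and can re-emit the event with the firewall as HOSTNAME. RAW is the sample line from the thread; unwrap and rebuild are my own names.

```python
import ipaddress
import re

# Constructed sample: the "_raw" line shown in the thread (outer RFC 5424 header
# added by the BIG-IP log destination, inner BSD-style firewall message with
# the client address appended by the iRule).
RAW = ("<134>1 2022-11-10T11:25:17.735353-05:00 f5management.jhuapl.edu tmm "
       "18524 - [F5@12276] <5>Nov 10 11:25:17 uid: test6514 10.1.1.1")

# RFC 5424: PRI VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD [MSG]
OUTER = re.compile(r"^<(?P<pri>\d{1,3})>1 (?P<ts>\S+) (?P<host>\S+) \S+ \S+ \S+ "
                   r"(?:-|(?:\[[^\]]*\])+)(?: (?P<msg>.*))?$", re.S)
INNER = re.compile(r"^<(?P<pri>\d{1,3})>(?P<rest>.*)$", re.S)


def unwrap(raw):
    """Split the BIG-IP wrapper from the firewall's own message; None if the
    outer line is not RFC 5424.  relay_* is what the collector showed (TMM's
    local0/info); the plain fields are the firewall's original PRI, text and IP."""
    m = OUTER.match(raw)
    if not m:
        return None
    inner = m["msg"] or ""
    # The iRule appended " <client IP>"; peel it off only if the last token is
    # really an IP literal, so untouched messages are not mangled.
    body, _, last = inner.rpartition(" ")
    try:
        client = str(ipaddress.ip_address(last))
    except ValueError:
        body, client = inner, None
    p = INNER.match(body)
    pri = int(p["pri"]) if p else None
    return {
        "timestamp": m["ts"], "relay_host": m["host"],
        "relay_facility": int(m["pri"]) // 8, "relay_severity": int(m["pri"]) % 8,
        "client_ip": client,
        "facility": None if pri is None else pri // 8,
        "severity": None if pri is None else pri % 8,
        "message": p["rest"] if p else body,
    }


def rebuild(raw):
    """Re-emit the event as RFC 5424 with the firewall's address as HOSTNAME
    and its own PRI, so downstream tools attribute it to the right device."""
    r = unwrap(raw)
    if not r or r["client_ip"] is None or r["facility"] is None:
        return None
    pri = r["facility"] * 8 + r["severity"]
    return "<%d>1 %s %s - - - - %s" % (pri, r["timestamp"], r["client_ip"], r["message"])
```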