Thank you guys.
This is the final iRule that is doing the work just fine:
when HTTP_REQUEST {
    if { [HTTP::header values "Client-IP"] ne "" } {
        # Strip spaces, split the comma-separated list and test each address
        foreach clientip [split [string map [list " " ""] [HTTP::header "Client-IP"]] ","] {
            if { [class match -- $clientip equals XFF_SourceNAT] } {
                log local0.alert "Matched clientip [HTTP::header values "Client-IP"] to group"
                set category [class match -value $clientip equals XFF_SourceNAT]
                log local0.alert "Setting snatpool to $category"
                # NAT traffic according to xforwarded-for header
                snatpool $category
                HTTP::header remove "Client-IP"
            } else {
                log local0. "No X-Forwarded-For header found."
                pool FW-Pool
            }
        }
    }
}
The Forcepoint (Websense) proxy can insert either an "x-forwarded-for" header or a "Client-IP" header.
But unfortunately we didn't see the "x-forwarded-for" header even though it was enabled on the Websense proxy. So just to save time we did it with the "Client-IP" header.
We removed the Client-IP header at the end of the iRule because there were some sites doing the "what is my IP" showing the "Client-IP" value instead of the public NAT IP.
A datagroup value example:
172.28.0.0/16:=school1
"school1" has a value of a public IP address in the SNAT pool list.
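To make the selection logic above testable off the box, here is a small Python model of what the iRule does with the Client-IP header. It is an added example, not the poster's code and not anything from F5: it splits the header the way the iRule's `string map`/`split` does, drops entries that are not valid IP addresses (they can never match an address data group anyway), looks the remaining addresses up in a constructed copy of the XFF_SourceNAT data group, and records whether the header would be removed. The data group entry `172.28.0.0/16 := school1` comes from the post; the `/24` entry and the pool name `school1-lab` are assumptions added to show that the most specific prefix wins. One simplification: this model stops at the first address that matches, whereas the iRule keeps looping and also sets `pool FW-Pool` for every entry that does not match.

```python
from ipaddress import ip_address, ip_network

# Constructed address data group. The /16 is the page's own example entry;
# the /24 and its value are assumptions used to show longest-prefix selection.
XFF_SOURCENAT = {
    ip_network("172.28.0.0/16"): "school1",
    ip_network("172.28.5.0/24"): "school1-lab",
}

def parse_client_ip_header(value):
    """Mirror [split [string map {" " ""} $hdr] ","], then keep only the
    pieces that parse as IP addresses; empty or malformed pieces are skipped."""
    addresses = []
    for item in value.replace(" ", "").split(","):
        if not item:
            continue
        try:
            addresses.append(ip_address(item))
        except ValueError:
            # Not an address at all, so it cannot match an address data group.
            continue
    return addresses

def match_snatpool(addr, datagroup=XFF_SOURCENAT):
    """Return the data group value covering addr, preferring the most specific
    prefix (the behaviour expected of an address-type data group), else None."""
    addr = ip_address(addr)
    best = None
    for network, value in datagroup.items():
        if addr in network:
            if best is None or network.prefixlen > best[0].prefixlen:
                best = (network, value)
    return None if best is None else best[1]

def apply_irule(headers, datagroup=XFF_SOURCENAT):
    """Simulate the HTTP_REQUEST event on a dict of request headers.

    Returns the decision taken and, on a match, removes Client-IP from the
    dict just as the iRule removes it before the request reaches the server."""
    raw = headers.get("Client-IP", "")
    if raw:
        for addr in parse_client_ip_header(raw):
            pool = match_snatpool(addr, datagroup)
            if pool is not None:
                del headers["Client-IP"]
                return {"action": "snatpool", "target": pool, "matched": str(addr)}
    # No usable Client-IP header, or no entry matched: fall back to the firewall pool.
    return {"action": "pool", "target": "FW-Pool", "matched": None}

if __name__ == "__main__":
    # Constructed request: a junk entry followed by an address inside 172.28.0.0/16.
    request = {"Client-IP": "garbage, 172.28.9.1", "Host": "example.test"}
    print(apply_irule(request))   # snatpool school1, matched 172.28.9.1
    print(request)                # Client-IP has been removed
```

Running the model with a header such as `"garbage, 172.28.9.1"` shows the junk entry being ignored and the second address selecting `school1`; a request with no Client-IP header, or one whose addresses fall outside every data group prefix, ends up on FW-Pool with the header left untouched.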