Can irules be used to match source address infromation before and after SNAT?

Question

We are using an F5 as an SSL-offload and then again as a reverse proxy. In both cases, the source address is natted. 
&nbsp;We have an IPS after the SSL-offload and before the reverse proxy that does detect attacks but attacks appear to come from the SSL_offload address.&nbsp;
&nbsp;We need to determine what the original source of attacks are so are looking to see if irules can provide some information to trace back to the original source.&nbsp;
&nbsp;Anyone else deal with this type of issue? Keen to hear how to get around this....&nbsp;&nbsp;
&nbsp;cheers
&nbsp;Patrick&nbsp;&nbsp;

hooleylist · Answer

Hi Patrick, 
&nbsp;  
&nbsp; LTM can insert a custom HTTP header named X-Forwarded-For (or any arbitrary name) with the original client IP address.  To configure this you can create a custom HTTP profile and enable the 'insert X-Forwarded-For' option.  If you want to insert a custom named header, you can do this with the HTTP profile options.  Set the 'request header to remove' to MY_CUSTOM_HEADER and set the 'request header to insert' to MY_CUSTOM_HEADER: [IP::client_addr]. 
&nbsp;  
&nbsp; The IPS would need to be able to read the custom HTTP header instead of the IP header. 
&nbsp;  
&nbsp; Aaron

Forum Discussion

Can irules be used to match source address infromation before and after SNAT?

1 Reply

Recent Discussions

F5 terminal - help to run commands - disk space full

Can iRule be used to perform exception of IPI category based on Geolocation

[ASM] - what is "Browser Challange file" ?

LDAPS and renegotiation

Need help on i-rule to specific uri path

Related Content

iRule assistance based on URI and source address

iRule to only allow certain IP addresses to a hostname

Node IP address defined as %1

Custom error page iRule with IP address filtering

Http response irule for server address with TLSv1.2