Jnon
Jul 18, 2016

I need to be able to capture source IP on FTPS connection.

I need to capture the source IP for FTPS traffic, and match that IP to an FTP session. It is easy enough to create an iRule to capture the source IP, and have that sent to a logging server, where Splunk can then query the logs. After I have the list of source IPs, I need to be able to match that up with a user. Because the data is being passed through the load balancer as secure, I cannot do any inspection at the LTM, and I don't see time stamps as being a good enough match for busy servers to positively match an FTP session to a source IP.

 

1 Reply

  • Your choices are:

     

    1. Offload TLS on the BIG-IP (and potentially re-encrypt between BIG-IP and the servers);
    2. Inspect a presented client certificate.

    Naturally, 2 only works if a.) a certificate is actually presented by the client; and b.) it is a user certificate, rather than a machine certificate.
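
Both choices from the reply as one iRule, added here as an example that is not part of the original thread. It assumes implicit FTPS (TLS from the first byte) on the control-channel virtual server, with a client SSL profile that terminates TLS; the log field names and the five-record limit are illustrative choices.

```tcl
# Added example, not from the thread. Assumes implicit FTPS with a client SSL
# profile on the control-channel virtual server, so the BIG-IP sees plaintext
# FTP commands and any client certificate.
when CLIENT_ACCEPTED {
    # One key per TCP connection; both log lines below carry it, so no
    # timestamp matching is needed on the logging server.
    set conn "[IP::client_addr]:[TCP::client_port]"
    set records 0
}

when CLIENTSSL_CLIENTCERT {
    # Choice 2: only fires if the profile requests a certificate and the
    # client presents one.
    if { [SSL::cert count] > 0 } {
        set subject [X509::subject [SSL::cert 0]]
        log local0.info "ftps src=$conn cert_subject=\"$subject\""
    }
}

when CLIENTSSL_HANDSHAKE {
    # Choice 1: TLS is offloaded, so start collecting decrypted client data.
    SSL::collect
}

when CLIENTSSL_DATA {
    incr records
    set found 0
    # Assumes the client sends the USER command whole in one TLS record.
    # Only the user name is logged; PASS is never matched.
    if { [regexp -nocase -line {^USER +([^\r\n]+)} [SSL::payload] -> ftp_user] } {
        # Truncate to keep client-controlled text in the log bounded.
        set ftp_user [string range $ftp_user 0 63]
        log local0.info "ftps src=$conn user=\"$ftp_user\""
        set found 1
    }
    # Always pass the data on to the server.
    SSL::release
    # Keep looking only until USER is seen or five records have gone by,
    # so the rest of the session is not held up by collection.
    if { !$found && $records < 5 } {
        SSL::collect
    }
}
```

On the Splunk side, the `src=` value is the join key between the connection and the user or certificate subject.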