Forum Discussion

davideladio_246
Jan 28, 2016

Filtering TCP packets using a TAG not working properly...

Hi there and thanks in advance!

I'm receiving data, which are logs from many different devices, in the F5.

These logs have a tag added to each log identifying the source device:

[firewall] [activedirectory] [proxy]

Based on these tags I'll send each log to a different port of the same final device.

[firewall] ---> goes to (for example) device:5001
[activedirectory] ---> goes to (for example) device:5002
[proxy] ---> goes to (for example) device:5003

Right now the F5 does it almost well, BUT it reads the tag only of the first packet arriving, which establishes the TCP connection, and all the other logs are not evaluated and are sent based on the first one.

UDP is not an option, and opening and closing different TCP sessions for each log is not the best way to face this...

Is the F5 able to monitor and evaluate all the logs and their tags? How?

If this is something widely explained and documented, excuse me, I didn't find it, and a link to the source would be great ;)

Any other information you may need to help me, please ask!

Thank you very much in advance!

Best regards, David Eladio García Ontañón.-

 

2 Replies

  • Hi David,

    you can access each single TCP packet by using a combination of [TCP::collect] (collect a single TCP packet), [TCP::payload] (access the captured packet data) and [TCP::release] (send the captured packet on the wire) commands.

    You could also [LB::detach] an existing serverside connection on each arrived packet and then make a new routing decision using the [pool] or [node] command.

    An example code would look like this...

    when CLIENT_ACCEPTED {
        # Remember the virtual server's default pool as the fallback and
        # start collecting client data so that CLIENT_DATA fires per payload.
        set default_pool [LB::server pool]
        set last_pool ""
        TCP::collect
    }
    when CLIENT_DATA {
        # Classify the collected payload by tag, checked in this order. This
        # looks at the payload as delivered, not at individual log records:
        # several records in one payload all follow the one match, and a tag
        # split across two payloads is not matched by either.
        if { [TCP::payload] contains "\[activedirectory\]" } then {
            set new_pool YOUR_SYSLOG_POOL_1
        } elseif { [TCP::payload] contains "\[proxy\]" } then {
            set new_pool YOUR_SYSLOG_POOL_2
        } elseif { [TCP::payload] contains "\[firewall\]" } then {
            set new_pool YOUR_SYSLOG_POOL_3
        } else {
            set new_pool $default_pool
        }
        # Only re-route when the target changes: drop the current serverside
        # connection and select the new pool before forwarding.
        if { $new_pool ne $last_pool } then {
            set last_pool $new_pool
            LB::detach
            pool $new_pool
        }
        # Forward the collected payload and keep collecting for the next one.
        TCP::release
        TCP::collect
    }

    Cheers, Kai
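The obstacle underneath this thread is that syslog over TCP is a byte stream rather than a sequence of packets: one segment can carry several records, and a record (or its tag) can straddle two segments, so a per-payload check like the one in the reply above routes everything in a segment by its single match and misses split tags. The following is an added example, not code from the thread or from F5, written in Python as a model of the record-level routing an iRule would need. The tag names and ports 5001 to 5003 come from the question; port 5000 as a fallback, newline framing (RFC 6587 non-transparent framing) and the sample log lines are constructed assumptions.

```python
# Added example (not from the thread or from F5): record-level routing of
# tagged syslog over a TCP stream, next to the per-segment check it replaces.
from __future__ import annotations

import re
from collections import defaultdict

TAG_PORTS = {"firewall": 5001, "activedirectory": 5002, "proxy": 5003}  # ports from the question
DEFAULT_PORT = 5000  # assumed fallback for untagged or unknown records

# A tag is a bracketed lowercase word somewhere in the record, e.g. "[proxy]".
TAG_RE = re.compile(rb"\[([a-z]+)\]")


def port_for(record: bytes) -> int:
    """Destination port for one complete log record."""
    m = TAG_RE.search(record)
    tag = m.group(1).decode("ascii") if m else None
    return TAG_PORTS.get(tag, DEFAULT_PORT)


def naive_port(segment: bytes) -> int:
    """Per-segment classification: treats a whole TCP payload as one unit and
    returns a single port for everything in it (the failure mode in the thread)."""
    return port_for(segment)


class TagRouter:
    """Reassembles newline-delimited records across arbitrary TCP segment
    boundaries and classifies each record on its own."""

    def __init__(self) -> None:
        self.buf = b""

    def feed(self, segment: bytes) -> list[tuple[int, bytes]]:
        """Consume one segment's payload; return (port, record) for every record
        completed by it. A trailing partial record stays buffered."""
        self.buf += segment
        routed: list[tuple[int, bytes]] = []
        while (nl := self.buf.find(b"\n")) >= 0:
            record, self.buf = self.buf[: nl + 1], self.buf[nl + 1 :]
            routed.append((port_for(record), record))
        return routed

    def close(self) -> list[tuple[int, bytes]]:
        """Peer closed without a final newline: route whatever is left."""
        if not self.buf:
            return []
        record, self.buf = self.buf, b""
        return [(port_for(record), record)]


def route_stream(segments: list[bytes]) -> dict[int, list[bytes]]:
    """Route a whole connection's segments; returns port -> records."""
    router = TagRouter()
    out: dict[int, list[bytes]] = defaultdict(list)
    for seg in segments:
        for port, rec in router.feed(seg):
            out[port].append(rec)
    for port, rec in router.close():
        out[port].append(rec)
    return dict(out)


# Constructed segments: two records in one segment, then a record whose tag is
# split across a segment boundary, then an untagged record.
SEGMENTS = [
    b"<134>Jan 28 10:00:01 fw01 [firewall] deny tcp 10.0.0.5:4433 > 10.0.0.9:22\n"
    b"<134>Jan 28 10:00:01 px01 [proxy] GET http://example.org/\n",
    b"<134>Jan 28 10:00:02 dc01 [activedi",
    b"rectory] logon user=alice result=ok\n"
    b"<134>Jan 28 10:00:03 host9 no tag on this line\n",
]

if __name__ == "__main__":
    for seg in SEGMENTS:
        print("whole segment ->", naive_port(seg))
    for port, recs in sorted(route_stream(SEGMENTS).items()):
        print(port, [r.rstrip(b"\n") for r in recs])
```

Run stand-alone, the naive check sends the first segment (both the [firewall] and the [proxy] record) to 5001 and falls back to 5000 for the two halves of the split [activedirectory] record, while TagRouter delivers one record to each of 5001, 5003 and 5002 and the untagged line to 5000. If the sender uses RFC 6587 octet-counting framing instead of newlines, the same buffering applies with the length prefix as the delimiter.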

  • Thanks so much Kai, sounds great!!

    Let me try it out and I'll let you know.

    I'm also trying to get the exact configuration we have configured in the F5 right now to compare with this.

    Thanks so much and best regards, David Eladio García Ontañón.-