Forum Discussion

Rahim_Abdulla
Apr 25, 2014

Can Big-IP send an alert for virtual server bouncebacks?

So we have clients and servers behind the Big-IP in in-line mode, so of course we need a SNAT for the client. But let's say we ... forgot to create a SNAT - is it possible to have Big-IP send out an alert, or log a message that it received a request to a Virtual Server that will never get routed properly?

3 Replies

  • Hi!

    Why not SNAT all traffic then and insert XFF headers which then can enable logging of the client's real IP on the web server?

    One thing I can think of is using the LB_FAILED event in conjunction with HSL. Maybe somebody can think of something better though.

    From DevCentral's wiki:

    The LB_FAILED event is triggered when LTM is ready to send the request to a pool member and one hasn’t been chosen (the system failed to select a pool or a pool member), is unreachable (when no route to the target exists), has reached a queue limit, or is non-responsive (fails to respond to a connection request).

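    when LB_FAILED {
        # Open a high-speed logging (HSL) handle to the syslog pool over UDP
        set hsl [HSL::open -proto UDP -pool syslog-514_pool]
        # Report the client whose request could not be load balanced
        HSL::send $hsl "LB_Failed triggered for client: [IP::client_addr]\n"
    }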
    

    This rule would send a message to your syslog server, which you can then configure to alert you.

    Kind regards, Patrik

  • I don't think that would be useful. The only thing I can think of is an iRule that would be configured to increment a counter for every HTTP_RESPONSE and then write a log message on the CLIENT_CLOSED event if the counter value was 0 (thus there had been no responses seen).

    Of course, this could generate false positives for many reasons.

  • While we're brainstorming... 🙂

    If the clients and servers share the same networks you can try something like this to prevent forgetting to set the SNAT:

    when LB_SELECTED {
        # Client and selected pool member share a /24: SNAT so the reply returns through the BIG-IP
        if { [IP::addr [IP::client_addr]/24 equals [LB::server addr]/24] } {
            snat automap
        }
    }
    

    /Patrik
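
The counter approach from the second reply, written out as an added example (not code posted by anyone in the thread). It assumes an HTTP profile on the virtual server; the variable names and the extra request counter, which skips connections that never sent a request, are this example's own choices.

```tcl
# Added example: log connections that sent a request but never saw a response.
# Assumes an HTTP profile is attached to the virtual server.

when CLIENT_ACCEPTED {
    # Per-connection state; iRule variables live for the life of the connection.
    set req_count 0
    set resp_count 0
    set member "none"
}

when HTTP_REQUEST {
    incr req_count
}

when LB_SELECTED {
    # Remember the chosen pool member so the log line can name it.
    set member "[LB::server addr]:[LB::server port]"
}

when HTTP_RESPONSE {
    incr resp_count
}

when CLIENT_CLOSED {
    # Connections with no request at all (probes, idle opens) are ignored,
    # which removes one source of false positives.
    if { $req_count > 0 && $resp_count == 0 } {
        log local0.warning "No response on [virtual name]: client [IP::client_addr] -> member $member, requests=$req_count"
    }
}
```

Clients that send a request and then disconnect before the server answers will still be logged, so treat a single entry as a hint and a steady stream from one virtual server as the signal.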