Nokron
WAF F5
NokronGitLabELK stackWAF F5
WAF F5
NokronGitLabELK stackWAF F5
  • BIG-IP Application Security Manager
    • HTTP Protocol
      • Deep Dive to “HTTP Request” on ASM Module
      • ASM Example: Detecting a Malicious HTTP Request
    • Introduction to OWASP Top-10 Security Risks
    • Application Security Policy Templates in F5 ASM
      • Security Policy Levels
      • Explicit Entities Learning
      • Policy Modification
      • Gradual / Modular Blocking
      • Application Security Policy Lifecycle
      • Security Policy Enforcement Modes
      • Security Policy Violation Flags
      • How to Increase Learning Score / Deployment Speed
      • Comparison: Enforcement Mode, Learning Mode, and Violation Flags
    • Security Entities in Application Security Policy
      • Enforcement Readiness Summary
      • HTTP / HTTPS / WS / WSS URLs
      • Allowed Parameters in Security Policies
      • Allowed File Types in Security Policies
    • Tuning Security Policies: Analyzing and Categorizing Violations
      • Learning Suggestions in Security Policy Tuning
      • Policy Diff: Comparing and Auditing Security Policies
    • IP Address Exception Properties in ASM/AWAF
    • Cross-Site Request Forgery (CSRF) Protection in F5 ASM/AWAF
    • Sensitive Data Masking / Scrubbing (Data Guard) in F5 ASM/AWAF
    • Anti-virus Protection through an ICAP Server in F5 ASM/AWAF
    • Cookies in F5 ASM/AWAF Security
    • Session Tracking and Session Awareness in F5 ASM/AWAF
    • Evasion Technique Detection in F5 ASM/AWAF
    • Important Tips about Security Policy in F5 ASM/AWAF
    • L7 DDoS Attack Protection Configuration
    • TPS-based Attack Vectors and Stress-based Attack Vectors
    • Mitigation Techniques for DoS and Bot Protection
    • Important Tips about Events Logging
    • High-Speed Logging (HSL) Configuration
    • Web Threat Campaigns (v14.0+)
    • IP Intelligence (IPI) Subscription-Based License
    • Geo-IP Database Functionality
    • General Security Standards and WAF Support
    • ASM - Virtual Edition (VE) Tips
    • How to Bypass ASM Module
    • ASM Traffic Processing Daemon (bd)
    • ASM and AAM Integration
  • BIG-IP LTM Technology
    • Source IP Address and PORT Translation in BIG-IP
    • Packet Filters
    • Traffic / Service Profiles in BIG-IP
    • Virtual Servers and Their Behavior with Different Profiles in BIG-IP
      • Detailed Overview of Profiles in BIG-IP LTM
      • Optimizing for Mobile Clients in BIG-IP LTM
      • Connection Mirroring in BIG-IP LTM
      • AVR (Analytics) Profile in BIG-IP LTM
      • Health Monitoring in BIG-IP LTM
      • SSL Profile in BIG-IP LTM
      • Load-balancing Methods in BIG-IP LTM
      • Persistence Profile in BIG-IP
      • CMP vs. SMP in BIG-IP Systems
      • OneConnect Profile in BIG-IP
Powered by GitBook
On this page
  1. BIG-IP LTM Technology

Source IP Address and PORT Translation in BIG-IP

The Source Network Address Translation (SNAT) is an essential concept in F5 BIG-IP devices used to manage the translation of IP addresses for outgoing traffic. SNAT allows the device to change the source IP address of packets as they leave the system, enabling proper routing and response handling for connections from clients to servers.

Let’s break down the key concepts and settings around SNAT and SNAT Pools.

1. SNAT (Source Network Address Translation) Overview

SNAT allows the BIG-IP system to translate the source IP address of a packet as it leaves the system. This is primarily used when the source IP of a client connection needs to be changed to a different IP address for routing purposes or to ensure proper return traffic from the server reaches the client.

SNAT Address Capacity:

  • SNAT Address Capacity is determined by the number of available IP addresses multiplied by the pool member count.

  • Formula:

    • SNAT Address Capacity = 65535 * Pool Member Count

    • This implies that for each pool member, you can have up to 65535 different translation addresses.

Port Exhaustion:

  • If too many clients are using the same source IP address and port for outgoing traffic, a situation called Port Exhaustion can occur. This means that there are no more available ports to map the connections, causing connection issues.

  • To mitigate port exhaustion, SNAT should be configured with a sufficient number of source IP addresses in the SNAT pool.

2. SNAT Pool

A SNAT Pool contains a group of source IP addresses from which the BIG-IP system selects when performing SNAT for outgoing traffic. These addresses are chosen based on a configured method (e.g., least connections) to ensure optimal traffic distribution.

SNAT Pool Behavior:

  • Least Connections Method: BIG-IP selects an IP address from the SNAT Pool based on the number of active connections associated with each IP address. The system will choose the SNAT address with the least active connections to distribute traffic evenly.

Multiple Egress Networks:

  • The SNAT Pool can contain addresses from more than one egress network. This allows you to mix addresses from different networks, giving you more flexibility in traffic routing and handling.

3. Auto Map Precedence Order

The Auto Map feature in BIG-IP allows the system to automatically assign an IP address for SNAT. When Auto Map is used, the system follows a specific precedence order to determine the most appropriate source address to use for translation.

The Auto Map Precedence Order is as follows:

  1. Float-IP / Egress VLAN:

    • The system will first attempt to use a floating IP address from the egress VLAN if one is available. Floating IPs are typically used for high availability and are associated with multiple devices in a failover setup.

  2. Float-IP / Other VLAN:

    • If no suitable floating IP address is found in the egress VLAN, it will try to use a floating IP from other VLANs.

  3. Non-Float-IP / Egress VLAN:

    • Next, the system will check for a non-floating IP address within the egress VLAN.

  4. Non-Float-IP / Other VLAN:

    • If none of the above options are suitable, the system will use a non-floating IP from other VLANs.

Here's a textual graph (or flow chart) summarizing the SNAT Configuration and Auto Map Precedence Order for BIG-IP:

-----------------------------------------------------------
|                  SNAT Address Capacity                 |
|  (65535 * Pool Member Count) --> Determines total IPs   |
|             available for translation.                 |
-----------------------------------------------------------

                |
                v

-----------------------------------------------------------
|                   Port Exhaustion Problem               |
|   - Occurs when too many connections use the same source|
|     IP address/port, causing a shortage of available    |
|     ports. SNAT can mitigate this by using multiple IPs.|
-----------------------------------------------------------

                |
                v

-----------------------------------------------------------
|                        SNAT Pool                       |
|  - Contains multiple source IPs for SNAT translation.   |
|  - IPs are selected based on "Least Connections".       |
|  - Can mix multiple egress networks for flexibility.   |
-----------------------------------------------------------

                |
                v

-----------------------------------------------------------
|                    Auto Map Precedence Order           |
|   Determines how BIG-IP selects an IP for SNAT:        |
-----------------------------------------------------------

1. **Float-IP / Egress VLAN** - First preference for floating IP in egress VLAN.
2. **Float-IP / Other VLAN** - If no egress VLAN option, fallback to other VLAN.
3. **Non-Float-IP / Egress VLAN** - If no floating IPs, use non-floating IP in egress VLAN.
4. **Non-Float-IP / Other VLAN** - If all above fail, use non-floating IP from other VLANs.
   
-----------------------------------------------------------

PreviousBIG-IP LTM TechnologyNextPacket Filters

Last updated 3 months ago