Friday, July 21, 2017

Finding traffic that's hitting a F5 vip via IRule

So let say you have  traffic hitting a f5 VirtualServer,  but you want to  find out what/who  is hitting it and what URI they are asking for,  you can do  a log Statement inside   a iRule defining what you want to log ( src addr, host_header URI )  


e.g

ltm rule HOSTSWITCHER {
    when HTTP_REQUEST {
    switch [HTTP::host] {
   "mysite.mydomain.com" {

    persist cookie insert "c00k3yM0nst3r" "7d 00:00:00"
    log local0. " The site name  [HTTP::host] and uri  [HTTP::uri]  is hitting  the mysite.mydomain.com"
    pool mysite.mydomain.com_pool
   }
  
 

   default {
   log local0. " The site name  [HTTP::host] and uri  [HTTP::uri] and client's address  [IP::client_addr]   is hitting  the default"
   persist cookie insert "de3fAUlt" "1d 00:00:00"
   pool default_pool
  }
 }
}
}


This helps to find DNS entries that could be lefted over and pointing to your public address. By generating a log message for the host and|or URI  you can easily debugged left over or bad configurations.

The f5 logs  for  ltm will show something similar ;



KenFelix




NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o 
        /  \

No comments:

Post a Comment