Overview

The F5 BIG-IP Integration mirrors traffic to a new pool containing the Network Analyzer node.

Deploy The Network Analyzer

Configuring F5 Big-IP Device

Step 1: Configure Pool

Create F5 pool named httpmirrorpool
Add node running network-analyzer to httpmirrorpool

References:

https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/big-ip-local-traffic-management-basics-14-0-0/04.html#guid-e3f736ff-8c72-4b9f-8413-343e3bd868ad

https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/big-ip-local-traffic-management-basics-14-0-0/03.html#guid-9003a0cb-88a1-4e0f-bf34-2172d2caad12

Step 2: Configure iRule

Create F5 iRule named http_mirroring to mirror HTTP requests to the new pool by copy/pasting our provided iRule

when RULE_INIT {
    # Log debug locally to /var/log/ltm? 1=yes, 0=no
    set static::hsl_debug 1

    # Pool name to clone requests to
    set static::hsl_pool "httpmirrorpool"
}
when CLIENT_ACCEPTED {

    if {[active_members $static::hsl_pool]==0}{
        log "[IP::client_addr]:[TCP::client_port]: [virtual name] $static::hsl_pool down, not logging"
        set bypass 1
        return
    } else {
        set bypass 0
    }

    # Open a new HSL connection if one is not available
    set hsl [HSL::open -proto TCP -pool $static::hsl_pool]
    if {$static::hsl_debug}{log local0. "[IP::client_addr]:[TCP::client_port]: New hsl handle: $hsl"}
}
when HTTP_REQUEST {

    # If the HSL pool is down, do not run more code here
    if {$bypass}{
        return
    }
    # Insert an XFF header if one is not inserted already
    # So the client IP can be tracked for the duplicated traffic
    HTTP::header insert X-Forwarded-For [IP::client_addr]

    # Check for POST requests
    if {[HTTP::method] eq "POST"}{

        # Check for Content-Length between 1b and 1Mb
        if { [HTTP::header Content-Length] >= 1 and [HTTP::header Content-Length] < 1048576 }{
            HTTP::collect [HTTP::header Content-Length]
        } elseif {[HTTP::header Content-Length] == 0}{
            # POST with 0 content-length, so just send the headers
            HSL::send $hsl "[HTTP::request]\n"
            if {$static::hsl_debug}{log local0. "[IP::client_addr]:[TCP::client_port]: Sending [HTTP::request]"}
        }
    } else {
        # Request with no payload, so send just the HTTP headers to the clone pool
        HSL::send $hsl "[HTTP::request]\n"
        if {$static::hsl_debug}{log local0. "[IP::client_addr]:[TCP::client_port]: Sending [HTTP::request]"}
    }
}
when HTTP_REQUEST_DATA {
    # The parser does not allow HTTP::request in this event, but it works
    set request_cmd "HTTP::request"
    if {$static::hsl_debug}{log local0. "[IP::client_addr]:[TCP::client_port]: Collected [HTTP::payload length] bytes,\
        sending [expr {[string length [eval $request_cmd]] + [HTTP::payload length]}] bytes total"}
    HSL::send $hsl "[eval $request_cmd][HTTP::payload]\nf"
}

References:

https://clouddocs.f5.com/api/irules/HSL.html

Step 3: Add iRule to Applications

Add http_mirroring iRule to applications

Public Knowledge Base