CISCO Flow Sensor and Load Balancer


Introduction

If a load balancer is installed in front of a resource on the network, it obscures visibility and may reduce the detection of threats in the Secure Network Analytics system. Use the instructions in this guide to configure the load balancer and Flow Sensor. This configuration stitches the client side and server side flows together, so the outside host connects to the inside host, providing visibility and enhanced security on the Flow Sensor and the Secure Network Analytics system.

Audience
The primary audience for this guide includes administrators responsible for configuring the Secure Network Analytics system.

Before You Begin

Before starting the procedures in this guide, you should do the following:

  • Confirm that your Secure Network Analytics system is communicating. Go to the Desktop Client. Check the Alarm Table to make sure there are no active Management Channel Down or Failover Channel Down alarms.
  • Confirm that your Secure Network Analytics system appliance licenses are active.

Configuring the Load Balancer

Use the following instructions to configure the load balancer. You will disable the X-Forwarded-For (XFF) option for HTTP, create an iRule, and enable a virtual server resource. If you prefer to use an existing iRule, you can modify it using the information provided here. For successful integration, apply the instructions in this section to all load balancers in the network. The instructions in this guide show the configuration on an F5 Load Balancer as an example, but we believe this configuration can be used on all types of load balancers.

Disabling the XFF Option for HTTP
Use the following procedure to disable the XFF option for HTTP.
The built-in functionality to insert data in an XFF HTTP header must be disabled in the F5 Load Balancer as follows:

  1. Log in to the F5 Load Balancer configuration utility.
  2. Under the Main tab, click Local Traffic.
  3. Click Profiles > Services > HTTP.
    If HTTP is not shown in the Services menu, skip to step 8.
  4. Click http.
  5. Under Settings, locate Insert X-Forwarded-For.
  6. Select Disabled from the drop-down list (or uncheck the Enabled check box to clear it).
  7. Click the Update button.
  8. From the Services menu, click Fast HTTP.
    If Fast HTTP is not available in the Services menu, skip the rest of this section. Proceed to Creating the iRule.
  9. Locate Insert X-Forwarded-For.
  10. Select Disabled from the drop-down list (or uncheck the Enabled check box to clear it).
  11. Click the Update button to save and exit.
  12. Continue to Creating the iRule.

Creating the iRule
Use the following instructions to add an iRule for the XFF header. This procedure is used to map the Load Balancer IP and ensure that accurate port and protocol information are reported to the Flow Sensor. If you prefer to use an existing iRule, you can modify it using the information provided here.

To create an iRule for the XFF header in the F5 Load Balancer, complete the following steps:

  1. In the Main tab, click Local Traffic.
  2. Click iRules.
  3. Click the Create button.
  4. In the Name field, enter xff.
  5. Copy and paste the following text into the Definition field:
    when CLIENT_ACCEPTED {
        # Decide the scheme and port from the client-side SSL profile of the virtual server.
        if { [PROFILE::exists clientssl] } then {
            set client_protocol "https"
            set local_port 443
        } else {
            set client_protocol "http"
            set local_port 80
        }
    }
    when HTTP_REQUEST {
        # Append to each X-Forwarded-* header if one is already present; otherwise insert it.
        if { [HTTP::header exists "X-Forwarded-For"] } {
            HTTP::header replace X-Forwarded-For "[HTTP::header X-Forwarded-For], [IP::client_addr]"
        } else {
            HTTP::header insert "X-Forwarded-For" [IP::client_addr]
        }
        if { [HTTP::header exists "X-Forwarded-Proto"] } {
            HTTP::header replace X-Forwarded-Proto "[HTTP::header X-Forwarded-Proto], $client_protocol"
        } else {
            HTTP::header insert "X-Forwarded-Proto" $client_protocol
        }
        if { [HTTP::header exists "X-Forwarded-Port"] } {
            HTTP::header replace X-Forwarded-Port "[HTTP::header X-Forwarded-Port], [TCP::client_port]"
        } else {
            HTTP::header insert "X-Forwarded-Port" [TCP::client_port]
        }
        if { [HTTP::header exists "X-Forwarded-Host"] } {
            HTTP::header replace X-Forwarded-Host "[HTTP::header X-Forwarded-Host], [IP::local_addr]:$local_port"
        } else {
            HTTP::header insert "X-Forwarded-Host" [IP::local_addr]:$local_port
        }
    }
  6. Click the Finished button to save and exit.
  7. Continue to Adding the iRule as a Virtual Server Resource.

Adding the iRule as a Virtual Server Resource
To enable a virtual server, the new XFF iRule must be added as a resource in the F5 Load Balancer. This step enables the load balancer to report the XFF Header.

  1. Under the Main tab, click Local Traffic.
  2. Click Virtual Servers.
  3. In the Service Port column, find the virtual server on Service Port 80 (HTTP) or 443 (HTTPS) that handles the traffic for the device. Click the Virtual Server name.
  4. Click the Resources tab.
  5. In the iRules section, click the Manage button.
  6. Scroll through the Available iRules to find the new XFF iRule. Click the XFF iRule to select it.
  7. Click the << button to add the XFF iRule to the Enabled box.
  8. Click the Finished button to save and exit.

Configuring All Load Balancers in the Network
If there are multiple load balancers chained on the network, apply the preceding instructions in this Configuring the Load Balancer section on each load balancer before proceeding to Enabling XFF Processing on the Flow Sensor.
Configuring each load balancer preserves the XFF information and appends it. In this configuration, the Flow Sensor will report only the original load balancer IP in the translated host.

Configuring the Load Balancer instructions include the following:

  • Disabling the XFF Option for HTTP
  • Creating the iRule
  • Adding the iRule as a Virtual Server Resource
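The following Python model is an added example, not code from the Cisco guide or from F5. It mirrors the append-or-insert logic of the xff iRule above for a constructed two-hop load balancer chain, then shows how a consumer of those headers recovers the original client and the first load balancer's IP and port (the values this guide later calls Translated Host and Translated Port). The hop addresses, the mapping of X-Forwarded-Host to the translated host, and the function names are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass
class Hop:
    """What the iRule observes at one load balancer (constructed sample values)."""
    client_addr: str   # [IP::client_addr]: who connected to this load balancer
    client_port: int   # [TCP::client_port]
    local_addr: str    # [IP::local_addr]: this load balancer's virtual server IP
    tls: bool          # [PROFILE::exists clientssl]


def apply_irule(headers: dict, hop: Hop) -> dict:
    """Mirror of the iRule's HTTP_REQUEST event: append if the header exists, else insert."""
    proto, local_port = ("https", 443) if hop.tls else ("http", 80)  # CLIENT_ACCEPTED logic
    out = dict(headers)
    for name, value in (
        ("X-Forwarded-For", hop.client_addr),
        ("X-Forwarded-Proto", proto),
        ("X-Forwarded-Port", str(hop.client_port)),
        ("X-Forwarded-Host", f"{hop.local_addr}:{local_port}"),
    ):
        out[name] = f"{out[name]}, {value}" if name in out else value
    return out


def first_entry(value: str) -> str:
    """First comma-separated entry, i.e. what the first load balancer in the chain recorded."""
    return value.split(",")[0].strip()


def stitch(headers: dict) -> dict:
    """Recover the original client and the first load balancer (assumed translated host/port).
    Assumes IPv4 in X-Forwarded-Host, because the iRule writes 'addr:port' without brackets."""
    host, port = first_entry(headers["X-Forwarded-Host"]).rsplit(":", 1)
    return {
        "client": first_entry(headers["X-Forwarded-For"]),
        "client_port": int(first_entry(headers["X-Forwarded-Port"])),
        "protocol": first_entry(headers["X-Forwarded-Proto"]),
        "translated_host": host,
        "translated_port": int(port),
    }


def run_chain() -> dict:
    """Constructed chain: client -> LB1 (HTTPS virtual server) -> LB2 (HTTP) -> server."""
    hops = [
        Hop("203.0.113.10", 51000, "198.51.100.5", tls=True),  # LB1 sees the real client
        Hop("10.0.0.5", 40000, "10.0.1.20", tls=False),        # LB2 sees LB1's address
    ]
    headers: dict = {}
    for hop in hops:
        headers = apply_irule(headers, hop)
    return headers
```

Running `stitch(run_chain())` yields the first hop's values only (client 203.0.113.10, translated host 198.51.100.5 on port 443), which is the behaviour the paragraph above describes for chained load balancers.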

Enabling XFF Processing on the Flow Sensor

To process the XFF header field on the Flow Sensor, complete the following steps:

  1. Log in to your Manager.
  2. Click Configure > Global > Central Management.
  3. Click the (Ellipsis) icon for your Flow Sensor, then click View Appliance Statistics. The Flow Sensor Admin interface opens.
  4. Click Configuration > Advanced Settings.
  5. Check the Enable X-Forwarded-For Processing check box.
  6. Click the Apply button.
  7. Repeat these instructions on all Flow Sensors in the network that are receiving load balancer support.
  8. Continue to Verifying the Configuration.

Verifying the Configuration

To verify the load balancer configuration, log in to the Desktop Client or the Web App. The Desktop Client provides the load balancer IP address and port, and the Web Client provides the load balancer IP address.

Verifying the Configuration in the Manager Desktop Client
Use the following instructions to review the load balancer IP address and port in the Desktop Client.

  1. To generate X-Forwarded-For traffic on a client in front of the F5 Load Balancer, use a browser on a web server located behind the load balancer to log in to the Desktop Client.
  2. Locate the Flow Sensor in the Enterprise Tree. Right-click the Flow Sensor name (or IP address).
  3. Click Flows > Flow Table.
  4. Review the Translated Host and Translated Port columns to confirm the F5 Load Balancer IP address and port are shown.
    • Translated Host (load balancer IP address)
    • Translated Port (load balancer port)


Adding Columns to the Flow Table (Desktop Client)
If the Translated Host and Translated Port columns are not shown in the Desktop Client Flow Table, complete the following steps:

  1. Right-click any column.
  2. Scroll through the list. Select More until you reach the T's.
  3. Click Translated Host and Translated Port to add them to the Flow Table.

Verifying the Configuration in the Web App
Use the following instructions to review the load balancer IP address in the Web App. The translated port is not available in the Web App. See Verifying the Configuration in the Manager Desktop Client to verify the port.

  1. Open a web page on the server (behind the F5 Load Balancer).
  2. Log in to the Manager.
  3. Click Investigate > Flow Search.
  4. Click Search.
  5. When the Flow search results display flows, click Manage Columns.
  6. Click the check box to add a check mark to Peer NAT and Subject NAT.
  7. Click Set.
  8. Confirm the load balancer IP address is shown in the Peer NAT column or the Subject NAT column.
    The column is determined by the direction of the flow.


Contacting Support
If you need technical support, please do one of the following:

  1. Contact your local Cisco Partner
  2. Contact Cisco Support
  3. To open a case by web: http://www.cisco.com/c/en/us/support/index.html
  4. For phone support: 1-800-553-2447 (US)
  5. For worldwide support numbers: https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

Change History

Document Version    Release Date       Description
1_0                 August 11, 2025    Initial Version.

Copyright Information
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: https://www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1721R)

© 2025 Cisco Systems, Inc. and/or its affiliates. All rights reserved.

FAQ

What is the purpose of this guide?

This guide provides instructions for configuring the load balancer and Flow Sensor to enhance security and visibility in the Secure Network Analytics system.

Who is the intended audience for this guide?

The guide is intended for administrators responsible for configuring the Secure Network Analytics system.

What should I do before starting the procedures in this guide?

Ensure your Secure Network Analytics system is communicating and that appliance licenses are active.

How do I contact Cisco Support?

You can contact Cisco Support via their website, phone, or by reaching out to your local Cisco Partner.

Documents / Resources

CISCO Flow Sensor and Load Balancer [pdf] User Guide