Forum Discussion

jquinones82_469
Jun 11, 2013

LTM External VLAN Design

How many people here have put the external VLAN for the F5 outside their Firewall?

Currently we have deployed an LTM behind the FW and we are handling external NAT'ing on the Firewall. I wanted to know what the general consensus on this is? Good results? Bad?

For the most part, we have been fine, but now with the implementation of the GTM it becomes more relevant, as now I can only pull internal IPs from the GTM and I want to use the GTM for external IPs.


2 Replies

  • I have had many customers ask me the same thing. They heard stories from people who have placed the F5 LTM in front of a firewall and it's saved them from countless attacks. I have personally seen a benefit from doing this - but in my mind I wouldn't want the F5 ADC to pull double duty of being a firewall's firewall and load balancer. I prefer keeping the functionality separate.

    -=Bhattman=-


  • It's definitely done this way by many F5 customers. It's a default deny appliance - that should make the network guy happy, and it's ICSA-certified - which should make the IA guy happy. You've got packet filtering built into LTM (which is a large part of the certification), and then you have the new Advanced Firewall Manager (AFM) which is a full proxy, extremely high throughput, stateful firewall that runs on top of the ADC. I would probably agree with Bhattman in that there are absolutely situations where you'd want to separate firewall and load balancer, but then in many cases that's not true anymore.
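As an added illustration of the "default deny plus packet filtering" setup the second reply describes (this is not part of either reply and not F5's own documentation), here is what that looks like as a bigip.conf fragment for an LTM sitting on the outside. The object names, the VLAN name `external`, the pool member, and the address 203.0.113.10 are placeholders I chose; the two `sys db` keys are written from memory of the packet-filter settings and should be checked against your software version.

```tmsh
# Global packet-filter switches (assumed db keys; confirm on your version).
# With the default action set to reject, any packet that matches no filter
# below is dropped, which is the "default deny" behaviour the reply refers to.
sys db packetfilter {
    value "enable"
}
sys db packetfilter.defaultaction {
    value "reject"
}

# Packet filters are evaluated by 'order'; the first match wins.
# The rule uses tcpdump-style (BPF) syntax. This one admits only HTTPS to the
# single public virtual server address on the outside VLAN.
net packet-filter allow_ext_https {
    action accept
    order 1
    rule "( dst host 203.0.113.10 ) and ( tcp dst port 443 )"
    vlan external
}

# The only listener on that address. LTM answers only for configured
# virtual servers, so a packet the filter admits but that matches no
# virtual server still gets no service.
ltm pool pool_web {
    members {
        10.0.10.11:80 {
            address 10.0.10.11
        }
    }
}
ltm virtual vs_ext_https {
    destination 203.0.113.10:443
    ip-protocol tcp
    pool pool_web
    profiles {
        http { }
        tcp { }
    }
    vlans { external }
    vlans-enabled
}
```

Two things worth keeping in mind when reading this against the replies: the LTM packet filter is a stateless per-packet check in front of the virtual servers, whereas the stateful, policy-based firewalling the reply attributes to AFM is a separate module that has to be provisioned and attached to the virtual server; and because the filter is limited to the `external` VLAN, management and internal-side traffic are unaffected, so a mistake in the rule cannot lock you out of the box from the inside.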