
jenmick1_43986
Apr 29, 2011

Dual Firewalled Environments - 1 LB

Hello. We are looking for assistance with a simple way to route & load balance traffic in a setup that we haven't configured before. We have two separate firewalls for the environments behind our LTM/GTM load balancer and need to make sure that the following conditions are met:


1) We are attempting to load balance traffic sourcing from two separate firewalls and need to ensure that traffic is sent back through the proper firewall.


2) SNAT cannot be used in these environments as the developers need to see true source IPs.


3) The servers need to be able to connect to the correct firewall when they are the source.


4) We have no overlapping IP space, but have been using route domains to manage default gateways to ensure that traffic is routed correctly (which is working fine for IPv4). This will not be supported for IPv6 and it is necessary for the environments to be IPv6 compliant.


What would be the best manner to approach this?


2 Replies

  • Hi jenmick1,


    Q: We are attempting to load balance traffic sourcing from two separate firewalls and need to ensure that traffic is sent back through the proper firewall.


    A: Shouldn’t the rest of your network configuration (non-BigIP) be taking care of your network routes and routing table for you? If the BigIP does not know the route it should utilize its default route.


    Q: SNAT cannot be used in these environments as the developers need to see true source IPs.


    A: Can you configure X-Forward in the HTTP Profile so that the True Client IP Address is placed in the header and the downstream application can retrieve it?


    Q: The servers need to be able to connect to the correct firewall when they are the source.


    A: If your servers are the source then they become a client and are passed through the BigIP if the traffic destination is not on a subnet that is owned by the BigIP. The traffic from the server should be allowed to pass through unaffected, but other devices might cause this not to work (firewall configurations).


    I can't offer any insight into your Route Domain issue; perhaps someone else can give you some suggestions.


  • Perhaps I can clarify this a bit. There are 2 firewalls, each protecting a different set of subnets. The route domains with IPv4 allow me to set two different gateways since each FW handles calls for different environments. The developers are using one firewall to manage traffic from public space (anything not in company private IP space), and the other firewall manages company (internal) space.


    Can the load balancer differentiate between the two with a single default gateway? I think this is probably a better way to define what my developers are asking me for.


    Thanks!


    jenmick1
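Two points in this thread benefit from a worked example on the application side: the first reply's suggestion to insert X-Forwarded-For on the BIG-IP so the developers can still see the true client address without SNAT, and the follow-up's distinction between clients coming from company (internal) space and clients coming from public space. The snippet below is an added illustration, not code from the thread, from F5, or from any BIG-IP configuration. The key caveat it demonstrates is that X-Forwarded-For is only trustworthy when the TCP peer is the load balancer itself; a request that reaches the server by any other path can carry any header value it likes, so the application must only believe the header from a known proxy address and must read the chain from the right. The BIG-IP self IPs in TRUSTED_PROXIES and the prefixes in INTERNAL_SPACE are constructed placeholders, as are the sample requests.

```python
import ipaddress
from typing import Optional, Union

Addr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed placeholder values (assumptions, not from the thread):
# the BIG-IP self IPs the application accepts X-Forwarded-For from, and the
# company's internal ("private") space. Replace with your own addresses.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.5/32"),         # BIG-IP IPv4 self IP (placeholder)
    ipaddress.ip_network("2001:db8:ff::5/128"),  # BIG-IP IPv6 self IP (placeholder)
]
INTERNAL_SPACE = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("2001:db8::/32"),       # placeholder internal IPv6 prefix
]


def _in_any(addr: Addr, nets) -> bool:
    # An IPv4 address is never "in" an IPv6 network and vice versa; ipaddress
    # returns False on a version mismatch, so mixed v4/v6 lists are safe here.
    return any(addr in net for net in nets)


def true_client_ip(remote_addr: str, xff_header: Optional[str]) -> Addr:
    """Return the address the application should treat as the client.

    The header is only believed when the TCP peer is a trusted proxy (the
    BIG-IP that inserts X-Forwarded-For). Entries are then walked from the
    right, because the rightmost one was appended by the nearest proxy; the
    first entry that is not itself a trusted proxy is the real client. Any
    entry further left is client-supplied and is ignored. A malformed entry
    raises ValueError so the caller can reject the request.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not _in_any(peer, TRUSTED_PROXIES) or not xff_header:
        return peer  # direct connection or untrusted peer: never believe the header
    hops = [h.strip().strip("[]") for h in xff_header.split(",")]
    for hop in reversed(hops):
        addr = ipaddress.ip_address(hop)  # raises ValueError on garbage
        if not _in_any(addr, TRUSTED_PROXIES):
            return addr
    # every entry was one of our own proxies: fall back to the peer
    return peer


def classify(addr: Union[str, Addr]) -> str:
    """'internal' for company space, 'public' for everything else (v4 or v6)."""
    return "internal" if _in_any(ipaddress.ip_address(str(addr)), INTERNAL_SPACE) else "public"


def resolve(remote_addr: str, xff_header: Optional[str]):
    """Convenience wrapper: (client address as text, 'internal' | 'public')."""
    client = true_client_ip(remote_addr, xff_header)
    return str(client), classify(client)


if __name__ == "__main__":
    # Constructed sample requests as the application would see them behind the BIG-IP.
    samples = [
        ("10.0.0.5", "203.0.113.7"),                          # public client via BIG-IP
        ("10.0.0.5", "192.168.4.20"),                         # internal client via BIG-IP
        ("10.0.0.5", "198.51.100.9, 203.0.113.7, 10.0.0.5"),  # spoofed leftmost entry ignored
        ("2001:db8:ff::5", "2001:db8:1::10"),                 # IPv6 path
        ("203.0.113.7", "10.1.2.3"),                          # bypassed the BIG-IP: header ignored
    ]
    for peer, xff in samples:
        print(f"peer={peer:16} xff={xff!r:45} -> {resolve(peer, xff)}")
```

The same right-to-left rule applies whatever proxy inserts the header; what changes per deployment is only the list of proxy addresses the server is willing to believe. If the servers can be reached without passing through the BIG-IP (for example from the internal firewall's side), the peer check is what keeps a direct client from forging an internal source.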