V11 as a firewall?

Question

I would like to move things around in my DMZs and "publish" interfaces as virtual servers between tiers on LTMs (no ASM or PSM).  I thought this would improve performance as the services needed by each tier would be published in the vlan where the clients live (otherwise the services have to route through a firewall). &nbsp;
&nbsp;I also thought that it would be pretty standard but when I proposed this to our QSA, the response was that F5 is not a SPI firewall.  I guess it isn't a pure firewall play, and the QSA didn't feel comfortable with the design.&nbsp;
&nbsp;I went and talked to my F5 support engineer and he said that at V11, F5 was certified as a firewall by an independent lab:
&nbsp;https://www.icsalabs.com/sites/default/files/F5_BIG-IP_11 0_Family_4 1xLab_Report_20120127.pdf&nbsp;

&nbsp;

Has anyone had any experience with this?  How did you convince your auditors that it's ok, or is it ok? &nbsp;

&nbsp;I'd be interested in hearing your thoughts.&nbsp;
&nbsp;Thanks,
&nbsp;Mike&nbsp;&nbsp;

&nbsp;

hooleylist · Answer

Hi Mike, 
&nbsp;  
&nbsp; TMOS has always acted as a stateful firewall in that it's a default deny device.  With the ICSA certification in v11, I don't see any reason you couldn't use TMOS for this scenario. 
&nbsp;  
&nbsp; I'm interested to hear what other users have to say on this. 
&nbsp;  
&nbsp; Aaron

mike_sullivan_2 · Answer

Well, I thought this might be an interesting question for this group, but the lack of activity seems to indicate otherwise. 
&nbsp;  
&nbsp; @moderators:  Should I post this somewhere else? 
&nbsp;  
&nbsp; Thanks, 
&nbsp; Mike

michael_koyfma1 · Answer

Mike, 
&nbsp;  
&nbsp; As you realize, the ICSA Network Firewall certification is pretty recent, and most QSAs are still not familiar with it.  Curious if you have shown your QSA the ICSA Labs report and still had the same reaction?

mike_sullivan_2 · Answer

Hi Michael, 
&nbsp;  
&nbsp; Yes it is recent.  I did share that with the QSA and I could see the gears turning, but they still are hung up on it.  It isn't over yet, I'm trying to get them to justify their opinion (I told them I can use a different icon in the diagram if that would help ;-) ). 
&nbsp;  
&nbsp; Mike

jwham20 · Answer

@mike: 
&nbsp;  
&nbsp; That's a tough one.  I spent hours at RSA repeating the same conversation over and over: 
&nbsp;  
&nbsp; attendee: "Hi, doing a firewall refresh, want to see about loadbalancing the new Firewalls with F5" 
&nbsp; Me:  "Why the extra gear? the F5 is a firewall" 
&nbsp; attendee:  "No you're not" 
&nbsp; Me:  "Why" 
&nbsp; attendee:"umm, cause you're not" 
&nbsp; ................. 
&nbsp; headdesk 
&nbsp; ------------------ 
&nbsp;  
&nbsp; I took the approach of asking what constitutes a firewall in their mind, then taking that checklist and confirming the F5 v11 has all the functionality they listed.  
&nbsp;  
&nbsp; As for a new icon...  sweet!  Come up with a cool one and send it in :)! 
&nbsp;  
&nbsp; -Josh &nbsp;

Forum Discussion

V11 as a firewall?

7 Replies

Recent Discussions

Need help on i-rule to specific uri path

Reverse Proxy Not Behaving

F5 terminal - help to run commands - disk space full

vulnerabilities-CVE-2020-16150 & CVE-2013-0169

google autenticator broken barcode

Related Content

F5 AFM/Edge Firewall and the difference between Edge Firewalls and Next-generation Firewalls (NGFW)

Integrating SSL Orchestrator with CheckPoint Firewall VM-Explicit Proxy

ProxyPass v10/v11

Integrating SSL Orchestrator with CheckPoint Firewall VM-Bridge Mode (L2)

icmp of management firewall