Routing of DMZ F5 traffic to internal F5 traffic
I have a design / functionality question. I have a DMZ server that I'll be bringing into our internal network but will be fronting it with the F5 appliance in our DMZ. The question I have is twofold... (1) Would it be good practice to have the traffic coming from the DMZ F5 to the internal F5 and then to the backend vs? (2) Because I have to enter firewall rules for each server that we are bringing inside and fronting with the F5, would it be good practice to simply set up one set of ACLs to allow the DMZ and internal F5s to talk with each other and then edit the firewall ACL with a new port each time we add new functionality?
I wouldn't consider it best practice, but people have their own opinions. Ask yourself this, would you open a rule up from the Internet direct to an internal server? If not, what protection do you think the F5 is adding to this connection to make your scenario better? Assuming you are just talking about LTM, it is working as a proxy and terminating the connection, but for the most part it will pass all application traffic, including application attacks/exploits, right through to your internal server.
As far as routing and firewall rules, that is configuration dependent, but I don't think you can just create a rule allowing the DMZ F5 to talk to the internal F5. Your traffic will go through the external F5 and have some source IP (determined by whether SNAT is enabled, which SNAT pool you use, or automap) to a destination of the internal virtual server. I imagine you will need a separate rule for each VS you want to work this way.
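To make the point in this answer concrete, here is an added example (not from the original thread or from F5) that models what the internal firewall actually sees: the source is whatever the external F5's SNAT setting yields (assumed here to be a SNAT pool, automap self IPs, or no SNAT), and the destination is each internal virtual server, so the rule set grows by one entry per VS rather than being a single "F5 to F5" rule. The VS addresses, SNAT pool and self IPs are constructed sample values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class VirtualServer:
    name: str
    dest_ip: str      # internal VS address the external F5 forwards to
    port: int
    protocol: str = "tcp"

@dataclass(frozen=True)
class AclRule:
    source: str       # host or CIDR as the internal firewall sees it
    dest_ip: str
    port: int
    protocol: str

def snat_sources(snat_mode, snat_pool=(), self_ips=()):
    """Source addresses the internal firewall will see after the external F5.
    "none": original client IP is preserved, i.e. any Internet address.
    "automap": the external F5's egress self IPs (assumed supplied by caller).
    "pool": the members of the configured SNAT pool."""
    if snat_mode == "none":
        return ["0.0.0.0/0"]
    if snat_mode == "automap":
        return sorted(self_ips)
    if snat_mode == "pool":
        return sorted(snat_pool)
    raise ValueError(f"unknown SNAT mode {snat_mode!r}")

def required_rules(snat_mode, internal_vs, snat_pool=(), self_ips=()):
    """One ACL entry per (source, internal VS) pair; nothing here targets
    the internal F5 itself, which is why a blanket F5-to-F5 rule won't match."""
    return [AclRule(src, vs.dest_ip, vs.port, vs.protocol)
            for src in snat_sources(snat_mode, snat_pool, self_ips)
            for vs in internal_vs]

def internet_exposed(rules):
    """Rules whose source is 'any' are effectively Internet-to-internal holes."""
    return [r for r in rules if r.source == "0.0.0.0/0"]

# Constructed sample: two internal virtual servers, a two-address SNAT pool.
SAMPLE_VS = [VirtualServer("web", "10.20.0.10", 443),
             VirtualServer("api", "10.20.0.11", 8443)]
SAMPLE_SNAT_POOL = ["192.0.2.10", "192.0.2.11"]

if __name__ == "__main__":
    for r in required_rules("pool", SAMPLE_VS, snat_pool=SAMPLE_SNAT_POOL):
        print(f"permit {r.protocol} {r.source} -> {r.dest_ip}:{r.port}")
```

Adding a third VS adds one more destination to every source line, so the firewall change is per VS, not per port on a single F5-to-F5 rule.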