Forum Discussion

gavin84_31753
Nimbostratus
Mar 16, 2018

F5 HA Pair in front of DMZ IDS/IPS/Firewall Appliance

I have seen a few topics on this, but I may have missed the solution. We are trying to deploy a Best Bundle VE HA pair in front of our Core IPS/Firewall appliance, which is also clustered within Azure. I have only worked the F5 in the capacity of it acting as a reverse proxy. It is being deployed in this fashion to view decrypted traffic between Web/DMZ and the other internal enclaves and to also limit the number of public IP connections in the cloud.


We would want the F5 pair to route directly to the web/DMZ, but for traffic coming back up (initiated from the LAN) from the firewall appliance, to route outbound directly to the internet, while also utilizing the AFM. What key pieces are required to make outbound traffic work with respect to LAN-initiated traffic destined for the internet? We know the firewall will have a default route to the LTM, but are unsure if that's a virtual server, or the self IPs, etc. Any help would be appreciated.


2 Replies

  • Romani_2788
    Historic F5 Account

    In addition to that, this setup is pretty much how the Link Controller would work or setting up links in GTM/DNS, where the traffic is initiated outbound from the internal network.


    You need to make sure that the listeners (virtual servers) that you use are listening on the internal VLAN and that their pool members are the gateways leading to the internet; that way the connections are load balanced across the links outbound.


    So it is pretty much just the reverse of your setup that accepts inbound traffic. This is how this should work.
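The outbound design described in the reply, written out as a tmsh configuration. This is an added example, not configuration from the original thread or from F5: the VLAN name, interface, self IPs, gateway addresses and the AFM policy name are all constructed placeholders, and the exact attribute syntax should be checked against the tmsh reference for the BIG-IP version in use. The firewall appliance's default route points at the floating self IP on the internal VLAN; the wildcard virtual server listens only on that VLAN, forwards to a pool of internet gateways with address and port translation disabled (so the original destination is preserved and only the next hop is chosen), SNATs to a public-facing self IP, and has an AFM policy enforced on it.

```tmsh
# Internal VLAN facing the firewall appliance (interface and tag are assumptions)
create net vlan internal interfaces add { 1.1 } tag 4093

# Non-floating self IP for this unit, plus the floating self IP shared by the HA pair.
# The firewall appliance's default route should point at the floating address.
create net self 10.10.10.2/24 vlan internal allow-service none
create net self 10.10.10.1/24 vlan internal allow-service none traffic-group traffic-group-1

# Pool of upstream internet gateways (constructed addresses); port 0 means any port.
# gateway_icmp is a built-in monitor, so a dead link is taken out of rotation.
create ltm pool gw_pool monitor gateway_icmp members add { 203.0.113.1:0 203.0.113.2:0 }

# Wildcard Performance (Layer 4) virtual server on the internal VLAN only.
# translate-address/translate-port disabled keep the client's real destination;
# the pool just selects the next-hop gateway. SNAT automap hides LAN addresses.
create ltm virtual outbound_fwd destination 0.0.0.0:0 mask 0.0.0.0 ip-protocol any \
    profiles add { fastL4 } vlans-enabled vlans add { internal } \
    translate-address disabled translate-port disabled \
    source-address-translation { type automap } pool gw_pool

# AFM: explicit allow list for LAN-initiated traffic, default drop with logging.
# Rule and attribute names here are assumptions to be verified against your version.
create security firewall policy outbound_policy rules add {
    allow_lan_web { action accept ip-protocol tcp
        source { addresses add { 10.0.0.0/8 } }
        destination { ports add { 80 443 } } log yes }
    deny_all { action drop log yes }
}
modify ltm virtual outbound_fwd fw-enforced-policy outbound_policy

save sys config
```

The two things that most often break this design are an inbound virtual server also matching the outbound flow (hence restricting the wildcard listener to the internal VLAN) and forgetting to disable address translation, which rewrites every outbound destination to the gateway's own IP. Verify with `show ltm virtual outbound_fwd` and `show security firewall` after sending a test connection from the LAN.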