GTM & LTM Firewall rules setup question
Hello All, I have a question regarding GTM and LTM firewall rules setup. Here is the deal. Let's say there are 3 data centers with 3 GTMs and 3 pairs of LTMs in each data center.
DC1 - GTMDC1, LTMDC1a(Active)+LTMDC1b(Stby)
DC2 - GTMDC2, LTMDC2a(Active)+LTMDC2b(Stby)
DC3 - GTMDC3, LTMDC3a(Active)+LTMDC3b(Stby)
All 3 GTMs will be in the same sync group, and the fw rules between the GTMs and LTMs in each DC will have ports 22, 443 and 4353 open to allow bigip_add and iQuery. The fw rule between all 3 GTMs in different data centers, i.e.
GTMDC1 <==> GTMDC2 <==> GTMDC3 22, 443, 4353
My question is: should I also be opening up the fw rules from the GTMs in one data center to the LTMs in the other data centers?
==========================================
GTMDC1 <=fwrule 4353,22=> LTMDC2a(Active)+LTMDC2b(Stby)
GTMDC1 <=fwrule 4353,22=> LTMDC3a(Active)+LTMDC3b(Stby)
==========================================
GTMDC2 <=fwrule 4353,22=> LTMDC1a(Active)+LTMDC1b(Stby)
GTMDC2 <=fwrule 4353,22=> LTMDC3a(Active)+LTMDC3b(Stby)
==========================================
GTMDC3 <=fwrule 4353,22=> LTMDC1a(Active)+LTMDC1b(Stby)
GTMDC3 <=fwrule 4353,22=> LTMDC2a(Active)+LTMDC2b(Stby)
==========================================
I am not delegating VIP monitoring to the LTMs on the GTM within the data center, i.e. I will be disabling
iq-allow-path no, iq-allow-service-check no, iq-allow-snmp no
and letting the GTMs handle the LTM VIP availability.
Thank you.