Forum Discussion

l_lupos
Jun 13, 2017

F5 Positioning between 2 Firewalls (checkpoint and fortinet)

Hi, I would like to ask if it's possible to position the F5 inline between firewalls. Point-to-point connections.

FW1---F5---FW2

Each segment is separated by 2 VLANs: VLAN 56 connecting on FW1 and VLAN 58 on FW2. By the way, they are connected through a switch.

What do I need to configure on the F5 side. Routes? Wildcard VS? I am load balancing servers behind FW2. And there are clients and servers behind FW1 that need to communicate with the servers behind FW2. What policies need to be configured?

Any suggestions?

2 Replies

  • k20

    Clients---FW1-----(VIP)F5----FW2----Servers
    Clients---FW1-----F5(VIP)----FW2----Servers

    You can have either side of the F5 to be your virtual servers. Which FW is a default gateway for your F5?

    If FW1 is a default gateway, you need a static route on the F5 to get to the servers with the next hop being the IP on FW2 facing the F5.

    If FW2 is a default gateway, you need the traffic from the servers to get back to the clients through the F5. If your return traffic is not going through the F5, you will face asymmetric routing, which your Checkpoint FW will drop by anti-spoofing or TCP packet out of state.

  • k20

    Is the return "load balanced" traffic not coming back to the F5?

    Is the client traffic not hitting your FW1?

    What is the default route on your FW2?

    Is your FW2 a bridging or layer 3 firewall?

    These are unknown variables to me. So any suggestions at this point could be invalid.

    Wildcard VS? Are you talking about IP forwarding virtual servers? For example, when your real servers need to go to Microsoft or Linux or whatever vendors to get patched and the traffic has to pass through the F5, yes you would need an outbound IP forwarding virtual server. Same thing for inbound. If you want to get to a particular backend server behind your FW2 from your workstation, for example, in order to do some maintenance, install patches, software, etc., and you don't want to connect to a VS, sure you would also need an inbound IP forwarding virtual server. Just search for "IP forwarding virtual server".
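The following tmsh configuration is an added example, not from either reply and not vendor-supplied, that puts both answers together for the topology in the question: the F5 sits between FW1 on VLAN 56 and FW2 on VLAN 58, FW1 is the default gateway (k20's first scenario), a static route reaches the servers via FW2, the application VS uses SNAT so replies come back through the F5, and the inbound and outbound IP forwarding virtual servers are scoped to a VLAN and, for the inbound one, to the server subnet. All addresses, interface numbers, object names and the server subnet are assumptions; the `mask any` form for the wildcard destination is also assumed to match the TMOS version in use.

```tmsh
# Added example (not from the thread). Assumed addressing:
#   VLAN 56: FW1 inside  = 10.56.0.1,  F5 self IP = 10.56.0.10
#   VLAN 58: FW2 outside = 10.58.0.1,  F5 self IP = 10.58.0.10
#   Servers behind FW2: 10.100.0.0/24 (assumed)
#   Interfaces 1.1 / 1.2 face the switch carrying both VLANs (assumed)

# VLANs toward the shared switch (802.1Q tagged)
create net vlan vlan56 tag 56 interfaces add { 1.1 { tagged } }
create net vlan vlan58 tag 58 interfaces add { 1.2 { tagged } }

# Self IPs with no listening services; only virtual servers accept traffic
create net self 10.56.0.10/24 vlan vlan56 allow-service none
create net self 10.58.0.10/24 vlan vlan58 allow-service none

# FW1 is the default gateway (clients and everything else live behind it)
create net route default gw 10.56.0.1

# Static route to the server subnet with FW2's F5-facing IP as next hop,
# which is what k20 describes when FW1 is the default gateway
create net route servers_via_fw2 network 10.100.0.0/24 gw 10.58.0.1

# Load-balanced application behind FW2 (member addresses assumed)
create ltm pool app_pool monitor http members add { 10.100.0.11:80 10.100.0.12:80 }

# VIP on the FW1 side. SNAT automap rewrites the client source to the F5's
# VLAN 58 self IP, so server replies return to the F5 regardless of FW2's
# default route; that is what keeps the Checkpoint from seeing the
# asymmetric, out-of-state packets k20 warns about. Without SNAT, FW2 would
# need a route for the client networks pointing at 10.58.0.10 instead.
create ltm virtual app_vs destination 10.56.0.100:80 ip-protocol tcp pool app_pool profiles add { http } source-address-translation { type automap } vlans-enabled vlans add { vlan56 }

# Outbound IP forwarding VS: servers reaching patch sources through the F5.
# Listens only on VLAN 58 so it cannot be reached from the FW1 side.
create ltm virtual fwd_outbound destination 0.0.0.0:0 mask any ip-protocol any ip-forward profiles add { fastL4 } vlans-enabled vlans add { vlan58 }

# Inbound IP forwarding VS for maintenance access to the servers. Scoped to
# the server subnet and to VLAN 56 rather than 0.0.0.0/0 on all VLANs, so
# the F5 does not become an unrestricted path between the two firewalls;
# FW1 and FW2 still enforce their own policies on both sides.
create ltm virtual fwd_inbound destination 10.100.0.0:0 mask 255.255.255.0 ip-protocol any ip-forward profiles add { fastL4 } vlans-enabled vlans add { vlan56 }

save sys config
```

If FW2 ends up as the default gateway instead (k20's second scenario), swap the roles: the default route points at 10.58.0.1 and the static route covers the client networks via 10.56.0.1, and the SNAT on the VS is what still guarantees the return path. Check the result from the F5 with `show net route` and `show ltm virtual` and, on the firewalls, confirm that neither anti-spoofing nor out-of-state drops appear for the VIP flows before relying on the design.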