Sep 12, 2015

APM as security for my DMZ

We are planning to implement a new DMZ.


My organisation currently has APM at the perimeter providing posture security checks.


Can we leverage the F5 APM as the security layer for our DMZ also?


  • Hello Mate,


    For an enterprise network, you might need a firewall to segregate the DMZ. APM can use it for security posture checks but it is not a perfect perimeter device to filter, I guess.


    I strongly recommend using a separate FW to separate the DMZ.




  • It depends on what you expect from a firewall and what is going to be in your DMZ. But the BIG-IP appliance is perfectly equipped to be a basic (so no next gen inspection and such) data center firewall. It is a deny default device to start with, certified by ICSA as a firewall and can handle a lot of traffic.


  • Hello,

    You have to use a firewall, but what you can do is configure a virtual server on the F5 which will have a DMZ IP, and NAT it on the FW to an outside IP. On the back end, the F5 will talk to the server.

    Outside IP -->DMZ IP (F5 Virtual server)-->Inspection by APM policy-->Backend server IP


    I configured an APM policy to check geolocation. Below is my policy. This is how I am blocking traffic from countries other than Canada & USA. The "Users are allowed location" box is checking IP subnets that I have allowed. HTH