BigIP and PCI

Question

I have a PCI requirement to separate traffic behind my F5 cluster by function AND a firewall.  Meaning WEB servers can not talk to EMAIL servers without going through a firewall.  My question is do pool members have to be on the same subnet as the F5?  Meaning can I have a VLAN on the F5 that routes to a firewall where the pool members reside behind?&nbsp;
&nbsp;Attached is a diagram showing what I mean&nbsp;

hoolio · Answer

As long as you have routing configured on the BIG-IP, the firewall and the pool members, this should work fine.  Ideally, you'd have redundant firewalls so you don't  reduce the value of having redundant BIG-IPs.&nbsp;
&nbsp;Aaron

tcvander_93096 · Answer

Thank you for the response, yes there are redundant F5's and Firewall's, I was trying to keep the drawing simple.  Where you state routing you mean static route's builit in the F5 and Firewall's, not a routing protocol running; correct?

hoolio · Answer

Static routes should work fine.  If you have the advanced routing module licensed you could also use a routing protocol.&nbsp;
&nbsp;Aaron

Forum Discussion

BigIP and PCI

Recent Discussions

Service discovery is not happening in AS3

Kerberos Auth is not working after keytab file -

History Current Connections from Local pool Traffic.

Http / https health monitor issue

F5-SDK Get GTM Pool Server, Virtual Server, Unused Objects, and JSON Conversion for Data Processing

Related Content

Decoding PCI-DSS v4.0: F5's Ridiculously Easy Guide to Technical Compliance

Re: BigIP Report

BigIP Report Old

Upgrade F5 BIGIP

Shrink/Compact BIGIP VE Virtual Disk

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS