Forum Discussion
player_72606
Nimbostratus
Mar 04, 2012
bigip as FW
Hi all,
I would like to use the bigip as a FW between the networks; it is the L3 for them.
For example, one network is web servers and the other is SQL servers. I would like to permit
1433 from the web to the SQL and also remote desktop sessions.
Any ideas?
3 Replies
- Hamish
Cirrocumulus
Yep.
There are several ways. v11 is targeted to provide firewalling as well as ADC. There are several features that will provide the drop anything (e.g. packet filters). However, by default packets won't be forwarded across the LTM anyway. If the list of traffic you want is small, you could just create forwarding VS's for that traffic and nothing else.
The management may be a bit more unwieldy than a dedicated firewall though.
H
- player_72606
Nimbostratus
Can you please explain how using packet filters differs from using VS from the aspect of packet filtering?
- hoolio
Cirrostratus
As Hamish said, LTM is an ICSA certified firewall in 11.x:
http://www.f5.com/pdf/solution-profiles/big-ip-ltm-firewall-security-sp.pdf
I'd actually suggest using virtual servers to limit access through LTM. With a virtual server, you can enable it on specific ingress VLAN(s). If you need to do more specific source based ACLs, you can use iRules on the virtual servers. Virtual servers and optionally iRules should perform much more efficiently than using packet filters as the latter are applied to all connections whereas a VS is by definition just one listener (IP:port combination). The packaging for this is going to get more refined as the ADC firewall matures.
Aaron
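One way to express the approach hoolio describes (a virtual server enabled only on the ingress VLAN, with an iRule for source-based ACLs), as an added example that is not from the thread or from F5. It assumes a TCP forwarding (IP) virtual server whose destination is the SQL network on any port and which is enabled only on the web-side VLAN; the subnets, the rule name `acl_web_to_sql` and the variable names are constructed placeholders.

```tcl
# Added example (not from the thread). Assumed setup: this rule is attached to
# a TCP forwarding (IP) virtual server whose destination is the SQL network,
# any port, and which is enabled only on the web-side VLAN.
# All addresses below are constructed placeholders.

when RULE_INIT {
    # Source network allowed to initiate connections (web servers).
    set static::acl_src_net "10.10.10.0/24"
    # Destination network being protected (SQL servers).
    set static::acl_dst_net "10.10.20.0/24"
    # Permitted destination TCP ports: 1433 (SQL Server), 3389 (Remote Desktop).
    set static::acl_ports {1433 3389}
}

when CLIENT_ACCEPTED {
    # On the client side, the local address/port are the packet's destination.
    set src  [IP::client_addr]
    set dst  [IP::local_addr]
    set port [TCP::local_port]

    if { [IP::addr $src equals $static::acl_src_net] &&
         [IP::addr $dst equals $static::acl_dst_net] &&
         [lsearch -exact $static::acl_ports $port] >= 0 } {
        # Match: let the forwarding virtual server route the connection.
        return
    }

    # Anything else that reached this listener is logged and silently dropped.
    log local0.notice "acl_web_to_sql deny $src -> $dst:$port"
    drop
}
```

The deny branch writes one log line per rejected connection, so on a busy segment the `log` call may need to be removed or rate limited.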
