bigip as FW

Question

Hi all,&nbsp;
&nbsp;i would like to use the bigip as FW between the networks it is the L3 for them
&nbsp;for example one network is web server and the other is sql servers, i would like to permit
&nbsp;1433 from the web to the sql and also remote desktop session&nbsp;
&nbsp;any ideas?&nbsp;

hamish · Answer

Yep. 
&nbsp;  
&nbsp; There's several ways. v11 is targeted to provide firewalling as well as ADC. There's several features that will provide the drop anything (e.g. Packet filters). However by default packets won't be forwarded across the LTM anyway. If the list of traffic you want is small, you could just create forwarding VS's for that traffic and nothing else.  
&nbsp;  
&nbsp; The management may be a bit more unwieldy than a dedicated firewall though.. 
&nbsp;  
&nbsp; H

player_72606 · Answer

can you please explain, how using packet filters differs from using VS from the aspect of packet filtering?

hoolio · Answer

As Hamish said, LTM is an ICSA certified firewall in 11.x: 
&nbsp;  
&nbsp; http://www.f5.com/pdf/solution-profiles/big-ip-ltm-firewall-security-sp.pdf 
&nbsp;  
&nbsp; I'd actually suggest using virtual servers to limit access through LTM.  With a virtual server, you can enable it on specific ingress VLAN(s).  If you need to do more specific source based ACLs, you can use iRules on the virtual servers.  Virtual servers and optionally iRules should perform much more efficiently than using packet filters as the latter are applied to all connections whereas a VS is by definition just one listener (IP:port combination).  The packaging for this is going to get more refined as the ADC firewall matures. 
&nbsp;  
&nbsp; Aaron

Forum Discussion

bigip as FW

Recent Discussions

Related Content

Satellite FW, Attacks on European airports, Game was a malware, Self-propagating malware

Re: BigIP Report

BigIP Report Old

Securing APIs with BigIP

Integrating the F5 BIGIP with Azure Sentinel

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS