Forum Discussion

player_72606
Mar 04, 2012

bigip as FW

Hi all,

I would like to use the BIG-IP as a FW between the networks; it is the L3 for them.

For example, one network is web servers and the other is SQL servers. I would like to permit 1433 from the web to the SQL, and also remote desktop sessions.

Any ideas?

  • Hamish
    Yep.

    There are several ways. v11 is targeted to provide firewalling as well as ADC. There are several features that will provide the drop-anything (e.g. packet filters). However, by default packets won't be forwarded across the LTM anyway. If the list of traffic you want is small, you could just create forwarding VSs for that traffic and nothing else.

    The management may be a bit more unwieldy than a dedicated firewall though.

    H
  • Can you please explain how using packet filters differs from using a VS from the aspect of packet filtering?
  • As Hamish said, LTM is an ICSA-certified firewall in 11.x:

    http://www.f5.com/pdf/solution-profiles/big-ip-ltm-firewall-security-sp.pdf

    I'd actually suggest using virtual servers to limit access through LTM. With a virtual server, you can enable it on specific ingress VLAN(s). If you need to do more specific source-based ACLs, you can use iRules on the virtual servers. Virtual servers and optionally iRules should perform much more efficiently than using packet filters, as the latter are applied to all connections whereas a VS is by definition just one listener (IP:port combination). The packaging for this is going to get more refined as the ADC firewall matures.

    Aaron
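A worked tmsh configuration of the approach Aaron and Hamish describe, added here as an example; it is not from the thread or from F5's own documentation. The VLAN name web_vlan, the web subnet 10.10.0.0/24, the SQL subnet 10.20.0.0/24, the jump host 10.10.0.5 and all object names are assumptions chosen for the illustration. The idea is that each permitted flow (TCP/1433 web-to-SQL, TCP/3389 to the SQL hosts) gets its own forwarding virtual server restricted to the web-side ingress VLAN, and the RDP listener additionally carries an iRule that drops any client not in an address data group. Anything with no matching listener is not forwarded, which is the default-deny Hamish points out.

```tmsh
# Added example, not from the original thread. Assumed objects:
#   web_vlan        ingress VLAN of the web tier
#   10.10.0.0/24    web tier, 10.20.0.0/24 SQL tier, 10.10.0.5 admin jump host

# 1. Permit TCP/1433 from the web VLAN to the whole SQL subnet.
#    "ip-forward" makes this a forwarding (no SNAT, no pool) listener; "mask"
#    turns the destination into a network, so one VS covers every SQL host.
#    "vlans-enabled" + "vlans add" means only traffic arriving on web_vlan can
#    match; a host on the SQL side initiating to port 1433 hits no listener.
create ltm virtual fwd_web_to_sql_1433 {
    destination 10.20.0.0:1433
    mask 255.255.255.0
    ip-protocol tcp
    ip-forward
    profiles add { fastL4 { } }
    vlans add { web_vlan }
    vlans-enabled
    translate-address disabled
    translate-port disabled
}

# 2. Source ACL for RDP: an address data group listing the only hosts allowed
#    to open 3389 sessions toward the SQL tier (assumed jump host).
create ltm data-group internal rdp_admin_sources type ip records add { 10.10.0.5/32 { } }

# 3. iRule that enforces the data group. "drop" discards the flow silently;
#    use "reject" instead if you prefer an immediate RST to the client.
create ltm rule rdp_src_acl {
when CLIENT_ACCEPTED {
    if { not [class match [IP::client_addr] equals rdp_admin_sources] } {
        drop
    }
}
}

# 4. Forwarding VS for RDP into the SQL subnet, web VLAN only, with the ACL.
create ltm virtual fwd_web_to_sql_rdp {
    destination 10.20.0.0:3389
    mask 255.255.255.0
    ip-protocol tcp
    ip-forward
    profiles add { fastL4 { } }
    vlans add { web_vlan }
    vlans-enabled
    rules { rdp_src_acl }
    translate-address disabled
    translate-port disabled
}

# 5. Persist and review what is now forwarded.
save sys config
list ltm virtual fwd_web_to_sql_1433 fwd_web_to_sql_rdp
```

Two practical checks before relying on this: confirm there is no catch-all forwarding virtual server (destination 0.0.0.0:0, all VLANs) already present, since that would reopen every port the specific listeners were meant to exclude; and test from a host on the SQL VLAN that a new connection toward the web tier on 1433 or 3389 is dropped, because the VLAN restriction only governs which side may open a flow, while replies for established connections are handled by the connection table as usual.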