Forum Discussion
player_72606
Nimbostratus
Nimbostratusbigip as FW
Hi all,
i would like to use the bigip as FW between the networks it is the L3 for them
for example one network is web server and the other is sql servers, i would like to permit
1433 from the web to the sql and also remote desktop session
any ideas?
HamishCirrocumulus
Yep.
There's several ways. v11 is targeted to provide firewalling as well as ADC. There's several features that will provide the drop anything (e.g. Packet filters). However by default packets won't be forwarded across the LTM anyway. If the list of traffic you want is small, you could just create forwarding VS's for that traffic and nothing else.
The management may be a bit more unwieldy than a dedicated firewall though..
H
player_72606can you please explain, how using packet filters differs from using VS from the aspect of packet filtering?
hooleylistCirrostratus
As Hamish said, LTM is an ICSA certified firewall in 11.x:
http://www.f5.com/pdf/solution-profiles/big-ip-ltm-firewall-security-sp.pdf
I'd actually suggest using virtual servers to limit access through LTM. With a virtual server, you can enable it on specific ingress VLAN(s). If you need to do more specific source based ACLs, you can use iRules on the virtual servers. Virtual servers and optionally iRules should perform much more efficiently than using packet filters as the latter are applied to all connections whereas a VS is by definition just one listener (IP:port combination). The packaging for this is going to get more refined as the ADC firewall matures.
Aaron