Forum Discussion
F5 communication with pool members
Lots of answers, I'll add mine to the mix as well.
When implementing the F5, I made sure the F5 had an interface in all the destination pools' VLANs. But I wasn't ready to make it the DGW for everything, so I have SNAT and implemented the XFF header.
My thoughts were:
I have a PA out the front that routes to the F5 (yes, I know I could place it out front, but). If I want, I can decrypt and inspect traffic on the inbound by the PA, but the F5 has ASM and WAF as needed.
I could, if I wanted to, push F5 -> pool server via the PA - and have designed to allow that for some occasions - for the front end servers; that way I can get F5 ASM and Palo Alto security looking at the traffic. Not in place by default because of the latency vs the threat. But it's there if needed.
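With SNAT in place, the pool member sees the F5's address as the TCP source, so the real client address has to come from X-Forwarded-For, and that header is only trustworthy when the connection actually arrived from the F5. The following is an added example, not part of the original posts; the SNAT range, the sample addresses and the function names are constructed assumptions, and the header value is assumed to be the comma-joined XFF list as the server framework presents it.

```python
import ipaddress

# Assumed (constructed) range holding the F5 self-IPs / SNAT addresses
# on the pool VLAN. Replace with the addresses the F5 really sources from.
TRUSTED_PROXIES = [ipaddress.ip_network("10.20.30.0/29")]


def _is_trusted(ip):
    """True when ip belongs to one of the trusted proxy networks."""
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr, xff_header):
    """Return the address to log or apply access rules to for one request.

    peer_addr  -- TCP source seen by the pool member (the SNAT address
                  when the request came through the F5)
    xff_header -- raw X-Forwarded-For value, or None if absent
    """
    peer = ipaddress.ip_address(peer_addr)

    # The connection did not come from the F5: any XFF value was set by
    # the sender itself, so ignore it and use the TCP source.
    if not _is_trusted(peer) or not xff_header:
        return str(peer)

    # Walk right to left. The rightmost entry was written by the proxy
    # closest to this server; entries further left may be client-supplied.
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            # Malformed entry: stop trusting the chain, fall back to peer.
            return str(peer)
        if not _is_trusted(ip):
            return str(ip)

    # Every entry was a trusted proxy; nothing better than the peer.
    return str(peer)
```

The same rule applies to web-server or WAF log configuration on the pool members: restrict XFF trust to the F5 source addresses, otherwise a host that can reach the server directly can forge its logged client IP.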
- buulam, Sep 06, 2022, Admin
Common design as well! Good to keep in mind for Virtual Edition deployments where the licensing is by throughput, also.