Forum Discussion
F5 communication with pool members
Lots of answers, I'll add mine to the mix as well.
When implementing the F5, I made sure the F5 had an interface in all the destination pools' VLANs. But I wasn't ready to make it the DGW for everything, so I have SNAT and implemented the XFF header.
My thoughts were:
I have a PA out the front that routes to the F5 (yes I know I could place it out front but). If I want, I decrypt and inspect traffic on the inbound by the PA, but the F5 has ASM and WAF as needed.
I could if I wanted to push F5 -> pool server via the PA - and have designed to allow that for some occasions - for the front end servers, that way I can get F5 ASM and PaloAlto Security looking at the traffic. Not in place by default because of the latency vs the threat. But it's there if needed.
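Added example, not part of the thread and not F5 or poster code: with SNAT in place a pool member sees the F5's address as the connection source, so the application recovers the client address from X-Forwarded-For, and should honour that header only when the peer really is the F5. The SNAT range, the name `client_ip`, and the assumption that the F5 writes the rightmost XFF entry are illustrative.

```python
import ipaddress

# Constructed sample: SNAT/self-IP range the F5 uses toward the pool VLAN (assumption).
TRUSTED_PROXIES = [ipaddress.ip_network("10.10.20.0/28")]


def _is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(peer, xff_values):
    """Return the address to log or rate-limit on for one request.

    peer       -- source address of the TCP connection as seen by the pool member
    xff_values -- list of raw X-Forwarded-For header values, in received order
    """
    peer_addr = ipaddress.ip_address(peer)
    # Connection that did not come from the F5: any XFF is client-controlled.
    if not _is_trusted(peer_addr):
        return str(peer_addr)
    # Flatten repeated headers and comma lists into one hop chain.
    hops = [h.strip() for v in xff_values for h in v.split(",") if h.strip()]
    # Walk from the hop nearest to us; entries further left were supplied
    # by whoever sent the request to the F5 and can be forged.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: stop trusting the chain
        if not _is_trusted(addr):
            return str(addr)
    # No usable entry: fall back to the SNAT address itself.
    return str(peer_addr)
```
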
Common design as well! Good to keep in mind for Virtual Edition deployments where the licensing is by throughput, also.