Forum Discussion
F5 HA Pair in front of DMZ IDS/IPS/Firewall Appliance
I have seen a few topics on this, but I may have missed the solution. We are trying to deploy a Best Bundle VE HA pair in front of our core IPS/firewall appliance, which is also clustered within Azure. I have only worked with the F5 in the capacity of it acting as a reverse proxy. It is being deployed in this fashion to view decrypted traffic between Web/DMZ and the other internal enclaves, and also to limit the number of public IP connections in the cloud.
We would want the F5 pair to route directly to the web/DMZ, but for traffic coming back up (initiated from the LAN) from the firewall appliance, to route outbound directly to the internet, while also utilizing the AFM. What key pieces are required to make outbound traffic work with respect to LAN-initiated traffic destined for the internet? We know the firewall will have a default route to the LTM, but are unsure whether that should point at a virtual server, or the self IPs, etc. Any help would be appreciated.
- Tikka_Nagi_1315 (Historic F5 Account)
Please take a look at this. You'd need the basic required configuration plus any ACL rules if you plan to use AFM:
- Romani_2788 (Historic F5 Account)
In addition to that, this setup is pretty much how the Link Controller would work, or how links are set up in GTM/DNS, where the traffic is initiated outbound from the internal network.
You need to make sure that the listeners (virtual servers) you use are listening on the internal VLAN and that their pool members are the gateways leading to the internet; that way the connections are load balanced across the outbound links.
So it is pretty much just the reverse of your setup that accepts inbound traffic. This is how it should work.
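Putting the above into concrete tmsh commands, as an added example that is not from the original thread or from an F5 document. Every name and address is assumed: the VLAN facing the firewall is called "inside", the internet-facing VLAN "outside", the firewall's inside interface is 10.10.20.1, the internal enclaves sit in 10.0.0.0/8 behind it, and the two upstream next hops are 203.0.113.1 and 203.0.113.2 (RFC 5737 documentation addresses). Run these from the tmsh shell on the active unit, or prefix each with `tmsh` from bash, and sync the device group afterwards.

```tmsh
# Added example, not the poster's configuration. All names and addresses are hypothetical.

# 1. Floating self IPs. The inside one is what the firewall uses as its default gateway;
#    the outside one is what SNAT automap will pick as the egress source address.
#    Both float with the traffic group so they follow the active unit of the HA pair.
create net self inside_float  address 10.10.20.5/24   vlan inside  traffic-group traffic-group-1 allow-service none
create net self outside_float address 203.0.113.10/24 vlan outside traffic-group traffic-group-1 allow-service none

# 2. Route back to the LAN via the firewall. Established flows return by auto-lasthop
#    (to the MAC the packet came from), but anything outside the connection table
#    (monitors, management traffic) needs this route.
create net route lan_via_fw network 10.0.0.0/8 gw 10.10.20.1

# 3. Gateway pool. The members are the upstream next hops, not web servers.
#    Port "any" lets one pool carry every port; gateway_icmp checks the hop is reachable.
create ltm pool outbound_gw_pool members add { 203.0.113.1:any 203.0.113.2:any } monitor gateway_icmp load-balancing-mode round-robin

# 4. Wildcard virtual server on the inside VLAN only: any destination, any port, any
#    protocol. Address and port translation are disabled so the packet keeps its real
#    destination; the pool only decides which next hop each new connection uses.
#    SNAT automap makes replies come back to the outside floating self IP (and so to the
#    active unit) instead of to a private LAN address the internet cannot route.
create ltm virtual outbound_fwd_vs destination 0.0.0.0:any mask any ip-protocol any profiles add { fastL4 } pool outbound_gw_pool translate-address disabled translate-port disabled vlans-enabled vlans add { inside } source-address-translation { type automap }

# 5. AFM policy enforced on that virtual server. Allow what the enclaves legitimately
#    reach and finish with an explicit logged drop, so the outcome does not depend on the
#    global default action for the virtual-server context.
create security firewall policy outbound_policy rules add { allow_lan_web { action accept ip-protocol tcp source { addresses add { 10.0.0.0/8 } } destination { ports add { 80 443 } } } allow_lan_dns { action accept ip-protocol udp source { addresses add { 10.0.0.0/8 } } destination { ports add { 53 } } } default_drop { action drop log yes } }
modify ltm virtual outbound_fwd_vs fw-enforced-policy outbound_policy

# 6. Checks: pool members should be available, and a LAN host (10.0.5.7 here, hypothetical)
#    browsing out should appear as a connection on the virtual server after the change.
show ltm pool outbound_gw_pool members
show sys connection cs-client-addr 10.0.5.7
```

Two Azure-specific caveats on top of this. Azure does not deliver gratuitous ARP, so the floating addresses in step 1 only move on failover if the pair runs the F5 Cloud Failover Extension (or an equivalent mechanism that rewrites Azure route tables and IP configurations); without it the firewall's default route keeps pointing at the unit that just went down. And the "two links" in step 3 will usually collapse to the single Azure subnet gateway on the outside VLAN, with the public source address provided by the NAT gateway or public IP attached to that NIC rather than by the BIG-IP itself, which is what actually limits the number of public IPs the way the original question asks for.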