Forwarding VIP

Question

Hi,
I need a solution for a VIP, which will securely proxy traffic from my DMZ to LAN (via middle network where F5 lives), as direct communication is prohibited. &nbsp;
The goal ultimately is to have one server in DMZ talking to a range of different addresses on LAN (dest addresses cannot be tied down, and will change frequently), on a single port, and likely be encrypted. Also here will be no load balancing or NAT required, so im thinking a forwarding VIP will suit best for my requirements, with maybe a message filter to tie down to the DMZ source IP. &nbsp;
My concern is how secure is a forwarding VIP, as i really need a full proxy type VIP, so maybe im barking up the wrong three with forwarding VIP, or on the other hand is it possible to achieve my goal using standard/secure VIP? I already have a firewall in place, so if a forwarding rule is the same as a firewall rule, its pretty pointless.
Thanks in advance!&nbsp;

jrahm · Answer

would need more details to be helpful. what protocol? you can have a standard 0.0.0.0: vip and could apply an iRule w/ a datagroup or a sideband service that has the list of internal IPs allowed and use a simply forward statement.

WRT to security of a forwarding vip or a standard vip-there's no difference in security posture. Standard vip just needs a destination, whereas a forwarding vip will consult the routing table. You can do more with a standard vip wrt to security because you can apply profiles to get at the higher layers, but "just as" is no more secure than a forwarding vip.

superd_88943 · Answer

sorry for slow reply here jason.. thanks a lot for response, very helpful :)

jrahm · Answer

Moving comment to answer:&nbsp;
would need more details to be helpful. what protocol? you can have a standard 0.0.0.0: vip and could apply an iRule w/ a datagroup or a sideband service that has the list of internal IPs allowed and use a simply forward statement. &nbsp;
WRT to security of a forwarding vip or a standard vip-there's no difference in security posture. Standard vip just needs a destination, whereas a forwarding vip will consult the routing table. You can do more with a standard vip wrt to security because you can apply profiles to get at the higher layers, but "just as" is no more secure than a forwarding vip.&nbsp;

Forum Discussion

Forwarding VIP

3 Replies

Bram - January 2026 Featured Member

F5 Container Ingress Services (CIS) and using k8s traffic policies to send traffic directly to pods

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

Single LTM with multiple GTM domains

Question about adding VEs to existing physical appliance device group without ASM licenses

2026 301a exam

How can I measure Advanced WAF (ASM) throughput on a running BIG-IP VE (per VIP / per policy)?

What is the best practice for migrating from iseries to rseries?

Related Content

VIP in https that redirect to another vip in https

Lightboard Lessons: Vip Targeting Vip

Bidirectional Forwarding Detection (BFD) Protocol Cheat Sheet

SSH forward proxy

Forwarding Logs to SIEM Tools via HTTP Proxy for F5 Distributed Cloud Global Log Receiver

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS