Forum Discussion
GTM & LTM Firewall rules setup question
Hello All, I have a question regarding GTM and LTM firewall rules setup. Here is the deal. Let's say there are 3 data centers with 3 GTMs and 3 pairs of LTMs, one pair in each data center.
DC1 - GTMDC1, LTMDC1a(Active)+LTMDC1b(Stby)
DC2 - GTMDC2, LTMDC2a(Active)+LTMDC2b(Stby)
DC3 - GTMDC3, LTMDC3a(Active)+LTMDC3b(Stby)
All 3 GTMs will be in the same sync group, and the fw rules between the GTMs and LTMs in each DC will have ports 22, 443 and 4353 open to allow bigip_add and iQuery. The fw rule between all 3 GTMs in the different data centers, i.e.
GTMDC1 <==> GTMDC2 <==> GTMDC3 22, 443, 4353
My question is: should I also be opening up fw rules from the GTMs in one data center to the LTMs in the other data centers?
==========================================
GTMDC1 <=fwrule 4353,22=> LTMDC2a(Active)+LTMDC2b(Stby)
GTMDC1 <=fwrule 4353,22=> LTMDC3a(Active)+LTMDC3b(Stby)
==========================================
GTMDC2 <=fwrule 4353,22=> LTMDC1a(Active)+LTMDC1b(Stby)
GTMDC2 <=fwrule 4353,22=> LTMDC3a(Active)+LTMDC3b(Stby)
==========================================
GTMDC3 <=fwrule 4353,22=> LTMDC1a(Active)+LTMDC1b(Stby)
GTMDC3 <=fwrule 4353,22=> LTMDC2a(Active)+LTMDC2b(Stby)
==========================================
I am not delegating to the LTMs on the GTM within the data center to monitor the VIPs, i.e. I will be disabling
iq-allow-path no, iq-allow-service-check no, iq-allow-snmp no
and letting the GTMs handle the LTM VIP availability.
Thank you.
1 Reply
- Stanislas_Piro2
Cumulonimbus
Hi,
Only SSH and 4353 must be opened between GTM and GTM.
If the LTMs and GTMs are defined in 3 different Datacenter objects, the GTM and LTMs will communicate with each other inside each datacenter. A GTM will get the status and VS changes of another datacenter's LTMs through the GTM on that site.
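As an added illustration of the reply (not code from the thread or from F5), the snippet below derives the minimal allow-list for the topology in the question: GTM to GTM across data centers gets only SSH (22) and iQuery (4353), each GTM talks only to the LTM pair in its own Datacenter object, and an audit helper flags any stray cross-DC GTM-to-LTM entry. Host names are the ones from the question; the port sets are those stated in the thread.

```python
from itertools import combinations

# Constructed topology mirroring the question: DC -> (GTM, [LTM pair])
TOPOLOGY = {
    "DC1": ("GTMDC1", ["LTMDC1a", "LTMDC1b"]),
    "DC2": ("GTMDC2", ["LTMDC2a", "LTMDC2b"]),
    "DC3": ("GTMDC3", ["LTMDC3a", "LTMDC3b"]),
}
GTM_TO_GTM_PORTS = (22, 4353)              # per the reply: SSH + iQuery only
GTM_TO_LOCAL_LTM_PORTS = (22, 443, 4353)   # per the question: bigip_add + iQuery


def required_rules(topology):
    """Return a sorted list of (peer_a, peer_b, port) allow entries.

    Entries are unordered peer pairs, like the '<==>' notation in the
    question; translate each into the directional form your firewall needs.
    """
    rules = set()
    gtms = sorted(gtm for gtm, _ in topology.values())
    # GTM <==> GTM between data centers (sync group + iQuery status exchange)
    for a, b in combinations(gtms, 2):
        for port in GTM_TO_GTM_PORTS:
            rules.add((a, b, port))
    # GTM <==> LTM only inside the same data center; no cross-DC entries
    for gtm, ltms in topology.values():
        for ltm in ltms:
            for port in GTM_TO_LOCAL_LTM_PORTS:
                rules.add(tuple(sorted((gtm, ltm))) + (port,))
    return sorted(rules)


def cross_dc_gtm_ltm_rules(rules, topology):
    """Audit helper: return any entry letting a GTM reach an LTM of another DC."""
    dc_of = {}
    for dc, (gtm, ltms) in topology.items():
        dc_of[gtm] = dc
        for ltm in ltms:
            dc_of[ltm] = dc
    gtms = {gtm for gtm, _ in topology.values()}
    return [r for r in rules
            if (r[0] in gtms) != (r[1] in gtms) and dc_of[r[0]] != dc_of[r[1]]]


if __name__ == "__main__":
    for a, b, port in required_rules(TOPOLOGY):
        print(f"{a} <==> {b} tcp/{port}")
```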