GTM behind firewall

Question

Hi,
Trying to understand how wide ip pool/pool member health monitor works, when GTM is behind firewall. 
we dont have LTM, GTM is directly checking the application server(generic host).
We have created generic server object and under that we have created virtual server with public and private ip. 
In this scenario health check is done on private or public ip?
Thanks,
Sachin&nbsp;

sachin_80710 · Answer

To add more details, on firewall we have not allowed any outbound communication to application public ip. But still we see wide ip up.

sachin_80710 · Answer

Also i checked status of wide ip pool member, it show message 'offline Monitor /Common/tcp from public-IP-address state:timeout
Public-IP-address mentioned in message is public ip of link configured in firewall. This public ip is natted to private ip of GTM listener &nbsp;

ots02 · Answer

Hi sachin,&nbsp;
How many servers do you have total, that are serving identical content. If you only have one server, you would probably be better served by an old-fashioned A record in Zonerunner.
When you say "This public ip is natted to private ip of GTM listener", are you referring to the GTM's UDP listener on a GTM self IP?&nbsp;

ots02 · Answer

Is it something like this:&nbsp;
server_A 10.10.10.10 NAT ISP 1 &gt; 111.111.111.111 &nbsp;
server_A 10.10.10.10 NAT ISP 2 &gt; 222.222.222.222&nbsp;
WIP myserver@mycorp.com&nbsp;
pool members = 111.111.111.111, 222.222.222.222&nbsp;
GTM self-IP (UDP listener) 10.10.10.20 NAT &gt; 111.111.111.123 dns@mycorp.com&nbsp;

stephanmanthey · Answer

Hi Sachin,&nbsp;
when specifying a server object in GTM (as you did for your generic host type servers) you have the option to define a NAT address. This will be the external address and GTM will respond with the external and routable IP address upon incoming DNS requests matching a Wide IP definition.&nbsp;
Same definition has to be done for GTM as a server, especially if you plan to build a sync group with multiple GTM controllers in different datacenters.&nbsp;
Based on the data center assignments GTM and other server objects may belong to the same data center and in this case GTM can check the virtual services on the "local" servers directly.&nbsp;
Thanks, Stephan &nbsp;

F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

GTM behind firewall

5 Replies

F5 Container Ingress Services (CIS) and using k8s traffic policies to send traffic directly to pods

F5 Architecture Track Sessions - AppWorld 2026

Recent Discussions

Deleting an AS3 Tenant

Request for Bug Tracker/Known Issues – BIG-IP Version 17.5.1.2

AST Configuration Assistance

Adding logging to APM per-request policy without SWG license

Single LTM with multiple GTM domains

Related Content

F5 AFM/Edge Firewall and the difference between Edge Firewalls and Next-generation Firewalls (NGFW)

Introduction to F5 BIG-IP Advanced Firewall Manager (AFM)

BIG-IP Next Edge Firewall CNF for Edge workloads

Securing the LLM User Experience with an AI Firewall

Mitigate AI Scraping bots using F5 Distributed Cloud Web Application Firewall

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS