Forum Discussion
LTM External VLAN Design
How many people here have put the external VLAN for the F5 outside their Firewall?
Currently we have deployed an LTM behind the FW and we are handling external NAT'ing on the Firewall. I wanted to know what the general consensus of this is? Good results? Bad?
For the most part, we have been fine, but now with the implementation of the GTM it becomes more relevant as now I can only pull internal IPs from the GTM and I want to use the GTM for external IPs.
2 Replies
- The_Bhattman
Nimbostratus
I have had many customers ask me the same thing. They heard stories from people that they have placed the F5 LTM in front of a firewall and it's saved them from countless attacks. I have personally seen a benefit from doing this - but in my mind I wouldn't want the F5 ADC to pull double duty of being a firewall's firewall and load balancer. I prefer keeping the functionality separate.
-=Bhattman=-
- Kevin_Stewart
Employee
It's definitely done this way by many F5 customers. It's a default deny appliance - that should make the network guy happy, and it's ICSA-certified - which should make the IA guy happy. You've got packet filtering built into LTM (which is a large part of the certification), and then you have the new Advanced Firewall Manager (AFM) which is a full proxy, extremely high throughput, stateful firewall that runs on top of the ADC. I would probably agree with Bhattman in that there are absolutely situations where you'd want to separate firewall and load balancer, but then in many cases that's not true anymore.