Forum Discussion

BRoan1
Mar 21, 2023

LTM VE behind Sophos Firewall deployment - configuration/setup question

Apologies both for the long post and my ignorance. This is a different setup than what I'm used to dealing with and I'm trying to get some clarity.

I am standing up a new rack in a co-location facility. My ISP is providing blended IP space and has provided two different public IP address blocks: one for their frontside network (/29) and one for the backside network (/28). 

The LTM will be used exclusively for load-balancing IIS web servers and SSL offloading.

*the addresses I'm using in my example aren't "real" addresses, but they are within the same range

My firewall is configured with 172.16.255.180 as the WAN IP, using 172.16.255.177 as the gateway; 172.16.255.160/28 is the backside network for the DMZ, and 172.16.255.161 is the DMZ interface assignment; 10.1.0.0/16 is my LAN, and 10.1.200.1 is the LAN interface assignment.

I do not have any firewall rules for incoming traffic yet; but I do have a DMZ to WAN rule to allow outbound traffic.

My LTM VE is running 13.1.5 and I have not yet started setup, but I will likely only have two interfaces/VLANs: internal and external. The internal interface/VLAN will be on the 10.1.0.0 network. All my web servers will be on that network.

At long last, the question: When configuring the EXTERNAL interface, should I use an address from the DMZ's public IPs (which means all my virtual servers hosting externally-accessible sites would have public IPs in that range) or use the firewall to NAT that traffic to a different network? Is there a better approach? What are the pros and cons?

  • When you use one-arm configurations you need to use SNAT on the BigIP; you can use automap or a SNAT pool.

    Without this, the requests coming from the Internet to the Virtual server and the servers will not go back through the BigIP.

    If your servers in this case need to have the firewall as the default gateway, traffic they initiate will not go through the BigIP. Use a SNAT to make any reply from the server go back through the BigIP. But you probably already have this if you say you can browse a web server.

    You use BigIP as the default gateway when you have dual-arm (routed mode).

  • In my opinion, it would be best if you always had a firewall in front of a virtual server.

    A firewall would be a layer of security in front of your F5 device. You would NAT and allow IN only the ports the Virtual server is using. Your virtual server will only get traffic on the port it is listening on.

    But no matter what you choose do not forget about hardening your F5 device:
    https://my.f5.com/manage/s/article/K53108777

    • BRoan1

      Thanks, that's precisely what I was intending to do. The greater question is whether it would be better to use public IPs on the external interface and virtual servers, or NAT those through the firewall using a different private network (192.168.254.0/28 for instance)?

  • I would choose to use NAT. But as long as you have a firewall in front of your virtual servers and allow only the ports they use, the other option should be ok too.

  • BRoan1

    Ok. Rather than the configuration I supplied above, I opted for a one-arm configuration behind my firewall. The firewall performs NAT from the public IP to the private IP of the virtual server, which is on the same network subnet as my hosts. I can successfully browse a web server from the Internet, huzzah!

    Unfortunately, hosts that have the BigIP LTM VE as their gateway cannot browse out to the Internet. I added a default gateway to the VE using the firewall's LAN interface IP and I can see NTP traffic getting passed. I was also able to successfully upload a QKVIEW to iHealth from the admin web console. What am I missing?

  • BRoan1

    Yup. Switched the gateway to the firewall and everything is working like it should. Thanks for the insight and help!
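The one-arm layout that the first answer describes (SNAT automap so server replies return through the BIG-IP) and that BRoan1 ended up with (private VIP behind a firewall NAT, firewall as the servers' default gateway, BIG-IP's own default route pointing at the firewall) can be expressed as a short tmsh configuration. The following is an added illustration, not configuration posted in this thread or supplied by F5. The firewall LAN address 10.1.200.1 and the 10.1.0.0/16 LAN come from the thread; the self IP 10.1.200.10, the VIP 10.1.200.50, the web servers 10.1.200.21 and 10.1.200.22, the interface 1.1 and the use of the default clientssl profile are assumptions made for the example.

```tmsh
# Added example, not from the thread. Constructed values: self IP 10.1.200.10,
# VIP 10.1.200.50, IIS servers 10.1.200.21-22, interface 1.1, default clientssl
# profile. 10.1.200.1 (firewall LAN IP) and 10.1.0.0/16 are from the poster.

# One-arm: a single VLAN and self IP on the same subnet as the web servers.
create net vlan internal interfaces add { 1.1 { untagged } }
create net self self_internal address 10.1.200.10/16 vlan internal allow-service default

# The BIG-IP's own default route goes to the firewall, so traffic the BIG-IP
# originates (NTP, iHealth uploads, health monitors to off-subnet hosts) can leave.
# The web servers keep the firewall, not the BIG-IP, as their default gateway.
create net route default gw 10.1.200.1

# Pool of IIS servers with an HTTP health monitor.
create ltm pool pool_iis monitor http members add { 10.1.200.21:80 { } 10.1.200.22:80 { } }

# SSL-offloading virtual server on a private VIP. The firewall DNATs the public
# address to 10.1.200.50:443 and should permit only that port inbound.
# source-address-translation automap is what makes one-arm work: each server sees
# the BIG-IP self IP as the client and sends its reply back to the BIG-IP even
# though its default gateway is the firewall.
create ltm virtual vs_iis_https destination 10.1.200.50:443 ip-protocol tcp pool pool_iis profiles add { tcp { } http { } clientssl { context clientside } } source-address-translation { type automap }

# Broken variant, shown commented out for comparison: with no SNAT the server
# sees the real Internet client address and routes the reply via the firewall,
# which never saw the BIG-IP's side of the handshake, so the connection stalls.
# create ltm virtual vs_iis_broken destination 10.1.200.51:443 ip-protocol tcp pool pool_iis profiles add { tcp { } http { } clientssl { context clientside } } source-address-translation { type none }

save sys config
```

Enter these at the tmsh prompt on the LTM VE. The same split of roles resolves BRoan1's last problem: the BIG-IP's default route only has to carry traffic the BIG-IP itself generates, while hosts that need to reach the Internet point at the firewall, and the firewall rule set should allow inbound only the ports the virtual servers listen on, as the second answer recommends.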