Forum Discussion
LTM VE behind Sophos Firewall deployment - configuration/setup question
- Mar 24, 2023
when you use one-arm configurations you need to use SNAT on the BIgIP, you can use automap or a SNAT pool.
Without this, the requests coming from the Internet to the Virtual server and the servers will not go back through the BigIP.
If your servers in this case need to have the firewall as the default gateway, so traffic they initiate will not go through the BigIP. And use a SNAT to make any reply from the server go back through the BigIP. But you probably already have this if you say you can browse a web server.
You use BigIP as the default gateway when you have dual-arm (routed mode)
In my opinion, It would be best if you always had a firewall in front of a virtual server.
A firewall would be a layer of security in front of your F5 device. You would NAT and allow IN only the ports the Virtual server is using. Your virtual server will only get traffic on the port it is listening on.
But no matter what you choose do not forget about hardening your F5 device:
https://my.f5.com/manage/s/article/K53108777
- BRoan1Mar 22, 2023Nimbostratus
Thanks, that's precisely what I was intending to do. The greater question is would it be better to use public IP's on the external interface and virtual servers, or NAT those through the firewall using a different private network (192.168.254.0/28 for instance)?
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com