Forum Discussion
LTM VE behind Sophos Firewall deployment - configuration/setup question
- Mar 24, 2023
When you use one-arm configurations you need to use SNAT on the BigIP; you can use automap or a SNAT pool.
Without this, the requests coming from the Internet to the Virtual server and the servers will not go back through the BigIP.
If your servers in this case need to have the firewall as the default gateway, traffic they initiate will not go through the BigIP. And use a SNAT to make any reply from the server go back through the BigIP. But you probably already have this if you say you can browse a web server.
You use BigIP as the default gateway when you have dual-arm (routed mode).
In my opinion, it would be best if you always had a firewall in front of a virtual server.
A firewall would be a layer of security in front of your F5 device. You would NAT and allow IN only the ports the Virtual server is using. Your virtual server will only get traffic on the port it is listening on.
But no matter what you choose do not forget about hardening your F5 device:
https://my.f5.com/manage/s/article/K53108777
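The return-path problem the answer above describes (pool members whose default gateway is the firewall, so replies to the original client IP bypass a one-arm BigIP unless SNAT rewrites the source) is easy to see in a small routing model. The following Python is an added illustration, not code from the poster or from F5; the topology (VLAN 10.0.1.0/24, firewall at 10.0.1.1, BigIP self IP 10.0.1.10, SNAT pool 10.0.1.11-12, client 203.0.113.5) is constructed, and it assumes the firewall already NATs the public IP to the virtual server on the inside.

```python
"""One-arm BigIP return-path model (constructed example, not F5 code).

Shows why a one-arm LTM needs SNAT: the pool member's default gateway is the
firewall, so a reply addressed to the original client IP leaves via the
firewall and never passes back through the BigIP. With SNAT (automap or a
SNAT pool) the reply is addressed to an IP the BigIP owns on the shared VLAN,
so the server sends it straight back to the BigIP.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed topology: a single internal VLAN shared by the BigIP self IP,
# the servers and the firewall's inside interface (the default gateway).
VLAN = ipaddress.ip_network("10.0.1.0/24")
FIREWALL_INSIDE = "10.0.1.1"
BIGIP_SELF_IP = "10.0.1.10"
SNAT_POOL = ["10.0.1.11", "10.0.1.12"]   # extra addresses the BigIP answers ARP for
CLIENT_IP = "203.0.113.5"                 # Internet client (documentation range)


@dataclass
class Server:
    """A pool member with ordinary host routing: on-link direct, else default gateway."""
    name: str
    ip: str
    default_gw: str = FIREWALL_INSIDE

    def next_hop(self, dst_ip: str) -> str:
        if ipaddress.ip_address(dst_ip) in VLAN:
            return dst_ip            # same subnet: ARP for it and deliver directly
        return self.default_gw       # anything else goes to the firewall


def bigip_owned() -> set:
    """Addresses the BigIP will claim on the VLAN: self IP plus SNAT pool members."""
    return {BIGIP_SELF_IP, *SNAT_POOL}


def translate_source(client_ip: str, snat_mode: str) -> str:
    """Source IP the pool member sees on a connection proxied by the virtual server."""
    if snat_mode == "none":
        return client_ip                      # client IP preserved (no SNAT)
    if snat_mode == "automap":
        return BIGIP_SELF_IP                  # automap uses the egress self IP
    if snat_mode == "pool":
        # A real BigIP selects a pool member itself; a deterministic pick keeps the model simple.
        idx = int(ipaddress.ip_address(client_ip)) % len(SNAT_POOL)
        return SNAT_POOL[idx]
    raise ValueError(f"unknown snat_mode {snat_mode!r}")


def simulate(snat_mode: str, server: Optional[Server] = None) -> dict:
    """Trace where the server's reply goes and whether it returns through the BigIP."""
    server = server or Server("web1", "10.0.1.20")
    src_seen = translate_source(CLIENT_IP, snat_mode)
    hop = server.next_hop(src_seen)
    symmetric = hop in bigip_owned()
    return {
        "snat_mode": snat_mode,
        "server_sees_source": src_seen,
        "reply_next_hop": hop,
        "reply_returns_via_bigip": symmetric,
        "outcome": ("connection completes" if symmetric
                    else "reply bypasses the BigIP via the firewall; the client never gets a SYN-ACK"),
    }


if __name__ == "__main__":
    for mode in ("none", "automap", "pool"):
        r = simulate(mode)
        print(f"{mode:8s} server sees {r['server_sees_source']:15s} "
              f"reply -> {r['reply_next_hop']:12s} via BigIP: {r['reply_returns_via_bigip']}  "
              f"({r['outcome']})")
```

Running it shows the "none" case handing the reply to 10.0.1.1, the firewall, which has no matching session for a packet from the real server rather than from the virtual server address, while both SNAT modes return the reply to an address the BigIP owns. The same model also explains the answer's dual-arm note: if the servers' default gateway were the BigIP instead of the firewall, `next_hop` would return the BigIP even for the untranslated client IP and SNAT would not be required for symmetry.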
Thanks, that's precisely what I was intending to do. The greater question is whether it would be better to use public IPs on the external interface and virtual servers, or NAT those through the firewall using a different private network (192.168.254.0/28 for instance)?