Forum Discussion
Erich_Rockman_1
Cirrus
Jan 30, 2015
Network Topology Assistance
More and more I am coming across network topologies that don't fit the traditional 1-arm or 2-arm design. I am seeing more "nontraditional deployments" that make me think twice about the best practic...
StephanManthey
Nacreous
Feb 02, 2015
Hi Erich,
A diagram would be great.
Using routing domains to isolate the different security zones is a common and proven approach and has been available since TMOS v10.
By default the routing domains are "isolated" and there is no cross-traffic allowed. And I would leave it this way.
That's why traffic from one security zone to another will always have to pass the firewall. And from my perspective this is the only clean approach to track and control traffic.
Defining a virtual server in a different route domain as a resource (as pool member with "local" routing domain index) to be reached via firewall as next hop is absolutely fine from my perspective.
I recently deployed it this way for a client on TMOS v11.5.1.
Thanks, Stephan