Forum Discussion
Policy Based Routing to a Standard Virtual Server
I have a Cisco 6500 Router that I am configuring Policy Based Routing to a Standard Virtual server IP address that has a pool of web filtering devices behind it in transparent proxy mode. If I PBR directly to the web filters everything works fine. My device gets routed to the web filter and it is then filtered correctly. If I do a proxy from my web browser to the F5 virtual IP address everything works fine, I get directed to the web filter and filtering works as it should. The problem comes in when I do the policy route to the Virtual Server IP address: I don't get pushed to the web filters but go out directly to the internet, not filtered. Doing a packet capture I know traffic is reaching the F5's physical interface. It almost looks like it goes out directly from that interface to the internet. Any suggestions on how I need to configure this?
5 Replies
- What_Lies_Bene1
Cirrostratus
Can you post the VS configuration (suitably 'secured') at all? I assume it's a wildcard VS?
Just out of interest, why the PBR?
- Sandow_114889
Nimbostratus
Name: Web_Filter
Partition: Common
Destination: Host 10.x.x.x
Service Port: 0 *All Ports
State: Enabled
Configuration: Basic
Type: Standard
Protocol: TCP
OneConnect Profile: None
HTTP Profile: None
FTP Profile: None
SSL Profile (Client): None
SSL Profile (Server): None
SMTP Profile: None
SIP Profile: None
Vlan Traffic: Enabled On
Vlan List: Production_Vlan
Resources:
Default Pool: Web_Filter_Pool
Default Persistence Profile: Source_addr
Pool:
Configuration: Basic
Health Monitors: gateway_icmp
Members:
Load Balancing Method: Round Robin
Priority Group Activation: Disabled
Current members:
Just one member 10.x.x.x (Web filter test)
PBR is what the vendor requested to be used. Thanks
- What_Lies_Bene1
Cirrostratus
OK, so the destination is a specific IP address, however, the traffic you are sending to the VS is for any number of public IPs I assume. That being the case I can only assume you also have a wildcard 0.0.0.0 VS configured too and it is that handling this traffic not your Web_Filter VS.
P.S. For performance reasons (as you are not using any advanced features) I'd suggest you change the VS type to Performance L4
- Sandow_114889
Nimbostratus
I do not have a wildcard configured. I just have the web filter one configured for a pool of web filters (Filter 1-6 for example). I have a VIP configured for that I am doing my route to. So do I need a wildcard configured for this to work, if so what would I route to then?
- What_Lies_Bene1
Cirrostratus
I'm rather confused then. If the traffic sent to the VS doesn't contain a destination IP matching the VS IP then LTM should drop it unless of course it's handled by some other VS (most likely a wildcard VS) which you are saying there is not. That traffic shouldn't be going anywhere.
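A simplified model of the destination matching described in the replies above, added here as an illustration and not posted by anyone in the thread or taken from BIG-IP itself. The addresses, the `Wildcard_Forward` listener and the longest-prefix selection rule are assumptions made for the example; it shows why a policy-routed packet, whose destination IP is still the public site, does not match a host virtual server that an explicitly proxied packet does match.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Listener:
    name: str
    destination: str  # CIDR; a host virtual server is a /32
    port: int         # 0 means all ports


@dataclass(frozen=True)
class Packet:
    dst_ip: str
    dst_port: int
    next_hop: str     # chosen by routing/PBR; never rewrites dst_ip


def match_listener(pkt, listeners):
    """Return the most specific listener name for pkt, or None (no match)."""
    dst = ipaddress.ip_address(pkt.dst_ip)
    candidates = [
        l for l in listeners
        if dst in ipaddress.ip_network(l.destination)
        and l.port in (0, pkt.dst_port)
    ]
    if not candidates:
        return None
    # Assumption of this model: the longest destination prefix wins.
    best = max(candidates,
               key=lambda l: ipaddress.ip_network(l.destination).prefixlen)
    return best.name


# Constructed values: 10.0.0.50 stands in for the thread's 10.x.x.x VS address,
# 203.0.113.10 is a documentation-range "public web site".
WEB_FILTER = Listener("Web_Filter", "10.0.0.50/32", 0)
WILDCARD = Listener("Wildcard_Forward", "0.0.0.0/0", 0)  # hypothetical

# Browser configured with the VS as its proxy: destination IP is the VS itself.
proxied = Packet(dst_ip="10.0.0.50", dst_port=8080, next_hop="10.0.0.50")
# Policy-routed packet: next hop is the VS, destination is still the web site.
pbr = Packet(dst_ip="203.0.113.10", dst_port=80, next_hop="10.0.0.50")

if __name__ == "__main__":
    print("proxied, host VS only :", match_listener(proxied, [WEB_FILTER]))
    print("PBR, host VS only     :", match_listener(pbr, [WEB_FILTER]))
    print("PBR, host + wildcard  :", match_listener(pbr, [WEB_FILTER, WILDCARD]))
```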