Forum Discussion
Route Traffic from all vlans to a proxy that is one of the vlans off of the BIG-IP appliance
Yes it is a proxy for http/https only. All other traffic will not be allowed to the Internet (North of the F5's) except for other servers in vlan 30. Servers in VLAN 30 are allowed out to more than just port 80 and 443.
The application servers (vlan 10) however still need to be able to talk to the database servers (vlan 20) on ports other than 80 and 443.
I think this should work if I create a virtual server with 0.0.0.0/0 destined to 0.0.0.0/0 port 80 and a duplicate virtual server with destination port 443. Then have the virtual servers listen on the vlan 10 and vlan 20 interfaces with a pool that is only the proxy server.
There would also be an ip fwd virtual server for allowing access to the database servers from vlan 10 subnets to the database server IPs. Since this would be more specific, it should, I believe, take precedence over the proxy rules I create.
Does this sound like a valid solution?
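
An added example, not part of the original post and not F5 code: a simplified Python model of how the three proposed listeners would be selected, for checking the intended policy before building it. It assumes the precedence order of most specific destination first, then most specific source, then a specific port over a wildcard port; the subnets (vlan 10 = 10.0.10.0/24, vlan 20 = 10.0.20.0/24), listener names and sample addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class VirtualServer:
    name: str
    source: str          # source CIDR the listener accepts
    destination: str     # destination CIDR the listener matches
    port: int            # 0 means any port
    vlans: frozenset     # VLANs the listener is enabled on

ANY = "0.0.0.0/0"
# Constructed listeners mirroring the proposal in the post.
LISTENERS = [
    VirtualServer("vs_proxy_http", ANY, ANY, 80, frozenset({"vlan10", "vlan20"})),
    VirtualServer("vs_proxy_https", ANY, ANY, 443, frozenset({"vlan10", "vlan20"})),
    # Forwarding listener: app subnet to database subnet, any port, vlan 10 only.
    VirtualServer("vs_fwd_db", "10.0.10.0/24", "10.0.20.0/24", 0, frozenset({"vlan10"})),
]

def select_listener(vlan, src, dst, port, listeners=LISTENERS):
    """Return the name of the winning listener, or 'drop' if none matches."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    best_key, best = None, None
    for vs in listeners:
        src_net = ipaddress.ip_network(vs.source)
        dst_net = ipaddress.ip_network(vs.destination)
        if vlan not in vs.vlans or vs.port not in (0, port):
            continue
        if src_ip not in src_net or dst_ip not in dst_net:
            continue
        # Assumed precedence: longest destination prefix, then longest
        # source prefix, then specific port over wildcard port.
        key = (dst_net.prefixlen, src_net.prefixlen, vs.port != 0)
        if best_key is None or key > best_key:
            best_key, best = key, vs
    # No matching listener means the new connection is not accepted.
    return best.name if best else "drop"

if __name__ == "__main__":
    flows = [  # constructed sample flows: (ingress vlan, src, dst, dst port)
        ("vlan10", "10.0.10.5", "10.0.20.7", 1433),
        ("vlan10", "10.0.10.5", "10.0.20.7", 443),
        ("vlan10", "10.0.10.5", "203.0.113.10", 443),
        ("vlan10", "10.0.10.5", "203.0.113.10", 22),
    ]
    for flow in flows:
        print(flow, "->", select_listener(*flow))
```

Under that assumption, app-to-database traffic on ports 80 and 443 also takes the forwarding listener rather than the proxy pool, because destination specificity is compared before port.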