Forum Discussion
Routing of DMZ F5 traffic to internal F5 traffic
- Oct 28, 2014
I wouldn't consider it best practice, but people have their own opinions. Ask yourself this, would you open a rule up from the Internet direct to an internal server? If not, what protection do you think the F5 is adding to this connection to make your scenario better? Assuming you are just talking about LTM, it is working as a proxy and terminating the connection, but for the most part it will pass all application traffic, including application attacks/exploits, right through to your internal server.
As far as routing and firewall rules, that is configuration dependent, but I don't think you can just create a rule allowing DMZ F5 to talk to internal F5. Your traffic will go through the external F5 and have some source IP(defined by if SNAT is enabled, what snat pool you use, or automap) to a destination of the internal virtual server. I imagine you will need a separate rule for each VS you want to work this way.
- mpete32_168869 (Cirrus) Dec 12, 2014
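To make the routing point above concrete, here is an added example (not from the thread or from F5) of a minimal DMZ-tier LTM configuration that produces the traffic pattern the answer describes; every address and object name is constructed, and the internal F5's virtual server at 10.0.0.50:443 is assumed to already exist.

```tmsh
# Source addresses the internal firewall will see from the DMZ F5 when the
# virtual server uses a SNAT pool. With "type automap" the source would instead
# be the egress floating self IP; with no SNAT the original client IP is kept.
create ltm snatpool dmz_snat_pool members add { 192.0.2.10 192.0.2.11 }

# The "server" behind the DMZ virtual is the internal F5's virtual server,
# not a real host. One pool per internal VS you want reachable this way.
create ltm pool internal_app_vs_pool members add { 10.0.0.50:443 } monitor https

# DMZ-facing virtual: terminates the client TCP session and opens a new one
# to the internal VS, sourced from dmz_snat_pool.
create ltm virtual ext_app_vs destination 203.0.113.20:443 ip-protocol tcp pool internal_app_vs_pool profiles add { tcp } source-address-translation { type snat pool dmz_snat_pool }

# Resulting rule the DMZ-to-internal firewall needs, one per internal VS:
#   permit tcp from 192.0.2.10, 192.0.2.11 to 10.0.0.50 port 443
# This narrows only source and destination; the HTTP payload, including any
# application-layer attack, is forwarded unchanged unless a WAF policy
# (F5 ASM) is attached to ext_app_vs.
```

Without SNAT the firewall rule would have to admit any Internet source to 10.0.0.50:443, which is the exposure the answer above is warning about.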
That's technically what we're attempting to do: use the DMZ F5 as a proxy, eliminating having to place any servers in the DMZ. - mimlo_61970 (Cumulonimbus) Dec 12, 2014
I wouldn't advise it. Take the SCHANNEL attack, for example. No one ever really said if F5 stopped it, but I would assume if it did they would have been shouting from the rooftops that they could solve the problem. So now you have an exploit that goes right through your F5 and onto the backend server, executing an arbitrary command on a server on your internal network.