Forum Discussion

Muhammad_57196
Jun 17, 2009

Sandwich configuration but with two firewalls in between

Hi,

Need your help urgently, please. We have a sandwich configuration but with two firewalls. There are two firewalls between the external and internal pair of F5s, as shown below.

    ----------------
    -    ZONE 1    -
    ----------------
        .        .
    ------    ------
    -F5-1-    -F5-2-
    ------    ------
        .        .
        ..........
        .        .
    ------    ------
    -Fw-1-    -Fw-2-
    ------    ------
        .        .
    ------    ------
    -Fw-3-    -Fw-4-
    ------    ------
        .        .
        ..........
        .        .
    ------    ------
    -F5-3-    -F5-4-
    ------    ------
        .        .
    -------------------
    -      ZONE 2     -
    -------------------

I need the internal pair of F5s (F5-1 and F5-2, acting as active/standby) to make an intelligent decision in case the external pair of firewalls (Fw-3 and Fw-4, acting as active/active) goes down. In the normal case the traffic comes to F5-1 and it sends it to F5-3 via Fw-1 and Fw-3. Now if Fw-3 goes down, I want F5-1 to send the traffic to F5-3 through Fw-2 and Fw-4.

My approach is as follows. I will define standard virtual servers, let's say 10.1.1.1 and 10.1.1.5, on the external pair of F5s (i.e., F5-3 and F5-4) with pool members of the switch interface connecting to zone 2. On the internal pair of F5s, I will define a performance layer 4 virtual server (with no address translation) with pool members 10.1.1.1 and 10.1.1.5. On this internal pair of F5s, the route to 10.1.1.1/30 is via Fw-1 and the route to 10.1.1.5/30 is via Fw-2. Now if Fw-3 goes down in this scenario, the monitor for the pool will not be able to talk to the VIP 10.1.1.1 on the external pair of F5s (i.e., F5-3 and F5-4), and hence it will mark pool member 10.1.1.1 as down on the internal F5, and therefore F5-1 will not send the traffic to its pool member 10.1.1.1. Any comments on this approach? Is there any better approach to monitoring links in case of two firewalls in the path? Any help is appreciated.

Thanks a lot in advance.

Regards,

Dr. Muhammad Malik
  • Hi,

    It's strange I didn't get any reply. I have another solution for the sandwich configuration with two firewalls in between. The external pair of F5s will have a performance layer 4 virtual server configured with pool members of the interfaces of the internal firewalls (not the external firewalls that are close to the external F5s). In this way the monitor will monitor the whole path up to the internal firewall. The monitor will show the firewall path as down in case any of the external or internal firewalls goes down.

    I would really appreciate it if anyone can comment on this approach to monitor two firewalls in between the two F5s.

    Regards,

    Dr. Muhammad Malik
  • Hi Dr. Muhammad,

    I think your approach is sound, but what are you monitoring? I mean, you should be monitoring something that definitely points out that the firewall is not sending ANY traffic. I think that is the key here.

    CB

  • Hi CB,

    Thanks for the reply ... really appreciated. Any suggestion for the monitor on the external pair of F5s, so that it will monitor the whole path from the external pair of F5s to the internal pair of firewalls via the external pair of firewalls?

    [External pair of F5s] ----- [external Firewall] ---- [internal Firewall] ---- [internal pair of F5s]

    I am thinking of a monitor that pings the interface of the internal pair of F5s, or how about a TCP monitor that monitors the management port on the internal firewall? Any suggestion is welcome.

    Cheers

    Dr. Muhammad Malik
  • You could test through to the floating self IP between the internal pair of F5s, or you could set up a dummy virtual server that has a pool configured to an internal resource that is always available (loopback of an internal distribution switching layer, mail gateways, etc.). That way you are testing not only to your internal app delivery devices, but through them.
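The configuration the question describes for the internal pair (performance layer 4 virtual server, no address translation, a pool of the two path addresses, one static route per firewall chain), written out in tmsh as an added example; it is not taken from the original posts or from F5 documentation. It also picks up CB's point by monitoring the service port through each path instead of ICMP. The path addresses 10.1.1.1 and 10.1.1.5 are from the question; the gateway addresses 192.0.2.1 and 192.0.2.2, the service port 443 and the VLAN name zone1_vlan are assumptions.

```tmsh
# Assumed: tmsh syntax. 192.0.2.1/192.0.2.2 stand for the inside
# interfaces of Fw-1 and Fw-2; port 443 and zone1_vlan are placeholders.

# Check the service port through each path rather than ICMP, so a firewall
# that still answers ping but drops application traffic is marked down.
ltm monitor tcp path_tcp_443 {
    defaults-from tcp
    destination *:443
    interval 5
    timeout 16
}

# The two members are the virtual servers on the external F5 pair: one is
# reachable only via Fw-1/Fw-3, the other only via Fw-2/Fw-4. Port "any"
# (0) so every destination port is forwarded unchanged.
ltm pool fw_path_pool {
    members {
        10.1.1.1:any { address 10.1.1.1 }
        10.1.1.5:any { address 10.1.1.5 }
    }
    monitor path_tcp_443
    load-balancing-mode round-robin
}

# Static routes pin each path address to its own firewall chain, as in the
# question (10.1.1.1 via Fw-1, 10.1.1.5 via Fw-2).
net route to_path_via_fw1 {
    network 10.1.1.0/30
    gw 192.0.2.1
}
net route to_path_via_fw2 {
    network 10.1.1.4/30
    gw 192.0.2.2
}

# Wildcard performance (layer 4) virtual server on the internal pair.
# With address translation disabled the selected member is used as the next
# hop and the client's destination address is left as it was. Restricting
# the wildcard to the Zone 1 facing VLAN keeps it from catching other traffic.
ltm virtual zone1_to_zone2_l4 {
    destination 0.0.0.0:any
    mask any
    ip-protocol any
    profiles { fastL4 { } }
    pool fw_path_pool
    translate-address disabled
    translate-port disabled
    vlans { zone1_vlan }
    vlans-enabled
}
```

When Fw-3 fails, the TCP monitor to 10.1.1.1 times out, that member is marked down, and new connections are sent to 10.1.1.5 over Fw-2/Fw-4 without any change to the virtual server.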