Forum Discussion
Sebastian_Meth
Nimbostratus
Jun 22, 2011
selective forwarding VS with IP and Port filtering
Hi,
I have a setup with an F5 LTM behind a firewall. The LTM connects two IP networks.
firewall
...
hoolio
Cirrostratus
Jun 23, 2011
Hi Sebastian,
You could create a forwarding network virtual server and then add the destination hosts/subnets which should be sent to the firewall to a datagroup. In CLIENT_ACCEPTED, you could check if [IP::local_addr] is in the datagroup using 'class match' for v10 or matchclass for v9. Requests for the firewall would be sent to the firewall pool. All others would be sent to the gateway for the other network. Or you could reverse the logic for matching and add the hosts/subnets which do not need to go through the firewall to the datagroup.
Here's a 10.x example:
    when CLIENT_ACCEPTED {
        # Send destinations listed in the datagroup to the firewall pool
        if {[class match [IP::local_addr] equals firewall_nets_class]} {
            pool firewall_pool
        }
        # Default action for non-matching destination hosts is to use the virtual server's default pool
    }
Aaron
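The reversed matching logic mentioned in the reply above, as an added 10.x example that is not part of the original post: destinations in the datagroup skip the firewall, and everything else, including any subnet nobody remembered to list, goes through it. The names bypass_nets_class and gateway_pool are hypothetical; firewall_pool is taken from the post.

```tcl
when CLIENT_ACCEPTED {
    # Assumption: bypass_nets_class is an address datagroup holding only the
    # destination hosts/subnets that are allowed to skip the firewall.
    if { [class match [IP::local_addr] equals bypass_nets_class] } {
        # Explicitly listed destination: send straight to the gateway
        # for the other network (hypothetical pool name).
        pool gateway_pool

        # Record each bypass so the exceptions can be audited later.
        log local0. "firewall bypass: [IP::client_addr] -> [IP::local_addr]"
    } else {
        # Not listed: always go through the firewall. Both branches select a
        # pool explicitly, so the result does not depend on the virtual
        # server's default pool.
        pool firewall_pool
    }
}
```

With this variant a mistake in the datagroup sends extra traffic through the firewall rather than around it.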