F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

Sebastian_Meth's avatar
Sebastian_Meth
Icon for Nimbostratus rankNimbostratus
Jun 22, 2011

selective forwarding VS with IP and Port filtering

Hi,   I have a setup with a F5 ltm behind a firewall. The ltm connects two IP networks.     firewall   ...
config
design
hoolio's avatar
hoolio
Icon for Cirrostratus rankCirrostratus
Jun 22, 2011
Hi Sebastian,

You could create a forwarding network virtual server and then add the destination hosts/subnets which should be sent to the firewall to a datagroup. In CLIENT_ACCEPTED, you could check if [IP::local_addr] is in the datagroup using 'class match' for v10 or matchclass for v9. Requests for the firewall would be sent to the firewall pool. All others would be sent to the gateway for the other network. Or you could reverse the logic for matching and have the hosts/subnets which do not need to go through the firewall to the datagroup.

Here's a 10.x example: 

when CLIENT_ACCEPTED {

   if {[class match [IP::local_addr] equals firewall_nets_class]}{

      pool firewall_pool
   }
    Default action for non-matching destination hosts is to use the virtual server's default pool
}

Aaron