using LTM VE as Firewall

In theory, yes... You have packetfilters available. And they can be configured from the GUI or the command line.

 

 

However it isn't an easy process... Especially if you have multiple people involved... And a lot of rules. I'm not sure I'd recommend it as a primary firewall...

 

 

H

OK, if I have some case like this :

 

 

1. user will open web page via browser, web page can be anything not the one set up in pool

 

2. on datagroups, we will set up url/domain list

 

3. when user access a page which existed in domain list, big-ip will try to insert html page into the web page

 

4. the web page shown to user it will be the one after big-ip made changes.

 

 

How to make LTM VE to do like that? thanks

As a forward proxy you mean?

 

 

You'd need to write (Or adapt an existing) iRule to do this. It should be fairly easy, a quick test for the URL against the datagroup and return a canned page instead of fetching the real one.

 

 

H

so that one working as forward proxy?

 

 

do u have any example on how to do this? I mean the example of irules

I'm reticent to glom onto someone else's issue, but I have a similar question: Can you use an iRule to drop traffic for which there isn't a service configured? For example, configuring a VIP to drop inbound ICMP.

Posted By Gortguy on 07/18/2011 09:53 AM

 

I'm reticent to glom onto someone else's issue, but I have a similar question: Can you use an iRule to drop traffic for which there isn't a service configured? For example, configuring a VIP to drop inbound ICMP.

 

Yeah, that's no problem at all. You have full access to the traffic. The only caveat is that I believe it has to be ip... Anything else I'm not sure there's an event to trigger for...

 

 

H

 

Posted By Fiko on 07/18/2011 03:41 AM

 

so that one working as forward proxy?

 

 

do u have any example on how to do this? I mean the example of irules

 

Checkout the codeshare portion of devcentral (Under downloads).

 

 

 

 

H

 

btw what is the configuration of virtual server to make this work?

 

 

change it to forwarding (IP) ?

 

That depends on exactly how your architecture is arranged. If the servers are sitting on a directly attached VLAN, then yes... If it's via a router, then probably not (Although technically uou could still, I personally wouldn't because it makes the config that much harder to understand... But YMMV).

 

 

H

Here's the architecture which will be applied

 

 

 

user ===== F5 ===== Web Server

 

__________||

 

__________||

 

__________CM

 

 

CM is application server which will be used to control F5 using iControl SDK

 

 

if those kind of arch. applied then how the configuration of virtual server should be?

 

 

btw I can't find in the code share on how making an irules for forward proxy, I'm not quite good on networking so I really confuse how to do this