Forum Discussion
AltostratusWildcard in SNAT
AltostratusHi whisperer,
I have two issues
1. IP intelligence/ reputation feeds: as you mentioned that can be done manually as well, doing it that way now.
2. I want configure an MS Teams webhook and I was told to allow *.office.com. This is where I am facing the challenge.
The FW1 sitting inline (LTM->FW1->Internet) doesn't support wildcard. Hence I am thinking of these two approaches. Will be glad to find an easy alternative 😊
LTM(src-1.1.1.1) -To- *.f5.com [Takes 0.0.0.0/0] --> SNAT(1.1.1.1->2.2.2.2) -To- *.f5.com [Takes 0.0.0.0/0] --> FW1[Allow all https for source 2.2.2.2] [Takes 0.0.0.0/0] --> Internet OR
LTM(src-1.1.1.1) -To- *.f5.com [Takes 0.0.0.0/0] --> SNAT(1.1.1.1->2.2.2.2) -To- *.f5.com [Takes 0.0.0.0/0] --> FW1[PBR to FW2 that supports * for source 2.2.2.2] [Takes 0.0.0.0/0] --> Internet OR
MVPNormally, I would say just trust the F5 self IPs out to Internet with a dedicated firewall rule. Don't do any URL whitelisting. BUT, if you don't use SNAT pools and use auto SNAT, that type of firewall policy would not be restrictive enough for potentially VIP related traffic -- for example, load balancing proxy servers.
The issue is really how to differentiate F5 generated traffic from other traffic also hiding behind the SNAT IP address. If you can't, then perhaps a) whitelist multiple destinations, b) consider a more capable firewall, c) utilize automation like Ansible Tower to automate the update tasks.
While there may be a solution for what you are trying to accomplish, I can't think of an "elegant one". I have seen in the past, companies use a dedicated network for management traffic where you could use static management routes for traffic to egreee MGMT interface, and then having a dedicated switch/firewall for controlling traffic.
