Thanks for your help!! As suggested, I was able to provide the users' requested security with dedicated virtual servers. On the outside interface I used a typical IP Forwarding virtual, then on the inside VLANs I applied virtual servers such as the following to forward to my outside firewall. A separate virtual for each VLAN, all using the same pool to the firewall.
pool IP_Forwarding_FW06 {
   monitor all Gateway_ICMP_30sec
   members 1.1.1.1:any {}
}
virtual IP_Forward_v454 {
   pool IP_Forwarding_FW06
   destination any:any
   mask 0.0.0.0
   vlans Msg-v454 enable
}
virtual IP_Forward_v462 {
   pool IP_Forwarding_FW06
   destination any:any
   mask 0.0.0.0
   vlans ADFS-v462 enable
}
virtual Generic_IP_Forwarding_virtual_server {
   ip forward
   destination any:any
   mask 0.0.0.0
   vlans {
      External-v342
      Heartbeat
   } enable
}
Added to that, an iRule to limit which of the internal networks are allowed to call the virtual servers. This is to separate out two groups of networks: dev source nets can call dev virtuals, and prod source nets can call prod VIPs, but not vice-versa.
Apply the Prod_FW iRule to Production virtuals.
rule Prod_FW {
   when CLIENT_ACCEPTED {
      log local0. "Prod_FW: New Connection From [IP::client_addr]:[TCP::client_port]"
      if { [class match [IP::client_addr] equals Dev_NETS] } {
         log local0. "Prod_FW: IP Address matched, dropping"
         table incr -subtable FW_stats [IP::client_addr]
         log local0. "Prod_FW: [IP::client_addr] hit this rule [table lookup -subtable FW_stats [IP::client_addr]] times"
         reject
      }
   }
}
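As an added example (not the poster's own config), here is an offline Python model of the two-group policy the iRule above implements: the `class match` against an address data group, the FW_stats hit counter, and the mirror-image Dev_FW rule the post describes but does not show. The data group prefixes and the Dev_FW rule are assumptions; the model lets you check the policy matrix and that the two data groups do not overlap before touching the BIG-IP.

```python
"""Offline model of the dev/prod source-network segregation iRule policy."""
import ipaddress
from collections import Counter

# Constructed sample data groups (hypothetical prefixes, not from the post).
DATA_GROUPS = {
    "Dev_NETS": ["10.10.0.0/16", "10.20.5.0/24"],
    "Prod_NETS": ["10.30.0.0/16", "192.0.2.0/24"],
}

# Which data group each iRule rejects: Prod_FW rejects Dev_NETS on prod virtuals;
# Dev_FW is the assumed mirror image for dev virtuals (not shown in the post).
RULES = {"Prod_FW": "Dev_NETS", "Dev_FW": "Prod_NETS"}

# Equivalent of the FW_stats subtable: reject count per (rule, client address).
FW_STATS = Counter()


def class_match(addr, group):
    """Model of `class match <addr> equals <group>` for an address data group."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(net) for net in DATA_GROUPS[group])


def client_accepted(rule, client_addr):
    """Return 'reject' or 'allow' for a new connection seen by `rule`.

    Like the posted iRule, this is deny-list only: a source outside both
    data groups is allowed by both rules.
    """
    if class_match(client_addr, RULES[rule]):
        FW_STATS[(rule, client_addr)] += 1  # table incr -subtable FW_stats
        return "reject"
    return "allow"


def groups_overlap():
    """Return prefix pairs present in both groups; such a source would be
    rejected on every virtual, so the list should be empty."""
    dev = [ipaddress.ip_network(n) for n in DATA_GROUPS["Dev_NETS"]]
    prod = [ipaddress.ip_network(n) for n in DATA_GROUPS["Prod_NETS"]]
    return [(d, p) for d in dev for p in prod if d.overlaps(p)]


if __name__ == "__main__":
    for rule, src in [("Prod_FW", "10.10.3.4"), ("Dev_FW", "10.30.1.1")]:
        print(rule, src, client_accepted(rule, src))
    print("overlapping prefixes:", groups_overlap())
```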