Forum Discussion

Dmitri_Ch__1425
Dec 17, 2015

F5 'firewall sandwiches' with inline firewalls?

Hi

 

I'm looking at implementing an F5 'firewall sandwich' to help load balance a few firewalls.

 

The white paper [1] shows firewalls with IP addresses (i.e. used as DGW by network equipment/servers). How would one implement such a configuration when the firewalls are inline and don't have IP addresses assigned?

 

The white paper mentions that "This basic concept of the firewall sandwich can be used to manage traffic across many transparent and semi-transparent devices, stateful or not, like SSL accelerators, IDS/IPS, and routers and proxy servers—any inline device that requires better availability".

 

Does anyone have any links or can share experience implementing a firewall sandwich with inline firewalls?

 

Thank you.

 

[1] https://f5.com/resources/white-papers/load-balancing-101-firewall-sandwiches

 

1 Reply

  • Hi Dmitri,

     

    In case your firewalls are not even addressable on the Ethernet layer, it will be necessary to put them into different transfer VLANs.

     

    The virtual server would use a pool of gateways "behind" the firewalls as next hop.

     

    In case you can address them on the MAC layer, you can use static ARP entries with fake IP addresses and transparent health checks to monitor the availability of each path.

     

    Thanks, Stephan
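
The transfer-VLAN variant from the reply above, sketched as tmsh commands for the BIG-IP on the inside of the sandwich. This is an added example, not part of the original thread and not taken from the white paper. The interface numbers, object names and addresses (documentation ranges) are assumptions, as is a far-side device (second BIG-IP or router) that owns the `.2` and `.6` addresses and answers ICMP through each firewall.

```tmsh
# Assumed layout: each inline firewall is a bump in the wire on its own
# transfer VLAN, so traffic for a given next hop can only cross one firewall.
#
#   BIG-IP 1.1 --[ fw1 ]-- far-side gateway 192.0.2.2   (transfer_fw1)
#   BIG-IP 1.2 --[ fw2 ]-- far-side gateway 192.0.2.6   (transfer_fw2)

# One transfer VLAN per firewall path (interface numbers are assumptions)
create net vlan transfer_fw1 interfaces add { 1.1 { untagged } }
create net vlan transfer_fw2 interfaces add { 1.2 { untagged } }

# Self IPs on the near side of each firewall; no management services exposed
create net self self_transfer_fw1 address 192.0.2.1/30 vlan transfer_fw1 allow-service none
create net self self_transfer_fw2 address 192.0.2.5/30 vlan transfer_fw2 allow-service none

# Pool of the gateways "behind" the firewalls. The built-in gateway_icmp
# monitor pings each gateway through its firewall, so a failed or blocking
# firewall marks that path down. The firewall policy must permit this ICMP.
create ltm pool pool_fw_paths monitor gateway_icmp members add { 192.0.2.2:0 192.0.2.6:0 }

# Wildcard virtual server on the client-facing VLAN ("internal" is an
# assumed name). Address and port translation stay off so the pool member
# is used only as the next hop and packets keep their original destination.
create ltm virtual vs_fw_sandwich destination 0.0.0.0:any mask any ip-protocol any pool pool_fw_paths translate-address disabled translate-port disabled vlans-enabled vlans add { internal }
```

The device on the far side of the firewalls needs the mirror-image configuration so that return traffic is balanced across the same paths.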