Forum Discussion

JWhitesPro_1928
Feb 05, 2018

F5 FireEye Ingress with Single BIG-IP

Please--before you link me the existing deployment documents understand that I am asking for help on this because the existing deployment guides do say they are for ingress traffic but the guide just has you walk through an iApp that is using the forward proxy. I feel the guides should have a manual example of the ingress solution that does not involve using the forward proxy for outbound traffic.


I was wondering if anyone here has ever successfully set up a single BIG-IP to inspect inbound traffic (from the internet) using methods similar to the guides? I was curious if you had any details on the setup, in particular the physical connections: does your single BIG-IP (or BIG-IP HA pair) have connections directly into the FireEye device, or do the FireEye and the BIG-IP both just plug into a switch and share the appropriate VLANs?


How are you making the solution fail-open?


While this article is not part of the guides, I followed a chain of links from the guides and I think this setup is what actually needs to be done...though I am confused about part of the setup that it says has to be done because of limitations of the VE.


https://devcentral.f5.com/articles/divert-unencrypted-traffic-through-an-ips-with-local-traffic-manager


1 Reply

  • The VE limitations only apply to the 2nd VE in the demo, which is only used to simulate an L2 IPS. So when using a real L2 IPS, you shouldn't worry about this.


    I think the fail-open depends on the IPS being used, but if the IPS doesn't have a fail-open solution it should be possible to configure a fail-open by using priority groups or a simple iRule.
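As an added illustration of the iRule approach the reply mentions (this is not code from the thread, the linked article, or F5's deployment guides), the following iRule fails open when the inspection path is down. It assumes two pools that are placeholders here: `ips_pool`, whose member is the next hop that carries traffic through the L2 IPS, and `bypass_pool`, whose member reaches the servers directly. A health monitor attached to `ips_pool` is assumed to mark the member down when the IPS path stops passing traffic; the iRule only reacts to that monitor state.

```tcl
# Added example, not from the original thread. Pool names are placeholders:
#   ips_pool    - next hop that routes through the L2 IPS (monitored)
#   bypass_pool - direct path to the servers, used only when ips_pool is down
when CLIENT_ACCEPTED {
    if { [active_members ips_pool] > 0 } {
        # Normal case: send the connection through the inspection path
        pool ips_pool
    } else {
        # Fail-open: no healthy IPS path, forward directly and record it
        # so the bypass shows up in the logs for later review
        log local0. "ips_pool has no active members, failing open for [IP::client_addr]"
        pool bypass_pool
    }
}

when LB_FAILED {
    # Member was selected but the connection attempt failed (e.g. the IPS
    # path went down between the monitor interval and this connection).
    # Reselect onto the bypass pool instead of resetting the client.
    if { [LB::server pool] eq "ips_pool" } {
        log local0. "LB_FAILED on ips_pool, reselecting bypass_pool for [IP::client_addr]"
        LB::reselect pool bypass_pool
    }
}
```

The priority-group alternative the reply also mentions would achieve the same effect without an iRule: put the IPS next hop and the direct path in one pool, give the IPS member the higher priority group, and set the pool's minimum active members to 1 so the direct member is only used while the IPS member is down. Either way, the fail-open decision rests on the health monitor, so it is worth logging each bypass so that time spent uninspected is visible.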