Forum Discussion

dragonflymr
Mar 02, 2015

Firewall sandwich

Hi,

I am trying to figure out the scenario described in this doc, Load Balancing 101: Firewall Sandwiches, and also in SOL2211.

I think I understand how the setup in Load Balancing 101: Firewall Sandwiches works, except for some doubts about the last hop pool described in SOL2211. Assuming the FWs in the LB101 schema are not syncing session tables, what will happen when the last hop pool is used? According to 2211:

You can resolve this issue by configuring the BIG-IP virtual servers to use a last hop pool. This configuration will override the auto_lasthop variable. The pool selected for last hop contains the firewall or router addresses, which enables the BIG-IP system to select an alternative IP address and, therefore, a new MAC address in the event that one of the firewall devices fails. A last hop pool is also useful as a security feature because return packets sent through this virtual server are restricted to the last hop pool members.

BIG-IP will not send outgoing traffic using the original FW MAC (as it normally does with auto last hop enabled). Instead, traffic will be sent to another member of the last hop pool. But this member will have no info about the incoming connection, as the original packets were processed by another member. So I assume the connection will be terminated. Am I right or wrong? If so, what should be done to avoid this if the FWs are not syncing tables? Or is it not possible when session tables are not synced - so if the original FW fails, connections have to be terminated and started again?

Another aspect I am not sure about is whether the last hop pool handles only connections for a given VS. On the schema a Gateway Pool is used (I assume defined in Network > Routes with Resource set to Use Pool...) - so this pool is used globally for all VSs - right?

Then if a Last Hop Pool is set on a VS it is only used for outgoing traffic for this VS, so different VSs can have different settings, which would for example allow using different FWs or routers for different types of application traffic?

Piotr

3 Replies

  • I wonder if that is a correct modification of the schema in LB101.

    Scenario:

    1. Two applications using 192.0.2.5:80 (App_A) and 192.0.2.6:80 (App_B)
    2. Each application should use separate FW pools, let's say App_A FW_pool_A (172.16.2.10-12), App_B FW_pool_B (172.16.2.13-14)
    3. Of course each app is balanced (on ADC2) to a different set of web servers: Pool_A (172.16.4.10-12), Pool_B (172.16.4.13-14)

    Implementation:

    1. On ADC1 two VS, VS_A (192.0.2.5:80) with FW_pool_A, VS_B (192.0.2.6:80) with FW_pool_B
    2. FWs in each pool using the same DG 172.16.2.5
    3. On ADC2, VS_A (192.0.2.5:80) with Pool_A and Last Hop Pool set to FW_pool_A, VS_B (192.0.2.6:80) with Pool_B and LHP set to FW_pool_B (of course the FW pools are now defined on ADC2 using IPs from 172.16.3.0/24)
    4. Servers from both Pool_A and Pool_B using DG 172.16.4.5
    5. Routes on both router and FWs staying the same.

    Is that OK or not really? Could it be done smarter?

    Piotr
  • Sorry, last two issues.

    1. According to my test, when Auto Last Hop is enabled, even if there is no DG defined at all on BIG-IP, returning traffic is correctly directed to the original last hop. So why define a GW pool at all in the original schema from LB101?
    2. In some answer to an LHP question there was info that Auto Last Hop and LHP exclude each other. Looking at https://support.f5.com/kb/en-us/solutions/public/8000/200/sol8290.html it seems not true. As far as I understand, when ALH is enabled along with LHP then ALH is responsible for returning traffic to the same member in the LHP that originally sent it. I can't really figure out what will happen with ALH disabled - how traffic will be returned to the correct member. It seems to me that LHP is only prohibiting returning traffic to a MAC that does not belong to any of the members. Still, the description in sol8290 is a bit cryptic to me, so I could be wrong here. Looking at the schema in LB101 I wonder how traffic can be returned to the FW in the GW pool that originally sent it (if ALH is not enabled); in this case will the packet be sent to a member only according to the LB method used for the GW pool?

    Piotr
  • Hi Piotr,

    regarding your question 1: The default gateway pool is required to handle outgoing connections in case your firewall sandwich is used for outgoing traffic initiated by internal users.

    For your tests regarding AutoLastHop you may find the connection table "all-properties" switch useful:
    tmsh show sys conn all-properties
    

    It will show the ingress VLAN and last hop information for each connection.

    Just add additional parameters to filter output on criteria as client IP or virtual server IP etc.

    In my opinion it does not show all information. At least I'm missing the egress VLAN information (used by the VLAN-keyed connection feature to avoid asymmetric traffic flow on the server side).

    Thanks, Stephan
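As an added illustration of the per-VS last hop pool layout proposed in the first reply (not configuration from the thread, from F5 or from LB101), this is what the ADC2 side looks like at the tmsh prompt. The individual firewall addresses in 172.16.3.0/24, the monitor choices and the client address used in the final filter are assumptions; the pool, VS and server addresses are the ones from the reply.

```tmsh
# Firewall pools as seen from ADC2 (the reply only says "IPs from 172.16.3.0/24",
# so the exact member addresses below are assumed). Last hop pool members use
# port 0 (any) because they are next hops, not application services.
create ltm pool FW_pool_A members add { 172.16.3.10:0 172.16.3.11:0 172.16.3.12:0 } monitor gateway_icmp
create ltm pool FW_pool_B members add { 172.16.3.13:0 172.16.3.14:0 } monitor gateway_icmp

# Web server pools from the reply.
create ltm pool Pool_A members add { 172.16.4.10:80 172.16.4.11:80 172.16.4.12:80 } monitor http
create ltm pool Pool_B members add { 172.16.4.13:80 172.16.4.14:80 } monitor http

# One virtual server per application. last-hop-pool restricts the return path of
# this VS to the named firewall set (the security aspect SOL2211 mentions), and
# auto-lasthop is left at "default" so it inherits the global setting; with ALH
# on, replies go back to the member that sent the request in the first place.
create ltm virtual VS_A destination 192.0.2.5:80 ip-protocol tcp profiles add { tcp } pool Pool_A last-hop-pool FW_pool_A auto-lasthop default
create ltm virtual VS_B destination 192.0.2.6:80 ip-protocol tcp profiles add { tcp } pool Pool_B last-hop-pool FW_pool_B auto-lasthop default

# Gateway pool plus default route, only needed if internal hosts initiate
# connections outward through the sandwich (Stephan's point 1). Which firewalls
# belong here is a design choice; all five are assumed for this example.
create ltm pool GW_pool members add { 172.16.3.10:0 172.16.3.11:0 172.16.3.12:0 172.16.3.13:0 172.16.3.14:0 } monitor gateway_icmp
create net route default_via_fw network 0.0.0.0/0 pool GW_pool

save sys config

# Verify which last hop a flow recorded, narrowing Stephan's command to one
# client (198.51.100.7 is an assumed test client address).
show sys connection cs-client-addr 198.51.100.7 all-properties
```

If a flow's recorded last hop is not a member of the VS's last hop pool, its return traffic is dropped, which is the behaviour to look for when testing a firewall failure without session sync.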