Firewall sandwich
Hi,
I am trying to figure out the scenario described in this doc, Load Balancing 101: Firewall Sandwiches, and also in SOL2211.
I think I understand how the setup in Load Balancing 101: Firewall Sandwiches works, except for some doubts about the last hop pool described in SOL2211. Assuming that the FWs in the LB101 schema are not syncing session tables, what will happen when the last hop pool is used? According to 2211:
You can resolve this issue by configuring the BIG-IP virtual servers to use a last hop pool. This configuration will override the auto_lasthop variable. The pool selected for last hop contains the firewall or router addresses, which enables the BIG-IP system to select an alternative IP address and, therefore, a new MAC address in the event that one of the firewall devices fails. A last hop pool is also useful as a security feature because return packets sent through this virtual server are restricted to the last hop pool members.
BIG-IP will not send outgoing traffic using the original FW MAC (as it normally does with auto last hop enabled). Instead, traffic will be sent to another member of the last hop pool. But this member will have no info about the incoming connection, as the original packets were processed by the other member. So I assume that the connection will be terminated. Am I right or wrong? If so, what should be done to avoid this if the FWs are not syncing tables? Or is it not possible when session tables are not synced, so if the original FW fails, connections have to be terminated and started again?
Another aspect I am not sure about is whether the last hop pool handles only connections for a given VS. On the schema a Gateway Pool is used (I assume defined in Network > Routes with Resource set to Use Pool...), so this pool is used globally for all VSs, right?
Then, if a Last Hop Pool is set on a VS, it is only used for outgoing traffic for this VS, so different VSs can have different settings, which would, for example, allow using different FWs or routers for different types of application traffic?
Piotr
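Added example, not from the post or from F5's documentation: a small Python model of the return-path choice the SOL2211 quote describes (auto last hop reusing the ingress firewall, versus a per-virtual-server last hop pool picking another member when that firewall is down), combined with stateful firewalls that either do or do not synchronise their session tables. Firewall names, MAC addresses and the sample flow are constructed values.

```python
# Model of BIG-IP return-path selection in a firewall sandwich (added
# illustration, not BIG-IP code). Firewalls, MACs and flows are constructed.

class Firewall:
    def __init__(self, name, mac):
        self.name, self.mac, self.up = name, mac, True
        self.sessions = set()           # stateful table of flows it has seen

    def forward_client_packet(self, flow):
        self.sessions.add(flow)         # inbound packet creates session state

    def accepts_return(self, flow):
        # A stateful firewall drops return traffic with no matching session.
        return self.up and flow in self.sessions


def sync_sessions(firewalls):
    """Model of session-table synchronisation between firewalls (optional)."""
    shared = set().union(*(fw.sessions for fw in firewalls))
    for fw in firewalls:
        fw.sessions |= shared


class VirtualServer:
    def __init__(self, name, last_hop_pool=None):
        self.name = name
        self.last_hop_pool = last_hop_pool  # per-VS setting; None = auto_lasthop only
        self.conn_table = {}                # flow -> firewall the request came in through

    def ingress(self, flow, via_fw):
        via_fw.forward_client_packet(flow)
        self.conn_table[flow] = via_fw      # auto last hop remembers the ingress MAC

    def return_path(self, flow):
        original = self.conn_table[flow]
        if original.up:
            return original                 # normal case: reuse the ingress firewall
        if self.last_hop_pool:              # last hop pool: pick another healthy member
            for fw in self.last_hop_pool:
                if fw.up:
                    return fw
        return None                         # no usable next hop at all


def return_packet_delivered(vs, flow):
    """True only if a next hop exists AND that firewall still has session state."""
    fw = vs.return_path(flow)
    return fw is not None and fw.accepts_return(flow)
```

The model makes the two questions concrete: with a last hop pool but no session sync, the alternative firewall receives the return packet and drops it for lack of state; with sync it passes; and a VS without a last hop pool has no return path once its ingress firewall is down.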