bjames
Enthusiast

One CSS LB two firewalls, DMZ, return path?

Hi,

I have a client wanting to set up their (only) CSS to load balance two firewalls on the public side, servers in the DMZ, and return path through the firewalls. I recommended they keep the CSS off the public side, but they want the external FWLB. My question is, is it as simple as setting up another VLAN for the CSS on the public side then VIPing the FW addresses?

I saw the docs on FWLB, but they state you cannot use NAT. How is security accomplished through the firewalls then?

Thanks in advance,

Bob James

clayton-price
Beginner

I typically don't assign public IPs on my Internet-facing firewalls. The public addresses reside on a device behind the firewall. Then you simply configure your rules to allow access to the public IPs as needed. In my opinion this is more secure than having public IPs and NAT on your firewalls.

I use two LBs to load balance firewalls. I'm not sure it would work with only one?

Hi,

I don't quite understand what you are saying? What is the purpose of the firewall (or firewalls) if traffic is just allowed to flow through them? No NAT, or packet filtering?

How can this be more secure than a very standard practice?

Thanks in advance,

You can do packet filtering without NAT.
